)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"42e7aad3c21cd06744ea2e26a53141b36b061e94","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     Adam Young \u003cayoung@redhat.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2016-12-02 09:57:33 -0500"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Role Check Check from Middleware"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Verify the roles for the API during the"},{"line_number":10,"context_line":"keystone middleware call, after token"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":15,"id":"3a71b18c_968708b4","line":7,"range":{"start_line":7,"start_character":5,"end_line":7,"end_character":16},"updated":"2016-12-06 20:37:46.000000000","message":"more an extra Check","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"}],"specs/keystone/ongoing/role-check-from-middleware.rst":[{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"23f9310deddf7573785cb2d5dc6b8e9b193bb297","unresolved":false,"context_lines":[{"line_number":169,"context_line":"   auth_type\u003dpassword"},{"line_number":170,"context_line":"   auth_url\u003dhttp://192.0.2.3:35357"},{"line_number":171,"context_line":"   password\u003d7c48bc8f2668001d81582506f7c83d242f62502e"},{"line_number":172,"context_line":"   service\u003dcompute"},{"line_number":173,"context_line":""},{"line_number":174,"context_line":"Fetch RBAC Data"},{"line_number":175,"context_line":"~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_d320609e","line":172,"updated":"2016-12-02 00:42:22.000000000","message":"Thank you for using the service type, not the code name!","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2903,"name":"Morgan 
Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"23f9310deddf7573785cb2d5dc6b8e9b193bb297","unresolved":false,"context_lines":[{"line_number":176,"context_line":""},{"line_number":177,"context_line":"After the token has been validated via a call to Keystone, the"},{"line_number":178,"context_line":"middleware will fetch the RBAC specific data via python-keystoneclient"},{"line_number":179,"context_line":"which calls the API."},{"line_number":180,"context_line":""},{"line_number":181,"context_line":".. code-block:: bash"},{"line_number":182,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_10264ece","line":179,"updated":"2016-12-02 00:42:22.000000000","message":"Is this done on every-single validation? This seems to imply as such. If that is the case, I worry that we\u0027re adding a significant overhead to validation. Simple indication to something like \"if needed\" should be sufficient here to let us have flexibility in implementation. Details on cached/not-cached, etc can be deferred to implementation time.\n\nAs a IMPL detail (not to be filled in here within the spec), if it is cached we can simply use an IMS (HTTP If-Modified-Since) call to fetch new update or just reference cached value(s). 
If not modified, keystone says \"not modified\" if it is, it returns the new values.","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"cacbed6e356eec330fd7cf22bcd38b8895a7ce96","unresolved":false,"context_lines":[{"line_number":176,"context_line":""},{"line_number":177,"context_line":"After the token has been validated via a call to Keystone, the"},{"line_number":178,"context_line":"middleware will fetch the RBAC specific data via python-keystoneclient"},{"line_number":179,"context_line":"which calls the API."},{"line_number":180,"context_line":""},{"line_number":181,"context_line":".. code-block:: bash"},{"line_number":182,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_135f3842","line":179,"in_reply_to":"3a71b18c_10264ece","updated":"2016-12-02 00:56:19.000000000","message":"No, this is just the first pass.  It will be subsequently cached and reused from cache.","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"cacbed6e356eec330fd7cf22bcd38b8895a7ce96","unresolved":false,"context_lines":[{"line_number":203,"context_line":"         },"},{"line_number":204,"context_line":"         {"},{"line_number":205,"context_line":"             verbs\u003d[\"PUT\"],"},{"line_number":206,"context_line":"             url_pattern\u003d\"/v2.{subversion}/{tenant_id}​/servers/​{server_id}\""},{"line_number":207,"context_line":"             roles\u003d[\"Member\", \"admin\"],"},{"line_number":208,"context_line":"             admin_project_only\u003dFalse"},{"line_number":209,"context_line":"         }"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_f340fc58","line":206,"updated":"2016-12-02 00:56:19.000000000","message":"Stray spaces 
here...weird.","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"23f9310deddf7573785cb2d5dc6b8e9b193bb297","unresolved":false,"context_lines":[{"line_number":211,"context_line":"      \u0027default\u0027: {"},{"line_number":212,"context_line":"          roles\u003d[\"Member\", \"admin\"],"},{"line_number":213,"context_line":"          admin_project_only\u003dFalse"},{"line_number":214,"context_line":"      },"},{"line_number":215,"context_line":"  }"},{"line_number":216,"context_line":""},{"line_number":217,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_f3739caf","line":214,"updated":"2016-12-02 00:42:22.000000000","message":"This seems like it could be exceptionally verbose/very large document in some cases.\n\nCan wild-cards be used here as well in the pattern to alleviate possible document bloat? is the pattern an actual regex? or simply a custom subst template?","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"cacbed6e356eec330fd7cf22bcd38b8895a7ce96","unresolved":false,"context_lines":[{"line_number":211,"context_line":"      \u0027default\u0027: {"},{"line_number":212,"context_line":"          roles\u003d[\"Member\", \"admin\"],"},{"line_number":213,"context_line":"          admin_project_only\u003dFalse"},{"line_number":214,"context_line":"      },"},{"line_number":215,"context_line":"  }"},{"line_number":216,"context_line":""},{"line_number":217,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_b3368401","line":214,"in_reply_to":"3a71b18c_f3739caf","updated":"2016-12-02 00:56:19.000000000","message":"FOr an implementation, I was planning on using the Routes API like Keystone does, as I know that will work.  
I don\u0027t think we want to go with a RegEx, as they could be impossible to work with.  We really want to match segment by segment of the URL.","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"23f9310deddf7573785cb2d5dc6b8e9b193bb297","unresolved":false,"context_lines":[{"line_number":230,"context_line":""},{"line_number":231,"context_line":"By the time the code has passed to Keystonemiddleware, the complete"},{"line_number":232,"context_line":"URL will have been processed by the WSGI pipeline, removing the"},{"line_number":233,"context_line":"Hostname and port. The remainder of the URL will most likely start"},{"line_number":234,"context_line":"with the version information in the pattern /v[0-9.]*/."},{"line_number":235,"context_line":"In our example, this leaves: `/v2.1/2497f6​/servers/​83cbdc`."},{"line_number":236,"context_line":"The pattern matching will be run against this sub-url."},{"line_number":237,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_73b78c39","line":234,"range":{"start_line":233,"start_character":19,"end_line":234,"end_character":55},"updated":"2016-12-02 00:42:22.000000000","message":"Is this a question, do services not always adhere to this?","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"cacbed6e356eec330fd7cf22bcd38b8895a7ce96","unresolved":false,"context_lines":[{"line_number":230,"context_line":""},{"line_number":231,"context_line":"By the time the code has passed to Keystonemiddleware, the complete"},{"line_number":232,"context_line":"URL will have been processed by the WSGI pipeline, removing the"},{"line_number":233,"context_line":"Hostname and port. 
The remainder of the URL will most likely start"},{"line_number":234,"context_line":"with the version information in the pattern /v[0-9.]*/."},{"line_number":235,"context_line":"In our example, this leaves: `/v2.1/2497f6​/servers/​83cbdc`."},{"line_number":236,"context_line":"The pattern matching will be run against this sub-url."},{"line_number":237,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_73914cf0","line":234,"range":{"start_line":233,"start_character":19,"end_line":234,"end_character":55},"in_reply_to":"3a71b18c_73b78c39","updated":"2016-12-02 00:56:19.000000000","message":"It is possible that they do not comply with the URL scheme as I posted.  That is not a hard and fast rule in OpenStack, and a service outside of OpenStack may chose to use Keystone as well.","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"23f9310deddf7573785cb2d5dc6b8e9b193bb297","unresolved":false,"context_lines":[{"line_number":235,"context_line":"In our example, this leaves: `/v2.1/2497f6​/servers/​83cbdc`."},{"line_number":236,"context_line":"The pattern matching will be run against this sub-url."},{"line_number":237,"context_line":""},{"line_number":238,"context_line":"keystonemiddleware will iterate through the set of patterns,"},{"line_number":239,"context_line":"attempting a match against each one. 
The URL remainder above will"},{"line_number":240,"context_line":"match the pattern"},{"line_number":241,"context_line":""},{"line_number":242,"context_line":"GET /v2.1/​{tenant_id}​/servers/​{server_id}​"},{"line_number":243,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_13973891","line":240,"range":{"start_line":238,"start_character":0,"end_line":240,"end_character":17},"updated":"2016-12-02 00:42:22.000000000","message":"I have questions on what a large tree looks like for this... but that can wait until we get to implementation.","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"23f9310deddf7573785cb2d5dc6b8e9b193bb297","unresolved":false,"context_lines":[{"line_number":243,"context_line":""},{"line_number":244,"context_line":"Since the token response will have the role \"Member\" which matches the"},{"line_number":245,"context_line":"set of roles: `roles\u003d[\"Member\", \"admin\"]` the validation will succeed."},{"line_number":246,"context_line":""},{"line_number":247,"context_line":"If none of the URLs match, or if the auth-data does not"},{"line_number":248,"context_line":"contain a role from the set specified by the pattern, validation"},{"line_number":249,"context_line":"fails. The failure path will be similar to a failed token validation."},{"line_number":250,"context_line":""},{"line_number":251,"context_line":"After the token and RBAC validation is completed successfuly, there is"},{"line_number":252,"context_line":"no change to existing processing.  
The auth_token middleware adds"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_13c5788d","line":249,"range":{"start_line":246,"start_character":0,"end_line":249,"end_character":69},"updated":"2016-12-02 00:42:22.000000000","message":"Please assert if it is in-fact the same as a failed token validation or not and/or if it is similar what is different?\n\nIs this cacheable? Does this mean the token is marked invalid. Generally speaking be a little more specific when stating similarity vs asserting this is would in-fact be the same response.","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"cacbed6e356eec330fd7cf22bcd38b8895a7ce96","unresolved":false,"context_lines":[{"line_number":243,"context_line":""},{"line_number":244,"context_line":"Since the token response will have the role \"Member\" which matches the"},{"line_number":245,"context_line":"set of roles: `roles\u003d[\"Member\", \"admin\"]` the validation will succeed."},{"line_number":246,"context_line":""},{"line_number":247,"context_line":"If none of the URLs match, or if the auth-data does not"},{"line_number":248,"context_line":"contain a role from the set specified by the pattern, validation"},{"line_number":249,"context_line":"fails. The failure path will be similar to a failed token validation."},{"line_number":250,"context_line":""},{"line_number":251,"context_line":"After the token and RBAC validation is completed successfuly, there is"},{"line_number":252,"context_line":"no change to existing processing.  
The auth_token middleware adds"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_d3b6a089","line":249,"range":{"start_line":246,"start_character":0,"end_line":249,"end_character":69},"in_reply_to":"3a71b18c_13c5788d","updated":"2016-12-02 00:56:19.000000000","message":"It is the same as a failed token validation.\n\nThe token is not marked as invalid.","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"23f9310deddf7573785cb2d5dc6b8e9b193bb297","unresolved":false,"context_lines":[{"line_number":248,"context_line":"contain a role from the set specified by the pattern, validation"},{"line_number":249,"context_line":"fails. The failure path will be similar to a failed token validation."},{"line_number":250,"context_line":""},{"line_number":251,"context_line":"After the token and RBAC validation is completed successfuly, there is"},{"line_number":252,"context_line":"no change to existing processing.  The auth_token middleware adds"},{"line_number":253,"context_line":"several additional headers to the request and completes. The WSGI"},{"line_number":254,"context_line":"middleware pipeline continues, eventually calling into the Nova server"},{"line_number":255,"context_line":"specific code. 
Inside this code, Nova will call the oslo-policy"},{"line_number":256,"context_line":"library to enforce policy as specified by either the Nova annotations"},{"line_number":257,"context_line":"or the overloads provided in the policy.json or policy.yaml files."},{"line_number":258,"context_line":""},{"line_number":259,"context_line":"Object Schema"},{"line_number":260,"context_line":"--------------"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_33c27486","line":257,"range":{"start_line":251,"start_character":0,"end_line":257,"end_character":66},"updated":"2016-12-02 00:42:22.000000000","message":"So this starts working the same as today. Cool.","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"23f9310deddf7573785cb2d5dc6b8e9b193bb297","unresolved":false,"context_lines":[{"line_number":261,"context_line":""},{"line_number":262,"context_line":"url_pattern"},{"line_number":263,"context_line":"~~~~~~~~~~~"},{"line_number":264,"context_line":"ID: Autogenerated UUID"},{"line_number":265,"context_line":"Service: Indexable String, matches the values from the service catalog"},{"line_number":266,"context_line":"URL_Pattern: Long String (\u003e255 chars) that contains the patterns."},{"line_number":267,"context_line":"role_id: UUID index to the role table"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_d35860fd","line":264,"updated":"2016-12-02 00:42:22.000000000","message":"If this is consumable externally (an actual resource a user references), UUID is fine. 
If it is meant for internal-only consumption, make this an auto-inc INT as a PK.","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"cacbed6e356eec330fd7cf22bcd38b8895a7ce96","unresolved":false,"context_lines":[{"line_number":261,"context_line":""},{"line_number":262,"context_line":"url_pattern"},{"line_number":263,"context_line":"~~~~~~~~~~~"},{"line_number":264,"context_line":"ID: Autogenerated UUID"},{"line_number":265,"context_line":"Service: Indexable String, matches the values from the service catalog"},{"line_number":266,"context_line":"URL_Pattern: Long String (\u003e255 chars) that contains the patterns."},{"line_number":267,"context_line":"role_id: UUID index to the role table"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_9318a886","line":264,"in_reply_to":"3a71b18c_d35860fd","updated":"2016-12-02 00:56:19.000000000","message":"Will be used for modification, so you can change the ROle associated with an URL + Verb","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"23f9310deddf7573785cb2d5dc6b8e9b193bb297","unresolved":false,"context_lines":[{"line_number":264,"context_line":"ID: Autogenerated UUID"},{"line_number":265,"context_line":"Service: Indexable String, matches the values from the service catalog"},{"line_number":266,"context_line":"URL_Pattern: Long String (\u003e255 chars) that contains the patterns."},{"line_number":267,"context_line":"role_id: UUID index to the role table"},{"line_number":268,"context_line":"admin_project_only: Boolean"},{"line_number":269,"context_line":""},{"line_number":270,"context_line":"Additional Details"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_134c9841","line":267,"updated":"2016-12-02 
00:42:22.000000000","message":"role_id? or role_name? We only *ever* reference roles by names in tokens. Or is this meant to be the keystone-internal object.\n\nIf this is *ever* to be consumed by an external user, use role_names not role_ids, or at least make sure to display the role-name.","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"cacbed6e356eec330fd7cf22bcd38b8895a7ce96","unresolved":false,"context_lines":[{"line_number":264,"context_line":"ID: Autogenerated UUID"},{"line_number":265,"context_line":"Service: Indexable String, matches the values from the service catalog"},{"line_number":266,"context_line":"URL_Pattern: Long String (\u003e255 chars) that contains the patterns."},{"line_number":267,"context_line":"role_id: UUID index to the role table"},{"line_number":268,"context_line":"admin_project_only: Boolean"},{"line_number":269,"context_line":""},{"line_number":270,"context_line":"Additional Details"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_f35f1c70","line":267,"in_reply_to":"3a71b18c_134c9841","updated":"2016-12-02 00:56:19.000000000","message":"this is the Keystone internal data object.","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"23f9310deddf7573785cb2d5dc6b8e9b193bb297","unresolved":false,"context_lines":[{"line_number":502,"context_line":"the remote server, there should be minimal impact on the Keystone side"},{"line_number":503,"context_line":"due to database lookups."},{"line_number":504,"context_line":""},{"line_number":505,"context_line":"Evaluating the rules would require a linear match, much the same way"},{"line_number":506,"context_line":"that a router does in Keystone. 
The longer the set of roles, the"},{"line_number":507,"context_line":"longer it will take to match. More complex matching schemes based on"},{"line_number":508,"context_line":"the URL patterns can potentially optimize this if it proves to be a"},{"line_number":509,"context_line":"problem."},{"line_number":510,"context_line":""},{"line_number":511,"context_line":"One positive impact is that, for tokens without valid roles, code that"},{"line_number":512,"context_line":"would have, in previous cases, called into the database layer of the"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_530450bf","line":509,"range":{"start_line":505,"start_character":0,"end_line":509,"end_character":8},"updated":"2016-12-02 00:42:22.000000000","message":"Depending on the size of the block of rules, there are optimizations we can approach for this. The idea is to specify how large a list of rules we expect this to actually be for a service.","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"cacbed6e356eec330fd7cf22bcd38b8895a7ce96","unresolved":false,"context_lines":[{"line_number":502,"context_line":"the remote server, there should be minimal impact on the Keystone side"},{"line_number":503,"context_line":"due to database lookups."},{"line_number":504,"context_line":""},{"line_number":505,"context_line":"Evaluating the rules would require a linear match, much the same way"},{"line_number":506,"context_line":"that a router does in Keystone. The longer the set of roles, the"},{"line_number":507,"context_line":"longer it will take to match. 
More complex matching schemes based on"},{"line_number":508,"context_line":"the URL patterns can potentially optimize this if it proves to be a"},{"line_number":509,"context_line":"problem."},{"line_number":510,"context_line":""},{"line_number":511,"context_line":"One positive impact is that, for tokens without valid roles, code that"},{"line_number":512,"context_line":"would have, in previous cases, called into the database layer of the"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_d36dc005","line":509,"range":{"start_line":505,"start_character":0,"end_line":509,"end_character":8},"in_reply_to":"3a71b18c_530450bf","updated":"2016-12-02 00:56:19.000000000","message":"there are 250 rules for Keystone and Nova today, if we do not fold the \"Verbs\" under one rule.  We\u0027ll probably have a bit lower than that, as POST and DELETE are usually covered by the same Role.","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"23f9310deddf7573785cb2d5dc6b8e9b193bb297","unresolved":false,"context_lines":[{"line_number":564,"context_line":"      \u0027role\u0027: \u0027reader\u0027"},{"line_number":565,"context_line":"      },"},{"line_number":566,"context_line":"  }"},{"line_number":567,"context_line":""},{"line_number":568,"context_line":""},{"line_number":569,"context_line":"Developer Impact"},{"line_number":570,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_73186c1e","line":567,"updated":"2016-12-02 00:42:22.000000000","message":"Highly recommend adding an easy-to-use keystone-manage cmd for initial population (during bootstrap). 
Not a requirement though.","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"fc022ede0a84d073b9535b7ae6de703f9bd5f1a4","unresolved":false,"context_lines":[{"line_number":564,"context_line":"      \u0027role\u0027: \u0027reader\u0027"},{"line_number":565,"context_line":"      },"},{"line_number":566,"context_line":"  }"},{"line_number":567,"context_line":""},{"line_number":568,"context_line":""},{"line_number":569,"context_line":"Developer Impact"},{"line_number":570,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_1ead7fe9","line":567,"in_reply_to":"3a71b18c_337514cb","updated":"2016-12-02 01:02:26.000000000","message":"As discussed in IRC the default should be something akin to:\n\n  \"ANY\" \"ANY\" \"\u003crole\u003e\"\n\nThe use of \"ANY\" over \"ALL\" or \"DEFAULT","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"cacbed6e356eec330fd7cf22bcd38b8895a7ce96","unresolved":false,"context_lines":[{"line_number":564,"context_line":"      \u0027role\u0027: \u0027reader\u0027"},{"line_number":565,"context_line":"      },"},{"line_number":566,"context_line":"  }"},{"line_number":567,"context_line":""},{"line_number":568,"context_line":""},{"line_number":569,"context_line":"Developer Impact"},{"line_number":570,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":14,"id":"3a71b18c_337514cb","line":567,"in_reply_to":"3a71b18c_73186c1e","updated":"2016-12-02 00:56:19.000000000","message":"We might want to just populate the Defaults.","commit_id":"fdb50926eeaa962d553efe3d32f878c62aeb8e69"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"562b1dffe48f0c67bdf4ab75360a32ba2672db41","unresolved":false,"context_lines":[{"line_number":20,"context_line":"The goals:"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":" * Allow operator assignment of the roles to operations"},{"line_number":23,"context_line":" * Provide a means to report what role is required for an operation"},{"line_number":24,"context_line":" * Allow fine grained delegations down to individual operations"},{"line_number":25,"context_line":""},{"line_number":26,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_458214c9","line":23,"updated":"2016-12-06 23:11:53.000000000","message":"via the API, right?","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":20,"context_line":"The goals:"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":" * Allow operator assignment of the roles to operations"},{"line_number":23,"context_line":" * Provide a means to report what role is required for an operation"},{"line_number":24,"context_line":" * Allow fine grained delegations down to individual operations"},{"line_number":25,"context_line":""},{"line_number":26,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_4071f4df","line":23,"in_reply_to":"3a71b18c_458214c9","updated":"2016-12-07 19:04:12.000000000","message":"the goal is to make it possible.  
THe method is via the API.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"562b1dffe48f0c67bdf4ab75360a32ba2672db41","unresolved":false,"context_lines":[{"line_number":27,"context_line":"Problem Description"},{"line_number":28,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"The authorization data associated with Keystone tokens contains a set"},{"line_number":31,"context_line":"of roles that can be used to enforce access control. This is a"},{"line_number":32,"context_line":"departure from the NIST definition of Role Based Access Control"},{"line_number":33,"context_line":"in that the roles are repeated, and scoped to the projects. A user"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_a57a0822","line":30,"updated":"2016-12-06 23:11:53.000000000","message":"Porting David\u0027s comment from patch set 11:\n\n\nLet\u0027s say, for example, that we want to protect \u0027identity:get_credential\u0027 in keystone using this new model (I don\u0027t know the URL offhand). What is in the new keystone API vs. the service policy file? I want admin to be able to get any credential (ignore security implications here) and users to be able to get their own. 
Like our \u0027admin_or_owner\u0027 rule.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":27,"context_line":"Problem Description"},{"line_number":28,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"The authorization data associated with Keystone tokens contains a set"},{"line_number":31,"context_line":"of roles that can be used to enforce access control. This is a"},{"line_number":32,"context_line":"departure from the NIST definition of Role Based Access Control"},{"line_number":33,"context_line":"in that the roles are repeated, and scoped to the projects. A user"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_605d1048","line":30,"in_reply_to":"3a71b18c_a57a0822","updated":"2016-12-07 19:04:12.000000000","message":"That one would not benefit from additional RBAC, as it is doing ABAC on the user ID.  That has to be done in oslo-policuy check, as you need the credential from the database to make the check.  If we wanted that to be performed with an unscoped token, we would have to exempt it from the middleware check.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"562b1dffe48f0c67bdf4ab75360a32ba2672db41","unresolved":false,"context_lines":[{"line_number":54,"context_line":"work within the restrictions of a distributed development model. Any"},{"line_number":55,"context_line":"approach which requires changes to every project has little to no"},{"line_number":56,"context_line":"chance of succeeding. 
Thus, RBAC enforcement needs to be encapsulated"},{"line_number":57,"context_line":"with Keystone and Keystonemiddleware. However, the full policy check"},{"line_number":58,"context_line":"as performed by policy.json and oslo-policy is embedded deep within"},{"line_number":59,"context_line":"the code of each project, due primarily to the need to fetch a record"},{"line_number":60,"context_line":"from a database to check attributes."}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_05f1fc6a","line":57,"updated":"2016-12-06 23:11:53.000000000","message":"I\u0027m not sure this needs to be encapsulated within keystone. The main problem I just read has to do with policy administration, which can be solved by pulling all the things into keystone, but that\u0027s probably a heavy-handed approach.\n\nAn elegant policy administration solution coupled with keeping policy decision and enforcement at the endpoint would technically solve our problem. Centralizing RBAC enforcement in keystone is but one way to do that.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":54,"context_line":"work within the restrictions of a distributed development model. Any"},{"line_number":55,"context_line":"approach which requires changes to every project has little to no"},{"line_number":56,"context_line":"chance of succeeding. Thus, RBAC enforcement needs to be encapsulated"},{"line_number":57,"context_line":"with Keystone and Keystonemiddleware. 
However, the full policy check"},{"line_number":58,"context_line":"as performed by policy.json and oslo-policy is embedded deep within"},{"line_number":59,"context_line":"the code of each project, due primarily to the need to fetch a record"},{"line_number":60,"context_line":"from a database to check attributes."}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_a02e48a3","line":57,"in_reply_to":"3a71b18c_05f1fc6a","updated":"2016-12-07 19:04:12.000000000","message":"It has to be within Keystone for consistency.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"0e3f36ea1572e3f345fe1dcd89b61b5a5372c966","unresolved":false,"context_lines":[{"line_number":54,"context_line":"work within the restrictions of a distributed development model. Any"},{"line_number":55,"context_line":"approach which requires changes to every project has little to no"},{"line_number":56,"context_line":"chance of succeeding. Thus, RBAC enforcement needs to be encapsulated"},{"line_number":57,"context_line":"with Keystone and Keystonemiddleware. 
However, the full policy check"},{"line_number":58,"context_line":"as performed by policy.json and oslo-policy is embedded deep within"},{"line_number":59,"context_line":"the code of each project, due primarily to the need to fetch a record"},{"line_number":60,"context_line":"from a database to check attributes."}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_6186ef14","line":57,"in_reply_to":"3a71b18c_a02e48a3","updated":"2016-12-07 21:48:48.000000000","message":"Why?","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"562b1dffe48f0c67bdf4ab75360a32ba2672db41","unresolved":false,"context_lines":[{"line_number":57,"context_line":"with Keystone and Keystonemiddleware. However, the full policy check"},{"line_number":58,"context_line":"as performed by policy.json and oslo-policy is embedded deep within"},{"line_number":59,"context_line":"the code of each project, due primarily to the need to fetch a record"},{"line_number":60,"context_line":"from a database to check attributes."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"When looking at most of the policy files, they either check that the"},{"line_number":63,"context_line":"user has the admin role, or that the user has any role on the"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_a5ae882b","line":60,"updated":"2016-12-06 23:11:53.000000000","message":"An example here would help a lot.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":57,"context_line":"with Keystone and Keystonemiddleware. 
However, the full policy check"},{"line_number":58,"context_line":"as performed by policy.json and oslo-policy is embedded deep within"},{"line_number":59,"context_line":"the code of each project, due primarily to the need to fetch a record"},{"line_number":60,"context_line":"from a database to check attributes."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"When looking at most of the policy files, they either check that the"},{"line_number":63,"context_line":"user has the admin role, or that the user has any role on the"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_c002640b","line":60,"in_reply_to":"3a71b18c_a5ae882b","updated":"2016-12-07 19:04:12.000000000","message":"example is further down in the doc.  It breaks up the flow here, as it is implementation details and code example.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"562b1dffe48f0c67bdf4ab75360a32ba2672db41","unresolved":false,"context_lines":[{"line_number":61,"context_line":""},{"line_number":62,"context_line":"When looking at most of the policy files, they either check that the"},{"line_number":63,"context_line":"user has the admin role, or that the user has any role on the"},{"line_number":64,"context_line":"project. The matching logic in the policy.json rules are very specific"},{"line_number":65,"context_line":"to each of the projects. There is little reason to modify this part"},{"line_number":66,"context_line":"of the policy. 
In fact, doing so might break deployments upon update."},{"line_number":67,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_85618c07","line":64,"updated":"2016-12-06 23:11:53.000000000","message":"Or - that the user is the actual owner of the resource.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":61,"context_line":""},{"line_number":62,"context_line":"When looking at most of the policy files, they either check that the"},{"line_number":63,"context_line":"user has the admin role, or that the user has any role on the"},{"line_number":64,"context_line":"project. The matching logic in the policy.json rules are very specific"},{"line_number":65,"context_line":"to each of the projects. There is little reason to modify this part"},{"line_number":66,"context_line":"of the policy. In fact, doing so might break deployments upon update."},{"line_number":67,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_db2415b4","line":64,"in_reply_to":"3a71b18c_85618c07","updated":"2016-12-07 19:04:12.000000000","message":"That is not the norm.  Only Keystone and Barbican do that.  Swift used to, and backed off it.  In general, it is an anti-pattern, but I don\u0027t want to derail this spec discussing that.  
Suffice to say, this spec is not attempting to addres those use cases, but will not break them.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"562b1dffe48f0c67bdf4ab75360a32ba2672db41","unresolved":false,"context_lines":[{"line_number":68,"context_line":"It would be possible to have an additional call to oslo-policy"},{"line_number":69,"context_line":"from keystonemiddleware to check only the roles. However, that leaves"},{"line_number":70,"context_line":"additional questions unsolved: how do we make the role checks easily"},{"line_number":71,"context_line":"editable, but still distributed to all of the services?"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"The RBAC check does not require the same information required for the"},{"line_number":74,"context_line":"scope check. While the scope check requires attributes off a resource"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_d7289788","line":71,"updated":"2016-12-06 23:11:53.000000000","message":"^ that\u0027s the million dollar question.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":68,"context_line":"It would be possible to have an additional call to oslo-policy"},{"line_number":69,"context_line":"from keystonemiddleware to check only the roles. 
However, that leaves"},{"line_number":70,"context_line":"additional questions unsolved: how do we make the role checks easily"},{"line_number":71,"context_line":"editable, but still distributed to all of the services?"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"The RBAC check does not require the same information required for the"},{"line_number":74,"context_line":"scope check. While the scope check requires attributes off a resource"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_7b36a1e8","line":71,"in_reply_to":"3a71b18c_d7289788","updated":"2016-12-07 19:04:12.000000000","message":"I\u0027ll take payment in small, unmarked, non-sequential Candian bills.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"cdfe5d6bb980bf2f7d493c2b5a47e074de75c199","unresolved":false,"context_lines":[{"line_number":86,"context_line":"Overview"},{"line_number":87,"context_line":"--------"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"Perform a Role check in keystonemiddelware after the token validation"},{"line_number":90,"context_line":"by using a set pf access rules that map from VERB + URL Patterns to a"},{"line_number":91,"context_line":"role."},{"line_number":92,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_b375f632","line":89,"range":{"start_line":89,"start_character":24,"end_line":89,"end_character":42},"updated":"2016-12-06 20:21:51.000000000","message":"middleware*","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":6482,"name":"Steve 
Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"cdfe5d6bb980bf2f7d493c2b5a47e074de75c199","unresolved":false,"context_lines":[{"line_number":86,"context_line":"Overview"},{"line_number":87,"context_line":"--------"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"Perform a Role check in keystonemiddelware after the token validation"},{"line_number":90,"context_line":"by using a set pf access rules that map from VERB + URL Patterns to a"},{"line_number":91,"context_line":"role."},{"line_number":92,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_f3912e48","line":89,"range":{"start_line":89,"start_character":10,"end_line":89,"end_character":14},"updated":"2016-12-06 20:21:51.000000000","message":"role*","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":86,"context_line":"Overview"},{"line_number":87,"context_line":"--------"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"Perform a Role check in keystonemiddelware after the token validation"},{"line_number":90,"context_line":"by using a set pf access rules that map from VERB + URL Patterns to a"},{"line_number":91,"context_line":"role."},{"line_number":92,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_002ffcf6","line":89,"range":{"start_line":89,"start_character":24,"end_line":89,"end_character":42},"in_reply_to":"3a71b18c_b375f632","updated":"2016-12-07 19:04:12.000000000","message":"Done","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":6482,"name":"Steve 
Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"cdfe5d6bb980bf2f7d493c2b5a47e074de75c199","unresolved":false,"context_lines":[{"line_number":87,"context_line":"--------"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"Perform a Role check in keystonemiddelware after the token validation"},{"line_number":90,"context_line":"by using a set pf access rules that map from VERB + URL Patterns to a"},{"line_number":91,"context_line":"role."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":"The RBAC check happens  before keystonemiddleware passes control to"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_13a78abd","line":90,"range":{"start_line":90,"start_character":15,"end_line":90,"end_character":17},"updated":"2016-12-06 20:21:51.000000000","message":"of","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":87,"context_line":"--------"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"Perform a Role check in keystonemiddelware after the token validation"},{"line_number":90,"context_line":"by using a set pf access rules that map from VERB + URL Patterns to a"},{"line_number":91,"context_line":"role."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":"The RBAC check happens  before keystonemiddleware passes control to"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_4039f440","line":90,"range":{"start_line":90,"start_character":15,"end_line":90,"end_character":17},"in_reply_to":"3a71b18c_13a78abd","updated":"2016-12-07 19:04:12.000000000","message":"Done","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"562b1dffe48f0c67bdf4ab75360a32ba2672db41","unresolved":false,"context_lines":[{"line_number":88,"context_line":""},{"line_number":89,"context_line":"Perform a Role check in keystonemiddelware after the token validation"},{"line_number":90,"context_line":"by using a set pf access rules that map from VERB + URL Patterns to a"},{"line_number":91,"context_line":"role."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":"The RBAC check happens  before keystonemiddleware passes control to"},{"line_number":94,"context_line":"the service specific code. Leave the current oslo-policy based access"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_97337ff5","line":91,"updated":"2016-12-06 23:11:53.000000000","message":"roles*","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":88,"context_line":""},{"line_number":89,"context_line":"Perform a Role check in keystonemiddelware after the token validation"},{"line_number":90,"context_line":"by using a set pf access rules that map from VERB + URL Patterns to a"},{"line_number":91,"context_line":"role."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":"The RBAC check happens  before keystonemiddleware passes control to"},{"line_number":94,"context_line":"the service specific code. Leave the current oslo-policy based access"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_e01040ae","line":91,"in_reply_to":"3a71b18c_97337ff5","updated":"2016-12-07 19:04:12.000000000","message":"No, singular.  Implied roles explans the list.  
I\u0027ll make that explicit.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"cdfe5d6bb980bf2f7d493c2b5a47e074de75c199","unresolved":false,"context_lines":[{"line_number":90,"context_line":"by using a set pf access rules that map from VERB + URL Patterns to a"},{"line_number":91,"context_line":"role."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":"The RBAC check happens  before keystonemiddleware passes control to"},{"line_number":94,"context_line":"the service specific code. Leave the current oslo-policy based access"},{"line_number":95,"context_line":"checks in place, using the existing policy.json files. This leads to a"},{"line_number":96,"context_line":"separation of concerns: Middleware enforces the role check, source"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_93939a5a","line":93,"range":{"start_line":93,"start_character":22,"end_line":93,"end_character":24},"updated":"2016-12-06 20:21:51.000000000","message":"double space","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":90,"context_line":"by using a set pf access rules that map from VERB + URL Patterns to a"},{"line_number":91,"context_line":"role."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":"The RBAC check happens  before keystonemiddleware passes control to"},{"line_number":94,"context_line":"the service specific code. Leave the current oslo-policy based access"},{"line_number":95,"context_line":"checks in place, using the existing policy.json files. 
This leads to a"},{"line_number":96,"context_line":"separation of concerns: Middleware enforces the role check, source"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_40d574b7","line":93,"range":{"start_line":93,"start_character":22,"end_line":93,"end_character":24},"in_reply_to":"3a71b18c_93939a5a","updated":"2016-12-07 19:04:12.000000000","message":"Done","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"562b1dffe48f0c67bdf4ab75360a32ba2672db41","unresolved":false,"context_lines":[{"line_number":92,"context_line":""},{"line_number":93,"context_line":"The RBAC check happens  before keystonemiddleware passes control to"},{"line_number":94,"context_line":"the service specific code. Leave the current oslo-policy based access"},{"line_number":95,"context_line":"checks in place, using the existing policy.json files. This leads to a"},{"line_number":96,"context_line":"separation of concerns: Middleware enforces the role check, source"},{"line_number":97,"context_line":"code enforces the scope check."},{"line_number":98,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_97bd3f04","line":95,"updated":"2016-12-06 23:11:53.000000000","message":"What happens in the case where you have an admin_or_owner rule? Let\u0027s say I\u0027m the owner of the resource I am operating on, but I don\u0027t have the admin role. What happens at the RBAC check? Based on the description of Scoped RBAC, I would assume the RBAC check to fail because I don\u0027t have the \u0027admin\u0027 role. But, I *am* the resource owner, which is a now separate check done at a different time by a different piece of software. 
Technically, if I am the owner of the resource I should be allowed to access it, but if the RBAC check fails before the \"ownership\" is checked, does the whole request fail?\n\nAs a deployer, how do I go about building policy rules that consist of both types of checks? Am I still required to update policy.json files and the keystone API?","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"0e3f36ea1572e3f345fe1dcd89b61b5a5372c966","unresolved":false,"context_lines":[{"line_number":92,"context_line":""},{"line_number":93,"context_line":"The RBAC check happens  before keystonemiddleware passes control to"},{"line_number":94,"context_line":"the service specific code. Leave the current oslo-policy based access"},{"line_number":95,"context_line":"checks in place, using the existing policy.json files. This leads to a"},{"line_number":96,"context_line":"separation of concerns: Middleware enforces the role check, source"},{"line_number":97,"context_line":"code enforces the scope check."},{"line_number":98,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_5c2478ae","line":95,"in_reply_to":"3a71b18c_0993af50","updated":"2016-12-07 21:48:48.000000000","message":"Exactly - for cases where we want to enforce owner \u003d\u003d user.id we are required to make the RBAC check pass in order to enforce the ABAC check. This makes for terrible user-experience if a specific role is removed from a user that happens to be the owner of something. 
The ABAC check breaks because we did something unrelated to the policy for it.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":92,"context_line":""},{"line_number":93,"context_line":"The RBAC check happens  before keystonemiddleware passes control to"},{"line_number":94,"context_line":"the service specific code. Leave the current oslo-policy based access"},{"line_number":95,"context_line":"checks in place, using the existing policy.json files. This leads to a"},{"line_number":96,"context_line":"separation of concerns: Middleware enforces the role check, source"},{"line_number":97,"context_line":"code enforces the scope check."},{"line_number":98,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_0993af50","line":95,"in_reply_to":"3a71b18c_97bd3f04","updated":"2016-12-07 19:04:12.000000000","message":"admin_or_owner will still pass.  3 cases ( I think)\n\nA. admin role on admin project\nB. admin role on resource\u0027s project \nC. member role on resource\u0027s project\n\nAdmin -\u003e Member means that any of these roles will pass the RBAC check in middleware.\n\nA. policy will enforce on is_admin/admin project as the override, and that will pass\n\nB \u0026 C. policy will enforce that the role is a supported role, and the project matches\n\nFor the keystone cases where \"owner\" means that the user id needs to match, the policy check that currently is in force will still be in force.  
That check will still be done in oslo-policy, not RBAC.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"cdfe5d6bb980bf2f7d493c2b5a47e074de75c199","unresolved":false,"context_lines":[{"line_number":99,"context_line":""},{"line_number":100,"context_line":"The following changes are required to enable the RBAC check:"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"  * Create an entity in the resource backend for URL Patterns that"},{"line_number":103,"context_line":"    contain"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"    - the service name"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_933d5a2d","line":102,"range":{"start_line":102,"start_character":28,"end_line":102,"end_character":36},"updated":"2016-12-06 20:21:51.000000000","message":"i\u0027d prefer this go in it\u0027s own backend, no need to trample on resource","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":99,"context_line":""},{"line_number":100,"context_line":"The following changes are required to enable the RBAC check:"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"  * Create an entity in the resource backend for URL Patterns that"},{"line_number":103,"context_line":"    contain"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"    - the service name"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_20e6b8e8","line":102,"range":{"start_line":102,"start_character":28,"end_line":102,"end_character":36},"in_reply_to":"3a71b18c_933d5a2d","updated":"2016-12-07 19:04:12.000000000","message":"It belongs 
in resource.  Specifically, it belongs with the role backend.  There should be a referential intergrity constraint between an API and a  role, or we have breakage.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"562b1dffe48f0c67bdf4ab75360a32ba2672db41","unresolved":false,"context_lines":[{"line_number":110,"context_line":""},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"  * Create an entity in the resource backend for linking from a role"},{"line_number":113,"context_line":"    to an URL pattern."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"  * Create an API for upload and modification of URL patterns, to"},{"line_number":116,"context_line":"    include bulk upload per service."}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_e5a7a0a4","line":113,"updated":"2016-12-06 23:11:53.000000000","message":"Porting David\u0027s comment from patch set 11:\n\nHow do these get updated? For example, when nova is upgraded will it also have to have an update-keystone script? 
What happens to customizations and will it be easy to discover new things before deploying?","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"0e3f36ea1572e3f345fe1dcd89b61b5a5372c966","unresolved":false,"context_lines":[{"line_number":110,"context_line":""},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"  * Create an entity in the resource backend for linking from a role"},{"line_number":113,"context_line":"    to an URL pattern."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"  * Create an API for upload and modification of URL patterns, to"},{"line_number":116,"context_line":"    include bulk upload per service."}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_fcce24b6","line":113,"in_reply_to":"3a71b18c_e0b4c0d5","updated":"2016-12-07 21:48:48.000000000","message":"I have a feeling this will make it even harder to change policy. We\u0027re duplicating it in multiple places. 
I\u0027d like to have operators weigh in on this.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":110,"context_line":""},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"  * Create an entity in the resource backend for linking from a role"},{"line_number":113,"context_line":"    to an URL pattern."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"  * Create an API for upload and modification of URL patterns, to"},{"line_number":116,"context_line":"    include bulk upload per service."}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_e0b4c0d5","line":113,"in_reply_to":"3a71b18c_e5a7a0a4","updated":"2016-12-07 19:04:12.000000000","message":"The defaults will continue to cover new APIs, so there will be nothing uncovered.  Adding in a new API will require a merge process.  I think that this will be possible with the currently spec\u0027ed API.  If this proves insufficient, we can build a diff/patch approach.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"cdfe5d6bb980bf2f7d493c2b5a47e074de75c199","unresolved":false,"context_lines":[{"line_number":128,"context_line":"  * Create instances via the above API that map the above values"},{"line_number":129,"context_line":"    to a role ID."},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"  * Perform a Role check in keystonemiddelware after the token validation"},{"line_number":132,"context_line":"    that uses the role to URL Pattern mappings to ensure that the user"},{"line_number":133,"context_line":"    has the mapped role.  
Roles will be expanded via the role"},{"line_number":134,"context_line":"    inference rules."}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_936b9a1d","line":131,"range":{"start_line":131,"start_character":28,"end_line":131,"end_character":46},"updated":"2016-12-06 20:21:51.000000000","message":"keystonemiddleware*","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":128,"context_line":"  * Create instances via the above API that map the above values"},{"line_number":129,"context_line":"    to a role ID."},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"  * Perform a Role check in keystonemiddelware after the token validation"},{"line_number":132,"context_line":"    that uses the role to URL Pattern mappings to ensure that the user"},{"line_number":133,"context_line":"    has the mapped role.  
Roles will be expanded via the role"},{"line_number":134,"context_line":"    inference rules."}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_60da70eb","line":131,"range":{"start_line":131,"start_character":28,"end_line":131,"end_character":46},"in_reply_to":"3a71b18c_936b9a1d","updated":"2016-12-07 19:04:12.000000000","message":"Done","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"562b1dffe48f0c67bdf4ab75360a32ba2672db41","unresolved":false,"context_lines":[{"line_number":144,"context_line":""},{"line_number":145,"context_line":"   curl -H \"X-Auth-Token: adb5c708a55f\" \\"},{"line_number":146,"context_line":"     -H \"Content-type: application/json\" \\"},{"line_number":147,"context_line":"     PUT https://nova1:8774:/v2.1/2497f6/servers/83cbdc \\"},{"line_number":148,"context_line":"     -d @new_values.json"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"With the body of the request inside the @new_values.json file."}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_a5c84856","line":147,"updated":"2016-12-06 23:11:53.000000000","message":"Porting David\u0027s comment from patch set 11: \n\n\nAre there spaces here?","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":144,"context_line":""},{"line_number":145,"context_line":"   curl -H \"X-Auth-Token: adb5c708a55f\" \\"},{"line_number":146,"context_line":"     -H \"Content-type: application/json\" \\"},{"line_number":147,"context_line":"     PUT https://nova1:8774:/v2.1/2497f6/servers/83cbdc \\"},{"line_number":148,"context_line":"     -d 
@new_values.json"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"With the body of the request inside the @new_values.json file."}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_008c5c34","line":147,"in_reply_to":"3a71b18c_a5c84856","updated":"2016-12-07 19:04:12.000000000","message":"They has snuck in as a copy/paste error somethow, and were removed.  THere are some like it below, that show up as red dots.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"562b1dffe48f0c67bdf4ab75360a32ba2672db41","unresolved":false,"context_lines":[{"line_number":188,"context_line":""},{"line_number":189,"context_line":"   {"},{"line_number":190,"context_line":"      \u0027service\u0027: \u0027compute\u0027,"},{"line_number":191,"context_line":"      \u0027access_rules\u0027: ["},{"line_number":192,"context_line":"         {"},{"line_number":193,"context_line":"            verbs\u003d[\"GET\", \"POST\"],"},{"line_number":194,"context_line":"            pattern\u003d\"/servers/{server_id}/action\","}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_65e9d0b6","line":191,"updated":"2016-12-06 23:11:53.000000000","message":"Porting David\u0027s comment from patch set 11: \n\n\nThis gets a bit down into the implementation, but I wish that the middleware could preprocess this into a dictionary for fast lookup. 
You don\u0027t want to be scanning a potentially long list for every request, but I realize in the current design we can\u0027t do that.\n{url: {verb: [roles, admin_project_only]}}","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":188,"context_line":""},{"line_number":189,"context_line":"   {"},{"line_number":190,"context_line":"      \u0027service\u0027: \u0027compute\u0027,"},{"line_number":191,"context_line":"      \u0027access_rules\u0027: ["},{"line_number":192,"context_line":"         {"},{"line_number":193,"context_line":"            verbs\u003d[\"GET\", \"POST\"],"},{"line_number":194,"context_line":"            pattern\u003d\"/servers/{server_id}/action\","}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_20aa3886","line":191,"in_reply_to":"3a71b18c_65e9d0b6","updated":"2016-12-07 19:04:12.000000000","message":"There is nothing in this spec that would prevent that, but let\u0027s see first if it is necessary.  Premature optimization at this point.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"562b1dffe48f0c67bdf4ab75360a32ba2672db41","unresolved":false,"context_lines":[{"line_number":219,"context_line":"~~~~~~~~~~"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"For this example, we will specify that the expansion of role"},{"line_number":222,"context_line":"inference rules in the token response is disabled. 
This will minimize"},{"line_number":223,"context_line":"the token response data size as the number of defined roles increases."},{"line_number":224,"context_line":""},{"line_number":225,"context_line":"keystonemiddleware.auth_token will use python-keystoneclient to make a remote"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_c5f1c496","line":222,"updated":"2016-12-06 23:11:53.000000000","message":"Wait - wasn\u0027t implied roles a requirement for this? I thought the use of implied roles is what made the one-to-many relationship for url_patterns/access_rules possible.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":219,"context_line":"~~~~~~~~~~"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"For this example, we will specify that the expansion of role"},{"line_number":222,"context_line":"inference rules in the token response is disabled. This will minimize"},{"line_number":223,"context_line":"the token response data size as the number of defined roles increases."},{"line_number":224,"context_line":""},{"line_number":225,"context_line":"keystonemiddleware.auth_token will use python-keystoneclient to make a remote"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_9abd3b05","line":222,"in_reply_to":"3a71b18c_c5f1c496","updated":"2016-12-07 19:04:12.000000000","message":"yes, they are essential.  In this case, we are going to say that the calculation of implied roles is done in the RBAC layer, not in the token response.  
It can be done in both, but it is redundant.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":239,"context_line":"attempting a match against each one. The URL remainder above will"},{"line_number":240,"context_line":"match the pattern"},{"line_number":241,"context_line":""},{"line_number":242,"context_line":"GET /v2.1/​{tenant_id}​/servers/​{server_id}​"},{"line_number":243,"context_line":""},{"line_number":244,"context_line":"Since the token response will have the role \"Member\" which matches the"},{"line_number":245,"context_line":"set of roles: `roles\u003d[\"Member\", \"admin\"]` the validation will succeed."}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_da35f3a8","line":242,"updated":"2016-12-07 19:04:12.000000000","message":"spaces snuck un here again...fixed","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"562b1dffe48f0c67bdf4ab75360a32ba2672db41","unresolved":false,"context_lines":[{"line_number":242,"context_line":"GET /v2.1/​{tenant_id}​/servers/​{server_id}​"},{"line_number":243,"context_line":""},{"line_number":244,"context_line":"Since the token response will have the role \"Member\" which matches the"},{"line_number":245,"context_line":"set of roles: `roles\u003d[\"Member\", \"admin\"]` the validation will succeed."},{"line_number":246,"context_line":""},{"line_number":247,"context_line":"If none of the URLs match, or if the auth-data does not"},{"line_number":248,"context_line":"contain a role from the set specified by the pattern, validation"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_d7d5f71b","line":245,"updated":"2016-12-06 
23:11:53.000000000","message":"But the current policy in nova uses the admin_or_owner concept: \n\nhttps://github.com/openstack/nova/blob/d84b04098577f799e378b59059ab529f6a64586c/nova/policies/servers.py#L37\n\nThis check would fail if the user doesn\u0027t have the admin role if the RBAC check happens in middleware before the ownership check.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":242,"context_line":"GET /v2.1/​{tenant_id}​/servers/​{server_id}​"},{"line_number":243,"context_line":""},{"line_number":244,"context_line":"Since the token response will have the role \"Member\" which matches the"},{"line_number":245,"context_line":"set of roles: `roles\u003d[\"Member\", \"admin\"]` the validation will succeed."},{"line_number":246,"context_line":""},{"line_number":247,"context_line":"If none of the URLs match, or if the auth-data does not"},{"line_number":248,"context_line":"contain a role from the set specified by the pattern, validation"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_3a5c27ed","line":245,"in_reply_to":"3a71b18c_d7d5f71b","updated":"2016-12-07 19:04:12.000000000","message":"\"owner\" there just means that the tenantid/projectid matches.  Not that the userid matches.  nothing there would change.","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"cdfe5d6bb980bf2f7d493c2b5a47e074de75c199","unresolved":false,"context_lines":[{"line_number":472,"context_line":""},{"line_number":473,"context_line":""},{"line_number":474,"context_line":"Here is an example"},{"line_number":475,"context_line":".. 
code-block:: bnf"},{"line_number":476,"context_line":""},{"line_number":477,"context_line":"  member -\u003e compute_delete_server"},{"line_number":478,"context_line":"  compute_delete_server -\u003e DELETE /v2.1/​{tenant_id}​/servers/​{server_id}​"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_56a7300a","line":475,"range":{"start_line":475,"start_character":16,"end_line":475,"end_character":19},"updated":"2016-12-06 20:21:51.000000000","message":"bnf?","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"ce1984219810ed1f7b87fd170e173d565975a355","unresolved":false,"context_lines":[{"line_number":472,"context_line":""},{"line_number":473,"context_line":""},{"line_number":474,"context_line":"Here is an example"},{"line_number":475,"context_line":".. code-block:: bnf"},{"line_number":476,"context_line":""},{"line_number":477,"context_line":"  member -\u003e compute_delete_server"},{"line_number":478,"context_line":"  compute_delete_server -\u003e DELETE /v2.1/​{tenant_id}​/servers/​{server_id}​"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_900ecc30","line":475,"range":{"start_line":475,"start_character":16,"end_line":475,"end_character":19},"in_reply_to":"3a71b18c_32527cde","updated":"2016-12-08 16:08:41.000000000","message":"Done","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"5595e67f42d8045e7996aae413fb59fdc588b539","unresolved":false,"context_lines":[{"line_number":472,"context_line":""},{"line_number":473,"context_line":""},{"line_number":474,"context_line":"Here is an example"},{"line_number":475,"context_line":".. 
code-block:: bnf"},{"line_number":476,"context_line":""},{"line_number":477,"context_line":"  member -\u003e compute_delete_server"},{"line_number":478,"context_line":"  compute_delete_server -\u003e DELETE /v2.1/​{tenant_id}​/servers/​{server_id}​"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_a0a9e826","line":475,"range":{"start_line":475,"start_character":16,"end_line":475,"end_character":19},"in_reply_to":"3a71b18c_56a7300a","updated":"2016-12-07 19:04:12.000000000","message":"https://en.wikipedia.org/wiki/Backus%E2%80%93Naur_form\n\nFormat for describing languages","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"ae01ebd68d524d5e270bfee3a7ec8a89ea181e4a","unresolved":false,"context_lines":[{"line_number":472,"context_line":""},{"line_number":473,"context_line":""},{"line_number":474,"context_line":"Here is an example"},{"line_number":475,"context_line":".. 
code-block:: bnf"},{"line_number":476,"context_line":""},{"line_number":477,"context_line":"  member -\u003e compute_delete_server"},{"line_number":478,"context_line":"  compute_delete_server -\u003e DELETE /v2.1/​{tenant_id}​/servers/​{server_id}​"}],"source_content_type":"text/x-rst","patch_set":15,"id":"3a71b18c_32527cde","line":475,"range":{"start_line":475,"start_character":16,"end_line":475,"end_character":19},"in_reply_to":"3a71b18c_a0a9e826","updated":"2016-12-08 03:39:20.000000000","message":"i don\u0027t think it\u0027s a supported sphinx code-block, it\u0027s not rendering: http://docs-draft.openstack.org/24/391624/18/check/gate-keystone-specs-docs-ubuntu-xenial/7bc726f//doc/build/html/specs/keystone/ongoing/role-check-from-middleware.html#security-impact\n\nJust use double colons to indicate basic formatting, like this:\n\nHere is an example::\n\n  member -\u003e compute_delete_server\n  compute_delete_server -\u003e DELETE /v2.1/​{tenant_id}​/servers/​{server_id}​","commit_id":"d81a23c542e54c464bdfb862e0d485c2e59e353b"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"bd6571352f0557fd855a37dd7fbd29b3be850c20","unresolved":false,"context_lines":[{"line_number":100,"context_line":""},{"line_number":101,"context_line":"The following changes are required to enable the RBAC check:"},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"  * Create an entity in the resource backend for URL Patterns that"},{"line_number":104,"context_line":"    contain"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"    - the service name"}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_d65da349","line":103,"updated":"2016-12-08 15:41:57.000000000","message":"drop impl detail about which backend.","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam 
Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"93ffd2c14845791ab7f1026bf9ed8583285d2894","unresolved":false,"context_lines":[{"line_number":100,"context_line":""},{"line_number":101,"context_line":"The following changes are required to enable the RBAC check:"},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"  * Create an entity in the resource backend for URL Patterns that"},{"line_number":104,"context_line":"    contain"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"    - the service name"}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_85c9307c","line":103,"in_reply_to":"3a71b18c_d65da349","updated":"2016-12-08 16:08:17.000000000","message":"Done","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"bd6571352f0557fd855a37dd7fbd29b3be850c20","unresolved":false,"context_lines":[{"line_number":181,"context_line":""},{"line_number":182,"context_line":".. code-block:: bash"},{"line_number":183,"context_line":""},{"line_number":184,"context_line":"   GET https://hostname:port/v3/access/service/compute"},{"line_number":185,"context_line":""},{"line_number":186,"context_line":"An example of a subset of the response data is shown below:"},{"line_number":187,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_e2873a10","line":184,"updated":"2016-12-08 15:41:57.000000000","message":"should this be a query param instead?\n\nGET https://hostname:port/v3/api_role?service\u003dcompute","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"93ffd2c14845791ab7f1026bf9ed8583285d2894","unresolved":false,"context_lines":[{"line_number":181,"context_line":""},{"line_number":182,"context_line":".. 
code-block:: bash"},{"line_number":183,"context_line":""},{"line_number":184,"context_line":"   GET https://hostname:port/v3/access/service/compute"},{"line_number":185,"context_line":""},{"line_number":186,"context_line":"An example of a subset of the response data is shown below:"},{"line_number":187,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_a59f0c5e","line":184,"in_reply_to":"3a71b18c_e2873a10","updated":"2016-12-08 16:08:17.000000000","message":"Done","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"bd6571352f0557fd855a37dd7fbd29b3be850c20","unresolved":false,"context_lines":[{"line_number":189,"context_line":""},{"line_number":190,"context_line":"   {"},{"line_number":191,"context_line":"      \u0027service\u0027: \u0027compute\u0027,"},{"line_number":192,"context_line":"      \u0027access_rules\u0027: ["},{"line_number":193,"context_line":"         {"},{"line_number":194,"context_line":"            verbs\u003d[\"GET\", \"POST\"],"},{"line_number":195,"context_line":"            pattern\u003d\"/servers/{server_id}/action\","}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_c2ecfef5","line":192,"updated":"2016-12-08 15:41:57.000000000","message":"api_roles","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"93ffd2c14845791ab7f1026bf9ed8583285d2894","unresolved":false,"context_lines":[{"line_number":189,"context_line":""},{"line_number":190,"context_line":"   {"},{"line_number":191,"context_line":"      \u0027service\u0027: \u0027compute\u0027,"},{"line_number":192,"context_line":"      \u0027access_rules\u0027: ["},{"line_number":193,"context_line":"         {"},{"line_number":194,"context_line":"            verbs\u003d[\"GET\", 
\"POST\"],"},{"line_number":195,"context_line":"            pattern\u003d\"/servers/{server_id}/action\","}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_e5874410","line":192,"in_reply_to":"3a71b18c_c2ecfef5","updated":"2016-12-08 16:08:17.000000000","message":"Done","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"bd6571352f0557fd855a37dd7fbd29b3be850c20","unresolved":false,"context_lines":[{"line_number":233,"context_line":"URL will have been processed by the WSGI pipeline, removing the"},{"line_number":234,"context_line":"Hostname and port. The remainder of the URL will most likely start"},{"line_number":235,"context_line":"with the version information in the pattern /v[0-9.]*/."},{"line_number":236,"context_line":"In our example, this leaves: `/v2.1/2497f6​/servers/​83cbdc`."},{"line_number":237,"context_line":"The pattern matching will be run against this sub-url."},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"keystonemiddleware will iterate through the set of access_rules,"}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_761ccf77","line":236,"updated":"2016-12-08 15:41:57.000000000","message":"stray whitespace","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"93ffd2c14845791ab7f1026bf9ed8583285d2894","unresolved":false,"context_lines":[{"line_number":233,"context_line":"URL will have been processed by the WSGI pipeline, removing the"},{"line_number":234,"context_line":"Hostname and port. 
The remainder of the URL will most likely start"},{"line_number":235,"context_line":"with the version information in the pattern /v[0-9.]*/."},{"line_number":236,"context_line":"In our example, this leaves: `/v2.1/2497f6​/servers/​83cbdc`."},{"line_number":237,"context_line":"The pattern matching will be run against this sub-url."},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"keystonemiddleware will iterate through the set of access_rules,"}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_25993c6f","line":236,"in_reply_to":"3a71b18c_761ccf77","updated":"2016-12-08 16:08:17.000000000","message":"Done","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"bd6571352f0557fd855a37dd7fbd29b3be850c20","unresolved":false,"context_lines":[{"line_number":240,"context_line":"attempting a match against each one. The URL remainder above will"},{"line_number":241,"context_line":"match the pattern"},{"line_number":242,"context_line":""},{"line_number":243,"context_line":"GET /v2.1/{tenant_id}/servers/{server_id}​"},{"line_number":244,"context_line":""},{"line_number":245,"context_line":"Since the token response will have the role \"Member\" which matches the"},{"line_number":246,"context_line":"set of roles: `roles\u003d[\"Member\", \"admin\"]` the validation will succeed."}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_d624c3c7","line":243,"updated":"2016-12-08 15:41:57.000000000","message":"stray whitespace","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"bd6571352f0557fd855a37dd7fbd29b3be850c20","unresolved":false,"context_lines":[{"line_number":261,"context_line":"--------------"},{"line_number":262,"context_line":"The new entity stored in the database would 
have the following layout."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"access_rule"},{"line_number":265,"context_line":"~~~~~~~~~~~~~~~"},{"line_number":266,"context_line":"ID: Autogenerated UUID"},{"line_number":267,"context_line":"Service: Indexable String, matches the values from the service catalog"}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_16063b20","line":264,"updated":"2016-12-08 15:41:57.000000000","message":"change to `api_role`","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"bd6571352f0557fd855a37dd7fbd29b3be850c20","unresolved":false,"context_lines":[{"line_number":291,"context_line":"    { pattern: \"/v\", verb: \"GET\" role: \"None\"}"},{"line_number":292,"context_line":"    { pattern: \"/v3\", verb: \"GET\" role: \"None\"}"},{"line_number":293,"context_line":""},{"line_number":294,"context_line":"The initial rule is that APIs require the `Member` rule. 
However, once"},{"line_number":295,"context_line":"appropriate hardening has been performed, this default should be set"},{"line_number":296,"context_line":"to the `admin` role instead."},{"line_number":297,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_22ddb242","line":294,"updated":"2016-12-08 15:41:57.000000000","message":"rule-\u003erole","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"93ffd2c14845791ab7f1026bf9ed8583285d2894","unresolved":false,"context_lines":[{"line_number":291,"context_line":"    { pattern: \"/v\", verb: \"GET\" role: \"None\"}"},{"line_number":292,"context_line":"    { pattern: \"/v3\", verb: \"GET\" role: \"None\"}"},{"line_number":293,"context_line":""},{"line_number":294,"context_line":"The initial rule is that APIs require the `Member` rule. However, once"},{"line_number":295,"context_line":"appropriate hardening has been performed, this default should be set"},{"line_number":296,"context_line":"to the `admin` role instead."},{"line_number":297,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_859e9052","line":294,"in_reply_to":"3a71b18c_22ddb242","updated":"2016-12-08 16:08:17.000000000","message":"Done","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"bd6571352f0557fd855a37dd7fbd29b3be850c20","unresolved":false,"context_lines":[{"line_number":302,"context_line":"implementation without breaking existing deployments,"},{"line_number":303,"context_line":"`is_admin_project` will default to `False`."},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"Bulk Upload and Query of Access 
Rules"},{"line_number":306,"context_line":"-------------------------------------"},{"line_number":307,"context_line":""},{"line_number":308,"context_line":"Initialization of a system requires a set of rules for each of the"}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_c215dee5","line":305,"updated":"2016-12-08 15:41:57.000000000","message":"API Roles","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"93ffd2c14845791ab7f1026bf9ed8583285d2894","unresolved":false,"context_lines":[{"line_number":302,"context_line":"implementation without breaking existing deployments,"},{"line_number":303,"context_line":"`is_admin_project` will default to `False`."},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"Bulk Upload and Query of Access Rules"},{"line_number":306,"context_line":"-------------------------------------"},{"line_number":307,"context_line":""},{"line_number":308,"context_line":"Initialization of a system requires a set of rules for each of the"}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_a5ad4c8a","line":305,"in_reply_to":"3a71b18c_c215dee5","updated":"2016-12-08 16:08:17.000000000","message":"Done","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"bd6571352f0557fd855a37dd7fbd29b3be850c20","unresolved":false,"context_lines":[{"line_number":318,"context_line":""},{"line_number":319,"context_line":"   {"},{"line_number":320,"context_line":"   \u0027service\u0027: \u0027image\u0027,"},{"line_number":321,"context_line":"   \u0027access_rules\u0027:["},{"line_number":322,"context_line":"      {"},{"line_number":323,"context_line":"      \u0027pattern\u0027: \u0027/v2/images\u0027,"},{"line_number":324,"context_line":"      \u0027verbs\u0027: 
[\u0027POST\u0027],"}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_c2e23e2f","line":321,"updated":"2016-12-08 15:41:57.000000000","message":"api_roles","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"93ffd2c14845791ab7f1026bf9ed8583285d2894","unresolved":false,"context_lines":[{"line_number":318,"context_line":""},{"line_number":319,"context_line":"   {"},{"line_number":320,"context_line":"   \u0027service\u0027: \u0027image\u0027,"},{"line_number":321,"context_line":"   \u0027access_rules\u0027:["},{"line_number":322,"context_line":"      {"},{"line_number":323,"context_line":"      \u0027pattern\u0027: \u0027/v2/images\u0027,"},{"line_number":324,"context_line":"      \u0027verbs\u0027: [\u0027POST\u0027],"}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_e5b584d0","line":321,"in_reply_to":"3a71b18c_c2e23e2f","updated":"2016-12-08 16:08:17.000000000","message":"Done","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"bd6571352f0557fd855a37dd7fbd29b3be850c20","unresolved":false,"context_lines":[{"line_number":367,"context_line":""},{"line_number":368,"context_line":"  {"},{"line_number":369,"context_line":"     \u0027service\u0027: \u0027storage\u0027,"},{"line_number":370,"context_line":"     \u0027access_rules\u0027:["},{"line_number":371,"context_line":"     {"},{"line_number":372,"context_line":"       \u0027pattern\u0027: \u0027/v1/{tenant_id}/volumes/{volume_id}\u0027,"},{"line_number":373,"context_line":"       \u0027verbs\u0027: [\u0027GET\u0027],"}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_22ca12a2","line":370,"updated":"2016-12-08 
15:41:57.000000000","message":"api_roles","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"93ffd2c14845791ab7f1026bf9ed8583285d2894","unresolved":false,"context_lines":[{"line_number":367,"context_line":""},{"line_number":368,"context_line":"  {"},{"line_number":369,"context_line":"     \u0027service\u0027: \u0027storage\u0027,"},{"line_number":370,"context_line":"     \u0027access_rules\u0027:["},{"line_number":371,"context_line":"     {"},{"line_number":372,"context_line":"       \u0027pattern\u0027: \u0027/v1/{tenant_id}/volumes/{volume_id}\u0027,"},{"line_number":373,"context_line":"       \u0027verbs\u0027: [\u0027GET\u0027],"}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_25b05cdd","line":370,"in_reply_to":"3a71b18c_22ca12a2","updated":"2016-12-08 16:08:17.000000000","message":"Done","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"bd6571352f0557fd855a37dd7fbd29b3be850c20","unresolved":false,"context_lines":[{"line_number":431,"context_line":""},{"line_number":432,"context_line":"Assuming an implied role chain like this: `r1-\u003er2-\u003er3-\u003er4-\u003er5-\u003er6-\u003er7`"},{"line_number":433,"context_line":""},{"line_number":434,"context_line":"And an URL pattern rule like this:"},{"line_number":435,"context_line":""},{"line_number":436,"context_line":".. 
code-block:: json"},{"line_number":437,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_a20382b7","line":434,"updated":"2016-12-08 15:41:57.000000000","message":"api_role","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"93ffd2c14845791ab7f1026bf9ed8583285d2894","unresolved":false,"context_lines":[{"line_number":431,"context_line":""},{"line_number":432,"context_line":"Assuming an implied role chain like this: `r1-\u003er2-\u003er3-\u003er4-\u003er5-\u003er6-\u003er7`"},{"line_number":433,"context_line":""},{"line_number":434,"context_line":"And an URL pattern rule like this:"},{"line_number":435,"context_line":""},{"line_number":436,"context_line":".. code-block:: json"},{"line_number":437,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_65ca5451","line":434,"in_reply_to":"3a71b18c_a20382b7","updated":"2016-12-08 16:08:17.000000000","message":"Done","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"bd6571352f0557fd855a37dd7fbd29b3be850c20","unresolved":false,"context_lines":[{"line_number":450,"context_line":"            {\u0027name\u0027:\u0027r5\u0027},{\u0027name\u0027:\u0027r6\u0027},{\u0027name\u0027:\u0027r7\u0027}]"},{"line_number":451,"context_line":""},{"line_number":452,"context_line":""},{"line_number":453,"context_line":"The latter one would have an access_rule response that looks like this:"},{"line_number":454,"context_line":""},{"line_number":455,"context_line":".. 
code-block:: json"},{"line_number":456,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_4212ae0a","line":453,"updated":"2016-12-08 15:41:57.000000000","message":"api_role","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"93ffd2c14845791ab7f1026bf9ed8583285d2894","unresolved":false,"context_lines":[{"line_number":450,"context_line":"            {\u0027name\u0027:\u0027r5\u0027},{\u0027name\u0027:\u0027r6\u0027},{\u0027name\u0027:\u0027r7\u0027}]"},{"line_number":451,"context_line":""},{"line_number":452,"context_line":""},{"line_number":453,"context_line":"The latter one would have an access_rule response that looks like this:"},{"line_number":454,"context_line":""},{"line_number":455,"context_line":".. code-block:: json"},{"line_number":456,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_85c5b03e","line":453,"in_reply_to":"3a71b18c_4212ae0a","updated":"2016-12-08 16:08:17.000000000","message":"Done","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"bd6571352f0557fd855a37dd7fbd29b3be850c20","unresolved":false,"context_lines":[{"line_number":479,"context_line":"For example, if a user only wants a watchdog program to kill a VM if"},{"line_number":480,"context_line":"it misbehaves, the administrator could create a role called"},{"line_number":481,"context_line":"`compute_delete_server` specific to the API `DELETE"},{"line_number":482,"context_line":"/v2.1/​{tenant_id}​/servers/​{server_id}​` as well as a role inference"},{"line_number":483,"context_line":"rules"},{"line_number":484,"context_line":""},{"line_number":485,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_62724a7e","line":482,"updated":"2016-12-08 
15:41:57.000000000","message":"whitespace","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"93ffd2c14845791ab7f1026bf9ed8583285d2894","unresolved":false,"context_lines":[{"line_number":479,"context_line":"For example, if a user only wants a watchdog program to kill a VM if"},{"line_number":480,"context_line":"it misbehaves, the administrator could create a role called"},{"line_number":481,"context_line":"`compute_delete_server` specific to the API `DELETE"},{"line_number":482,"context_line":"/v2.1/​{tenant_id}​/servers/​{server_id}​` as well as a role inference"},{"line_number":483,"context_line":"rules"},{"line_number":484,"context_line":""},{"line_number":485,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_65f8947d","line":482,"in_reply_to":"3a71b18c_62724a7e","updated":"2016-12-08 16:08:17.000000000","message":"Done","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"bd6571352f0557fd855a37dd7fbd29b3be850c20","unresolved":false,"context_lines":[{"line_number":487,"context_line":".. 
code-block:: bnf"},{"line_number":488,"context_line":""},{"line_number":489,"context_line":"  member -\u003e compute_delete_server"},{"line_number":490,"context_line":"  compute_delete_server -\u003e DELETE /v2.1/​{tenant_id}​/servers/​{server_id}​"},{"line_number":491,"context_line":""},{"line_number":492,"context_line":"The user could then create a trust with only the role"},{"line_number":493,"context_line":"compute_delete_server specified."}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_826da69b","line":490,"updated":"2016-12-08 15:41:57.000000000","message":"whitespace","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"93ffd2c14845791ab7f1026bf9ed8583285d2894","unresolved":false,"context_lines":[{"line_number":487,"context_line":".. code-block:: bnf"},{"line_number":488,"context_line":""},{"line_number":489,"context_line":"  member -\u003e compute_delete_server"},{"line_number":490,"context_line":"  compute_delete_server -\u003e DELETE /v2.1/​{tenant_id}​/servers/​{server_id}​"},{"line_number":491,"context_line":""},{"line_number":492,"context_line":"The user could then create a trust with only the role"},{"line_number":493,"context_line":"compute_delete_server specified."}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_853a1033","line":490,"in_reply_to":"3a71b18c_826da69b","updated":"2016-12-08 16:08:17.000000000","message":"Done","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"bd6571352f0557fd855a37dd7fbd29b3be850c20","unresolved":false,"context_lines":[{"line_number":570,"context_line":"3. 
Change the access rule so that instead of requiring the `member`"},{"line_number":571,"context_line":"   role it requires the `reader` role."},{"line_number":572,"context_line":""},{"line_number":573,"context_line":"Retrieving the access_rules would result in the following entries."},{"line_number":574,"context_line":""},{"line_number":575,"context_line":".. code-block:: json"},{"line_number":576,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_e2049ac7","line":573,"updated":"2016-12-08 15:41:57.000000000","message":"api_roles","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"93ffd2c14845791ab7f1026bf9ed8583285d2894","unresolved":false,"context_lines":[{"line_number":570,"context_line":"3. Change the access rule so that instead of requiring the `member`"},{"line_number":571,"context_line":"   role it requires the `reader` role."},{"line_number":572,"context_line":""},{"line_number":573,"context_line":"Retrieving the access_rules would result in the following entries."},{"line_number":574,"context_line":""},{"line_number":575,"context_line":".. 
code-block:: json"},{"line_number":576,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"3a71b18c_e51104b1","line":573,"in_reply_to":"3a71b18c_e2049ac7","updated":"2016-12-08 16:08:17.000000000","message":"Done","commit_id":"4e49f8ae0cbf36dd923c543c0041d6316b76fccb"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":20,"context_line":"The goals:"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":" * Allow operator assignment of the roles to operations"},{"line_number":23,"context_line":" * Provide a means to report what role is required for an operation"},{"line_number":24,"context_line":" * Allow fine grained delegations down to individual operations"},{"line_number":25,"context_line":""},{"line_number":26,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_d4658a1d","line":23,"range":{"start_line":23,"start_character":3,"end_line":23,"end_character":67},"updated":"2016-12-08 22:44:30.000000000","message":"this is only a start, since user and/or resource attributes may also be checked (via policy.json), but it would allow something like a UI knowing at least some of the time when it should grey something out.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":21,"context_line":""},{"line_number":22,"context_line":" * Allow operator assignment of the roles to operations"},{"line_number":23,"context_line":" * Provide a means to report what role is required for an operation"},{"line_number":24,"context_line":" * Allow fine grained delegations down to individual 
operations"},{"line_number":25,"context_line":""},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Problem Description"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_345ebe45","line":24,"range":{"start_line":24,"start_character":3,"end_line":24,"end_character":63},"updated":"2016-12-08 22:44:30.000000000","message":"I\u0027m not sure what you mean here.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":30,"context_line":"The authorization data associated with Keystone tokens contains a set"},{"line_number":31,"context_line":"of roles that can be used to enforce access control. This is a"},{"line_number":32,"context_line":"departure from the NIST definition of Role Based Access Control"},{"line_number":33,"context_line":"in that the roles are repeated, and scoped to the projects. A user"},{"line_number":34,"context_line":"assigned a role in one project would not grant access to a resource in"},{"line_number":35,"context_line":"another project. Thus, we call this `Scoped RBAC`."},{"line_number":36,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_3713205e","line":33,"range":{"start_line":33,"start_character":50,"end_line":33,"end_character":58},"updated":"2016-12-08 22:44:30.000000000","message":"or domains. 
And hopefully someday we introduce a global scope to replace the admin_project hack.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":30,"context_line":"The authorization data associated with Keystone tokens contains a set"},{"line_number":31,"context_line":"of roles that can be used to enforce access control. This is a"},{"line_number":32,"context_line":"departure from the NIST definition of Role Based Access Control"},{"line_number":33,"context_line":"in that the roles are repeated, and scoped to the projects. A user"},{"line_number":34,"context_line":"assigned a role in one project would not grant access to a resource in"},{"line_number":35,"context_line":"another project. Thus, we call this `Scoped RBAC`."},{"line_number":36,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_d433ca11","line":33,"range":{"start_line":33,"start_character":22,"end_line":33,"end_character":30},"updated":"2016-12-08 22:44:30.000000000","message":"repeated? Are you trying to refer to the fact that a role can be assigned to the same user multiple times for different projects/domains? Could be clearer.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":30,"context_line":"The authorization data associated with Keystone tokens contains a set"},{"line_number":31,"context_line":"of roles that can be used to enforce access control. 
This is a"},{"line_number":32,"context_line":"departure from the NIST definition of Role Based Access Control"},{"line_number":33,"context_line":"in that the roles are repeated, and scoped to the projects. A user"},{"line_number":34,"context_line":"assigned a role in one project would not grant access to a resource in"},{"line_number":35,"context_line":"another project. Thus, we call this `Scoped RBAC`."},{"line_number":36,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_5e55e5bf","line":33,"range":{"start_line":33,"start_character":22,"end_line":33,"end_character":30},"in_reply_to":"3a71b18c_d433ca11","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":31,"context_line":"of roles that can be used to enforce access control. This is a"},{"line_number":32,"context_line":"departure from the NIST definition of Role Based Access Control"},{"line_number":33,"context_line":"in that the roles are repeated, and scoped to the projects. A user"},{"line_number":34,"context_line":"assigned a role in one project would not grant access to a resource in"},{"line_number":35,"context_line":"another project. 
Thus, we call this `Scoped RBAC`."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"The default OpenStack deployments make very little use of RBAC."}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_978b1468","line":34,"range":{"start_line":34,"start_character":41,"end_line":34,"end_character":46},"updated":"2016-12-08 22:44:30.000000000","message":"have","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":31,"context_line":"of roles that can be used to enforce access control. This is a"},{"line_number":32,"context_line":"departure from the NIST definition of Role Based Access Control"},{"line_number":33,"context_line":"in that the roles are repeated, and scoped to the projects. A user"},{"line_number":34,"context_line":"assigned a role in one project would not grant access to a resource in"},{"line_number":35,"context_line":"another project. Thus, we call this `Scoped RBAC`."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"The default OpenStack deployments make very little use of RBAC."}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_be70b973","line":34,"range":{"start_line":34,"start_character":41,"end_line":34,"end_character":46},"in_reply_to":"3a71b18c_978b1468","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":40,"context_line":"unclearly scoped to both global and project scoped operations. 
While"},{"line_number":41,"context_line":"the policy.json files are supposed to be configuration files, and"},{"line_number":42,"context_line":"editable by the end deployers, the reality is that this is difficult,"},{"line_number":43,"context_line":"and even discouraged in the official documentation."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"There are numerous challenges to updating the current policy"},{"line_number":46,"context_line":"files. Changing policy now requires redeploying configuration files"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_576dfc97","line":43,"range":{"start_line":43,"start_character":9,"end_line":43,"end_character":50},"updated":"2016-12-08 22:44:30.000000000","message":"really? Where? We should go correct that... It should not be discouraged.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":40,"context_line":"unclearly scoped to both global and project scoped operations. While"},{"line_number":41,"context_line":"the policy.json files are supposed to be configuration files, and"},{"line_number":42,"context_line":"editable by the end deployers, the reality is that this is difficult,"},{"line_number":43,"context_line":"and even discouraged in the official documentation."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"There are numerous challenges to updating the current policy"},{"line_number":46,"context_line":"files. 
Changing policy now requires redeploying configuration files"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_de69f58d","line":43,"range":{"start_line":43,"start_character":9,"end_line":43,"end_character":50},"in_reply_to":"3a71b18c_576dfc97","updated":"2021-09-24 20:29:41.000000000","message":"It is, and I would not change that yet.\n\nhttp://docs.openstack.org/newton/config-reference/policy-json-file.html","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":44,"context_line":""},{"line_number":45,"context_line":"There are numerous challenges to updating the current policy"},{"line_number":46,"context_line":"files. Changing policy now requires redeploying configuration files"},{"line_number":47,"context_line":"for each node in the service. When applying changes to a role"},{"line_number":48,"context_line":"requires coordination between keystone and the service configuration."},{"line_number":49,"context_line":"Certain operations require other operations in order to be successful,"},{"line_number":50,"context_line":"so if the policy fails on a downstream operation the whole operation"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_37208049","line":47,"range":{"start_line":47,"start_character":30,"end_line":47,"end_character":36},"updated":"2016-12-08 22:44:30.000000000","message":"s/When a/A/","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":45,"context_line":"There are numerous challenges to updating the current policy"},{"line_number":46,"context_line":"files. 
Changing policy now requires redeploying configuration files"},{"line_number":47,"context_line":"for each node in the service. When applying changes to a role"},{"line_number":48,"context_line":"requires coordination between keystone and the service configuration."},{"line_number":49,"context_line":"Certain operations require other operations in order to be successful,"},{"line_number":50,"context_line":"so if the policy fails on a downstream operation the whole operation"},{"line_number":51,"context_line":"fails. This is too high a risk for most deployment."}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_37cec083","line":48,"range":{"start_line":48,"start_character":0,"end_line":48,"end_character":68},"updated":"2016-12-08 22:44:30.000000000","message":"how so? Creating a new role would require talking to keystone, but changing an existing role\u0027s permissions shouldn\u0027t require anything to do with keystone.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":45,"context_line":"There are numerous challenges to updating the current policy"},{"line_number":46,"context_line":"files. Changing policy now requires redeploying configuration files"},{"line_number":47,"context_line":"for each node in the service. When applying changes to a role"},{"line_number":48,"context_line":"requires coordination between keystone and the service configuration."},{"line_number":49,"context_line":"Certain operations require other operations in order to be successful,"},{"line_number":50,"context_line":"so if the policy fails on a downstream operation the whole operation"},{"line_number":51,"context_line":"fails. 
This is too high a risk for most deployment."}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_7ead419a","line":48,"range":{"start_line":48,"start_character":0,"end_line":48,"end_character":68},"in_reply_to":"3a71b18c_37cec083","updated":"2021-09-24 20:29:41.000000000","message":"But you need to assign the new role to the users in order to have the policy enforce it.  The changes at least require understanding what is going on in keystone.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":87,"context_line":"--------"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"Perform a role check in keystonemiddleware after the token validation"},{"line_number":90,"context_line":"by using a set of rules that map from VERB + URL Patterns to a role,"},{"line_number":91,"context_line":"and then expanding that to a set of roles via the role inference"},{"line_number":92,"context_line":"rules."},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"The RBAC check happens before keystonemiddleware passes control to"},{"line_number":95,"context_line":"the service specific code. Leave the current oslo-policy based access"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_f734484b","line":92,"range":{"start_line":90,"start_character":61,"end_line":92,"end_character":5},"updated":"2016-12-08 22:44:30.000000000","message":"I see no reason for this to have to be a single role and get into role inference. 
On the other hand, I see issues with that approach, which only works if roles are true supersets/subsets of one another, which is not always going to be the case.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":87,"context_line":"--------"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"Perform a role check in keystonemiddleware after the token validation"},{"line_number":90,"context_line":"by using a set of rules that map from VERB + URL Patterns to a role,"},{"line_number":91,"context_line":"and then expanding that to a set of roles via the role inference"},{"line_number":92,"context_line":"rules."},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"The RBAC check happens before keystonemiddleware passes control to"},{"line_number":95,"context_line":"the service specific code. Leave the current oslo-policy based access"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_be93595a","line":92,"range":{"start_line":90,"start_character":61,"end_line":92,"end_character":5},"in_reply_to":"3a71b18c_f734484b","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":94,"context_line":"The RBAC check happens before keystonemiddleware passes control to"},{"line_number":95,"context_line":"the service specific code. Leave the current oslo-policy based access"},{"line_number":96,"context_line":"checks in place, using the existing policy.json files. 
This leads to a"},{"line_number":97,"context_line":"separation of concerns: Middleware enforces the role check, source"},{"line_number":98,"context_line":"code enforces the scope check."},{"line_number":99,"context_line":""},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"The following changes are required to enable the RBAC check:"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_57217cfb","line":98,"range":{"start_line":97,"start_character":60,"end_line":98,"end_character":29},"updated":"2016-12-08 22:44:30.000000000","message":"It\u0027s worth noting that the scope check often involves a role check, so role checks will at least sometimes be done in both places. The most common example is \"admin_or_owner\" that checks whether you have the admin role first, then only if you don\u0027t proceeds to check your scope.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":100,"context_line":""},{"line_number":101,"context_line":"The following changes are required to enable the RBAC check:"},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"  * Create a persisted entity in Keystone that contain"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"    - the service name"},{"line_number":106,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_97f79458","line":103,"range":{"start_line":103,"start_character":47,"end_line":103,"end_character":54},"updated":"2016-12-08 22:44:30.000000000","message":"contains","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew 
Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":108,"context_line":""},{"line_number":109,"context_line":"    - the URL pattern"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"    - a single required role"},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"  * Create an API for upload and modification of these entities, to"},{"line_number":114,"context_line":"    include bulk upload per service."}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_17a2a44b","line":111,"range":{"start_line":111,"start_character":6,"end_line":111,"end_character":28},"updated":"2016-12-08 22:44:30.000000000","message":"this should be a list, not single. If any role in the list is satisfied then the operation is allowed to proceed.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":113,"context_line":"  * Create an API for upload and modification of these entities, to"},{"line_number":114,"context_line":"    include bulk upload per service."},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"  * Deduce the values from the Documented APIs to Create instances via"},{"line_number":117,"context_line":"    the above APIs"},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"  * Perform a Role check in keystonemiddleware after the token validation"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_d733cc11","line":116,"range":{"start_line":116,"start_character":4,"end_line":116,"end_character":46},"updated":"2016-12-08 22:44:30.000000000","message":"there are numerous doc bugs where APIs are not documented, so be 
careful here.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":113,"context_line":"  * Create an API for upload and modification of these entities, to"},{"line_number":114,"context_line":"    include bulk upload per service."},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"  * Deduce the values from the Documented APIs to Create instances via"},{"line_number":117,"context_line":"    the above APIs"},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"  * Perform a Role check in keystonemiddleware after the token validation"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_b33d522d","line":116,"range":{"start_line":116,"start_character":4,"end_line":116,"end_character":46},"in_reply_to":"3a71b18c_d733cc11","updated":"2021-09-24 20:29:41.000000000","message":"Noted.  
Defaults are specifically defined below.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":132,"context_line":""},{"line_number":133,"context_line":"   curl -H \"X-Auth-Token: adb5c708a55f\" \\"},{"line_number":134,"context_line":"     -H \"Content-type: application/json\" \\"},{"line_number":135,"context_line":"     PUT https://nova1:8774:/v2.1/2497f6/servers/83cbdc \\"},{"line_number":136,"context_line":"     -d @new_values.json"},{"line_number":137,"context_line":""},{"line_number":138,"context_line":"With the body of the request inside the @new_values.json file."}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_2241203a","line":135,"range":{"start_line":135,"start_character":27,"end_line":135,"end_character":28},"updated":"2016-12-08 22:44:30.000000000","message":"s/://","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":163,"context_line":"~~~~~~~~~~~~~~~"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"After the token has been validated via a call to Keystone, the"},{"line_number":166,"context_line":"middleware will fetch the RBAC specific data via python-keystoneclient"},{"line_number":167,"context_line":"which calls the API."},{"line_number":168,"context_line":""},{"line_number":169,"context_line":".. 
code-block:: bash"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_62e79840","line":166,"range":{"start_line":166,"start_character":16,"end_line":166,"end_character":44},"updated":"2016-12-08 22:44:30.000000000","message":"and I assume we would implement some kind of caching so we\u0027re not doing this on every API call, right?","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":163,"context_line":"~~~~~~~~~~~~~~~"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"After the token has been validated via a call to Keystone, the"},{"line_number":166,"context_line":"middleware will fetch the RBAC specific data via python-keystoneclient"},{"line_number":167,"context_line":"which calls the API."},{"line_number":168,"context_line":""},{"line_number":169,"context_line":".. 
code-block:: bash"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_d3d80e21","line":166,"range":{"start_line":166,"start_character":16,"end_line":166,"end_character":44},"in_reply_to":"3a71b18c_62e79840","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":178,"context_line":"      \u0027service\u0027: \u0027compute\u0027,"},{"line_number":179,"context_line":"      \u0027api_roles\u0027: ["},{"line_number":180,"context_line":"         {"},{"line_number":181,"context_line":"            verbs\u003d[\"GET\", \"POST\"],"},{"line_number":182,"context_line":"            pattern\u003d\"/servers/{server_id}/action\","},{"line_number":183,"context_line":"            roles\u003d[\"Member\", \"admin\"],"},{"line_number":184,"context_line":"            admin_project_only\u003dFalse"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_42c53c3b","line":181,"range":{"start_line":181,"start_character":19,"end_line":181,"end_character":24},"updated":"2016-12-08 22:44:30.000000000","message":"there is no GET for this API :)","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":179,"context_line":"      \u0027api_roles\u0027: ["},{"line_number":180,"context_line":"         {"},{"line_number":181,"context_line":"            verbs\u003d[\"GET\", \"POST\"],"},{"line_number":182,"context_line":"            pattern\u003d\"/servers/{server_id}/action\","},{"line_number":183,"context_line":"            roles\u003d[\"Member\", 
\"admin\"],"},{"line_number":184,"context_line":"            admin_project_only\u003dFalse"},{"line_number":185,"context_line":"         },"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_a2b530d1","line":182,"range":{"start_line":182,"start_character":12,"end_line":182,"end_character":49},"updated":"2016-12-08 22:44:30.000000000","message":"this particular API is a good example of where a role check in middleware isn\u0027t going to be particularly helpful. There are a lot of different actions that the user could be requesting via this API, by specifying different things in the request body. Those different actions will require different roles. But that will have to continue to be checked in policy.json as it is today, because the middleware isn\u0027t going to parse the request body. So if someone wants to change what roles are allowed for one of these actions, they are going to have to edit policy.json... they can\u0027t simply call the new api_roles API proposed here.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":180,"context_line":"         {"},{"line_number":181,"context_line":"            verbs\u003d[\"GET\", \"POST\"],"},{"line_number":182,"context_line":"            pattern\u003d\"/servers/{server_id}/action\","},{"line_number":183,"context_line":"            roles\u003d[\"Member\", \"admin\"],"},{"line_number":184,"context_line":"            admin_project_only\u003dFalse"},{"line_number":185,"context_line":"         },"},{"line_number":186,"context_line":"         {"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_82ecb4f4","line":183,"range":{"start_line":183,"start_character":12,"end_line":183,"end_character":37},"updated":"2016-12-08 22:44:30.000000000","message":"I like how this 
example includes a list rather than a single role, contrary to what is stated above but in line with what I think we must do. :)","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"4e96e9cf917d26a16422c3300b85201389f5affe","unresolved":false,"context_lines":[{"line_number":181,"context_line":"            verbs\u003d[\"GET\", \"POST\"],"},{"line_number":182,"context_line":"            pattern\u003d\"/servers/{server_id}/action\","},{"line_number":183,"context_line":"            roles\u003d[\"Member\", \"admin\"],"},{"line_number":184,"context_line":"            admin_project_only\u003dFalse"},{"line_number":185,"context_line":"         },"},{"line_number":186,"context_line":"         {"},{"line_number":187,"context_line":"             verbs\u003d[\"POST\"],"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_622078f8","line":184,"range":{"start_line":184,"start_character":12,"end_line":184,"end_character":36},"updated":"2016-12-08 22:44:30.000000000","message":"this is a scope check, not an RBAC check, and therefore does not belong.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":191,"context_line":"         },"},{"line_number":192,"context_line":"         {"},{"line_number":193,"context_line":"             verbs\u003d[\"PUT\"],"},{"line_number":194,"context_line":"             pattern\u003d\"/v2.{subversion}/{tenant_id}​/servers/​{server_id}\""},{"line_number":195,"context_line":"             roles\u003d[\"Member\", \"admin\"],"},{"line_number":196,"context_line":"             admin_project_only\u003dFalse"},{"line_number":197,"context_line":"         
}"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_562b2594","line":194,"range":{"start_line":194,"start_character":50,"end_line":194,"end_character":51},"updated":"2016-12-09 13:57:24.000000000","message":"what are the red dots here for?","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":191,"context_line":"         },"},{"line_number":192,"context_line":"         {"},{"line_number":193,"context_line":"             verbs\u003d[\"PUT\"],"},{"line_number":194,"context_line":"             pattern\u003d\"/v2.{subversion}/{tenant_id}​/servers/​{server_id}\""},{"line_number":195,"context_line":"             roles\u003d[\"Member\", \"admin\"],"},{"line_number":196,"context_line":"             admin_project_only\u003dFalse"},{"line_number":197,"context_line":"         }"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_13d1a657","line":194,"range":{"start_line":194,"start_character":50,"end_line":194,"end_character":51},"in_reply_to":"3a71b18c_562b2594","updated":"2021-09-24 20:29:41.000000000","message":"I cut and pasted them from the api-ref docs, and it somehow decided that there was invisible whitespace in there.  Not sure what character it is.  Removed.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":213,"context_line":"keystonemiddleware.auth_token will use python-keystoneclient to make a remote"},{"line_number":214,"context_line":"query against the keystone `api_role` API passing in the parameter"},{"line_number":215,"context_line":"`service` to get the approprate set of rules. 
Due to caching needs,"},{"line_number":216,"context_line":"this result will be stored in cache so that the reposne can also be loaded"},{"line_number":217,"context_line":"directly from it\u0027s JSON representation."},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"By the time the code has passed to Keystonemiddleware, the complete"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_3bf214d3","line":216,"range":{"start_line":216,"start_character":48,"end_line":216,"end_character":55},"updated":"2016-12-09 13:57:24.000000000","message":"spelling, s/reposne/response/","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":210,"context_line":"inference rules in the token response is disabled. This will minimize"},{"line_number":211,"context_line":"the token response data size as the number of defined roles increases."},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"keystonemiddleware.auth_token will use python-keystoneclient to make a remote"},{"line_number":214,"context_line":"query against the keystone `api_role` API passing in the parameter"},{"line_number":215,"context_line":"`service` to get the approprate set of rules. 
Due to caching needs,"},{"line_number":216,"context_line":"this result will be stored in cache so that the reposne can also be loaded"},{"line_number":217,"context_line":"directly from it\u0027s JSON representation."},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"By the time the code has passed to Keystonemiddleware, the complete"},{"line_number":220,"context_line":"URL will have been processed by the WSGI pipeline, removing the"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_7b12ccb5","line":217,"range":{"start_line":213,"start_character":0,"end_line":217,"end_character":39},"updated":"2016-12-09 13:57:24.000000000","message":"this is all about fetching the data, and so belongs in the previous section rather than here.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":218,"context_line":""},{"line_number":219,"context_line":"By the time the code has passed to Keystonemiddleware, the complete"},{"line_number":220,"context_line":"URL will have been processed by the WSGI pipeline, removing the"},{"line_number":221,"context_line":"Hostname and port. The remainder of the URL will most likely start"},{"line_number":222,"context_line":"with the version information in the pattern /v[0-9.]*/."},{"line_number":223,"context_line":"In our example, this leaves: `/v2.1/2497f6/servers/83cbdc`."},{"line_number":224,"context_line":"The pattern matching will be run against this sub-url."}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_3babf41e","line":221,"range":{"start_line":221,"start_character":44,"end_line":221,"end_character":60},"updated":"2016-12-09 13:57:24.000000000","message":"\"will most likely\" is a stretch, since glance, neutron, ceilometer, etc. 
do not follow that pattern, and there\u0027s hope that nova/cinder won\u0027t for much longer. Maybe \"may\"?","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":218,"context_line":""},{"line_number":219,"context_line":"By the time the code has passed to Keystonemiddleware, the complete"},{"line_number":220,"context_line":"URL will have been processed by the WSGI pipeline, removing the"},{"line_number":221,"context_line":"Hostname and port. The remainder of the URL will most likely start"},{"line_number":222,"context_line":"with the version information in the pattern /v[0-9.]*/."},{"line_number":223,"context_line":"In our example, this leaves: `/v2.1/2497f6/servers/83cbdc`."},{"line_number":224,"context_line":"The pattern matching will be run against this sub-url."}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_33ef821f","line":221,"range":{"start_line":221,"start_character":44,"end_line":221,"end_character":60},"in_reply_to":"3a71b18c_3babf41e","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":227,"context_line":"attempting a match against each one. 
The URL remainder above will"},{"line_number":228,"context_line":"match the pattern"},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"GET /v2.1/{tenant_id}/servers/{server_id}​"},{"line_number":231,"context_line":""},{"line_number":232,"context_line":"Since the token response will have the role \"Member\" which matches the"},{"line_number":233,"context_line":"set of roles: `roles\u003d[\"Member\", \"admin\"]` the validation will succeed."}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_961bfd7f","line":230,"range":{"start_line":230,"start_character":41,"end_line":230,"end_character":42},"updated":"2016-12-09 13:57:24.000000000","message":"another odd red dot","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":227,"context_line":"attempting a match against each one. 
The URL remainder above will"},{"line_number":228,"context_line":"match the pattern"},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"GET /v2.1/{tenant_id}/servers/{server_id}​"},{"line_number":231,"context_line":""},{"line_number":232,"context_line":"Since the token response will have the role \"Member\" which matches the"},{"line_number":233,"context_line":"set of roles: `roles\u003d[\"Member\", \"admin\"]` the validation will succeed."}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_73f57aeb","line":230,"range":{"start_line":230,"start_character":41,"end_line":230,"end_character":42},"in_reply_to":"3a71b18c_961bfd7f","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":229,"context_line":""},{"line_number":230,"context_line":"GET /v2.1/{tenant_id}/servers/{server_id}​"},{"line_number":231,"context_line":""},{"line_number":232,"context_line":"Since the token response will have the role \"Member\" which matches the"},{"line_number":233,"context_line":"set of roles: `roles\u003d[\"Member\", \"admin\"]` the validation will succeed."},{"line_number":234,"context_line":""},{"line_number":235,"context_line":"If none of the URLs match, or if the auth-data does not"},{"line_number":236,"context_line":"contain a role from the set specified by the pattern, validation"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_1b21d8b4","line":233,"range":{"start_line":232,"start_character":0,"end_line":233,"end_character":70},"updated":"2016-12-09 13:57:24.000000000","message":"another place that refers to a list of roles, which I agree we need but contrary to other places in this spec that say this will be a single 
role.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":229,"context_line":""},{"line_number":230,"context_line":"GET /v2.1/{tenant_id}/servers/{server_id}​"},{"line_number":231,"context_line":""},{"line_number":232,"context_line":"Since the token response will have the role \"Member\" which matches the"},{"line_number":233,"context_line":"set of roles: `roles\u003d[\"Member\", \"admin\"]` the validation will succeed."},{"line_number":234,"context_line":""},{"line_number":235,"context_line":"If none of the URLs match, or if the auth-data does not"},{"line_number":236,"context_line":"contain a role from the set specified by the pattern, validation"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_93de966b","line":233,"range":{"start_line":232,"start_character":0,"end_line":233,"end_character":70},"in_reply_to":"3a71b18c_1b21d8b4","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":237,"context_line":"fails. The failure path will be similar to a failed token validation."},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"After the token and RBAC validation is completed successfuly, there is"},{"line_number":240,"context_line":"no change to existing processing. The auth_token middleware adds"},{"line_number":241,"context_line":"several additional headers to the request and completes. 
The WSGI"},{"line_number":242,"context_line":"middleware pipeline continues, eventually calling into the Nova server"},{"line_number":243,"context_line":"specific code. Inside this code, Nova will call the oslo-policy"},{"line_number":244,"context_line":"library to enforce policy as specified by either the Nova annotations"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_366309de","line":241,"range":{"start_line":240,"start_character":35,"end_line":241,"end_character":26},"updated":"2016-12-09 13:57:24.000000000","message":"what headers? Why?","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":237,"context_line":"fails. The failure path will be similar to a failed token validation."},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"After the token and RBAC validation is completed successfuly, there is"},{"line_number":240,"context_line":"no change to existing processing. The auth_token middleware adds"},{"line_number":241,"context_line":"several additional headers to the request and completes. The WSGI"},{"line_number":242,"context_line":"middleware pipeline continues, eventually calling into the Nova server"},{"line_number":243,"context_line":"specific code. 
Inside this code, Nova will call the oslo-policy"},{"line_number":244,"context_line":"library to enforce policy as specified by either the Nova annotations"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_f3b34a4b","line":241,"range":{"start_line":240,"start_character":35,"end_line":241,"end_character":26},"in_reply_to":"3a71b18c_366309de","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":254,"context_line":"Service: Indexable String, matches the values from the service catalog"},{"line_number":255,"context_line":"Pattern: Long String (\u003e255 chars) that contains the patterns."},{"line_number":256,"context_line":"role_id: UUID index to the role table"},{"line_number":257,"context_line":"admin_project_only: Boolean"},{"line_number":258,"context_line":""},{"line_number":259,"context_line":"Additional Details"},{"line_number":260,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_f696f192","line":257,"range":{"start_line":257,"start_character":0,"end_line":257,"end_character":27},"updated":"2016-12-09 13:57:24.000000000","message":"should not be here, as commented elsewhere.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":259,"context_line":"Additional Details"},{"line_number":260,"context_line":"------------------"},{"line_number":261,"context_line":""},{"line_number":262,"context_line":"A catch all rule will indicate how to handle unspecified APIs. 
These"},{"line_number":263,"context_line":"will be of the form:"},{"line_number":264,"context_line":""},{"line_number":265,"context_line":".. code-block:: json"},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"    { pattern: \"ANY\", verb: \"ANY\" role: \"\u003crole\u003e\"}"},{"line_number":268,"context_line":""},{"line_number":269,"context_line":""},{"line_number":270,"context_line":"A special value of None for the role will indicate that the no Role is"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_16c0cd7b","line":267,"range":{"start_line":262,"start_character":0,"end_line":267,"end_character":49},"updated":"2016-12-09 13:57:24.000000000","message":"I prefer the \"default\" section from the example above, since it removes the element of user error specifying this exact pattern.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":259,"context_line":"Additional Details"},{"line_number":260,"context_line":"------------------"},{"line_number":261,"context_line":""},{"line_number":262,"context_line":"A catch all rule will indicate how to handle unspecified APIs. These"},{"line_number":263,"context_line":"will be of the form:"},{"line_number":264,"context_line":""},{"line_number":265,"context_line":".. 
code-block:: json"},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"    { pattern: \"ANY\", verb: \"ANY\" role: \"\u003crole\u003e\"}"},{"line_number":268,"context_line":""},{"line_number":269,"context_line":""},{"line_number":270,"context_line":"A special value of None for the role will indicate that the no Role is"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_6ab663fa","line":267,"range":{"start_line":262,"start_character":0,"end_line":267,"end_character":49},"in_reply_to":"3a71b18c_16c0cd7b","updated":"2021-09-24 20:29:41.000000000","message":"that cannot be stored in the same schema, and I want this database manageable.  REdid this whole section based on that.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":270,"context_line":"A special value of None for the role will indicate that the no Role is"},{"line_number":271,"context_line":"required, and that the entire token role check can be skipped.  This"},{"line_number":272,"context_line":"will allow operations that do not require a token, or that are allowed"},{"line_number":273,"context_line":"to work with and unscoped token, to procede. This example shows how to"},{"line_number":274,"context_line":"allow version discovery to procede."},{"line_number":275,"context_line":""},{"line_number":276,"context_line":".. 
code-block:: json"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_b63b99ea","line":273,"range":{"start_line":273,"start_character":13,"end_line":273,"end_character":16},"updated":"2016-12-09 13:57:24.000000000","message":"an","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":275,"context_line":""},{"line_number":276,"context_line":".. code-block:: json"},{"line_number":277,"context_line":""},{"line_number":278,"context_line":"    { pattern: \"/v\", verb: \"GET\" role: \"None\"}"},{"line_number":279,"context_line":"    { pattern: \"/v3\", verb: \"GET\" role: \"None\"}"},{"line_number":280,"context_line":""},{"line_number":281,"context_line":"The initial rule is that APIs require the `Member` role. However, once"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_d10c9f3d","line":278,"range":{"start_line":278,"start_character":16,"end_line":278,"end_character":19},"updated":"2016-12-09 13:57:24.000000000","message":"this seems to give the impression that we\u0027re only going to check that the URL startswith the pattern, rather than is a full match. Is that the case, and if so why?","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":275,"context_line":""},{"line_number":276,"context_line":".. 
code-block:: json"},{"line_number":277,"context_line":""},{"line_number":278,"context_line":"    { pattern: \"/v\", verb: \"GET\" role: \"None\"}"},{"line_number":279,"context_line":"    { pattern: \"/v3\", verb: \"GET\" role: \"None\"}"},{"line_number":280,"context_line":""},{"line_number":281,"context_line":"The initial rule is that APIs require the `Member` role. However, once"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_6adf433a","line":278,"range":{"start_line":278,"start_character":16,"end_line":278,"end_character":19},"in_reply_to":"3a71b18c_d10c9f3d","updated":"2021-09-24 20:29:41.000000000","message":"the above comment shows it is for version discovery. This is the full URL.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":278,"context_line":"    { pattern: \"/v\", verb: \"GET\" role: \"None\"}"},{"line_number":279,"context_line":"    { pattern: \"/v3\", verb: \"GET\" role: \"None\"}"},{"line_number":280,"context_line":""},{"line_number":281,"context_line":"The initial rule is that APIs require the `Member` role. However, once"},{"line_number":282,"context_line":"appropriate hardening has been performed, this default should be set"},{"line_number":283,"context_line":"to the `admin` role instead."},{"line_number":284,"context_line":""},{"line_number":285,"context_line":"If an API should be reserved for cloud admin, the pattern match will"},{"line_number":286,"context_line":"have an additional Boolean field `is_admin_project`. If this field is"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_f168bbbc","line":283,"range":{"start_line":281,"start_character":0,"end_line":283,"end_character":28},"updated":"2016-12-09 13:57:24.000000000","message":"this makes no sense. 
First, there is no \"Member\" role in many deployments. That is not an OpenStack-defined role. It is something that some deployments use in practice, but we should exercise caution promoting this to OpenStack-defined by coding to it. Instead I think you need to use \"None\" as the initial default. Second, I think you\u0027re referring to what you called the \"catch all rule\" above, but you have something else between that and this, so the flow of understanding is lost.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":278,"context_line":"    { pattern: \"/v\", verb: \"GET\" role: \"None\"}"},{"line_number":279,"context_line":"    { pattern: \"/v3\", verb: \"GET\" role: \"None\"}"},{"line_number":280,"context_line":""},{"line_number":281,"context_line":"The initial rule is that APIs require the `Member` role. However, once"},{"line_number":282,"context_line":"appropriate hardening has been performed, this default should be set"},{"line_number":283,"context_line":"to the `admin` role instead."},{"line_number":284,"context_line":""},{"line_number":285,"context_line":"If an API should be reserved for cloud admin, the pattern match will"},{"line_number":286,"context_line":"have an additional Boolean field `is_admin_project`. 
If this field is"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_aae5db09","line":283,"range":{"start_line":281,"start_character":0,"end_line":283,"end_character":28},"in_reply_to":"3a71b18c_f168bbbc","updated":"2021-09-24 20:29:41.000000000","message":"GOing to default to None instead.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":282,"context_line":"appropriate hardening has been performed, this default should be set"},{"line_number":283,"context_line":"to the `admin` role instead."},{"line_number":284,"context_line":""},{"line_number":285,"context_line":"If an API should be reserved for cloud admin, the pattern match will"},{"line_number":286,"context_line":"have an additional Boolean field `is_admin_project`. If this field is"},{"line_number":287,"context_line":"set, only tokens with auth_data that includes `is_admin_project\u003dTrue`"},{"line_number":288,"context_line":"will match. 
This is considered hardening; in order to allow"},{"line_number":289,"context_line":"implementation without breaking existing deployments,"},{"line_number":290,"context_line":"`is_admin_project` will default to `False`."},{"line_number":291,"context_line":""},{"line_number":292,"context_line":"Bulk Upload and Query of API Roles"},{"line_number":293,"context_line":"----------------------------------"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_b1f3a309","line":290,"range":{"start_line":285,"start_character":0,"end_line":290,"end_character":43},"updated":"2016-12-09 13:57:24.000000000","message":"this is a scope check, not a role check, and therefore belongs in the individual services rather than here.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":292,"context_line":"Bulk Upload and Query of API Roles"},{"line_number":293,"context_line":"----------------------------------"},{"line_number":294,"context_line":""},{"line_number":295,"context_line":"Initialization of a system requires a set of rules for each of the"},{"line_number":296,"context_line":"services. These rules should be maintained by the core team for each"},{"line_number":297,"context_line":"service, and modified by the end deployer. The value of"},{"line_number":298,"context_line":"`admin_project_only` is optional and will default to False."},{"line_number":299,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_31c95379","line":296,"range":{"start_line":295,"start_character":0,"end_line":296,"end_character":8},"updated":"2016-12-09 13:57:24.000000000","message":"does it have to be an all-or-none thing? 
I would have thought we\u0027d support using this for some services and not for others.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":292,"context_line":"Bulk Upload and Query of API Roles"},{"line_number":293,"context_line":"----------------------------------"},{"line_number":294,"context_line":""},{"line_number":295,"context_line":"Initialization of a system requires a set of rules for each of the"},{"line_number":296,"context_line":"services. These rules should be maintained by the core team for each"},{"line_number":297,"context_line":"service, and modified by the end deployer. The value of"},{"line_number":298,"context_line":"`admin_project_only` is optional and will default to False."},{"line_number":299,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_8ade5f6b","line":296,"range":{"start_line":295,"start_character":0,"end_line":296,"end_character":8},"in_reply_to":"3a71b18c_31c95379","updated":"2021-09-24 20:29:41.000000000","message":"With good defaults, it does not have to be all or none.  Will make that clearer.  Just that the core teams should manage their own rules.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":294,"context_line":""},{"line_number":295,"context_line":"Initialization of a system requires a set of rules for each of the"},{"line_number":296,"context_line":"services. These rules should be maintained by the core team for each"},{"line_number":297,"context_line":"service, and modified by the end deployer. 
The value of"},{"line_number":298,"context_line":"`admin_project_only` is optional and will default to False."},{"line_number":299,"context_line":""},{"line_number":300,"context_line":""},{"line_number":301,"context_line":"A sample of a subset of"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_71a10ba9","line":298,"range":{"start_line":297,"start_character":42,"end_line":298,"end_character":59},"updated":"2016-12-09 13:57:24.000000000","message":"can remove this per comments elsewhere.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":294,"context_line":""},{"line_number":295,"context_line":"Initialization of a system requires a set of rules for each of the"},{"line_number":296,"context_line":"services. These rules should be maintained by the core team for each"},{"line_number":297,"context_line":"service, and modified by the end deployer. 
The value of"},{"line_number":298,"context_line":"`admin_project_only` is optional and will default to False."},{"line_number":299,"context_line":""},{"line_number":300,"context_line":""},{"line_number":301,"context_line":"A sample of a subset of"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_aadb1b7b","line":298,"range":{"start_line":297,"start_character":42,"end_line":298,"end_character":59},"in_reply_to":"3a71b18c_71a10ba9","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":312,"context_line":"      \u0027role\u0027: \u0027member\u0027"},{"line_number":313,"context_line":"      },"},{"line_number":314,"context_line":"      {"},{"line_number":315,"context_line":"      \u0027pattern\u0027: \u0027/v2/images/{image_id}\u0027,"},{"line_number":316,"context_line":"      \u0027verbs\u0027: [\u0027GET\u0027,\u0027PATCH\u0027,\u0027DELETE\u0027],"},{"line_number":317,"context_line":"      \u0027role\u0027: \u0027member\u0027"},{"line_number":318,"context_line":"      },"},{"line_number":319,"context_line":"      {"},{"line_number":320,"context_line":"      \u0027pattern\u0027: \u0027/v2/images/{image_id}/deactivate\u0027,"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_9192274a","line":317,"range":{"start_line":315,"start_character":0,"end_line":317,"end_character":22},"updated":"2016-12-09 13:57:24.000000000","message":"just to be clear, we will allow you to specify a pattern twice, so that you can require one set of roles for GET and another for DELETE, right? That must be possible. 
We need to see that explicitly.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":312,"context_line":"      \u0027role\u0027: \u0027member\u0027"},{"line_number":313,"context_line":"      },"},{"line_number":314,"context_line":"      {"},{"line_number":315,"context_line":"      \u0027pattern\u0027: \u0027/v2/images/{image_id}\u0027,"},{"line_number":316,"context_line":"      \u0027verbs\u0027: [\u0027GET\u0027,\u0027PATCH\u0027,\u0027DELETE\u0027],"},{"line_number":317,"context_line":"      \u0027role\u0027: \u0027member\u0027"},{"line_number":318,"context_line":"      },"},{"line_number":319,"context_line":"      {"},{"line_number":320,"context_line":"      \u0027pattern\u0027: \u0027/v2/images/{image_id}/deactivate\u0027,"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_2aa1cbf8","line":317,"range":{"start_line":315,"start_character":0,"end_line":317,"end_character":22},"in_reply_to":"3a71b18c_9192274a","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":329,"context_line":"      ],"},{"line_number":330,"context_line":"      \u0027default\u0027: {"},{"line_number":331,"context_line":"          roles\u003d[\"Member\", \"admin\"],"},{"line_number":332,"context_line":"          admin_project_only\u003dFalse"},{"line_number":333,"context_line":"      },"},{"line_number":334,"context_line":"   
}"},{"line_number":335,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_71b66bdd","line":332,"range":{"start_line":332,"start_character":10,"end_line":332,"end_character":34},"updated":"2016-12-09 13:57:24.000000000","message":"another place to remove this.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":329,"context_line":"      ],"},{"line_number":330,"context_line":"      \u0027default\u0027: {"},{"line_number":331,"context_line":"          roles\u003d[\"Member\", \"admin\"],"},{"line_number":332,"context_line":"          admin_project_only\u003dFalse"},{"line_number":333,"context_line":"      },"},{"line_number":334,"context_line":"   }"},{"line_number":335,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_8a69ffc0","line":332,"range":{"start_line":332,"start_character":10,"end_line":332,"end_character":34},"in_reply_to":"3a71b18c_71b66bdd","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":362,"context_line":"     }]"},{"line_number":363,"context_line":"   }"},{"line_number":364,"context_line":""},{"line_number":365,"context_line":"And show they needto delegate the `auditor` role. 
Assuming the role"},{"line_number":366,"context_line":"inference rule that states `Member` implies `auditor`, a user with the"},{"line_number":367,"context_line":"`Member` role can then create a trust with the implied `auditor` rule"},{"line_number":368,"context_line":"for the remote service."}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_91e067ce","line":365,"range":{"start_line":365,"start_character":4,"end_line":365,"end_character":8},"updated":"2016-12-09 13:57:24.000000000","message":"determine","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":362,"context_line":"     }]"},{"line_number":363,"context_line":"   }"},{"line_number":364,"context_line":""},{"line_number":365,"context_line":"And show they needto delegate the `auditor` role. Assuming the role"},{"line_number":366,"context_line":"inference rule that states `Member` implies `auditor`, a user with the"},{"line_number":367,"context_line":"`Member` role can then create a trust with the implied `auditor` rule"},{"line_number":368,"context_line":"for the remote service."}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_51c08f2a","line":365,"range":{"start_line":365,"start_character":14,"end_line":365,"end_character":20},"updated":"2016-12-09 13:57:24.000000000","message":"missing space","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":362,"context_line":"     }]"},{"line_number":363,"context_line":"   }"},{"line_number":364,"context_line":""},{"line_number":365,"context_line":"And show they needto delegate the `auditor` role. 
Assuming the role"},{"line_number":366,"context_line":"inference rule that states `Member` implies `auditor`, a user with the"},{"line_number":367,"context_line":"`Member` role can then create a trust with the implied `auditor` rule"},{"line_number":368,"context_line":"for the remote service."}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_0a75ef96","line":365,"range":{"start_line":365,"start_character":4,"end_line":365,"end_character":8},"in_reply_to":"3a71b18c_91e067ce","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":368,"context_line":"for the remote service."},{"line_number":369,"context_line":""},{"line_number":370,"context_line":"For a Web UI like Horizon, this method could be used to customize the"},{"line_number":371,"context_line":"User interface, to determin if a class of resources should be shown,"},{"line_number":372,"context_line":"and whether or not they are editable, based on the roles of the user"},{"line_number":373,"context_line":"and the APIs needed to populate that page."},{"line_number":374,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_f1f8bb7e","line":371,"range":{"start_line":371,"start_character":19,"end_line":371,"end_character":27},"updated":"2016-12-09 13:57:24.000000000","message":"spelling","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":368,"context_line":"for the remote service."},{"line_number":369,"context_line":""},{"line_number":370,"context_line":"For a Web UI like 
Horizon, this method could be used to customize the"},{"line_number":371,"context_line":"User interface, to determin if a class of resources should be shown,"},{"line_number":372,"context_line":"and whether or not they are editable, based on the roles of the user"},{"line_number":373,"context_line":"and the APIs needed to populate that page."},{"line_number":374,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_ea451343","line":371,"range":{"start_line":371,"start_character":19,"end_line":371,"end_character":27},"in_reply_to":"3a71b18c_f1f8bb7e","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":390,"context_line":"the domain structure from Nova was duplicated in the Keystone"},{"line_number":391,"context_line":"Database."},{"line_number":392,"context_line":""},{"line_number":393,"context_line":"The current approach to scoping policy can be described as \"all"},{"line_number":394,"context_line":"resources of the same type withing a project have the same access"},{"line_number":395,"context_line":"control.\" Several projects, most notably around credentials in"},{"line_number":396,"context_line":"Barbican and Keystone, have attempted to enforce more fine grained"},{"line_number":397,"context_line":"policy than the current approach, specifically, based on the user that"},{"line_number":398,"context_line":"created the object. However this has been shown to be problematic at"},{"line_number":399,"context_line":"cloud scale. Any delegations created that attempt to use those"},{"line_number":400,"context_line":"objects must now use impersonation, which is dangerous. 
To clean up"},{"line_number":401,"context_line":"these resources, should that user not be present is to escalate it to"},{"line_number":402,"context_line":"an administrator."},{"line_number":403,"context_line":""},{"line_number":404,"context_line":"The RBAC approach described here does not prescribe"},{"line_number":405,"context_line":"such an approach, it just takes a more pragmatic and scalable approach"},{"line_number":406,"context_line":"first. This approach better matches the OpenStack design."},{"line_number":407,"context_line":""},{"line_number":408,"context_line":"Other specs that have addressed this are listed in references."},{"line_number":409,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_51732f15","line":406,"range":{"start_line":393,"start_character":0,"end_line":406,"end_character":57},"updated":"2016-12-09 13:57:24.000000000","message":"I don\u0027t really understand why this is here... It talks about scoping, and this spec is only about roles and NOT about scoping.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":390,"context_line":"the domain structure from Nova was duplicated in the Keystone"},{"line_number":391,"context_line":"Database."},{"line_number":392,"context_line":""},{"line_number":393,"context_line":"The current approach to scoping policy can be described as \"all"},{"line_number":394,"context_line":"resources of the same type withing a project have the same access"},{"line_number":395,"context_line":"control.\" Several projects, most notably around credentials in"},{"line_number":396,"context_line":"Barbican and Keystone, have attempted to enforce more fine grained"},{"line_number":397,"context_line":"policy than the current approach, specifically, based on the user 
that"},{"line_number":398,"context_line":"created the object. However this has been shown to be problematic at"},{"line_number":399,"context_line":"cloud scale. Any delegations created that attempt to use those"},{"line_number":400,"context_line":"objects must now use impersonation, which is dangerous. To clean up"},{"line_number":401,"context_line":"these resources, should that user not be present is to escalate it to"},{"line_number":402,"context_line":"an administrator."},{"line_number":403,"context_line":""},{"line_number":404,"context_line":"The RBAC approach described here does not prescribe"},{"line_number":405,"context_line":"such an approach, it just takes a more pragmatic and scalable approach"},{"line_number":406,"context_line":"first. This approach better matches the OpenStack design."},{"line_number":407,"context_line":""},{"line_number":408,"context_line":"Other specs that have addressed this are listed in references."},{"line_number":409,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_6a22e3a4","line":406,"range":{"start_line":393,"start_character":0,"end_line":406,"end_character":57},"in_reply_to":"3a71b18c_51732f15","updated":"2021-09-24 20:29:41.000000000","message":"It has been given as an alternative to this approach, and I felt it worth addressing.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":407,"context_line":""},{"line_number":408,"context_line":"Other specs that have addressed this are listed in references."},{"line_number":409,"context_line":""},{"line_number":410,"context_line":"If the number of implied roles increases significantly, it will be"},{"line_number":411,"context_line":"impractical to continue to expand them in the token 
validation"},{"line_number":412,"context_line":"bodies, as this will greatly increase the size of the response."},{"line_number":413,"context_line":"Instead, the expansion of implied roles can happen in a modified"},{"line_number":414,"context_line":"response for list URL Api_Roles. The matching logic will be the same,"},{"line_number":415,"context_line":"but the token validations role list will only have specified roles."},{"line_number":416,"context_line":""},{"line_number":417,"context_line":"Example:"},{"line_number":418,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_71958be2","line":415,"range":{"start_line":410,"start_character":0,"end_line":415,"end_character":67},"updated":"2016-12-09 13:57:24.000000000","message":"I think this breaks the caching done by clients today. I believe you\u0027re saying the response would be different on a per-api basis, making it necessary to shift from the current per-token caching to per-api-per-token caching. That is not practical.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":410,"context_line":"If the number of implied roles increases significantly, it will be"},{"line_number":411,"context_line":"impractical to continue to expand them in the token validation"},{"line_number":412,"context_line":"bodies, as this will greatly increase the size of the response."},{"line_number":413,"context_line":"Instead, the expansion of implied roles can happen in a modified"},{"line_number":414,"context_line":"response for list URL Api_Roles. 
The matching logic will be the same,"},{"line_number":415,"context_line":"but the token validations role list will only have specified roles."},{"line_number":416,"context_line":""},{"line_number":417,"context_line":"Example:"},{"line_number":418,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_2cf2dcd2","line":415,"range":{"start_line":413,"start_character":9,"end_line":415,"end_character":66},"updated":"2016-12-09 13:57:24.000000000","message":"you\u0027re proposing another change here, and I think you mean it to fall under this spec. The alternatives section isn\u0027t the right place to do that. In fact, I think this needs to be an entirely different spec. It doesn\u0027t really belong here. There\u0027s nothing about doing role checks in middleware that necessitates this implied roles change, which is going to be more controversial.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":407,"context_line":""},{"line_number":408,"context_line":"Other specs that have addressed this are listed in references."},{"line_number":409,"context_line":""},{"line_number":410,"context_line":"If the number of implied roles increases significantly, it will be"},{"line_number":411,"context_line":"impractical to continue to expand them in the token validation"},{"line_number":412,"context_line":"bodies, as this will greatly increase the size of the response."},{"line_number":413,"context_line":"Instead, the expansion of implied roles can happen in a modified"},{"line_number":414,"context_line":"response for list URL Api_Roles. 
The matching logic will be the same,"},{"line_number":415,"context_line":"but the token validations role list will only have specified roles."},{"line_number":416,"context_line":""},{"line_number":417,"context_line":"Example:"},{"line_number":418,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_e729cc9c","line":415,"range":{"start_line":410,"start_character":0,"end_line":415,"end_character":67},"in_reply_to":"3a71b18c_71958be2","updated":"2021-09-24 20:29:41.000000000","message":"Changing this to always expand implied roles in the response, and just mention disabling the config option.  I will put that under deployer impact.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":467,"context_line":"it misbehaves, the administrator could create a role called"},{"line_number":468,"context_line":"`compute_delete_server` specific to the API `DELETE"},{"line_number":469,"context_line":"/v2.1/{tenant_id}/servers/{server_id}` as well as a role inference"},{"line_number":470,"context_line":"rules"},{"line_number":471,"context_line":""},{"line_number":472,"context_line":""},{"line_number":473,"context_line":"Here is an example"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_cca888de","line":470,"range":{"start_line":470,"start_character":0,"end_line":470,"end_character":5},"updated":"2016-12-09 13:57:24.000000000","message":"s/rules/rule./","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":507,"context_line":""},{"line_number":508,"context_line":"There would be a small, but 
non-zero impact in the remote service due"},{"line_number":509,"context_line":"to the need to fetch and cache the RBAC data. Since the API matching"},{"line_number":510,"context_line":"rules fetched from in the Keystone server will likely be cached in"},{"line_number":511,"context_line":"the remote server, there should be minimal impact on the Keystone side"},{"line_number":512,"context_line":"due to database lookups."},{"line_number":513,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_ccb7a8f3","line":510,"range":{"start_line":510,"start_character":19,"end_line":510,"end_character":21},"updated":"2016-12-09 13:57:24.000000000","message":"s/in //","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":507,"context_line":""},{"line_number":508,"context_line":"There would be a small, but non-zero impact in the remote service due"},{"line_number":509,"context_line":"to the need to fetch and cache the RBAC data. 
Since the API matching"},{"line_number":510,"context_line":"rules fetched from in the Keystone server will likely be cached in"},{"line_number":511,"context_line":"the remote server, there should be minimal impact on the Keystone side"},{"line_number":512,"context_line":"due to database lookups."},{"line_number":513,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_676f7cfc","line":510,"range":{"start_line":510,"start_character":19,"end_line":510,"end_character":21},"in_reply_to":"3a71b18c_ccb7a8f3","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":511,"context_line":"the remote server, there should be minimal impact on the Keystone side"},{"line_number":512,"context_line":"due to database lookups."},{"line_number":513,"context_line":""},{"line_number":514,"context_line":"Evaluating the rules would require a linear match, much the same way"},{"line_number":515,"context_line":"that a router does in Keystone. The longer the set of roles, the"},{"line_number":516,"context_line":"longer it will take to match. More complex matching schemes based on"},{"line_number":517,"context_line":"the API roles rules can potentially optimize this if it proves to be a"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_8c077080","line":514,"range":{"start_line":514,"start_character":21,"end_line":514,"end_character":49},"updated":"2016-12-09 13:57:24.000000000","message":"I don\u0027t think that\u0027s strictly true. APIs are inherently hierarchical, and the matching could be optimized using the same hierarchy. 
And/or you could categorize the rules by verb so that you only check rules with the matching verb.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":511,"context_line":"the remote server, there should be minimal impact on the Keystone side"},{"line_number":512,"context_line":"due to database lookups."},{"line_number":513,"context_line":""},{"line_number":514,"context_line":"Evaluating the rules would require a linear match, much the same way"},{"line_number":515,"context_line":"that a router does in Keystone. The longer the set of roles, the"},{"line_number":516,"context_line":"longer it will take to match. More complex matching schemes based on"},{"line_number":517,"context_line":"the API roles rules can potentially optimize this if it proves to be a"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_07640820","line":514,"range":{"start_line":514,"start_character":21,"end_line":514,"end_character":49},"in_reply_to":"3a71b18c_8c077080","updated":"2021-09-24 20:29:41.000000000","message":"I think what I said here is strictly true in the worst case, but you are right, much of this could be optimized. I\u0027m aiming for a conservative estimate.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":512,"context_line":"due to database lookups."},{"line_number":513,"context_line":""},{"line_number":514,"context_line":"Evaluating the rules would require a linear match, much the same way"},{"line_number":515,"context_line":"that a router does in Keystone. 
The longer the set of roles, the"},{"line_number":516,"context_line":"longer it will take to match. More complex matching schemes based on"},{"line_number":517,"context_line":"the API roles rules can potentially optimize this if it proves to be a"},{"line_number":518,"context_line":"problem."}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_0c91a052","line":515,"range":{"start_line":515,"start_character":54,"end_line":515,"end_character":59},"updated":"2016-12-09 13:57:24.000000000","message":"s/roles/rules/","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":512,"context_line":"due to database lookups."},{"line_number":513,"context_line":""},{"line_number":514,"context_line":"Evaluating the rules would require a linear match, much the same way"},{"line_number":515,"context_line":"that a router does in Keystone. The longer the set of roles, the"},{"line_number":516,"context_line":"longer it will take to match. 
More complex matching schemes based on"},{"line_number":517,"context_line":"the API roles rules can potentially optimize this if it proves to be a"},{"line_number":518,"context_line":"problem."}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_a7aef42b","line":515,"range":{"start_line":515,"start_character":54,"end_line":515,"end_character":59},"in_reply_to":"3a71b18c_0c91a052","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":529,"context_line":"Deployers will now be able to deploy their own policies for just the"},{"line_number":530,"context_line":"RBAC stage. Since this requires configuration changes to activate, no"},{"line_number":531,"context_line":"change in behavior will happen until the changes are made. It is"},{"line_number":532,"context_line":"assumed that changes would be made to the Keystone server that allow"},{"line_number":533,"context_line":"it to ignore the additional parameters passed by middleware, so that"},{"line_number":534,"context_line":"middleware can safely be upgraded."},{"line_number":535,"context_line":""},{"line_number":536,"context_line":"Once the code changes are in place, the deployer will have to load the"},{"line_number":537,"context_line":"rules to the Keystone server before relying on this mechanism. They"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_6c185485","line":534,"range":{"start_line":532,"start_character":13,"end_line":534,"end_character":33},"updated":"2016-12-09 13:57:24.000000000","message":"shouldn\u0027t this be contained in the middleware? If the middleware calls the api_roles API and gets a 404 from keystone, it should skip the role check. 
We should try to avoid making changes in middleware that will break if run against an older keystone version, since that would cause us to have to go back and cap middleware version requirements for newton, mitaka, etc.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":529,"context_line":"Deployers will now be able to deploy their own policies for just the"},{"line_number":530,"context_line":"RBAC stage. Since this requires configuration changes to activate, no"},{"line_number":531,"context_line":"change in behavior will happen until the changes are made. It is"},{"line_number":532,"context_line":"assumed that changes would be made to the Keystone server that allow"},{"line_number":533,"context_line":"it to ignore the additional parameters passed by middleware, so that"},{"line_number":534,"context_line":"middleware can safely be upgraded."},{"line_number":535,"context_line":""},{"line_number":536,"context_line":"Once the code changes are in place, the deployer will have to load the"},{"line_number":537,"context_line":"rules to the Keystone server before relying on this mechanism. 
They"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_87b1f891","line":534,"range":{"start_line":532,"start_character":13,"end_line":534,"end_character":33},"in_reply_to":"3a71b18c_6c185485","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":539,"context_line":"the patch verb to upload modified URL-Pattern to role mappings for a"},{"line_number":540,"context_line":"subset of the URLs."},{"line_number":541,"context_line":""},{"line_number":542,"context_line":"The API will limit the URL-pattern to a single Role. The preferred"},{"line_number":543,"context_line":"mechanism for managing what the required roles for an operation is to"},{"line_number":544,"context_line":"define `implied-roles` that map from Admin or Member to an operation"},{"line_number":545,"context_line":"specific role. These changes can be made without modifying individual"},{"line_number":546,"context_line":"role assignments."},{"line_number":547,"context_line":""},{"line_number":548,"context_line":"As an example, assume a site wants to implement a specific role for"},{"line_number":549,"context_line":"reading only operations, and to start, wants to implem,ent it for the"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_125616d2","line":546,"range":{"start_line":542,"start_character":0,"end_line":546,"end_character":17},"updated":"2016-12-09 13:57:24.000000000","message":"I wholeheartedly disagree with this. There are no convincing arguments here as to why that should be the case. On the contrary, doing so will cause problems whenever roles are not true superset/subsets, as they often are not. If the answer is to create more roles, there are all kinds of problems with that. 
This is also the wrong section to be covering this.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":539,"context_line":"the patch verb to upload modified URL-Pattern to role mappings for a"},{"line_number":540,"context_line":"subset of the URLs."},{"line_number":541,"context_line":""},{"line_number":542,"context_line":"The API will limit the URL-pattern to a single Role. The preferred"},{"line_number":543,"context_line":"mechanism for managing what the required roles for an operation is to"},{"line_number":544,"context_line":"define `implied-roles` that map from Admin or Member to an operation"},{"line_number":545,"context_line":"specific role. These changes can be made without modifying individual"},{"line_number":546,"context_line":"role assignments."},{"line_number":547,"context_line":""},{"line_number":548,"context_line":"As an example, assume a site wants to implement a specific role for"},{"line_number":549,"context_line":"reading only operations, and to start, wants to implem,ent it for the"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_279bc419","line":546,"range":{"start_line":542,"start_character":0,"end_line":546,"end_character":17},"in_reply_to":"3a71b18c_125616d2","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":546,"context_line":"role assignments."},{"line_number":547,"context_line":""},{"line_number":548,"context_line":"As an example, assume a site wants to implement a specific role 
for"},{"line_number":549,"context_line":"reading only operations, and to start, wants to implem,ent it for the"},{"line_number":550,"context_line":"glance image GET operation. Assuming they started with the rule"},{"line_number":551,"context_line":"above for the `image`service and `pattern` of"},{"line_number":552,"context_line":"`/v2/images/{image_id}`, which is initialized to the member role the"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_d2f9fec9","line":549,"range":{"start_line":549,"start_character":48,"end_line":549,"end_character":58},"updated":"2016-12-09 13:57:24.000000000","message":"spelling","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":548,"context_line":"As an example, assume a site wants to implement a specific role for"},{"line_number":549,"context_line":"reading only operations, and to start, wants to implem,ent it for the"},{"line_number":550,"context_line":"glance image GET operation. 
Assuming they started with the rule"},{"line_number":551,"context_line":"above for the `image`service and `pattern` of"},{"line_number":552,"context_line":"`/v2/images/{image_id}`, which is initialized to the member role the"},{"line_number":553,"context_line":"deployer would do the following:"},{"line_number":554,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_121b761c","line":551,"range":{"start_line":551,"start_character":33,"end_line":551,"end_character":42},"updated":"2016-12-09 13:57:24.000000000","message":"don\u0027t need the ticks here","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":548,"context_line":"As an example, assume a site wants to implement a specific role for"},{"line_number":549,"context_line":"reading only operations, and to start, wants to implem,ent it for the"},{"line_number":550,"context_line":"glance image GET operation. 
Assuming they started with the rule"},{"line_number":551,"context_line":"above for the `image`service and `pattern` of"},{"line_number":552,"context_line":"`/v2/images/{image_id}`, which is initialized to the member role the"},{"line_number":553,"context_line":"deployer would do the following:"},{"line_number":554,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_32ff92ab","line":551,"range":{"start_line":551,"start_character":14,"end_line":551,"end_character":28},"updated":"2016-12-09 13:57:24.000000000","message":"missing space","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":578,"context_line":"Developer Impact"},{"line_number":579,"context_line":"----------------"},{"line_number":580,"context_line":""},{"line_number":581,"context_line":"The first pass of generating the new RBAC rules can be done using the"},{"line_number":582,"context_line":"API documentation, as that lists the calls in the expected format."},{"line_number":583,"context_line":"Eventually, these documents should be managed by the individual"},{"line_number":584,"context_line":"service git repos."},{"line_number":585,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_d2dbbeeb","line":582,"range":{"start_line":581,"start_character":0,"end_line":582,"end_character":66},"updated":"2016-12-09 13:57:24.000000000","message":"note that there are some bugs such that certain APIs aren\u0027t documented, so be prepared for this to get you 98% of the way there but not 100%.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam 
Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":578,"context_line":"Developer Impact"},{"line_number":579,"context_line":"----------------"},{"line_number":580,"context_line":""},{"line_number":581,"context_line":"The first pass of generating the new RBAC rules can be done using the"},{"line_number":582,"context_line":"API documentation, as that lists the calls in the expected format."},{"line_number":583,"context_line":"Eventually, these documents should be managed by the individual"},{"line_number":584,"context_line":"service git repos."},{"line_number":585,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_a7527465","line":582,"range":{"start_line":581,"start_character":0,"end_line":582,"end_character":66},"in_reply_to":"3a71b18c_d2dbbeeb","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":580,"context_line":""},{"line_number":581,"context_line":"The first pass of generating the new RBAC rules can be done using the"},{"line_number":582,"context_line":"API documentation, as that lists the calls in the expected format."},{"line_number":583,"context_line":"Eventually, these documents should be managed by the individual"},{"line_number":584,"context_line":"service git repos."},{"line_number":585,"context_line":""},{"line_number":586,"context_line":""},{"line_number":587,"context_line":"Implementation"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_f2ab5a1c","line":584,"range":{"start_line":583,"start_character":0,"end_line":584,"end_character":18},"updated":"2016-12-09 13:57:24.000000000","message":"I would 
argue that they should be there from the start. And that that\u0027s perfectly doable because their existence isn\u0027t required to make this work, since a default of allowing any role should be used in the absence of api_roles for a given service.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":580,"context_line":""},{"line_number":581,"context_line":"The first pass of generating the new RBAC rules can be done using the"},{"line_number":582,"context_line":"API documentation, as that lists the calls in the expected format."},{"line_number":583,"context_line":"Eventually, these documents should be managed by the individual"},{"line_number":584,"context_line":"service git repos."},{"line_number":585,"context_line":""},{"line_number":586,"context_line":""},{"line_number":587,"context_line":"Implementation"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_4757e059","line":584,"range":{"start_line":583,"start_character":0,"end_line":584,"end_character":18},"in_reply_to":"3a71b18c_f2ab5a1c","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":608,"context_line":"  * Logic to match the current URL to the pattern and perform the"},{"line_number":609,"context_line":"    role check implemented in python-keystoneclient"},{"line_number":610,"context_line":"  * Composition of the default rules."},{"line_number":611,"context_line":"  * Extensions to the Token Validation API to allow for new parameters"},{"line_number":612,"context_line":"  * Modification of 
keystonemiddleware.auth_token to perform in"},{"line_number":613,"context_line":"    process validation."},{"line_number":614,"context_line":"  * Modification of keystonemiddleware.auth_token to add the"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_f220bab2","line":611,"range":{"start_line":611,"start_character":4,"end_line":611,"end_character":70},"updated":"2016-12-09 13:57:24.000000000","message":"what new parameters? Is this a relic from an older version of the spec? I don\u0027t think we\u0027re changing that API, are we, or did I miss it?","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":608,"context_line":"  * Logic to match the current URL to the pattern and perform the"},{"line_number":609,"context_line":"    role check implemented in python-keystoneclient"},{"line_number":610,"context_line":"  * Composition of the default rules."},{"line_number":611,"context_line":"  * Extensions to the Token Validation API to allow for new parameters"},{"line_number":612,"context_line":"  * Modification of keystonemiddleware.auth_token to perform in"},{"line_number":613,"context_line":"    process validation."},{"line_number":614,"context_line":"  * Modification of keystonemiddleware.auth_token to add the"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_6785bccd","line":611,"range":{"start_line":611,"start_character":4,"end_line":611,"end_character":70},"in_reply_to":"3a71b18c_f220bab2","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew 
Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":609,"context_line":"    role check implemented in python-keystoneclient"},{"line_number":610,"context_line":"  * Composition of the default rules."},{"line_number":611,"context_line":"  * Extensions to the Token Validation API to allow for new parameters"},{"line_number":612,"context_line":"  * Modification of keystonemiddleware.auth_token to perform in"},{"line_number":613,"context_line":"    process validation."},{"line_number":614,"context_line":"  * Modification of keystonemiddleware.auth_token to add the"},{"line_number":615,"context_line":"    parameters to the validation call if activated."},{"line_number":616,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_5526b8ba","line":613,"range":{"start_line":612,"start_character":61,"end_line":613,"end_character":23},"updated":"2016-12-09 13:57:24.000000000","message":"what is meant here?","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":609,"context_line":"    role check implemented in python-keystoneclient"},{"line_number":610,"context_line":"  * Composition of the default rules."},{"line_number":611,"context_line":"  * Extensions to the Token Validation API to allow for new parameters"},{"line_number":612,"context_line":"  * Modification of keystonemiddleware.auth_token to perform in"},{"line_number":613,"context_line":"    process validation."},{"line_number":614,"context_line":"  * Modification of keystonemiddleware.auth_token to add the"},{"line_number":615,"context_line":"    parameters to the validation call if 
activated."},{"line_number":616,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_277f44e1","line":613,"range":{"start_line":612,"start_character":61,"end_line":613,"end_character":23},"in_reply_to":"3a71b18c_5526b8ba","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":611,"context_line":"  * Extensions to the Token Validation API to allow for new parameters"},{"line_number":612,"context_line":"  * Modification of keystonemiddleware.auth_token to perform in"},{"line_number":613,"context_line":"    process validation."},{"line_number":614,"context_line":"  * Modification of keystonemiddleware.auth_token to add the"},{"line_number":615,"context_line":"    parameters to the validation call if activated."},{"line_number":616,"context_line":""},{"line_number":617,"context_line":""},{"line_number":618,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_d513a85a","line":615,"range":{"start_line":614,"start_character":4,"end_line":615,"end_character":51},"updated":"2016-12-09 13:57:24.000000000","message":"I think this should be to call api_roles, not to add parameters to the validation call.","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":611,"context_line":"  * Extensions to the Token Validation API to allow for new parameters"},{"line_number":612,"context_line":"  * Modification of keystonemiddleware.auth_token to perform in"},{"line_number":613,"context_line":"    process 
validation."},{"line_number":614,"context_line":"  * Modification of keystonemiddleware.auth_token to add the"},{"line_number":615,"context_line":"    parameters to the validation call if activated."},{"line_number":616,"context_line":""},{"line_number":617,"context_line":""},{"line_number":618,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_077a48f1","line":615,"range":{"start_line":614,"start_character":4,"end_line":615,"end_character":51},"in_reply_to":"3a71b18c_d513a85a","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"f6d7ec2fa6022ce050384ac455c091826498b5ed","unresolved":false,"context_lines":[{"line_number":624,"context_line":"Documentation Impact"},{"line_number":625,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":626,"context_line":""},{"line_number":627,"context_line":"Documentation is required of the new APIs, the extension to the"},{"line_number":628,"context_line":"exciting API, and the rules regarding role validation."},{"line_number":629,"context_line":""},{"line_number":630,"context_line":""},{"line_number":631,"context_line":"References"}],"source_content_type":"text/x-rst","patch_set":19,"id":"3a71b18c_9520509d","line":628,"range":{"start_line":627,"start_character":41,"end_line":628,"end_character":13},"updated":"2016-12-09 13:57:24.000000000","message":"what extension?","commit_id":"65ba4ab026691a5d8600de63a73f31e66c6be34d"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"650e721b0a9a0958700c9e5239d4c8b29f28c6cc","unresolved":false,"context_lines":[{"line_number":51,"context_line":"coordination between keystone and the 
service configuration. Certain"},{"line_number":52,"context_line":"operations require other operations in order to be successful, so if"},{"line_number":53,"context_line":"the policy fails on a downstream operation the whole operation"},{"line_number":54,"context_line":"fails. This is too high a risk for most deployment."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"Implementing a dynamic RBAC policy mechanism inside OpenStack has to"},{"line_number":57,"context_line":"work within the restrictions of a distributed development model. Any"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_48220bbb","line":54,"updated":"2016-12-12 17:11:19.000000000","message":"This sounds like a prerequisite cross project spec to start working on getting all operations mapped out. I was personally a fan of that approach a while back, where each operation consisted of a set of other operations (i.e. nova boot would require glance fetch). I think having this done before hand would make fixing policy a lot easier.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"12df4c83b162db67ce6369992800cf54a8f4bb06","unresolved":false,"context_lines":[{"line_number":51,"context_line":"coordination between keystone and the service configuration. Certain"},{"line_number":52,"context_line":"operations require other operations in order to be successful, so if"},{"line_number":53,"context_line":"the policy fails on a downstream operation the whole operation"},{"line_number":54,"context_line":"fails. This is too high a risk for most deployment."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"Implementing a dynamic RBAC policy mechanism inside OpenStack has to"},{"line_number":57,"context_line":"work within the restrictions of a distributed development model. 
Any"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_197cd971","line":54,"in_reply_to":"1a6eadb0_48220bbb","updated":"2016-12-12 23:09:56.000000000","message":"Yeah, but it is not only impossible within Openstack, it does not include third party services that build on top of Open Stack but are not part of the big tent.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"650e721b0a9a0958700c9e5239d4c8b29f28c6cc","unresolved":false,"context_lines":[{"line_number":66,"context_line":"user has the admin role, or that the user has any role on the"},{"line_number":67,"context_line":"project. The matching logic in the policy.json rules are very specific"},{"line_number":68,"context_line":"to each of the projects. There is little reason to modify this part"},{"line_number":69,"context_line":"of the policy. In fact, doing so might break deployments upon update."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"It would be possible to have an additional call to oslo-policy"},{"line_number":72,"context_line":"from keystonemiddleware to check only the roles. However, that leaves"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_e234d84b","line":69,"updated":"2016-12-12 17:11:19.000000000","message":"Well - I think this spec gives us a reason to modify the policy files. Right now the RBAC check and the scope check are both done using the policy files. 
If the RBAC check moves somewhere else, then I think it should be refactored out of the policy files to avoid confusion and duplication.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fafb7f0cf74406246b1b5adbd199cf63b6aad80a","unresolved":false,"context_lines":[{"line_number":66,"context_line":"user has the admin role, or that the user has any role on the"},{"line_number":67,"context_line":"project. The matching logic in the policy.json rules are very specific"},{"line_number":68,"context_line":"to each of the projects. There is little reason to modify this part"},{"line_number":69,"context_line":"of the policy. In fact, doing so might break deployments upon update."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"It would be possible to have an additional call to oslo-policy"},{"line_number":72,"context_line":"from keystonemiddleware to check only the roles. However, that leaves"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_b41dacbf","line":69,"in_reply_to":"1a6eadb0_79c14d80","updated":"2016-12-13 00:03:28.000000000","message":"My concern is a usability concern. You\u0027re proposing that we move a section of policy into another piece of software, and in doing so we\u0027re duplicating information.\n\nDoes the role information in the various policy.json files matter if a service is deployed with keystonemiddleware using this feature?","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"f1aa1838d8dab5a2e725df503b36ad5c3dab0443","unresolved":false,"context_lines":[{"line_number":66,"context_line":"user has the admin role, or that the user has any role on the"},{"line_number":67,"context_line":"project. 
The matching logic in the policy.json rules are very specific"},{"line_number":68,"context_line":"to each of the projects. There is little reason to modify this part"},{"line_number":69,"context_line":"of the policy. In fact, doing so might break deployments upon update."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"It would be possible to have an additional call to oslo-policy"},{"line_number":72,"context_line":"from keystonemiddleware to check only the roles. However, that leaves"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_7fd84df0","line":69,"in_reply_to":"1a6eadb0_79c14d80","updated":"2016-12-13 00:28:53.000000000","message":"We have to at least define what it will look like or how we want it to look. The roles checks are here, the policy check are here and this is how we do that with the default policy rules we have today.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"3b656ccc07513b507c479e2611c6b90d2663bde1","unresolved":false,"context_lines":[{"line_number":66,"context_line":"user has the admin role, or that the user has any role on the"},{"line_number":67,"context_line":"project. The matching logic in the policy.json rules are very specific"},{"line_number":68,"context_line":"to each of the projects. There is little reason to modify this part"},{"line_number":69,"context_line":"of the policy. In fact, doing so might break deployments upon update."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"It would be possible to have an additional call to oslo-policy"},{"line_number":72,"context_line":"from keystonemiddleware to check only the roles. 
However, that leaves"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_35f255d3","line":69,"in_reply_to":"1a6eadb0_7fd84df0","updated":"2016-12-13 15:10:20.000000000","message":"Leave the role out of policy.  In general, deployers should not be touching policy.  Chosing to modify policy requires a much higher commitment than tweaking roles for an API","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"12df4c83b162db67ce6369992800cf54a8f4bb06","unresolved":false,"context_lines":[{"line_number":66,"context_line":"user has the admin role, or that the user has any role on the"},{"line_number":67,"context_line":"project. The matching logic in the policy.json rules are very specific"},{"line_number":68,"context_line":"to each of the projects. There is little reason to modify this part"},{"line_number":69,"context_line":"of the policy. In fact, doing so might break deployments upon update."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"It would be possible to have an additional call to oslo-policy"},{"line_number":72,"context_line":"from keystonemiddleware to check only the roles. However, that leaves"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_79c14d80","line":69,"in_reply_to":"1a6eadb0_e234d84b","updated":"2016-12-12 23:09:56.000000000","message":"Its an impossible task. I\u0027ve spent the past several years trying to accomplishi things along those lines.\n\nThis is a a cross cutting concern, and should not be held up by any one projects intransigence, which is the case today.  
We should not require a unanimous decision by all projects to lock down a securtiy mechanism.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"650e721b0a9a0958700c9e5239d4c8b29f28c6cc","unresolved":false,"context_lines":[{"line_number":90,"context_line":"--------"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"Perform a role check in keystonemiddleware after the token validation"},{"line_number":93,"context_line":"by using a set of rules that map from VERB + URL Patterns to a small"},{"line_number":94,"context_line":"set of roles, and then expanding that to a full set of roles via the"},{"line_number":95,"context_line":"role inference rules."},{"line_number":96,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_629368fb","line":93,"updated":"2016-12-12 17:11:19.000000000","message":"Define small, what does this mean? If you\u0027re allowing more than one role per pattern, I could make this as big as I want. 
Also - if I have the ability to do that, is there a reason for me to use role inference?","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"12df4c83b162db67ce6369992800cf54a8f4bb06","unresolved":false,"context_lines":[{"line_number":90,"context_line":"--------"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"Perform a role check in keystonemiddleware after the token validation"},{"line_number":93,"context_line":"by using a set of rules that map from VERB + URL Patterns to a small"},{"line_number":94,"context_line":"set of roles, and then expanding that to a full set of roles via the"},{"line_number":95,"context_line":"role inference rules."},{"line_number":96,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_f9e1ddd1","line":93,"in_reply_to":"1a6eadb0_629368fb","updated":"2016-12-12 23:09:56.000000000","message":"Yes, but that is not the expected approach. It should be one role per seperatly delgatable operation.  I assume most will be Member, with a handful being more find grained.  \n\nIf the number of roles expands, we can do follow on work to make them more manageable.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"650e721b0a9a0958700c9e5239d4c8b29f28c6cc","unresolved":false,"context_lines":[{"line_number":98,"context_line":"the service specific code. Leave the current oslo-policy based access"},{"line_number":99,"context_line":"checks in place, using the existing policy.json files. 
This leads to a"},{"line_number":100,"context_line":"separation of concerns: Middleware enforces the role check, source"},{"line_number":101,"context_line":"code enforces the scope check."},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"The following changes are required to enable the RBAC check:"},{"line_number":104,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_0d73c5b2","line":101,"updated":"2016-12-12 17:11:19.000000000","message":"What if, in the future, the scope check and the role checks differ? What if the role check fails before the scope check passes?\n\nFrom previous discussions it doesn\u0027t sound like this isn\u0027t possible today, but I want to make sure we don\u0027t prevent ourselves from allowing that type of policy.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"12df4c83b162db67ce6369992800cf54a8f4bb06","unresolved":false,"context_lines":[{"line_number":98,"context_line":"the service specific code. Leave the current oslo-policy based access"},{"line_number":99,"context_line":"checks in place, using the existing policy.json files. This leads to a"},{"line_number":100,"context_line":"separation of concerns: Middleware enforces the role check, source"},{"line_number":101,"context_line":"code enforces the scope check."},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"The following changes are required to enable the RBAC check:"},{"line_number":104,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_190f79e2","line":101,"in_reply_to":"1a6eadb0_0d73c5b2","updated":"2016-12-12 23:09:56.000000000","message":"If the role check fails before the scope check passes, access is denied, and this is correct.  There is nothing to \"differ\" as one is checking that the project matches between token and resource.  
If there is no project, then only the role will be relevant for the API.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fafb7f0cf74406246b1b5adbd199cf63b6aad80a","unresolved":false,"context_lines":[{"line_number":98,"context_line":"the service specific code. Leave the current oslo-policy based access"},{"line_number":99,"context_line":"checks in place, using the existing policy.json files. This leads to a"},{"line_number":100,"context_line":"separation of concerns: Middleware enforces the role check, source"},{"line_number":101,"context_line":"code enforces the scope check."},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"The following changes are required to enable the RBAC check:"},{"line_number":104,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_9406f01e","line":101,"in_reply_to":"1a6eadb0_190f79e2","updated":"2016-12-13 00:03:28.000000000","message":"As a deployer if I come up with a policy that has a complex scope check and a broad role check, am I wrong? Say I want to have specific things considered in a scope check based on various attributes of a resource (even though policy across OpenStack doesn\u0027t really have that today), but my role check only requires admin. How can you ensure my scope check is going to be honored for non-admin users?\n\nI wouldn\u0027t say that specific case is wrong. It would only be wrong because we prevent it from happening by using two separate pieces of software to check policy. 
Just because we can\u0027t accomplish this today doesn\u0027t mean we shouldn\u0027t aim for that type of usability in the future.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"3b656ccc07513b507c479e2611c6b90d2663bde1","unresolved":false,"context_lines":[{"line_number":98,"context_line":"the service specific code. Leave the current oslo-policy based access"},{"line_number":99,"context_line":"checks in place, using the existing policy.json files. This leads to a"},{"line_number":100,"context_line":"separation of concerns: Middleware enforces the role check, source"},{"line_number":101,"context_line":"code enforces the scope check."},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"The following changes are required to enable the RBAC check:"},{"line_number":104,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_953169a5","line":101,"in_reply_to":"1a6eadb0_9406f01e","updated":"2016-12-13 15:10:20.000000000","message":"Deployers should not be changing the scope checks.  They require object specific knowledge.  Keeping deployers out of the policy files is a way to ensure they don\u0027t inadvertantly break their own systems.\n\nYes, a deployer with a dedicated engineering team could make this happen, but it is a high risk operation.  
Splitting RBAC out of policy is designed to clearly delineate what they should and should not be customizing in their deployments.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"650e721b0a9a0958700c9e5239d4c8b29f28c6cc","unresolved":false,"context_lines":[{"line_number":102,"context_line":""},{"line_number":103,"context_line":"The following changes are required to enable the RBAC check:"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"  * Create persisted entiies in Keystone that contain"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"    - the service name"},{"line_number":108,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_6d6279da","line":105,"updated":"2016-12-12 17:11:19.000000000","message":"entities*","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"12df4c83b162db67ce6369992800cf54a8f4bb06","unresolved":false,"context_lines":[{"line_number":102,"context_line":""},{"line_number":103,"context_line":"The following changes are required to enable the RBAC check:"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"  * Create persisted entiies in Keystone that contain"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"    - the service name"},{"line_number":108,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_d92b4132","line":105,"in_reply_to":"1a6eadb0_6d6279da","updated":"2016-12-12 23:09:56.000000000","message":"Done","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"650e721b0a9a0958700c9e5239d4c8b29f28c6cc","unresolved":false,"context_lines":[{"line_number":170,"context_line":"After the token has been validated via a call to Keystone, the"},{"line_number":171,"context_line":"middleware will fetch the RBAC specific data via python-keystoneclient"},{"line_number":172,"context_line":"which calls the API. Due to caching needs, this result will be stored"},{"line_number":173,"context_line":"in cache so that the reposne can also be loaded directly from it\u0027s"},{"line_number":174,"context_line":"JSON representation."},{"line_number":175,"context_line":""},{"line_number":176,"context_line":".. code-block:: bash"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_6dbef900","line":173,"updated":"2016-12-12 17:11:19.000000000","message":"response* its*","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"12df4c83b162db67ce6369992800cf54a8f4bb06","unresolved":false,"context_lines":[{"line_number":170,"context_line":"After the token has been validated via a call to Keystone, the"},{"line_number":171,"context_line":"middleware will fetch the RBAC specific data via python-keystoneclient"},{"line_number":172,"context_line":"which calls the API. Due to caching needs, this result will be stored"},{"line_number":173,"context_line":"in cache so that the reposne can also be loaded directly from it\u0027s"},{"line_number":174,"context_line":"JSON representation."},{"line_number":175,"context_line":""},{"line_number":176,"context_line":".. 
code-block:: bash"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_5920114a","line":173,"in_reply_to":"1a6eadb0_6dbef900","updated":"2016-12-12 23:09:56.000000000","message":"Done","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"01eddcfe57128b0e1bfe9a51e1dbd56a1f843b35","unresolved":false,"context_lines":[{"line_number":196,"context_line":"         },"},{"line_number":197,"context_line":"         {"},{"line_number":198,"context_line":"             verbs\u003d[\"GET\", \"PUT\"],"},{"line_number":199,"context_line":"             pattern\u003d\"/v2.{subversion}/{tenant_id}/servers/{server_id}\""},{"line_number":200,"context_line":"             roles\u003d[\"Member\", \"admin\"],"},{"line_number":201,"context_line":"         }"},{"line_number":202,"context_line":"      ],"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_ceb6193d","line":199,"updated":"2016-12-12 22:35:33.000000000","message":"I not entirely sold on using the URL for the pattern. What if a service has an operation that is available across more than one API? That would require more than one api_role for each api + operation combination. From the perspective of the policy writer, I just want to make sure all list_server calls require the `reader` role. We\u0027re making the policy writer duplicate policy for every operation that happens to be supported across multiple APIs. What happens if they are inconsistent (user-experience will be terrible)? If they are ever out of sync, there would be inconsistent RBAC enforcement based on whatever version of the service API a user accessed. A user would be allowed to do an operation using one version of an API but not on another. 
If we default operations to requiring `Member` we could be exposing privileged operations to people who don\u0027t have the required role if the operator hasn\u0027t updated *all* versions of their api_roles in keystone. On the contrary, if we default to using `admin` for all non-specified operations then we make it impossible for users to do basic things if they just happen to be using a service API that was just released. What happens when a service rolls out a new version of an API? Are developers for that service going to have to script migrations to add api_roles to keystone that deployers are required to run before opening up a new API?\n\nAs a deployer, if I want to change the policy for a specific operation, I\u0027ll have to make sure that I\u0027ve updated *each* api_role for all API versions a service has as well as make changes to my policy.json files. This feels like we\u0027re making it more complicated to modify policy by introducing more things for deployers to admin through an API.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"12df4c83b162db67ce6369992800cf54a8f4bb06","unresolved":false,"context_lines":[{"line_number":196,"context_line":"         },"},{"line_number":197,"context_line":"         {"},{"line_number":198,"context_line":"             verbs\u003d[\"GET\", \"PUT\"],"},{"line_number":199,"context_line":"             pattern\u003d\"/v2.{subversion}/{tenant_id}/servers/{server_id}\""},{"line_number":200,"context_line":"             roles\u003d[\"Member\", \"admin\"],"},{"line_number":201,"context_line":"         }"},{"line_number":202,"context_line":"      ],"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_f98c7d37","line":199,"in_reply_to":"1a6eadb0_ceb6193d","updated":"2016-12-12 23:09:56.000000000","message":"There is no choice, however, for the requirements.  
Today there is no way to tell what role is required for an API.  If we can automate the mapping from Policy rules to APIs on a project-agnostic basis, we could consider that, but today it is not possible. It also implies that all of the services involved are going to be part of the discussion, and third-party apps don\u0027t fall into that group.\n\nIt is entirely possible to have two different APIs which affect the same subsystem.  But, if there is any difference between those APIs, then they would have to have different roles anyway.\n\nThe current setup is making it impossible to do any real RBAC without significant deployer-specific engineering effort.  This design is the result of multiple iterations trying to solve the problems within the constraints.\n\nWe can\u0027t do this within policy.json.  We tried, really really hard.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"f1aa1838d8dab5a2e725df503b36ad5c3dab0443","unresolved":false,"context_lines":[{"line_number":196,"context_line":"         },"},{"line_number":197,"context_line":"         {"},{"line_number":198,"context_line":"             verbs\u003d[\"GET\", \"PUT\"],"},{"line_number":199,"context_line":"             pattern\u003d\"/v2.{subversion}/{tenant_id}/servers/{server_id}\""},{"line_number":200,"context_line":"             roles\u003d[\"Member\", \"admin\"],"},{"line_number":201,"context_line":"         }"},{"line_number":202,"context_line":"      ],"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_bfa7454e","line":199,"in_reply_to":"1a6eadb0_f98c7d37","updated":"2016-12-13 00:28:53.000000000","message":"What do you mean \u0027there is no way to tell what role is required for an API\u0027? If you say operation, which is what people understand, then it shouldn\u0027t be that hard. 
I agree we can\u0027t do it now, but I can\u0027t see why that\u0027s hard. It\u0027s just parsing the policy file a little bit...doesn\u0027t horizon do something like this already?","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"650e721b0a9a0958700c9e5239d4c8b29f28c6cc","unresolved":false,"context_lines":[{"line_number":238,"context_line":"fails. The failure path will be similar to a failed token validation."},{"line_number":239,"context_line":""},{"line_number":240,"context_line":"After the token and RBAC validation is completed successfuly, there is"},{"line_number":241,"context_line":"no change to existing processing. There is not change to the set of"},{"line_number":242,"context_line":"additional headers that middleware adds to the context. The WSGI"},{"line_number":243,"context_line":"middleware pipeline continues, eventually calling into the Nova server"},{"line_number":244,"context_line":"specific code. Inside this code, Nova will call the oslo-policy"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_6dc43940","line":241,"updated":"2016-12-12 17:11:19.000000000","message":"no*","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"12df4c83b162db67ce6369992800cf54a8f4bb06","unresolved":false,"context_lines":[{"line_number":238,"context_line":"fails. The failure path will be similar to a failed token validation."},{"line_number":239,"context_line":""},{"line_number":240,"context_line":"After the token and RBAC validation is completed successfuly, there is"},{"line_number":241,"context_line":"no change to existing processing. There is not change to the set of"},{"line_number":242,"context_line":"additional headers that middleware adds to the context. 
The WSGI"},{"line_number":243,"context_line":"middleware pipeline continues, eventually calling into the Nova server"},{"line_number":244,"context_line":"specific code. Inside this code, Nova will call the oslo-policy"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_79794d2f","line":241,"in_reply_to":"1a6eadb0_6dc43940","updated":"2016-12-12 23:09:56.000000000","message":"Done","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"650e721b0a9a0958700c9e5239d4c8b29f28c6cc","unresolved":false,"context_lines":[{"line_number":250,"context_line":"The new entity stored in the database would have the following layout."},{"line_number":251,"context_line":""},{"line_number":252,"context_line":"api"},{"line_number":253,"context_line":"~~~"},{"line_number":254,"context_line":"ID: Autogenerated UUID"},{"line_number":255,"context_line":"Service: Indexable String, matches the values from the service catalog"},{"line_number":256,"context_line":"Pattern: Long String (\u003e255 chars) that contains the patterns."}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_8d7435fe","line":253,"updated":"2016-12-12 17:11:19.000000000","message":"Why do you need `api` and `api_role`?","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"12df4c83b162db67ce6369992800cf54a8f4bb06","unresolved":false,"context_lines":[{"line_number":250,"context_line":"The new entity stored in the database would have the following layout."},{"line_number":251,"context_line":""},{"line_number":252,"context_line":"api"},{"line_number":253,"context_line":"~~~"},{"line_number":254,"context_line":"ID: Autogenerated UUID"},{"line_number":255,"context_line":"Service: Indexable String, matches the values from the service 
catalog"},{"line_number":256,"context_line":"Pattern: Long String (\u003e255 chars) that contains the patterns."}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_d98ee126","line":253,"in_reply_to":"1a6eadb0_8d7435fe","updated":"2016-12-12 23:09:56.000000000","message":"because Matt E is insisting that we need to be able to directly assign multiple roles to a single URL pattern. It was that way in the original design, but I cut it down to exactly one.  We can do it with exactly one, but he feels it will be too hard to maintain.\n\nCompromise.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"650e721b0a9a0958700c9e5239d4c8b29f28c6cc","unresolved":false,"context_lines":[{"line_number":289,"context_line":"    { \"service\": \"identity\", \"pattern\": \"/v3\", \"verb\": \"GET\" role: None}"},{"line_number":290,"context_line":""},{"line_number":291,"context_line":""},{"line_number":292,"context_line":"A global catch all rule can bedefined for requests for services that"},{"line_number":293,"context_line":"have not been yet defined."},{"line_number":294,"context_line":""},{"line_number":295,"context_line":".. 
code-block:: json"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_6de519a7","line":292,"updated":"2016-12-12 17:11:19.000000000","message":"be defined*","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"12df4c83b162db67ce6369992800cf54a8f4bb06","unresolved":false,"context_lines":[{"line_number":289,"context_line":"    { \"service\": \"identity\", \"pattern\": \"/v3\", \"verb\": \"GET\" role: None}"},{"line_number":290,"context_line":""},{"line_number":291,"context_line":""},{"line_number":292,"context_line":"A global catch all rule can bedefined for requests for services that"},{"line_number":293,"context_line":"have not been yet defined."},{"line_number":294,"context_line":""},{"line_number":295,"context_line":".. code-block:: json"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_1999396f","line":292,"in_reply_to":"1a6eadb0_6de519a7","updated":"2016-12-12 23:09:56.000000000","message":"Done","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"650e721b0a9a0958700c9e5239d4c8b29f28c6cc","unresolved":false,"context_lines":[{"line_number":403,"context_line":""},{"line_number":404,"context_line":"The main reason for not pursuing this approach is that it is very hard"},{"line_number":405,"context_line":"to abstract it while continuing to provide the full set of data"},{"line_number":406,"context_line":"required. For example, project Moon (see references) was able to make"},{"line_number":407,"context_line":"a check work based on the URL only, it did not actually have the"},{"line_number":408,"context_line":"Server data from the database at middleware time. 
Also, the amount of"},{"line_number":409,"context_line":"administration, especially the definition of attributes, meant that"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_cd354df8","line":406,"updated":"2016-12-12 17:11:19.000000000","message":"Just make Moon a link.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"12df4c83b162db67ce6369992800cf54a8f4bb06","unresolved":false,"context_lines":[{"line_number":403,"context_line":""},{"line_number":404,"context_line":"The main reason for not pursuing this approach is that it is very hard"},{"line_number":405,"context_line":"to abstract it while continuing to provide the full set of data"},{"line_number":406,"context_line":"required. For example, project Moon (see references) was able to make"},{"line_number":407,"context_line":"a check work based on the URL only, it did not actually have the"},{"line_number":408,"context_line":"Server data from the database at middleware time. 
Also, the amount of"},{"line_number":409,"context_line":"administration, especially the definition of attributes, meant that"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_399ef556","line":406,"in_reply_to":"1a6eadb0_cd354df8","updated":"2016-12-12 23:09:56.000000000","message":"Removed.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"650e721b0a9a0958700c9e5239d4c8b29f28c6cc","unresolved":false,"context_lines":[{"line_number":495,"context_line":"      \u0027role\u0027: \u0027r7\u0027,"},{"line_number":496,"context_line":"      },"},{"line_number":497,"context_line":""},{"line_number":498,"context_line":"The implementation implementation will have an api_role response that"},{"line_number":499,"context_line":"looks like this:"},{"line_number":500,"context_line":""},{"line_number":501,"context_line":".. code-block:: json"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_e8591790","line":498,"updated":"2016-12-12 17:11:19.000000000","message":"remove one of the implementations.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"12df4c83b162db67ce6369992800cf54a8f4bb06","unresolved":false,"context_lines":[{"line_number":495,"context_line":"      \u0027role\u0027: \u0027r7\u0027,"},{"line_number":496,"context_line":"      },"},{"line_number":497,"context_line":""},{"line_number":498,"context_line":"The implementation implementation will have an api_role response that"},{"line_number":499,"context_line":"looks like this:"},{"line_number":500,"context_line":""},{"line_number":501,"context_line":".. 
code-block:: json"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_b91a056d","line":498,"in_reply_to":"1a6eadb0_e8591790","updated":"2016-12-12 23:09:56.000000000","message":"Done","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"650e721b0a9a0958700c9e5239d4c8b29f28c6cc","unresolved":false,"context_lines":[{"line_number":551,"context_line":"the patch verb to upload modified URL-Pattern to role mappings for a"},{"line_number":552,"context_line":"subset of the URLs."},{"line_number":553,"context_line":""},{"line_number":554,"context_line":"While the API allow assigning multiple roles per API, the preferred"},{"line_number":555,"context_line":"mechanism for managing what the required roles for an operation is to"},{"line_number":556,"context_line":"define `implied-roles` that map from Admin or Member to an operation"},{"line_number":557,"context_line":"specific role. 
These changes can be made without modifying individual"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_2896af94","line":554,"updated":"2016-12-12 17:11:19.000000000","message":"allows*","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"12df4c83b162db67ce6369992800cf54a8f4bb06","unresolved":false,"context_lines":[{"line_number":551,"context_line":"the patch verb to upload modified URL-Pattern to role mappings for a"},{"line_number":552,"context_line":"subset of the URLs."},{"line_number":553,"context_line":""},{"line_number":554,"context_line":"While the API allow assigning multiple roles per API, the preferred"},{"line_number":555,"context_line":"mechanism for managing what the required roles for an operation is to"},{"line_number":556,"context_line":"define `implied-roles` that map from Admin or Member to an operation"},{"line_number":557,"context_line":"specific role. These changes can be made without modifying individual"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_593ad1ce","line":554,"in_reply_to":"1a6eadb0_2896af94","updated":"2016-12-12 23:09:56.000000000","message":"Done","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"650e721b0a9a0958700c9e5239d4c8b29f28c6cc","unresolved":false,"context_lines":[{"line_number":558,"context_line":"role assignments."},{"line_number":559,"context_line":""},{"line_number":560,"context_line":"As an example, assume a site wants to implement a specific role for"},{"line_number":561,"context_line":"reading only operations, and to start, wants to implement it for the"},{"line_number":562,"context_line":"glance image GET operation. 
Assuming they started with the rule"},{"line_number":563,"context_line":"above for the `image` service and `pattern` of"},{"line_number":564,"context_line":"`/v2/images/{image_id}`, which is initialized to the member role the"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_6890a796","line":561,"updated":"2016-12-12 17:11:19.000000000","message":"read-only*","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"12df4c83b162db67ce6369992800cf54a8f4bb06","unresolved":false,"context_lines":[{"line_number":558,"context_line":"role assignments."},{"line_number":559,"context_line":""},{"line_number":560,"context_line":"As an example, assume a site wants to implement a specific role for"},{"line_number":561,"context_line":"reading only operations, and to start, wants to implement it for the"},{"line_number":562,"context_line":"glance image GET operation. 
Assuming they started with the rule"},{"line_number":563,"context_line":"above for the `image` service and `pattern` of"},{"line_number":564,"context_line":"`/v2/images/{image_id}`, which is initialized to the member role the"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_19577903","line":561,"in_reply_to":"1a6eadb0_6890a796","updated":"2016-12-12 23:09:56.000000000","message":"Done","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"650e721b0a9a0958700c9e5239d4c8b29f28c6cc","unresolved":false,"context_lines":[{"line_number":584,"context_line":"      \u0027verbs\u0027: [\u0027get\u0027],"},{"line_number":585,"context_line":"      \u0027role\u0027: \u0027reader\u0027"},{"line_number":586,"context_line":"      },"},{"line_number":587,"context_line":"  }"},{"line_number":588,"context_line":""},{"line_number":589,"context_line":""},{"line_number":590,"context_line":"Developer Impact"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_28e78f13","line":587,"updated":"2016-12-12 17:11:19.000000000","message":"What about the policy.json file? This should also require an update to the policy file to require \u0027reader\u0027 instead of \u0027member\u0027 in the policy.json file for glance. Otherwise the two mechanisms are out of sync and confusing to understand, even though one is handling the role check and the other is handling the scope check. 
We need to be extremely clear about which one handles each, otherwise it\u0027s just going to be a terrible deployer experience, especially if they think it\u0027s already hard to modify policy.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"12df4c83b162db67ce6369992800cf54a8f4bb06","unresolved":false,"context_lines":[{"line_number":584,"context_line":"      \u0027verbs\u0027: [\u0027get\u0027],"},{"line_number":585,"context_line":"      \u0027role\u0027: \u0027reader\u0027"},{"line_number":586,"context_line":"      },"},{"line_number":587,"context_line":"  }"},{"line_number":588,"context_line":""},{"line_number":589,"context_line":""},{"line_number":590,"context_line":"Developer Impact"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_9962a9d7","line":587,"in_reply_to":"1a6eadb0_28e78f13","updated":"2016-12-12 23:09:56.000000000","message":"There should be no role check inside the policy files.  The Glance policy file only checks that the project matches.  
That is the way it works today, and they will not be out of step.","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"f1aa1838d8dab5a2e725df503b36ad5c3dab0443","unresolved":false,"context_lines":[{"line_number":584,"context_line":"      \u0027verbs\u0027: [\u0027get\u0027],"},{"line_number":585,"context_line":"      \u0027role\u0027: \u0027reader\u0027"},{"line_number":586,"context_line":"      },"},{"line_number":587,"context_line":"  }"},{"line_number":588,"context_line":""},{"line_number":589,"context_line":""},{"line_number":590,"context_line":"Developer Impact"}],"source_content_type":"text/x-rst","patch_set":20,"id":"1a6eadb0_1f3bd9ec","line":587,"in_reply_to":"1a6eadb0_9962a9d7","updated":"2016-12-13 00:28:53.000000000","message":"How do you create a rule like \u0027role:admin in domain or (role:Member and resource owner)\u0027 (I purposely made the rule a little more English-like) in this new world?","commit_id":"92533be8072af57a09c7b8515b20c021b6ac9b95"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"058e0db48431d4051eef9d8fda01fc9849cd49c3","unresolved":false,"context_lines":[{"line_number":46,"context_line":"and even discouraged in the official documentation."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"There are numerous challenges to updating the current policy"},{"line_number":49,"context_line":"files. Changing policy now requires redeploying configuration files"},{"line_number":50,"context_line":"for each node in the service. Applying changes to a role requires"},{"line_number":51,"context_line":"coordination between keystone and the service configuration. 
Certain"},{"line_number":52,"context_line":"operations require other operations in order to be successful, so if"},{"line_number":53,"context_line":"the policy fails on a downstream operation the whole operation"}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_c80afa78","line":50,"range":{"start_line":49,"start_character":7,"end_line":50,"end_character":29},"updated":"2017-01-05 12:30:11.000000000","message":"To be clear, that is done with configuration files, it\u0027s really not a big problem. As a deployer, it\u0027s my preference to not rely on a remote data store for configuration. Certainly not one that isn\u0027t included in my existing change management systems.","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"058e0db48431d4051eef9d8fda01fc9849cd49c3","unresolved":false,"context_lines":[{"line_number":53,"context_line":"the policy fails on a downstream operation the whole operation"},{"line_number":54,"context_line":"fails. This is too high a risk for most deployment."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"Implementing a dynamic RBAC policy mechanism inside OpenStack has to"},{"line_number":57,"context_line":"work within the restrictions of a distributed development model. Any"},{"line_number":58,"context_line":"approach which requires changes to every project has little to no"},{"line_number":59,"context_line":"chance of succeeding. Thus, RBAC enforcement needs to be encapsulated"}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_28546651","line":56,"range":{"start_line":56,"start_character":15,"end_line":56,"end_character":22},"updated":"2017-01-05 12:30:11.000000000","message":"What is the need for dynamic RBAC? 
Surely all changes would need to be fully tested before applied to production anyway?","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"058e0db48431d4051eef9d8fda01fc9849cd49c3","unresolved":false,"context_lines":[{"line_number":82,"context_line":"  * The requested URL, to include the understanding of which service"},{"line_number":83,"context_line":"    or endpoint the URL implements."},{"line_number":84,"context_line":"  * The Data returned from the Token"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Proposed Change"},{"line_number":87,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":88,"context_line":""}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_0805e244","line":85,"updated":"2017-01-05 12:30:11.000000000","message":"As a deployer I don\u0027t see any problems that resonate with me, apart from policy is hard to modify.\n\nProblems I have faced (and others based on the previous operator sessions, etc) are:\n* what are changes in policy defaults for this release?\n* what changes do I need to make to my existing overrides?\n* are there new policy rules or new APIs I should worry about now?\n* how can I check if I got the policy correct for a specific set of users?\n\nNova is moving towards fixing those by (I admit this runs the risk of incrementalism):\n* Move defaults into the code, like with configuration\n* Deployer only needs to specify over-rides, by default there doesn\u0027t have to be any policy file in place\n* On upgrade it\u0027s now clear what the deployer has changed previously, and by default all new policy rules just run with their defaults\n* nova-policy CLI tool to help test if you have setup your policy rules correctly, by doing dry run checks\n\nNow there is much more work to do on this 
particular journey:\n* add more richness into the default policy (more clearly scoped users, read-only users, support users, non-destructive actions users)\n* better support for hierarchical projects (largely a quota effort, but it helps stop many policy hacks done today)\n* once we have hierarchical projects, we can hard code the scope in the code (project vs user, \"admin/global_scope\" override), and remove the current confusing no op default policy rules.\n* better docs so its clear what the policy rules affect\n* ability to rename / alias policy rules so we can meet our upgrade promises, similar to what is done with configuration\n* evolve the existing rules into ones that more closely matches how deployers think about the API and its policy, without breaking existing policy modification folks\n* add more hierarchy, so its easy to just disable resize or disable live-migration, you disable all the related API operations in one rule.\n\nI will keep reading though, maybe this fixes my problems too...","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"297d5745866a210feef6c1fd3a4c242a5d16a528","unresolved":false,"context_lines":[{"line_number":102,"context_line":""},{"line_number":103,"context_line":"The following changes are required to enable the RBAC check:"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"  * Create persisted entities in Keystone that contain"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"    - the service name"},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"    - the HTTP Verb of the Request"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"    - the URL pattern"},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"    - a minimum of a single required 
role"},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"  * Create an API for upload and modification of these entities, to"},{"line_number":116,"context_line":"    include bulk upload per service."}],"source_content_type":"text/x-rst","patch_set":21,"id":"da4df55a_d5670ce7","line":113,"range":{"start_line":105,"start_character":0,"end_line":113,"end_character":41},"updated":"2016-12-26 12:07:21.000000000","message":"I much prefer this idea for very consistent REST APIs.\nHowever it is difficult to apply this way for Nova API because Nova API itself is not consistent at all.\n\nThere are 2 problems here against Nova API.\nNova API has action APIs which are different by different request body on the same URL and the same HTTP method(POST, PUT).\nFor example, there are normal-user APIs and administrative APIs on /servers/{server_id}/action with POST method like\n\n non-admin: Reboot a server\n admin: Migrate a server\n\nhttp://developer.openstack.org/api-ref/compute/?expanded\u003devacuate-server-evacuate-action-detail\n\nAnd we need to define different policies on the above APIs.\nCurrent this spec cannot cover this case.","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"7141458be5ff653c674a2dd0098759c5ce402172","unresolved":false,"context_lines":[{"line_number":110,"context_line":""},{"line_number":111,"context_line":"    - the URL pattern"},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"    - a minimum of a single required role"},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"  * Create an API for upload and modification of these entities, to"},{"line_number":116,"context_line":"    include bulk upload per 
service."}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_c329468b","line":113,"in_reply_to":"ba5201f7_5e10d2a8","updated":"2017-01-03 19:28:13.000000000","message":"Thanks for your response, Lance :)\n\n \u003e Does nova use different operation names in policy for these actions? \n\nYes, right. Nova uses different operation names in policy on the same URL/method like\n\nmigrate/migrate_live action policies (admin action):\n\nhttps://github.com/openstack/nova/blob/master/nova/policies/migrate_server.py#L24\n\n migrate_server_policies \u003d [\n     policy.RuleDefault(\n         name\u003dPOLICY_ROOT % \u0027migrate\u0027,\n         check_str\u003dbase.RULE_ADMIN_API),\n     policy.RuleDefault(\n         name\u003dPOLICY_ROOT % \u0027discoverable\u0027,\n         check_str\u003dbase.RULE_ANY),\n     policy.RuleDefault(\n         name\u003dPOLICY_ROOT % \u0027migrate_live\u0027,\n         check_str\u003dbase.RULE_ADMIN_API),\n ]\n\nreboot action policy (admin_or_owner action):\n\nhttps://github.com/openstack/nova/blob/master/nova/policies/servers.py#L40\n\n policy.RuleDefault(SERVERS % \u0027reboot\u0027, RULE_AOO),\n\nBasically I prefer this spec direction. That would be useful for consistent REST API services. I think this mismatch is due to Nova API design, Nova\u0027s action APIs are always problematic. And I think the microversion also makes this spec application difficult because we can set different policy on the same URL, method and request body.\nAPI behaviors can be switched with different microversions.\n\n \u003e  Would you be interested in swinging by our weekly policy meeting to discuss?\n\nYeah, I can join if I could be available on the time for the meeting. 
When is the meeting?","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"058e0db48431d4051eef9d8fda01fc9849cd49c3","unresolved":false,"context_lines":[{"line_number":110,"context_line":""},{"line_number":111,"context_line":"    - the URL pattern"},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"    - a minimum of a single required role"},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"  * Create an API for upload and modification of these entities, to"},{"line_number":116,"context_line":"    include bulk upload per service."}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_034223ae","line":113,"in_reply_to":"ba5201f7_c329468b","updated":"2017-01-05 12:30:11.000000000","message":"Yeah, in Nova, the post payload helps pick the policy right now. You could consider it as a query string parameter, but the information only lives in the body of the request. Its different for different URL end points.\n\nAlso, yes, a microversion can enable, remove and change what that URL does, and what policy you might want for it. Now thats more in theory than in practice, but its certainly possible. 
I don\u0027t see that happening in the current list for Nova: http://docs.openstack.org/developer/nova/api_microversion_history.html","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"63858b7cae452af73e00409ba4a07a74f89aede7","unresolved":false,"context_lines":[{"line_number":110,"context_line":""},{"line_number":111,"context_line":"    - the URL pattern"},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"    - a minimum of a single required role"},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"  * Create an API for upload and modification of these entities, to"},{"line_number":116,"context_line":"    include bulk upload per service."}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_5e10d2a8","line":113,"in_reply_to":"da4df55a_d5670ce7","updated":"2017-01-03 16:39:22.000000000","message":"Does nova use different operation names in policy for these actions? 
Would you be interested in swinging by our weekly policy meeting to discuss?\n\nThanks for weighing in, Ken\u0027ichi!","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"058e0db48431d4051eef9d8fda01fc9849cd49c3","unresolved":false,"context_lines":[{"line_number":113,"context_line":"    - a minimum of a single required role"},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"  * Create an API for upload and modification of these entities, to"},{"line_number":116,"context_line":"    include bulk upload per service."},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"  * Deduce the values from the Documented APIs to Create instances via"},{"line_number":119,"context_line":"    the above APIs."}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_6345afb1","line":116,"updated":"2017-01-05 12:30:11.000000000","message":"What happens by default, if the deployer doesn\u0027t set any rules?\n\nHow can I tell what is the default vs what the operators has set?\n\nHow does this work across upgrade as things change slightly? 
As an operator do I need to keep updating rules.","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"058e0db48431d4051eef9d8fda01fc9849cd49c3","unresolved":false,"context_lines":[{"line_number":115,"context_line":"  * Create an API for upload and modification of these entities, to"},{"line_number":116,"context_line":"    include bulk upload per service."},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"  * Deduce the values from the Documented APIs to Create instances via"},{"line_number":119,"context_line":"    the above APIs."},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"  * Perform a Role check in keystonemiddleware after the token validation"}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_a38077c1","line":118,"range":{"start_line":118,"start_character":4,"end_line":118,"end_character":21},"updated":"2017-01-05 12:30:11.000000000","message":"Sorry, not sure what this means? 
Who is deducing the values?","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"058e0db48431d4051eef9d8fda01fc9849cd49c3","unresolved":false,"context_lines":[{"line_number":187,"context_line":"         {"},{"line_number":188,"context_line":"            verbs\u003d[\"POST\"],"},{"line_number":189,"context_line":"            pattern\u003d\"/servers/{server_id}/action\","},{"line_number":190,"context_line":"            roles\u003d[\"Member\", \"admin\"],"},{"line_number":191,"context_line":"         },"},{"line_number":192,"context_line":"         {"},{"line_number":193,"context_line":"             verbs\u003d[\"POST\"],"}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_be6c0cd1","line":190,"range":{"start_line":190,"start_character":18,"end_line":190,"end_character":37},"updated":"2017-01-05 12:30:11.000000000","message":"I assume this is an OR? how do you do AND? 
I guess you just have to create a new role?","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"058e0db48431d4051eef9d8fda01fc9849cd49c3","unresolved":false,"context_lines":[{"line_number":196,"context_line":"         },"},{"line_number":197,"context_line":"         {"},{"line_number":198,"context_line":"             verbs\u003d[\"GET\", \"PUT\"],"},{"line_number":199,"context_line":"             pattern\u003d\"/v2.{subversion}/{tenant_id}/servers/{server_id}\""},{"line_number":200,"context_line":"             roles\u003d[\"Member\", \"admin\"],"},{"line_number":201,"context_line":"         }"},{"line_number":202,"context_line":"      ],"}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_5e47a04a","line":199,"range":{"start_line":199,"start_character":21,"end_line":199,"end_character":38},"updated":"2017-01-05 12:30:11.000000000","message":"I am confused. we have /versions and /v2.0 and /v2.1 at the top level. 
Anyways, this is just an example, its just confusing me.","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"058e0db48431d4051eef9d8fda01fc9849cd49c3","unresolved":false,"context_lines":[{"line_number":196,"context_line":"         },"},{"line_number":197,"context_line":"         {"},{"line_number":198,"context_line":"             verbs\u003d[\"GET\", \"PUT\"],"},{"line_number":199,"context_line":"             pattern\u003d\"/v2.{subversion}/{tenant_id}/servers/{server_id}\""},{"line_number":200,"context_line":"             roles\u003d[\"Member\", \"admin\"],"},{"line_number":201,"context_line":"         }"},{"line_number":202,"context_line":"      ],"}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_1e96f892","line":199,"range":{"start_line":199,"start_character":39,"end_line":199,"end_character":50},"updated":"2017-01-05 12:30:11.000000000","message":"The tenant is now optional in the URL, not sure how that gets represented here. I guess you just have both mappings?","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"058e0db48431d4051eef9d8fda01fc9849cd49c3","unresolved":false,"context_lines":[{"line_number":222,"context_line":"Hostname and port. The remainder of the URL may start"},{"line_number":223,"context_line":"with the version information in the pattern /v[0-9.]*/."},{"line_number":224,"context_line":"In our example, this leaves: `/v2.1/2497f6/servers/83cbdc`."},{"line_number":225,"context_line":"The pattern matching will be run against this sub-url."},{"line_number":226,"context_line":""},{"line_number":227,"context_line":"keystonemiddleware will iterate through the set of api_roles,"},{"line_number":228,"context_line":"attempting a match against each one. 
The URL remainder above will"}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_1eafd8e2","line":225,"updated":"2017-01-05 12:30:11.000000000","message":"There is a /versions endpoint, but that is not protected by the middleware I guess, so I suppose it\u0027s not relevant here.","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"058e0db48431d4051eef9d8fda01fc9849cd49c3","unresolved":false,"context_lines":[{"line_number":243,"context_line":"middleware pipeline continues, eventually calling into the Nova server"},{"line_number":244,"context_line":"specific code. Inside this code, Nova will call the oslo-policy"},{"line_number":245,"context_line":"library to enforce policy as specified by either the Nova annotations"},{"line_number":246,"context_line":"or the overloads provided in the policy.json or policy.yaml files."},{"line_number":247,"context_line":""},{"line_number":248,"context_line":"Object Schema"},{"line_number":249,"context_line":"--------------"}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_fe74d468","line":246,"updated":"2017-01-05 12:30:11.000000000","message":"This seems a little complicated. 
The dynamic policy can only be more restrictive than the policy.json/yaml files contain.\n\nSo you will have to loosen things in the policy file, if you want to be more flexible after that.","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"058e0db48431d4051eef9d8fda01fc9849cd49c3","unresolved":false,"context_lines":[{"line_number":390,"context_line":"For a Web UI like Horizon, this method could be used to customize the"},{"line_number":391,"context_line":"User interface, to determine if a class of resources should be shown,"},{"line_number":392,"context_line":"and whether or not they are editable, based on the roles of the user"},{"line_number":393,"context_line":"and the APIs needed to populate that page."},{"line_number":394,"context_line":""},{"line_number":395,"context_line":""},{"line_number":396,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_fee934e7","line":393,"updated":"2017-01-05 12:30:11.000000000","message":"Except that doesn\u0027t take into account if the system is able to do that operation at all (i.e. 
it uses a driver that supports the requested operation), and it doesn\u0027t take into account the information in policy.json?","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"0da85fe5d8db3efc3abb09e873ffc002e7fa987d","unresolved":false,"context_lines":[{"line_number":390,"context_line":"For a Web UI like Horizon, this method could be used to customize the"},{"line_number":391,"context_line":"User interface, to determine if a class of resources should be shown,"},{"line_number":392,"context_line":"and whether or not they are editable, based on the roles of the user"},{"line_number":393,"context_line":"and the APIs needed to populate that page."},{"line_number":394,"context_line":""},{"line_number":395,"context_line":""},{"line_number":396,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_f985c4ce","line":393,"in_reply_to":"ba5201f7_fee934e7","updated":"2017-01-05 16:58:13.000000000","message":"I would expect a UI to ask a capabilities API for this kind of information. I would also expect a capabilities API to have some correlation with RBAC to answer the \"does this user have the right permissions to do this thing?\" question. 
RBAC is only part of the answer in this case.\n\nIf a user has the right permissions to do live migrations, but is operating within an Ironic context/environment, showing those options through the interface doesn\u0027t really help us (since live migrations in bare metal deployments doesn\u0027t really make sense).","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"058e0db48431d4051eef9d8fda01fc9849cd49c3","unresolved":false,"context_lines":[{"line_number":414,"context_line":"resources of the same type withing a project have the same access"},{"line_number":415,"context_line":"control.\" Several projects, most notably around credentials in"},{"line_number":416,"context_line":"Barbican and Keystone, have attempted to enforce more fine grained"},{"line_number":417,"context_line":"policy than the current approach, specifically, based on the user that"},{"line_number":418,"context_line":"created the object. However this has been shown to be problematic at"},{"line_number":419,"context_line":"cloud scale. Any delegations created that attempt to use those"},{"line_number":420,"context_line":"objects must now use impersonation, which is dangerous. 
To clean up"},{"line_number":421,"context_line":"these resources, should that user not be present is to escalate it to"}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_de38f03f","line":418,"range":{"start_line":417,"start_character":48,"end_line":418,"end_character":18},"updated":"2017-01-05 12:30:11.000000000","message":"Nova\u0027s keypairs are owned by the user and not the project also.\n\nThere are admin APIs to do clean up, as you mention.","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"058e0db48431d4051eef9d8fda01fc9849cd49c3","unresolved":false,"context_lines":[{"line_number":425,"context_line":"such an approach, it just takes a more pragmatic and scalable approach"},{"line_number":426,"context_line":"first. This approach better matches the OpenStack design."},{"line_number":427,"context_line":""},{"line_number":428,"context_line":"Other specs that have addressed this are listed in references."},{"line_number":429,"context_line":""},{"line_number":430,"context_line":""},{"line_number":431,"context_line":""}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_e885fe06","line":428,"updated":"2017-01-05 12:30:11.000000000","message":"In terms of \"policy\" discovery, Nova and Cinder are currently pushing towards this quite different capability based approach:\nhttps://review.openstack.org/#/c/386555\n\nOur API users really want to know if they can do operation X within the scope of Y. 
The above API WG spec is a proposal to go that direction.","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"058e0db48431d4051eef9d8fda01fc9849cd49c3","unresolved":false,"context_lines":[{"line_number":456,"context_line":""},{"line_number":457,"context_line":"Since the Nova policy file only checks that the project ID matches, and"},{"line_number":458,"context_line":"does not do any explicit role check, the nova policy file would remain"},{"line_number":459,"context_line":"unchanged."},{"line_number":460,"context_line":""},{"line_number":461,"context_line":""},{"line_number":462,"context_line":"Notifications Impact"}],"source_content_type":"text/x-rst","patch_set":21,"id":"ba5201f7_3eac9c8b","line":459,"updated":"2017-01-05 12:30:11.000000000","message":"The project id check is actually a no op, but thats really not clear until you read a lot of the code around all that.\n\nThe check is hardcoded in the DB layer. 
Yes, yuck.\n\nLot of legacy to clear up here.","commit_id":"79f3b56ffac5957b0223ef789aa9b096b88ee727"}],"specs/keystone/ongoing/role-check-fromp-middleware.rst":[{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"911bb570b25eb36adc7f669d9f9fac66a07e49ad","unresolved":false,"context_lines":[{"line_number":26,"context_line":""},{"line_number":27,"context_line":""},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Problem Description"},{"line_number":30,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"The authorization data associated with Keystone tokens contains a set"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_3cc88374","line":29,"updated":"2016-11-30 15:04:42.000000000","message":"Could we create a simple usecase showing the role check and policy check that could happen on a request? 
I\u0027m having trouble coming up with good examples on my own.","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"4534e29078702ee365e1591ded0cadab77ab0a8a","unresolved":false,"context_lines":[{"line_number":26,"context_line":""},{"line_number":27,"context_line":""},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Problem Description"},{"line_number":30,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"The authorization data associated with Keystone tokens contains a set"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_13cbb573","line":29,"in_reply_to":"5a74a57a_13ac95ec","updated":"2016-11-30 15:31:25.000000000","message":"I forgot to say how I wanted to protect it.... I was admin to be able to get any credential (ignore security implications here) and users to be able to get their own. 
Like our \u0027admin_or_owner\u0027 rule.","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":26,"context_line":""},{"line_number":27,"context_line":""},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Problem Description"},{"line_number":30,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"The authorization data associated with Keystone tokens contains a set"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_d0767d3d","line":29,"in_reply_to":"5a74a57a_13cbb573","updated":"2021-09-24 20:29:41.000000000","message":"The rules for Credentials would be:\n\n{ verbs\u003d[\"POST\"], url_pattern\u003d\"/v2.0/users/{userId}/OS-KSADM/credentials\" role\u003d\"Member\" },\n{ verbs\u003d[\"GET\",\"DELETE\", \"POST\"], url_pattern\u003d\"/v2.0/users/{userId}/OS-KSADM/credentials\" role\u003d\"Member\" },\n{ verbs\u003d[\"GET\"], url_pattern\u003d\"/v2.0/users/{userId}/OS-KSADM/credentials/OS-KSEC2:ec2Credentials\" role\u003d\"Member\" },\n{ verbs\u003d[\"GET\"], url_pattern\u003d\"/v2.0/users/{userId}/OS-KSADM/credentials/OS-KSEC2:ec2Credentials/{type}\" role\u003d\"Member\" },\n\n\nNone of them would be limited to admin.  However, these currently have User_id based policy rules, and would match the userID in the existing policy.json files.  These are bad examples, as they are one of the few resources owned by an actual user.  Keystone and Barbican have a few of those.  
This RBAC will not change or help those cases.\n\nThe use case below is for a Nova operation, and is more like what we expect to support.","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"8e681386c62ec6e9a71a864165351c6e1d4ea424","unresolved":false,"context_lines":[{"line_number":26,"context_line":""},{"line_number":27,"context_line":""},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Problem Description"},{"line_number":30,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"The authorization data associated with Keystone tokens contains a set"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_13ac95ec","line":29,"in_reply_to":"5a74a57a_3cc88374","updated":"2016-11-30 15:26:17.000000000","message":"Let\u0027s say, for example, that we want to protect \u0027identity:get_credential\u0027 in keystone using this new model. (I don\u0027t know the URL offhand) What is in the new keystone api vs. 
the service policy file?","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"2b7bf96a301ca086769c4e5436b4f9546b5cc4f6","unresolved":false,"context_lines":[{"line_number":102,"context_line":""},{"line_number":103,"context_line":"    - the original requested URL"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"  * Create an entity in the resource backend for URL Patterns that"},{"line_number":106,"context_line":"    contain"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"    - the service name"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_3b932dfc","line":105,"updated":"2016-11-30 14:40:16.000000000","message":"How do these get updated? For example, when nova is upgraded will it also have to have an update-keystone script? What happens to customizations and will it be easy to discover new things before deploying?","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":102,"context_line":""},{"line_number":103,"context_line":"    - the original requested URL"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"  * Create an entity in the resource backend for URL Patterns that"},{"line_number":106,"context_line":"    contain"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"    - the service name"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_70b3e9e9","line":105,"in_reply_to":"5a74a57a_3b932dfc","updated":"2021-09-24 20:29:41.000000000","message":"Yes.  I think the work flow would be:\n\n1.  Dump the existing rules\n2.  Upload the new rules from the update\n3.  
Patch the old rules over the new rules to get the old  behavior.\n\nPerhaps we need a flag to say whether a particular rule has been customized or not, and to ignore overwrites if it has been?","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"2b7bf96a301ca086769c4e5436b4f9546b5cc4f6","unresolved":false,"context_lines":[{"line_number":134,"context_line":""},{"line_number":135,"context_line":"   curl -H \"X-Auth-Token: adb5c708a55f\"  \\"},{"line_number":136,"context_line":"     -H \"Content-type: application/json\" \\"},{"line_number":137,"context_line":"     PUT https://nova1:8774:/v2.1/2497f6​/servers/​83cbdc \\"},{"line_number":138,"context_line":"     -d @new_values.json"},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"With the body of the request inside the @new_values.json file."}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_765dbceb","line":137,"updated":"2016-11-30 14:40:16.000000000","message":"Are there spaces here?","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":134,"context_line":""},{"line_number":135,"context_line":"   curl -H \"X-Auth-Token: adb5c708a55f\"  \\"},{"line_number":136,"context_line":"     -H \"Content-type: application/json\" \\"},{"line_number":137,"context_line":"     PUT https://nova1:8774:/v2.1/2497f6​/servers/​83cbdc \\"},{"line_number":138,"context_line":"     -d @new_values.json"},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"With the body of the request inside the @new_values.json 
file."}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_123482f9","line":137,"in_reply_to":"5a74a57a_765dbceb","updated":"2021-09-24 20:29:41.000000000","message":"No.  Don\u0027t know how they got in there.","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"2b7bf96a301ca086769c4e5436b4f9546b5cc4f6","unresolved":false,"context_lines":[{"line_number":165,"context_line":"~~~~~~~~~~~~~~~"},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"After the token has been validated via a call to Keystone, the"},{"line_number":168,"context_line":"middleware will fetch the RBAC specific data via python-keystone"},{"line_number":169,"context_line":"client which calls the API."},{"line_number":170,"context_line":""},{"line_number":171,"context_line":".. code-block:: bash"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_f6954c88","line":168,"updated":"2016-11-30 14:40:16.000000000","message":"(nit) space between keystone and client?","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"2b7bf96a301ca086769c4e5436b4f9546b5cc4f6","unresolved":false,"context_lines":[{"line_number":179,"context_line":""},{"line_number":180,"context_line":"   {"},{"line_number":181,"context_line":"      \u0027service\u0027: \u0027compute\u0027,"},{"line_number":182,"context_line":"      \u0027patterns\u0027: ["},{"line_number":183,"context_line":"         {"},{"line_number":184,"context_line":"            verbs\u003d[\"GET\", \"POST\"],"},{"line_number":185,"context_line":"            url_pattern\u003d\"/servers/{server_id}/action\","}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_d65bf02c","line":182,"updated":"2016-11-30 14:40:16.000000000","message":"This gets a bit 
down into the implementation, but I wish that the middleware could preprocess this into a dictionary for fast lookup. You don\u0027t want to be scanning a potentially long list for every request, but I realize in the current design we can\u0027t do that.\n\n{url: {verb: [roles, admin_project_only]}}","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":179,"context_line":""},{"line_number":180,"context_line":"   {"},{"line_number":181,"context_line":"      \u0027service\u0027: \u0027compute\u0027,"},{"line_number":182,"context_line":"      \u0027patterns\u0027: ["},{"line_number":183,"context_line":"         {"},{"line_number":184,"context_line":"            verbs\u003d[\"GET\", \"POST\"],"},{"line_number":185,"context_line":"            url_pattern\u003d\"/servers/{server_id}/action\","}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_a6c54f3e","line":182,"in_reply_to":"5a74a57a_d65bf02c","updated":"2021-09-24 20:29:41.000000000","message":"I think we can build a custom pattern matching mechanism that turns the URLs into a tree, and matches at each level, but that is complex, and more than we want to do for a first implementation.  We saw how complex it can get in the revocation code.  Linear search is OK for small number of rules, especially with \"fail fast\" semantics.  
That might be an argument to split the version out, though, and match that first.","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"2b7bf96a301ca086769c4e5436b4f9546b5cc4f6","unresolved":false,"context_lines":[{"line_number":210,"context_line":"Role check"},{"line_number":211,"context_line":"~~~~~~~~~~"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"For this example, we will specify that the expansion of role"},{"line_number":214,"context_line":"inference rules in the token response is disabled. This will minimize"},{"line_number":215,"context_line":"the token response data size as the number of defined roles increases."},{"line_number":216,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_16ac88ec","line":213,"updated":"2016-11-30 14:40:16.000000000","message":"Will this be the general recommendation then?","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":210,"context_line":"Role check"},{"line_number":211,"context_line":"~~~~~~~~~~"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"For this example, we will specify that the expansion of role"},{"line_number":214,"context_line":"inference rules in the token response is disabled. This will minimize"},{"line_number":215,"context_line":"the token response data size as the number of defined roles increases."},{"line_number":216,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_26e05fcc","line":213,"in_reply_to":"5a74a57a_16ac88ec","updated":"2021-09-24 20:29:41.000000000","message":"Yes, I think so.  
Otherwise, we will get a huge number of roles in the tokens.  They can be better expaned in the rules, and then the hit is taken only once.","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1f771f1fe56e45b5022693d7b92f76ffcefb00d5","unresolved":false,"context_lines":[{"line_number":212,"context_line":""},{"line_number":213,"context_line":"For this example, we will specify that the expansion of role"},{"line_number":214,"context_line":"inference rules in the token response is disabled. This will minimize"},{"line_number":215,"context_line":"the token response data size as the number of defined roles increases."},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"Keystone middleware will use python-keystoneclient to make a remote"},{"line_number":218,"context_line":"query against the keystone URL pattern API passing in the parameter"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_01f8c07b","line":215,"updated":"2016-11-30 14:53:07.000000000","message":"That and the mapping of url to role breaks if there is more than one role specified. The entire idea of this spec relies on using inherited roles.","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1f771f1fe56e45b5022693d7b92f76ffcefb00d5","unresolved":false,"context_lines":[{"line_number":214,"context_line":"inference rules in the token response is disabled. 
This will minimize"},{"line_number":215,"context_line":"the token response data size as the number of defined roles increases."},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"Keystone middleware will use python-keystoneclient to make a remote"},{"line_number":218,"context_line":"query against the keystone URL pattern API passing in the parameter"},{"line_number":219,"context_line":"`service` to get the approprate set of rules.   Due to caching needs,"},{"line_number":220,"context_line":"this result will be stored in cache.  query can also be loaded"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_a12f0cf5","line":217,"updated":"2016-11-30 14:53:07.000000000","message":"python-keystoneclient or keystonemiddleware?","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"2b7bf96a301ca086769c4e5436b4f9546b5cc4f6","unresolved":false,"context_lines":[{"line_number":217,"context_line":"Keystone middleware will use python-keystoneclient to make a remote"},{"line_number":218,"context_line":"query against the keystone URL pattern API passing in the parameter"},{"line_number":219,"context_line":"`service` to get the approprate set of rules.   Due to caching needs,"},{"line_number":220,"context_line":"this result will be stored in cache.  
query can also be loaded"},{"line_number":221,"context_line":"directly from itsJSON representation."},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"By the time the code has passed to Keystonemiddleware, the complete"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_56bb600e","line":220,"updated":"2016-11-30 14:40:16.000000000","message":"The query","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"2b7bf96a301ca086769c4e5436b4f9546b5cc4f6","unresolved":false,"context_lines":[{"line_number":218,"context_line":"query against the keystone URL pattern API passing in the parameter"},{"line_number":219,"context_line":"`service` to get the approprate set of rules.   Due to caching needs,"},{"line_number":220,"context_line":"this result will be stored in cache.  query can also be loaded"},{"line_number":221,"context_line":"directly from itsJSON representation."},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"By the time the code has passed to Keystonemiddleware, the complete"},{"line_number":224,"context_line":"URL will hae been processed by the WSGI pipeline, removing the"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_d645b017","line":221,"updated":"2016-11-30 14:40:16.000000000","message":"its JSON","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"2b7bf96a301ca086769c4e5436b4f9546b5cc4f6","unresolved":false,"context_lines":[{"line_number":222,"context_line":""},{"line_number":223,"context_line":"By the time the code has passed to Keystonemiddleware, the complete"},{"line_number":224,"context_line":"URL will hae been processed by the WSGI pipeline, removing the"},{"line_number":225,"context_line":"Hostname and port. 
The remainder of the URL will most likely  start"},{"line_number":226,"context_line":"wityhthe verssion information in the pattern /v[0-9.]*/."},{"line_number":227,"context_line":"In our example, this leaves: `/v2.1/2497f6​/servers/​83cbdc`."},{"line_number":228,"context_line":"The pattern matching will be run against this sub-url."}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_b60e74e3","line":225,"updated":"2016-11-30 14:40:16.000000000","message":"(nit)extra space?","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"2b7bf96a301ca086769c4e5436b4f9546b5cc4f6","unresolved":false,"context_lines":[{"line_number":223,"context_line":"By the time the code has passed to Keystonemiddleware, the complete"},{"line_number":224,"context_line":"URL will hae been processed by the WSGI pipeline, removing the"},{"line_number":225,"context_line":"Hostname and port. 
The remainder of the URL will most likely  start"},{"line_number":226,"context_line":"wityhthe verssion information in the pattern /v[0-9.]*/."},{"line_number":227,"context_line":"In our example, this leaves: `/v2.1/2497f6​/servers/​83cbdc`."},{"line_number":228,"context_line":"The pattern matching will be run against this sub-url."},{"line_number":229,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_360344ba","line":226,"updated":"2016-11-30 14:40:16.000000000","message":"with the version","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"2b7bf96a301ca086769c4e5436b4f9546b5cc4f6","unresolved":false,"context_lines":[{"line_number":227,"context_line":"In our example, this leaves: `/v2.1/2497f6​/servers/​83cbdc`."},{"line_number":228,"context_line":"The pattern matching will be run against this sub-url."},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"keystonemiddleware will iterate through the set of patterns,"},{"line_number":231,"context_line":"attempting a match against each one. The URL remainder above will"},{"line_number":232,"context_line":"match the pattern"},{"line_number":233,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_d62a102c","line":230,"updated":"2016-11-30 14:40:16.000000000","message":"Won\u0027t this take a long time? 
How many do we anticipate scanning through for each request?","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":227,"context_line":"In our example, this leaves: `/v2.1/2497f6​/servers/​83cbdc`."},{"line_number":228,"context_line":"The pattern matching will be run against this sub-url."},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"keystonemiddleware will iterate through the set of patterns,"},{"line_number":231,"context_line":"attempting a match against each one. The URL remainder above will"},{"line_number":232,"context_line":"match the pattern"},{"line_number":233,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_cbf24c9a","line":230,"in_reply_to":"5a74a57a_d62a102c","updated":"2021-09-24 20:29:41.000000000","message":"Should be no longer than the existing URL parsing.  For Identity and ComputeI did a quick test and it looks like we have: about 250 for each, but I did not put the VERBS all into the same rule.  Probably a little lower.","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"2b7bf96a301ca086769c4e5436b4f9546b5cc4f6","unresolved":false,"context_lines":[{"line_number":231,"context_line":"attempting a match against each one. 
The URL remainder above will"},{"line_number":232,"context_line":"match the pattern"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"GET /v2.1/​{tenant_id}​/servers/​{server_id}​"},{"line_number":235,"context_line":""},{"line_number":236,"context_line":"Since the token response will have the role \"Member\" which matches the"},{"line_number":237,"context_line":"set of roles: `roles\u003d[\"Member\", \"admin\"]` the validation will succeed."}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_b6dcb447","line":234,"updated":"2016-11-30 14:40:16.000000000","message":"So the URL patterns will actually be regexes?","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":231,"context_line":"attempting a match against each one. The URL remainder above will"},{"line_number":232,"context_line":"match the pattern"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"GET /v2.1/​{tenant_id}​/servers/​{server_id}​"},{"line_number":235,"context_line":""},{"line_number":236,"context_line":"Since the token response will have the role \"Member\" which matches the"},{"line_number":237,"context_line":"set of roles: `roles\u003d[\"Member\", \"admin\"]` the validation will succeed."}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_3007b182","line":234,"in_reply_to":"5a74a57a_b6dcb447","updated":"2021-09-24 20:29:41.000000000","message":"Yes, a limited regex.   
Using the Routes module in Python","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"2b7bf96a301ca086769c4e5436b4f9546b5cc4f6","unresolved":false,"context_lines":[{"line_number":236,"context_line":"Since the token response will have the role \"Member\" which matches the"},{"line_number":237,"context_line":"set of roles: `roles\u003d[\"Member\", \"admin\"]` the validation will succeed."},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"If none of the URLs match, or if the auth-data does not"},{"line_number":240,"context_line":"contain a role from the set specified by the pattern, validation"},{"line_number":241,"context_line":"fails. The failure path will be similar to a failed token validation."},{"line_number":242,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_36ad0489","line":239,"updated":"2016-11-30 14:40:16.000000000","message":"Would we ever have a pattern like /v2.1/12345/servers/{server_id}?\n\nThe last time I implemented a RBACish like we used the name of the resource (not URL), operation and context. For example, setting rules for `creating servers`, `creating servers {project: 12345}`, etc. 
Are we working toward that?","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":236,"context_line":"Since the token response will have the role \"Member\" which matches the"},{"line_number":237,"context_line":"set of roles: `roles\u003d[\"Member\", \"admin\"]` the validation will succeed."},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"If none of the URLs match, or if the auth-data does not"},{"line_number":240,"context_line":"contain a role from the set specified by the pattern, validation"},{"line_number":241,"context_line":"fails. The failure path will be similar to a failed token validation."},{"line_number":242,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_f0ed39b8","line":239,"in_reply_to":"5a74a57a_36ad0489","updated":"2021-09-24 20:29:41.000000000","message":"We have Urls like the one you show those in Compute, and that is in the example below.  That maps to /v2.1/{tenant_id}/servers/{server_id}?\n\nWe are not working toward a resource based API, but explicitly want to use the URL.  The end user knows the URL.  If they have that _ the the rules, they can deduce what role to delegate to another user (trusts etc) instead of the grand level of roles.","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1f771f1fe56e45b5022693d7b92f76ffcefb00d5","unresolved":false,"context_lines":[{"line_number":238,"context_line":""},{"line_number":239,"context_line":"If none of the URLs match, or if the auth-data does not"},{"line_number":240,"context_line":"contain a role from the set specified by the pattern, validation"},{"line_number":241,"context_line":"fails. 
The failure path will be similar to a failed token validation."},{"line_number":242,"context_line":""},{"line_number":243,"context_line":"After the token and RBAC validation is completed, auth_token"},{"line_number":244,"context_line":"middleware adds several additional headers to the request and"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_41e558a6","line":241,"updated":"2016-11-30 14:53:07.000000000","message":"So this is moving the policy decision point from oslo-policy into keystonemiddleware (or python-keystoneclient)?","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":238,"context_line":""},{"line_number":239,"context_line":"If none of the URLs match, or if the auth-data does not"},{"line_number":240,"context_line":"contain a role from the set specified by the pattern, validation"},{"line_number":241,"context_line":"fails. The failure path will be similar to a failed token validation."},{"line_number":242,"context_line":""},{"line_number":243,"context_line":"After the token and RBAC validation is completed, auth_token"},{"line_number":244,"context_line":"middleware adds several additional headers to the request and"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_b03ae132","line":241,"in_reply_to":"5a74a57a_41e558a6","updated":"2021-09-24 20:29:41.000000000","message":"Yes.  Well, not moving, but adding an additional one.","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"2b7bf96a301ca086769c4e5436b4f9546b5cc4f6","unresolved":false,"context_lines":[{"line_number":241,"context_line":"fails. 
The failure path will be similar to a failed token validation."},{"line_number":242,"context_line":""},{"line_number":243,"context_line":"After the token and RBAC validation is completed, auth_token"},{"line_number":244,"context_line":"middleware adds several additional headers to the request and"},{"line_number":245,"context_line":"completes. The WSGI middleware pipeline continues, eventually calling"},{"line_number":246,"context_line":"into the Nova server specific code. Inside this code, Nova will call"},{"line_number":247,"context_line":"the oslo-policy library to enforce policy as specified by either the"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_16ce485a","line":244,"updated":"2016-11-30 14:40:16.000000000","message":"What information will be in the headers?","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1f771f1fe56e45b5022693d7b92f76ffcefb00d5","unresolved":false,"context_lines":[{"line_number":241,"context_line":"fails. The failure path will be similar to a failed token validation."},{"line_number":242,"context_line":""},{"line_number":243,"context_line":"After the token and RBAC validation is completed, auth_token"},{"line_number":244,"context_line":"middleware adds several additional headers to the request and"},{"line_number":245,"context_line":"completes. The WSGI middleware pipeline continues, eventually calling"},{"line_number":246,"context_line":"into the Nova server specific code. Inside this code, Nova will call"},{"line_number":247,"context_line":"the oslo-policy library to enforce policy as specified by either the"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_21513c63","line":244,"in_reply_to":"5a74a57a_16ce485a","updated":"2016-11-30 14:53:07.000000000","message":"++ I had this same question on patch set 9. Are these new headers or existing ones? 
If they are new, what\u0027s the reason for adding them? What else uses them?","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":241,"context_line":"fails. The failure path will be similar to a failed token validation."},{"line_number":242,"context_line":""},{"line_number":243,"context_line":"After the token and RBAC validation is completed, auth_token"},{"line_number":244,"context_line":"middleware adds several additional headers to the request and"},{"line_number":245,"context_line":"completes. The WSGI middleware pipeline continues, eventually calling"},{"line_number":246,"context_line":"into the Nova server specific code. Inside this code, Nova will call"},{"line_number":247,"context_line":"the oslo-policy library to enforce policy as specified by either the"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_700f6988","line":244,"in_reply_to":"5a74a57a_21513c63","updated":"2021-09-24 20:29:41.000000000","message":"Sorry, I should make this clearer.  This is what already happens.  No new headers are added.","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1f771f1fe56e45b5022693d7b92f76ffcefb00d5","unresolved":false,"context_lines":[{"line_number":244,"context_line":"middleware adds several additional headers to the request and"},{"line_number":245,"context_line":"completes. The WSGI middleware pipeline continues, eventually calling"},{"line_number":246,"context_line":"into the Nova server specific code. 
Inside this code, Nova will call"},{"line_number":247,"context_line":"the oslo-policy library to enforce policy as specified by either the"},{"line_number":248,"context_line":"Nova annotations or the overloads provided in the policy.json or"},{"line_number":249,"context_line":"policy.yaml files."},{"line_number":250,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_e1eca491","line":247,"updated":"2016-11-30 14:53:07.000000000","message":"This piece is going to be duplicating the check we already did in middleware (er, python-keystoneclient?). I\u0027d like to have this clarified since it would be super confusing to operators if a URL pattern somehow differs from it\u0027s policy.json counterpart and the entire call failed in one of the checks. I like the approach that Nova took with this where they codified their policy into oslo-policy and consolidated their policy.json.\nWhy can\u0027t we keep the policy enforcement for roles in oslo-policy since Nova has to use it for the scope check anyway?","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":244,"context_line":"middleware adds several additional headers to the request and"},{"line_number":245,"context_line":"completes. The WSGI middleware pipeline continues, eventually calling"},{"line_number":246,"context_line":"into the Nova server specific code. 
Inside this code, Nova will call"},{"line_number":247,"context_line":"the oslo-policy library to enforce policy as specified by either the"},{"line_number":248,"context_line":"Nova annotations or the overloads provided in the policy.json or"},{"line_number":249,"context_line":"policy.yaml files."},{"line_number":250,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_708689dc","line":247,"in_reply_to":"5a74a57a_e1eca491","updated":"2021-09-24 20:29:41.000000000","message":"This is the split.  In Middleare, we check the role. In policy we check the scope.  As I pointed out earlier in the spec, policy does not check the role, with very few exceptions.\n\nI\u0027ll try to make these few points clearer.","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"2b7bf96a301ca086769c4e5436b4f9546b5cc4f6","unresolved":false,"context_lines":[{"line_number":261,"context_line":"admin_project_only: Boolean"},{"line_number":262,"context_line":""},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"additional details"},{"line_number":265,"context_line":"------------------"},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"A catch all rule will indicate how to handle unspecified APIs. 
The"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_564b60b0","line":264,"updated":"2016-11-30 14:40:16.000000000","message":"A/D","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":261,"context_line":"admin_project_only: Boolean"},{"line_number":262,"context_line":""},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"additional details"},{"line_number":265,"context_line":"------------------"},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"A catch all rule will indicate how to handle unspecified APIs. The"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_2ba4a0b7","line":264,"in_reply_to":"5a74a57a_564b60b0","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":7725,"name":"David Stanek","email":"dstanek@dstanek.com","username":"dstanek"},"change_message_id":"2b7bf96a301ca086769c4e5436b4f9546b5cc4f6","unresolved":false,"context_lines":[{"line_number":287,"context_line":"A sample of a subset of"},{"line_number":288,"context_line":"the rules for glance could look like this:"},{"line_number":289,"context_line":""},{"line_number":290,"context_line":".. 
code-block:: json"},{"line_number":291,"context_line":""},{"line_number":292,"context_line":"   {"},{"line_number":293,"context_line":"   \u0027service\u0027: \u0027image\u0027,"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_7694dce7","line":290,"updated":"2016-11-30 14:40:16.000000000","message":"These verbs are lowercase and the above example uses uppercase.","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":287,"context_line":"A sample of a subset of"},{"line_number":288,"context_line":"the rules for glance could look like this:"},{"line_number":289,"context_line":""},{"line_number":290,"context_line":".. code-block:: json"},{"line_number":291,"context_line":""},{"line_number":292,"context_line":"   {"},{"line_number":293,"context_line":"   \u0027service\u0027: \u0027image\u0027,"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5a74a57a_b04f41bd","line":290,"in_reply_to":"5a74a57a_7694dce7","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"1e14332661785f8cc9ffeccad6680e86294d1b91"}],"specs/keystone/ongoing/token-verify-role-check.rst":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a6878031258e0a30b204b49b62803a8d559c5953","unresolved":false,"context_lines":[{"line_number":76,"context_line":""},{"line_number":77,"context_line":"  * the service name"},{"line_number":78,"context_line":"  * the original requested URL"},{"line_number":79,"context_line":"  * the HTTP verb of the request"},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"The Keystone server will add an additional check at the end of the"},{"line_number":82,"context_line":"token validation process.  
Using the additioanl information provided,"}],"source_content_type":"text/x-rst","patch_set":2,"id":"ba5da102_0bd34d05","line":79,"updated":"2016-10-31 14:29:51.000000000","message":"This would be the method, right?","commit_id":"c6c10b414949ebc22e092fc22ec34afe72cd05d2"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"4304740fa358d6b8d2c4212c674ce4dd323c6697","unresolved":false,"context_lines":[{"line_number":76,"context_line":""},{"line_number":77,"context_line":"  * the service name"},{"line_number":78,"context_line":"  * the original requested URL"},{"line_number":79,"context_line":"  * the HTTP verb of the request"},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"The Keystone server will add an additional check at the end of the"},{"line_number":82,"context_line":"token validation process.  Using the additioanl information provided,"}],"source_content_type":"text/x-rst","patch_set":2,"id":"ba5da102_0b27cdca","line":79,"in_reply_to":"ba5da102_0bd34d05","updated":"2016-10-31 14:39:54.000000000","message":"Yes:  GET POST PUT DELETE PATCH etc","commit_id":"c6c10b414949ebc22e092fc22ec34afe72cd05d2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a6878031258e0a30b204b49b62803a8d559c5953","unresolved":false,"context_lines":[{"line_number":85,"context_line":"to confirm that the token used in the request contains one of the"},{"line_number":86,"context_line":"roles required by the API."},{"line_number":87,"context_line":""},{"line_number":88,"context_line":"The existing policy checks in the services will still be performed."},{"line_number":89,"context_line":"However, with the exception of the existing \u0027admin\u0027 checks, these"},{"line_number":90,"context_line":"policy checks will not match roles against the token auth 
data."},{"line_number":91,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"ba5da102_6bc1292e","line":88,"updated":"2016-10-31 14:29:51.000000000","message":"If we\u0027re moving the policy check into keystone, why would the service still need to have the check?","commit_id":"c6c10b414949ebc22e092fc22ec34afe72cd05d2"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"4304740fa358d6b8d2c4212c674ce4dd323c6697","unresolved":false,"context_lines":[{"line_number":85,"context_line":"to confirm that the token used in the request contains one of the"},{"line_number":86,"context_line":"roles required by the API."},{"line_number":87,"context_line":""},{"line_number":88,"context_line":"The existing policy checks in the services will still be performed."},{"line_number":89,"context_line":"However, with the exception of the existing \u0027admin\u0027 checks, these"},{"line_number":90,"context_line":"policy checks will not match roles against the token auth data."},{"line_number":91,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"ba5da102_765f4c0e","line":88,"in_reply_to":"ba5da102_6bc1292e","updated":"2016-10-31 14:39:54.000000000","message":"Only services know how to do the scope check (reource.project_id \u003d\u003d token.project id) plus they have other, additional policy checks...see Neutrons policy file for the most detailed checks.  
These checks cannot happen in Middleware.","commit_id":"c6c10b414949ebc22e092fc22ec34afe72cd05d2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a6878031258e0a30b204b49b62803a8d559c5953","unresolved":false,"context_lines":[{"line_number":131,"context_line":"fetch the service specific policy file."},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"As a default, the Keystone server should have a single policy file"},{"line_number":134,"context_line":"with all the rules for all the URLs."},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"The RBAC check in the Keystone token validation will be controlled by"},{"line_number":137,"context_line":"a configuration value."}],"source_content_type":"text/x-rst","patch_set":2,"id":"ba5da102_6b1da9bc","line":134,"updated":"2016-10-31 14:29:51.000000000","message":"If there is going to be a copy of the policy file, known as the rules, in keystone and copy for the service - is there a way to keep them in sync? 
What happens if the service policy changes in a way that requires an update to the keystone rules?","commit_id":"c6c10b414949ebc22e092fc22ec34afe72cd05d2"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"4304740fa358d6b8d2c4212c674ce4dd323c6697","unresolved":false,"context_lines":[{"line_number":131,"context_line":"fetch the service specific policy file."},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"As a default, the Keystone server should have a single policy file"},{"line_number":134,"context_line":"with all the rules for all the URLs."},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"The RBAC check in the Keystone token validation will be controlled by"},{"line_number":137,"context_line":"a configuration value."}],"source_content_type":"text/x-rst","patch_set":2,"id":"ba5da102_b6780491","line":134,"in_reply_to":"ba5da102_6b1da9bc","updated":"2016-10-31 14:39:54.000000000","message":"We can always upload a service specific RBAC file for a service if something more specific comes out.  We probably need to make the check such that, if there is no match in the service specific, it falls back to the default policy.\n\nIn general, the service default policy files should stick to doing only the scope check, and only the role check should be in Keystone.  
An audit of the existing rules show this is likely to work now.\n\nhttp://adam.younglogic.com/2016/09/distinct-rbac-policy-rules/","commit_id":"c6c10b414949ebc22e092fc22ec34afe72cd05d2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":17,"context_line":""},{"line_number":18,"context_line":"The goals:"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":" * Allow operator assignment of the roles to operations"},{"line_number":21,"context_line":" * Provide a means to report what role is required for an operation"},{"line_number":22,"context_line":" * Allow fine grained delegations down to individual operations"},{"line_number":23,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_b34ae1aa","line":20,"updated":"2016-11-08 22:48:51.000000000","message":"Operators can already do this by customizing the policy file. 
Do we mean allowing operators to do it through the API?","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":17,"context_line":""},{"line_number":18,"context_line":"The goals:"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":" * Allow operator assignment of the roles to operations"},{"line_number":21,"context_line":" * Provide a means to report what role is required for an operation"},{"line_number":22,"context_line":" * Allow fine grained delegations down to individual operations"},{"line_number":23,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_c0a819de","line":20,"in_reply_to":"9a629dbe_b34ae1aa","updated":"2016-11-17 15:06:43.000000000","message":"Right now, the modification of the policy files is discouraged in the documentation, which means we do not support it.  So, while anything is possible via code, this effectively prevents it from being done in practice.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":27,"context_line":"Problem Description"},{"line_number":28,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"The authorization data associated with Keystone tokens contains a set"},{"line_number":31,"context_line":"of roles that can be used to enforce access control.  
This is a"},{"line_number":32,"context_line":"departure from the NIST definition of Role Based Access Control (RBAC)"},{"line_number":33,"context_line":"in that the roles are repeated, and  scoped to the projects.  A user"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_535fc540","line":30,"updated":"2016-11-08 22:48:51.000000000","message":"nit: keystone*","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cfde0fb17df0c8d2113fa64a0fc105e9aeaa5ca2","unresolved":false,"context_lines":[{"line_number":27,"context_line":"Problem Description"},{"line_number":28,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"The authorization data associated with Keystone tokens contains a set"},{"line_number":31,"context_line":"of roles that can be used to enforce access control.  This is a"},{"line_number":32,"context_line":"departure from the NIST definition of Role Based Access Control (RBAC)"},{"line_number":33,"context_line":"in that the roles are repeated, and  scoped to the projects.  
A user"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_6743c642","line":30,"in_reply_to":"7a77a97e_a0f15d03","updated":"2016-11-17 22:33:09.000000000","message":"From a project perspective, we use the lowercase tense.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":27,"context_line":"Problem Description"},{"line_number":28,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"The authorization data associated with Keystone tokens contains a set"},{"line_number":31,"context_line":"of roles that can be used to enforce access control.  This is a"},{"line_number":32,"context_line":"departure from the NIST definition of Role Based Access Control (RBAC)"},{"line_number":33,"context_line":"in that the roles are repeated, and  scoped to the projects.  A user"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_a0f15d03","line":30,"in_reply_to":"9a629dbe_535fc540","updated":"2016-11-17 15:06:43.000000000","message":"lowercase?  Keystone is a proper name and should be capitalized.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":30,"context_line":"The authorization data associated with Keystone tokens contains a set"},{"line_number":31,"context_line":"of roles that can be used to enforce access control.  
This is a"},{"line_number":32,"context_line":"departure from the NIST definition of Role Based Access Control (RBAC)"},{"line_number":33,"context_line":"in that the roles are repeated, and  scoped to the projects.  A user"},{"line_number":34,"context_line":"assigned a role in one project would not grant access to a resource in"},{"line_number":35,"context_line":"another project.  Thus, we call this `Scoped RBAC`."},{"line_number":36,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_4a5ded77","line":33,"range":{"start_line":33,"start_character":22,"end_line":33,"end_character":30},"updated":"2016-11-10 19:22:15.000000000","message":"I don\u0027t think \"repeated\" is the right word here. I\u0027m not exactly sure what you\u0027re trying to convey. I would have just said they\u0027re scoped to the projects.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":30,"context_line":"The authorization data associated with Keystone tokens contains a set"},{"line_number":31,"context_line":"of roles that can be used to enforce access control.  This is a"},{"line_number":32,"context_line":"departure from the NIST definition of Role Based Access Control (RBAC)"},{"line_number":33,"context_line":"in that the roles are repeated, and  scoped to the projects.  A user"},{"line_number":34,"context_line":"assigned a role in one project would not grant access to a resource in"},{"line_number":35,"context_line":"another project.  
Thus, we call this `Scoped RBAC`."},{"line_number":36,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_2acfd929","line":33,"range":{"start_line":33,"start_character":35,"end_line":33,"end_character":37},"updated":"2016-11-10 19:22:15.000000000","message":"nit: extra space","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":30,"context_line":"The authorization data associated with Keystone tokens contains a set"},{"line_number":31,"context_line":"of roles that can be used to enforce access control.  This is a"},{"line_number":32,"context_line":"departure from the NIST definition of Role Based Access Control (RBAC)"},{"line_number":33,"context_line":"in that the roles are repeated, and  scoped to the projects.  A user"},{"line_number":34,"context_line":"assigned a role in one project would not grant access to a resource in"},{"line_number":35,"context_line":"another project.  Thus, we call this `Scoped RBAC`."},{"line_number":36,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_ca1bbdc8","line":33,"range":{"start_line":33,"start_character":12,"end_line":33,"end_character":17},"updated":"2016-11-10 19:22:15.000000000","message":"you mean role assignments, not roles.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":30,"context_line":"The authorization data associated with Keystone tokens contains a set"},{"line_number":31,"context_line":"of roles that can be used to enforce access control.  
This is a"},{"line_number":32,"context_line":"departure from the NIST definition of Role Based Access Control (RBAC)"},{"line_number":33,"context_line":"in that the roles are repeated, and  scoped to the projects.  A user"},{"line_number":34,"context_line":"assigned a role in one project would not grant access to a resource in"},{"line_number":35,"context_line":"another project.  Thus, we call this `Scoped RBAC`."},{"line_number":36,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_60d2e55d","line":33,"range":{"start_line":33,"start_character":22,"end_line":33,"end_character":30},"in_reply_to":"9a629dbe_4a5ded77","updated":"2016-11-17 15:06:43.000000000","message":"\u0027role names are reused\u0027  is clearer.  Will use that.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":31,"context_line":"of roles that can be used to enforce access control.  This is a"},{"line_number":32,"context_line":"departure from the NIST definition of Role Based Access Control (RBAC)"},{"line_number":33,"context_line":"in that the roles are repeated, and  scoped to the projects.  A user"},{"line_number":34,"context_line":"assigned a role in one project would not grant access to a resource in"},{"line_number":35,"context_line":"another project.  Thus, we call this `Scoped RBAC`."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"The default OpenStack deployments make very little use of RBAC. 
The"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_0ae4d5de","line":34,"range":{"start_line":34,"start_character":41,"end_line":34,"end_character":46},"updated":"2016-11-10 19:22:15.000000000","message":"s/grant/have/","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":31,"context_line":"of roles that can be used to enforce access control.  This is a"},{"line_number":32,"context_line":"departure from the NIST definition of Role Based Access Control (RBAC)"},{"line_number":33,"context_line":"in that the roles are repeated, and  scoped to the projects.  A user"},{"line_number":34,"context_line":"assigned a role in one project would not grant access to a resource in"},{"line_number":35,"context_line":"another project.  Thus, we call this `Scoped RBAC`."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"The default OpenStack deployments make very little use of RBAC. The"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_c0cd79b8","line":34,"range":{"start_line":34,"start_character":41,"end_line":34,"end_character":46},"in_reply_to":"9a629dbe_0ae4d5de","updated":"2016-11-17 15:06:43.000000000","message":"argue that out with Henry :)","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"d49c7420ed28de29dbaca0b67f189fb4739e22ab","unresolved":false,"context_lines":[{"line_number":32,"context_line":"departure from the NIST definition of Role Based Access Control (RBAC)"},{"line_number":33,"context_line":"in that the roles are repeated, and  scoped to the projects.  
A user"},{"line_number":34,"context_line":"assigned a role in one project would not grant access to a resource in"},{"line_number":35,"context_line":"another project.  Thus, we call this `Scoped RBAC`."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"The default OpenStack deployments make very little use of RBAC. The"},{"line_number":38,"context_line":"role \u0027admin\" is the only role that is explicitly checked in most of"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_e5305da1","line":35,"range":{"start_line":35,"start_character":18,"end_line":35,"end_character":50},"updated":"2016-11-07 14:20:52.000000000","message":"++ A great way of describing it.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":35,"context_line":"another project.  Thus, we call this `Scoped RBAC`."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"The default OpenStack deployments make very little use of RBAC. The"},{"line_number":38,"context_line":"role \u0027admin\" is the only role that is explicitly checked in most of"},{"line_number":39,"context_line":"the default policy files are included with the projects. The \u0027admin\u0027 role"},{"line_number":40,"context_line":"has been unclearly scoped to both global and project scoped"},{"line_number":41,"context_line":"operations. 
While the policy.json  files are supposed to be"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_ce26ccb9","line":38,"updated":"2016-11-08 22:48:51.000000000","message":"nit: use either single or double quotes: \n\n  \u0027admin\u0027\n  \"admin\"","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":36,"context_line":""},{"line_number":37,"context_line":"The default OpenStack deployments make very little use of RBAC. The"},{"line_number":38,"context_line":"role \u0027admin\" is the only role that is explicitly checked in most of"},{"line_number":39,"context_line":"the default policy files are included with the projects. The \u0027admin\u0027 role"},{"line_number":40,"context_line":"has been unclearly scoped to both global and project scoped"},{"line_number":41,"context_line":"operations. While the policy.json  files are supposed to be"},{"line_number":42,"context_line":"configuration files, and editable by the end deployers, the reality is"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_8e4cd471","line":39,"updated":"2016-11-08 22:48:51.000000000","message":"This sentence reads a little strange, but I\u0027m not quite sure what it\u0027s missing... Maybe something like: \n\nThe \u0027admin\u0027 role is the only role that is explicitly checked across various OpenStack project policy files.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":36,"context_line":""},{"line_number":37,"context_line":"The default OpenStack deployments make very little use of RBAC. 
The"},{"line_number":38,"context_line":"role \u0027admin\" is the only role that is explicitly checked in most of"},{"line_number":39,"context_line":"the default policy files are included with the projects. The \u0027admin\u0027 role"},{"line_number":40,"context_line":"has been unclearly scoped to both global and project scoped"},{"line_number":41,"context_line":"operations. While the policy.json  files are supposed to be"},{"line_number":42,"context_line":"configuration files, and editable by the end deployers, the reality is"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_cae01d99","line":39,"range":{"start_line":39,"start_character":25,"end_line":39,"end_character":28},"updated":"2016-11-10 19:22:15.000000000","message":"s/are/that are/ or just s/are//","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":36,"context_line":""},{"line_number":37,"context_line":"The default OpenStack deployments make very little use of RBAC. The"},{"line_number":38,"context_line":"role \u0027admin\" is the only role that is explicitly checked in most of"},{"line_number":39,"context_line":"the default policy files are included with the projects. The \u0027admin\u0027 role"},{"line_number":40,"context_line":"has been unclearly scoped to both global and project scoped"},{"line_number":41,"context_line":"operations. 
While the policy.json  files are supposed to be"},{"line_number":42,"context_line":"configuration files, and editable by the end deployers, the reality is"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_60910547","line":39,"in_reply_to":"9a629dbe_8e4cd471","updated":"2016-11-17 15:06:43.000000000","message":"Done","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":38,"context_line":"role \u0027admin\" is the only role that is explicitly checked in most of"},{"line_number":39,"context_line":"the default policy files are included with the projects. The \u0027admin\u0027 role"},{"line_number":40,"context_line":"has been unclearly scoped to both global and project scoped"},{"line_number":41,"context_line":"operations. While the policy.json  files are supposed to be"},{"line_number":42,"context_line":"configuration files, and editable by the end deployers, the reality is"},{"line_number":43,"context_line":"that this is difficult, and even discouraged in the official documentation."},{"line_number":44,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_ee9e30b7","line":41,"updated":"2016-11-08 22:48:51.000000000","message":"nit: We should enclose file names in back ticks.\n\n  `policy.json`","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":38,"context_line":"role \u0027admin\" is the only role that is explicitly checked in most of"},{"line_number":39,"context_line":"the default policy files are included with the projects. 
The \u0027admin\u0027 role"},{"line_number":40,"context_line":"has been unclearly scoped to both global and project scoped"},{"line_number":41,"context_line":"operations. While the policy.json  files are supposed to be"},{"line_number":42,"context_line":"configuration files, and editable by the end deployers, the reality is"},{"line_number":43,"context_line":"that this is difficult, and even discouraged in the official documentation."},{"line_number":44,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_ca7c9db7","line":41,"range":{"start_line":41,"start_character":33,"end_line":41,"end_character":35},"updated":"2016-11-10 19:22:15.000000000","message":"nit: extra space","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":40,"context_line":"has been unclearly scoped to both global and project scoped"},{"line_number":41,"context_line":"operations. While the policy.json  files are supposed to be"},{"line_number":42,"context_line":"configuration files, and editable by the end deployers, the reality is"},{"line_number":43,"context_line":"that this is difficult, and even discouraged in the official documentation."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Implementing a dynamic RBAC policy mechanism inside OpenStack has to"},{"line_number":46,"context_line":"work within the restrictions of a distributed development model.  
Any"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_0e10c400","line":43,"updated":"2016-11-08 22:48:51.000000000","message":"We should give a short list of reasons as to *why* they are difficult to modify\n\n- it requires redeploying configuration files for each node in the service\n- applying changes to a role requires coordination between keystone and the service configuration\n- certain operations require other operations in order to be successful, if the policy fails on a downstream operation the whole operation fails\n- etc...","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":40,"context_line":"has been unclearly scoped to both global and project scoped"},{"line_number":41,"context_line":"operations. While the policy.json  files are supposed to be"},{"line_number":42,"context_line":"configuration files, and editable by the end deployers, the reality is"},{"line_number":43,"context_line":"that this is difficult, and even discouraged in the official documentation."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Implementing a dynamic RBAC policy mechanism inside OpenStack has to"},{"line_number":46,"context_line":"work within the restrictions of a distributed development model.  
Any"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_20754d31","line":43,"in_reply_to":"9a629dbe_0e10c400","updated":"2016-11-17 15:06:43.000000000","message":"Done","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":46,"context_line":"work within the restrictions of a distributed development model.  Any"},{"line_number":47,"context_line":"approach which requires changes to every project has little to no"},{"line_number":48,"context_line":"chance of succeeding.  Thus, RBAC enforcement needs to be encapsulated"},{"line_number":49,"context_line":"with Keystone and Keystonemiddleware. However, the full policy check"},{"line_number":50,"context_line":"as performed by policy.json and oslo-policy is embedded deep within"},{"line_number":51,"context_line":"the code of each project, due primarily to the need to fetch a record"},{"line_number":52,"context_line":"from a database to check attributes."}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_aeffd8a8","line":49,"updated":"2016-11-08 22:48:51.000000000","message":"nit: keystone* keystonemiddleware*","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":59,"context_line":""},{"line_number":60,"context_line":"We can leave the current policy.json files in place, and add an RBAC"},{"line_number":61,"context_line":"check before keystonemiddleware passes control to the service specific"},{"line_number":62,"context_line":"code. 
This leads to a separation of concerns:  Middleware enforces the"},{"line_number":63,"context_line":"role check, source code enforces the scope check."},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"It would be possible to have an additional call to oslo-policy"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_ee98f01d","line":62,"updated":"2016-11-08 22:48:51.000000000","message":"An example here would clarify this even further.\n\nIn front of each service, keystonemiddleware would ensure the user associated with the token has the role required to perform the operation and keystone would ensure that the user has the required role on the project.\n\n\nReading it that way almost makes it seem like keystone is doing a bit more than just a scope check. To me, a scope check is simply \"is this token scoped to this project/domain?\", but what we\u0027re actually checking in keystone token validation path is \"is this token scoped to this project/domain with *this* specific role?\".","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":64,"context_line":""},{"line_number":65,"context_line":"It would be possible to have an additional call to oslo-policy"},{"line_number":66,"context_line":"from keystonemiddleware to check only the roles.  However, that leaves"},{"line_number":67,"context_line":"additional questions unsolved:  how do make the role checks easily"},{"line_number":68,"context_line":"editable, but still distributed to all of the services?  
We"},{"line_number":69,"context_line":"would have to  build a whole mechanism for distribution and caching."},{"line_number":70,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_7ee6f215","line":67,"range":{"start_line":67,"start_character":36,"end_line":67,"end_character":43},"updated":"2016-11-10 19:22:15.000000000","message":"s/do make/do we make/","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":64,"context_line":""},{"line_number":65,"context_line":"It would be possible to have an additional call to oslo-policy"},{"line_number":66,"context_line":"from keystonemiddleware to check only the roles.  However, that leaves"},{"line_number":67,"context_line":"additional questions unsolved:  how do make the role checks easily"},{"line_number":68,"context_line":"editable, but still distributed to all of the services?  We"},{"line_number":69,"context_line":"would have to  build a whole mechanism for distribution and caching."},{"line_number":70,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_60df450d","line":67,"range":{"start_line":67,"start_character":36,"end_line":67,"end_character":43},"in_reply_to":"9a629dbe_7ee6f215","updated":"2016-11-17 15:06:43.000000000","message":"Done","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":62,"context_line":"code. 
This leads to a separation of concerns:  Middleware enforces the"},{"line_number":63,"context_line":"role check, source code enforces the scope check."},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"It would be possible to have an additional call to oslo-policy"},{"line_number":66,"context_line":"from keystonemiddleware to check only the roles.  However, that leaves"},{"line_number":67,"context_line":"additional questions unsolved:  how do make the role checks easily"},{"line_number":68,"context_line":"editable, but still distributed to all of the services?  We"},{"line_number":69,"context_line":"would have to  build a whole mechanism for distribution and caching."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"The RBAC check does not require the same information required for the"},{"line_number":72,"context_line":"scope check.  While the scope check requires attributes off a resource"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_9e4ca6c9","line":69,"range":{"start_line":65,"start_character":0,"end_line":69,"end_character":68},"updated":"2016-11-10 19:22:15.000000000","message":"move this to the alternatives section","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":66,"context_line":"from keystonemiddleware to check only the roles.  However, that leaves"},{"line_number":67,"context_line":"additional questions unsolved:  how do make the role checks easily"},{"line_number":68,"context_line":"editable, but still distributed to all of the services?  
We"},{"line_number":69,"context_line":"would have to  build a whole mechanism for distribution and caching."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"The RBAC check does not require the same information required for the"},{"line_number":72,"context_line":"scope check.  While the scope check requires attributes off a resource"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_de061ecd","line":69,"range":{"start_line":69,"start_character":13,"end_line":69,"end_character":15},"updated":"2016-11-10 19:22:15.000000000","message":"nit: extra space","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":62,"context_line":"code. This leads to a separation of concerns:  Middleware enforces the"},{"line_number":63,"context_line":"role check, source code enforces the scope check."},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"It would be possible to have an additional call to oslo-policy"},{"line_number":66,"context_line":"from keystonemiddleware to check only the roles.  However, that leaves"},{"line_number":67,"context_line":"additional questions unsolved:  how do make the role checks easily"},{"line_number":68,"context_line":"editable, but still distributed to all of the services?  We"},{"line_number":69,"context_line":"would have to  build a whole mechanism for distribution and caching."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"The RBAC check does not require the same information required for the"},{"line_number":72,"context_line":"scope check.  
While the scope check requires attributes off a resource"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_8032a15d","line":69,"range":{"start_line":65,"start_character":0,"end_line":69,"end_character":68},"in_reply_to":"9a629dbe_9e4ca6c9","updated":"2016-11-17 15:06:43.000000000","message":"Just removed, as this proposal now covers that approach.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":84,"context_line":"Overview"},{"line_number":85,"context_line":"--------"},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"  * Add additional parameters to the token validation API call:"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"    - the service name"},{"line_number":90,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_1eb41680","line":87,"range":{"start_line":87,"start_character":8,"end_line":87,"end_character":18},"updated":"2016-11-10 19:22:15.000000000","message":"redundant","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":84,"context_line":"Overview"},{"line_number":85,"context_line":"--------"},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"  * Add additional parameters to the token validation API call:"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"    - the service 
name"},{"line_number":90,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_8067014c","line":87,"range":{"start_line":87,"start_character":8,"end_line":87,"end_character":18},"in_reply_to":"9a629dbe_1eb41680","updated":"2016-11-17 15:06:43.000000000","message":"Done","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":88,"context_line":""},{"line_number":89,"context_line":"    - the service name"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"    - the original requested URL"},{"line_number":92,"context_line":""},{"line_number":93,"context_line":"    - the HTTP verb of the request"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"  * Create an entity in the resource backend for URL Patterns that"},{"line_number":96,"context_line":"    contain"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_1e3976f2","line":93,"range":{"start_line":91,"start_character":0,"end_line":93,"end_character":34},"updated":"2016-11-10 19:22:15.000000000","message":"swap the order of these 2 so that the flow is more natural and to match the next bullet","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":88,"context_line":""},{"line_number":89,"context_line":"    - the service name"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"    - the original requested URL"},{"line_number":92,"context_line":""},{"line_number":93,"context_line":"    - the HTTP verb of the 
request"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"  * Create an entity in the resource backend for URL Patterns that"},{"line_number":96,"context_line":"    contain"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_6062e53f","line":93,"range":{"start_line":91,"start_character":0,"end_line":93,"end_character":34},"in_reply_to":"9a629dbe_1e3976f2","updated":"2016-11-17 15:06:43.000000000","message":"Done","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":92,"context_line":""},{"line_number":93,"context_line":"    - the HTTP verb of the request"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"  * Create an entity in the resource backend for URL Patterns that"},{"line_number":96,"context_line":"    contain"},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"    - the service name"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_8e59345d","line":95,"updated":"2016-11-08 22:48:51.000000000","message":"An entity in the resource backend? So a project or a domain with a URL pattern? 
Or are we talking about something else here?","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":92,"context_line":""},{"line_number":93,"context_line":"    - the HTTP verb of the request"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"  * Create an entity in the resource backend for URL Patterns that"},{"line_number":96,"context_line":"    contain"},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"    - the service name"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_40e16999","line":95,"in_reply_to":"9a629dbe_8e59345d","updated":"2016-11-17 15:06:43.000000000","message":"No, a two new entities: url_patterns, and role_to_url_patterns.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":95,"context_line":"  * Create an entity in the resource backend for URL Patterns that"},{"line_number":96,"context_line":"    contain"},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"    - the service name"},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"    - the HTTP Verb of the Request"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"    - the URL pattern"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"  * create an API for upload and modification or URL patterns, to"},{"line_number":105,"context_line":"    include bulk upload per 
service"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_54c66f9a","line":102,"range":{"start_line":98,"start_character":0,"end_line":102,"end_character":21},"updated":"2016-11-10 19:22:15.000000000","message":"This isn\u0027t going to be sufficient to cover things like nova\u0027s POST /servers/{server_id}/action API, which uses different policy checks depending on the *body* of the request.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":95,"context_line":"  * Create an entity in the resource backend for URL Patterns that"},{"line_number":96,"context_line":"    contain"},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"    - the service name"},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"    - the HTTP Verb of the Request"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"    - the URL pattern"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"  * create an API for upload and modification or URL patterns, to"},{"line_number":105,"context_line":"    include bulk upload per service"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_e0b27593","line":102,"range":{"start_line":98,"start_character":0,"end_line":102,"end_character":21},"in_reply_to":"9a629dbe_54c66f9a","updated":"2016-11-17 15:06:43.000000000","message":"Understood, and We will have to accept that limitation for now.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":101,"context_line":""},{"line_number":102,"context_line":"    - 
the URL pattern"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"  * create an API for upload and modification or URL patterns, to"},{"line_number":105,"context_line":"    include bulk upload per service"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"  * extend the implied roles mechanism to support role to URL Pattern"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_be2a4a8e","line":104,"range":{"start_line":104,"start_character":46,"end_line":104,"end_character":48},"updated":"2016-11-10 19:22:15.000000000","message":"of","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":101,"context_line":""},{"line_number":102,"context_line":"    - the URL pattern"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"  * create an API for upload and modification or URL patterns, to"},{"line_number":105,"context_line":"    include bulk upload per service"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"  * extend the implied roles mechanism to support role to URL Pattern"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_604ca59e","line":104,"range":{"start_line":104,"start_character":46,"end_line":104,"end_character":48},"in_reply_to":"9a629dbe_be2a4a8e","updated":"2016-11-17 15:06:43.000000000","message":"Done","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":125,"context_line":""},{"line_number":126,"context_line":"With the body of the request inside the @new_values.json 
file."},{"line_number":127,"context_line":""},{"line_number":128,"context_line":""},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"Middleware"},{"line_number":131,"context_line":"~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_21553ff9","line":128,"updated":"2016-11-10 19:22:15.000000000","message":"What does this have to do with \"RBAC Check Flow\"? You\u0027re either missing text here or have misnamed the section, or both.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":126,"context_line":"With the body of the request inside the @new_values.json file."},{"line_number":127,"context_line":""},{"line_number":128,"context_line":""},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"Middleware"},{"line_number":131,"context_line":"~~~~~~~~~~"},{"line_number":132,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_81dc4b74","line":129,"updated":"2016-11-10 19:22:15.000000000","message":"too many blank lines","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":133,"context_line":"Inside the web server, the WSGI application runs through a set of"},{"line_number":134,"context_line":"middleware classes until it reaches `keystonemiddleware.auth_token`."},{"line_number":135,"context_line":"The auth_token class reads the [keystone_authtoken] section of the provided"},{"line_number":136,"context_line":"configuration file.  
A new key has been added: `service`."},{"line_number":137,"context_line":""},{"line_number":138,"context_line":""},{"line_number":139,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_493b96d1","line":136,"updated":"2016-11-08 22:48:51.000000000","message":"This `service` value *has* to be the value of the service as keystone knows about it, right? For example, if I set\n\n  [keystone_authtoken]\n  ...\n  service \u003d nova\n\nBut in my service catalog I have compute as the service type, this whole thing breaks right? If that\u0027s true, does this require all the service entries to be created before a service can be deployed (I feel there is some sort of coordination here between the service and keystone).","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":133,"context_line":"Inside the web server, the WSGI application runs through a set of"},{"line_number":134,"context_line":"middleware classes until it reaches `keystonemiddleware.auth_token`."},{"line_number":135,"context_line":"The auth_token class reads the [keystone_authtoken] section of the provided"},{"line_number":136,"context_line":"configuration file.  A new key has been added: `service`."},{"line_number":137,"context_line":""},{"line_number":138,"context_line":""},{"line_number":139,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_6ad9e321","line":136,"in_reply_to":"9a629dbe_01a83b8c","updated":"2016-11-17 15:06:43.000000000","message":"correct.  
But the assumption is that you set up Keystone first, and then nova.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":133,"context_line":"Inside the web server, the WSGI application runs through a set of"},{"line_number":134,"context_line":"middleware classes until it reaches `keystonemiddleware.auth_token`."},{"line_number":135,"context_line":"The auth_token class reads the [keystone_authtoken] section of the provided"},{"line_number":136,"context_line":"configuration file.  A new key has been added: `service`."},{"line_number":137,"context_line":""},{"line_number":138,"context_line":""},{"line_number":139,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_01a83b8c","line":136,"in_reply_to":"9a629dbe_493b96d1","updated":"2016-11-10 19:22:15.000000000","message":"If I understand correctly, you\u0027d have to set this in the nova.conf before telling keystone about it, but nova wouldn\u0027t actually be usable until you\u0027d set it up in keystone. We should document the service deployment flow as well as the API request flow.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":133,"context_line":"Inside the web server, the WSGI application runs through a set of"},{"line_number":134,"context_line":"middleware classes until it reaches `keystonemiddleware.auth_token`."},{"line_number":135,"context_line":"The auth_token class reads the [keystone_authtoken] section of the provided"},{"line_number":136,"context_line":"configuration file.  
A new key has been added: `service`."},{"line_number":137,"context_line":""},{"line_number":138,"context_line":""},{"line_number":139,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_ea097385","line":136,"in_reply_to":"9a629dbe_493b96d1","updated":"2016-11-17 15:06:43.000000000","message":"if it does not match, the RBAC checks will have nothing to match.  Default to fail.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":136,"context_line":"configuration file.  A new key has been added: `service`."},{"line_number":137,"context_line":""},{"line_number":138,"context_line":""},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"Here is an example"},{"line_number":141,"context_line":".. code-block:: ini"},{"line_number":142,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_e1d18758","line":139,"updated":"2016-11-10 19:22:15.000000000","message":"too many blank lines","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":149,"context_line":"   service\u003dcompute"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"The auth_token middleware will pass these configuration options to the"},{"line_number":152,"context_line":"keystoneauth to create an auth plugin.  
This plugin is used when"},{"line_number":153,"context_line":"keystonemiddleware then makes the call to validate the token."},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"validation"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_096fdec5","line":152,"updated":"2016-11-08 22:48:51.000000000","message":"So keystoneauth will have to support service types in order to make sure it validates tokens properly, right?","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":156,"context_line":"~~~~~~~~~~"},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"The presence of the service configuration value will trigger logic to"},{"line_number":159,"context_line":"include the service and request URL in the request to validate the token."},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"The call is comparable to the following CURL invocation:"},{"line_number":162,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_e105077a","line":159,"range":{"start_line":159,"start_character":12,"end_line":159,"end_character":35},"updated":"2016-11-10 19:22:15.000000000","message":"and the HTTP verb","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":166,"context_line":"     -H \"X-Auth-Token:    3d0b48b7bcdd\"  \\"},{"line_number":167,"context_line":"     -H \"X-Subject-Token: adb5c708a55f\"  \\"},{"line_number":168,"context_line":"     -H \"Content-type: application/json\" \\"},{"line_number":169,"context_line":"     -H 
\"X-Request-URL: https://nova1:8774/v2.1/2497f6​/servers/​83cbdc \\"},{"line_number":170,"context_line":"     GET \\"},{"line_number":171,"context_line":"     https://keystone1:35357/v3/auth/tokens?service\u003dcompute\u0026verb\u003dPUT\u0026nocatalog\u003dTrue"},{"line_number":172,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_e9854a59","line":169,"updated":"2016-11-08 22:48:51.000000000","message":"nit: end this line with a double quote \"","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":17645,"name":"Shan Guo","email":"guoshan.jolie@gmail.com","username":"guoshan"},"change_message_id":"125a4caa040b2ee223e322c6824d115685eba23d","unresolved":false,"context_lines":[{"line_number":174,"context_line":"The service is passed as a query parameter, which is the preferred"},{"line_number":175,"context_line":"mechanism for passing values such as this.  The URL is passed as an"},{"line_number":176,"context_line":"additional header due to the possibility of it containing sensitive"},{"line_number":177,"context_line":"information.  This will also make the marshalled parameters inside"},{"line_number":178,"context_line":"the original request URL easier to read."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"The catalog has been explicitly removed from the response for the sake"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_2cf1d095","line":177,"range":{"start_line":177,"start_character":38,"end_line":177,"end_character":59},"updated":"2016-11-10 07:37:23.000000000","message":"what marshaled parameters refer to? 
little confused.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":174,"context_line":"The service is passed as a query parameter, which is the preferred"},{"line_number":175,"context_line":"mechanism for passing values such as this.  The URL is passed as an"},{"line_number":176,"context_line":"additional header due to the possibility of it containing sensitive"},{"line_number":177,"context_line":"information.  This will also make the marshalled parameters inside"},{"line_number":178,"context_line":"the original request URL easier to read."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"The catalog has been explicitly removed from the response for the sake"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_612817e3","line":177,"range":{"start_line":177,"start_character":38,"end_line":177,"end_character":59},"in_reply_to":"9a629dbe_2cf1d095","updated":"2016-11-10 19:22:15.000000000","message":"I think he means the query parameters. I suggest using that terminology to make things clearer here.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":9237,"name":"Kevin Fox","email":"kevin@efox.cc","username":"kfox1111"},"change_message_id":"76689741c67eb453e8f28a81ca922e4853f13e56","unresolved":false,"context_lines":[{"line_number":176,"context_line":"additional header due to the possibility of it containing sensitive"},{"line_number":177,"context_line":"information.  
This will also make the marshalled parameters inside"},{"line_number":178,"context_line":"the original request URL easier to read."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"The catalog has been explicitly removed from the response for the sake"},{"line_number":181,"context_line":"of brevity in this example."},{"line_number":182,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"ba5da102_8d8a8362","line":179,"updated":"2016-11-03 20:27:24.000000000","message":"I think the full url should not be included. it may run into parsing issues, when load balancers are involved, services are embeded in webservers, or multiple endpoints are bound to a single url via something like haproxy with different prefixes.\n\nservice\u003dcompute url\u003d/v2/.... should be enough I think?","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":176,"context_line":"additional header due to the possibility of it containing sensitive"},{"line_number":177,"context_line":"information.  
This will also make the marshalled parameters inside"},{"line_number":178,"context_line":"the original request URL easier to read."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"The catalog has been explicitly removed from the response for the sake"},{"line_number":181,"context_line":"of brevity in this example."},{"line_number":182,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_aa613b3b","line":179,"in_reply_to":"9a629dbe_14079718","updated":"2016-11-17 15:06:43.000000000","message":"Nova\u0027s current policy would still be in effect, and it does not check a specific role yet.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"c5a018f33fd0f28820299ee1357486c4b514e996","unresolved":false,"context_lines":[{"line_number":176,"context_line":"additional header due to the possibility of it containing sensitive"},{"line_number":177,"context_line":"information.  This will also make the marshalled parameters inside"},{"line_number":178,"context_line":"the original request URL easier to read."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"The catalog has been explicitly removed from the response for the sake"},{"line_number":181,"context_line":"of brevity in this example."},{"line_number":182,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"ba5da102_d4cf9b26","line":179,"in_reply_to":"ba5da102_8d8a8362","updated":"2016-11-04 02:39:12.000000000","message":"I thought of that, and it might be bogus, but something has to parse out the Host name + port.  If we send the whole thing, there is the future possibility of matching against an endpoint URL.  
I should make that explicit.\n\nWe could start with the short form, though, and go to the full URL if we decide we need it later.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":176,"context_line":"additional header due to the possibility of it containing sensitive"},{"line_number":177,"context_line":"information.  This will also make the marshalled parameters inside"},{"line_number":178,"context_line":"the original request URL easier to read."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"The catalog has been explicitly removed from the response for the sake"},{"line_number":181,"context_line":"of brevity in this example."},{"line_number":182,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_14079718","line":179,"in_reply_to":"ba5da102_d4cf9b26","updated":"2016-11-10 19:22:15.000000000","message":"ideally there would be a 1-to-1 mapping of policy check to API verb + base URL (not including query parametes), but that\u0027s not the case today. E.g. nova\u0027s GET /servers call will typically be allowed for numerous roles *unless* you add the all_tenants query parameter, in which case it has to be restricted to admins. 
Maybe with that example nova could start hardcoding that restriction, but it\u0027s just one example and they would have to all be discovered and assessed.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":9237,"name":"Kevin Fox","email":"kevin@efox.cc","username":"kfox1111"},"change_message_id":"76689741c67eb453e8f28a81ca922e4853f13e56","unresolved":false,"context_lines":[{"line_number":179,"context_line":""},{"line_number":180,"context_line":"The catalog has been explicitly removed from the response for the sake"},{"line_number":181,"context_line":"of brevity in this example."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"No part of the original request payload will be passed to the Keystone server."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Keystone will validate the token and compose the authorization data"}],"source_content_type":"text/x-rst","patch_set":6,"id":"ba5da102_ad3907a6","line":182,"updated":"2016-11-03 20:27:24.000000000","message":"Would this allow the resource being acted upon to have rbac rules added to them in keystone? 
I\u0027d really really like the ability for a trust to associate only a single resource in a tenant rather then all.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":179,"context_line":""},{"line_number":180,"context_line":"The catalog has been explicitly removed from the response for the sake"},{"line_number":181,"context_line":"of brevity in this example."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"No part of the original request payload will be passed to the Keystone server."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Keystone will validate the token and compose the authorization data"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_0ad4efba","line":182,"in_reply_to":"9a629dbe_ef1cbc79","updated":"2016-11-17 15:06:43.000000000","message":"We had a proposal upon those lines last year.  
It is what led to this design.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":12542,"name":"Johannes Grassler","email":"jgr-launchpad@btw23.de","username":"jgrassler"},"change_message_id":"75db706707d3abb1ca5e1101a5be7c3cc7c6deba","unresolved":false,"context_lines":[{"line_number":179,"context_line":""},{"line_number":180,"context_line":"The catalog has been explicitly removed from the response for the sake"},{"line_number":181,"context_line":"of brevity in this example."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"No part of the original request payload will be passed to the Keystone server."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Keystone will validate the token and compose the authorization data"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_ef1cbc79","line":182,"in_reply_to":"ba5da102_3400d733","updated":"2016-11-07 13:40:06.000000000","message":"Maybe not quite on topic (but I think it\u0027s a good idea to mention it here, lest something almost-but-not-quite-entirely-unlike-it ends up being squeezed into this spec in the horrible way you just outlined), but I\u0027ve given such a tool some thought: \n\nhttps://blueprints.launchpad.net/keystone/+spec/trust-scope-extensions\n\nIt boils down to recording additional restrictions to trusts in Keystone (in terms of oslo.policy targets and UUIDs where applicable) and passing that information to the service in question. There, oslo.policy will use it as an additional check. 
Would that fit the bill?\n\nI haven\u0027t gotten started on the spec, yet, but here\u0027s an etherpad from the summit that captures most of the discussion: https://etherpad.openstack.org/p/ocata-keystone-authorization","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"c5a018f33fd0f28820299ee1357486c4b514e996","unresolved":false,"context_lines":[{"line_number":179,"context_line":""},{"line_number":180,"context_line":"The catalog has been explicitly removed from the response for the sake"},{"line_number":181,"context_line":"of brevity in this example."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"No part of the original request payload will be passed to the Keystone server."},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Keystone will validate the token and compose the authorization data"}],"source_content_type":"text/x-rst","patch_set":6,"id":"ba5da102_3400d733","line":182,"in_reply_to":"ba5da102_ad3907a6","updated":"2016-11-04 02:39:12.000000000","message":"No.  We don\u0027t have enough information at this point to do that.  I mean, we could do something like \"which pattern matches best\" and have people upload explicit-per-instance rules, but that seems like a mistake, and horrible, and likely to cause security holes.\n\nAt middleware time, we don\u0027t have the instance data.  
This is strictly RBAC, and strictly per project scoping.\n\nPersonally, I don\u0027t like the idea of mixing in a single project, and would rather see better tools for sharing objects across projects instead.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":191,"context_line":""},{"line_number":192,"context_line":"For this example, we will specify that the expansion of role"},{"line_number":193,"context_line":"inference rules is disabled. This will minimize the token response"},{"line_number":194,"context_line":"data  size as the number of defined roles increases."},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"Keystone will match the URL looking for explicit version information"},{"line_number":197,"context_line":"in the form of the pattern /v[0-9.]*/.  Everything before this pattern"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_b4a8ab78","line":194,"range":{"start_line":194,"start_character":4,"end_line":194,"end_character":6},"updated":"2016-11-10 19:22:15.000000000","message":"nit: extra space","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":191,"context_line":""},{"line_number":192,"context_line":"For this example, we will specify that the expansion of role"},{"line_number":193,"context_line":"inference rules is disabled. 
This will minimize the token response"},{"line_number":194,"context_line":"data  size as the number of defined roles increases."},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"Keystone will match the URL looking for explicit version information"},{"line_number":197,"context_line":"in the form of the pattern /v[0-9.]*/.  Everything before this pattern"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_4ada67e9","line":194,"range":{"start_line":194,"start_character":4,"end_line":194,"end_character":6},"in_reply_to":"9a629dbe_b4a8ab78","updated":"2016-11-17 15:06:43.000000000","message":"Done","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":193,"context_line":"inference rules is disabled. This will minimize the token response"},{"line_number":194,"context_line":"data  size as the number of defined roles increases."},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"Keystone will match the URL looking for explicit version information"},{"line_number":197,"context_line":"in the form of the pattern /v[0-9.]*/.  Everything before this pattern"},{"line_number":198,"context_line":"will be removed from the URL, leaving `/v2.1/2497f6​/servers/​83cbdc`"},{"line_number":199,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_3401fb6a","line":196,"range":{"start_line":196,"start_character":49,"end_line":196,"end_character":56},"updated":"2016-11-10 19:22:15.000000000","message":"why is version important? Do some things use different rules for different versions? 
Nova used to, but not anymore, and I can\u0027t think of any others that I\u0027ve worked with.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":193,"context_line":"inference rules is disabled. This will minimize the token response"},{"line_number":194,"context_line":"data  size as the number of defined roles increases."},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"Keystone will match the URL looking for explicit version information"},{"line_number":197,"context_line":"in the form of the pattern /v[0-9.]*/.  Everything before this pattern"},{"line_number":198,"context_line":"will be removed from the URL, leaving `/v2.1/2497f6​/servers/​83cbdc`"},{"line_number":199,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_d7f569cb","line":196,"range":{"start_line":196,"start_character":49,"end_line":196,"end_character":56},"in_reply_to":"9a629dbe_3401fb6a","updated":"2016-11-17 15:06:43.000000000","message":"it is pat of the URL pattern, and means that v2 and V3 will be able to co-exist in the same code base.  It provides a starting point for URL matching.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":9237,"name":"Kevin Fox","email":"kevin@efox.cc","username":"kfox1111"},"change_message_id":"76689741c67eb453e8f28a81ca922e4853f13e56","unresolved":false,"context_lines":[{"line_number":196,"context_line":"Keystone will match the URL looking for explicit version information"},{"line_number":197,"context_line":"in the form of the pattern /v[0-9.]*/.  
Everything before this pattern"},{"line_number":198,"context_line":"will be removed from the URL, leaving `/v2.1/2497f6​/servers/​83cbdc`"},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"Keystone will iterate through the set of patterns, attempting a match"},{"line_number":201,"context_line":"against each one. The URL remainder above will match the pattern"},{"line_number":202,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"ba5da102_2d75f762","line":199,"updated":"2016-11-03 20:27:24.000000000","message":"If the url is just the one for the endpoint given from the service, there won\u0027t be a need to try and figure out how to strip off the prefixes.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"c5a018f33fd0f28820299ee1357486c4b514e996","unresolved":false,"context_lines":[{"line_number":196,"context_line":"Keystone will match the URL looking for explicit version information"},{"line_number":197,"context_line":"in the form of the pattern /v[0-9.]*/.  Everything before this pattern"},{"line_number":198,"context_line":"will be removed from the URL, leaving `/v2.1/2497f6​/servers/​83cbdc`"},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"Keystone will iterate through the set of patterns, attempting a match"},{"line_number":201,"context_line":"against each one. The URL remainder above will match the pattern"},{"line_number":202,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"ba5da102_f4a01f44","line":199,"in_reply_to":"ba5da102_2d75f762","updated":"2016-11-04 02:39:12.000000000","message":"True.  But then the middleware code that calls keystone will have to perform the same logic.  
And the middleware has all of the same limitiations of load balancers and URL rewriting that you mention above.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":203,"context_line":"GET /v2.1/​{tenant_id}​/servers/​{server_id}​"},{"line_number":204,"context_line":""},{"line_number":205,"context_line":"The Keystone server will expand the role inference rules.  The server"},{"line_number":206,"context_line":"will has the rules"},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"Here is an example"},{"line_number":209,"context_line":".. code-block:: bnf"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_c92c064d","line":206,"updated":"2016-11-08 22:48:51.000000000","message":"nit: either remove will or use have instead of has.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":221,"context_line":"middleware pipeline continues, eventually calling into the Nova server"},{"line_number":222,"context_line":"specific code.  
Inside this code, Nova will call the oslo-policy"},{"line_number":223,"context_line":"library to enforce policy as specified by either the Nova annotations"},{"line_number":224,"context_line":"or the overloads provided in the policy.json or policy.yaml files."},{"line_number":225,"context_line":""},{"line_number":226,"context_line":""},{"line_number":227,"context_line":"additional details"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_a9c4325f","line":224,"updated":"2016-11-08 22:48:51.000000000","message":"Once keystonemiddleware hands control to nova, what does nova have left to check policy wise? The scope check has already been done and it looks like the role check is also being done in keystone.\n\nIf nova has a policy file it is to ensure users with the _member_ role can update instances, but it looks like we\u0027ve already done that through role inference.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":221,"context_line":"middleware pipeline continues, eventually calling into the Nova server"},{"line_number":222,"context_line":"specific code.  Inside this code, Nova will call the oslo-policy"},{"line_number":223,"context_line":"library to enforce policy as specified by either the Nova annotations"},{"line_number":224,"context_line":"or the overloads provided in the policy.json or policy.yaml files."},{"line_number":225,"context_line":""},{"line_number":226,"context_line":""},{"line_number":227,"context_line":"additional details"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_57b2f194","line":224,"in_reply_to":"9a629dbe_a9c4325f","updated":"2016-11-10 19:22:15.000000000","message":"I think keystone has only checked role, not scope. E.g. 
when I try to GET /servers/{server_id}, keystone doesn\u0027t know whether the VM with that server_id is in the project to which the token is scoped, so it will have to defer that scope check to nova. It can get even more complicated when something can optionally be shared across projects, e.g. a glance image. Only glance would know whether that had been done or not and be able to do that scope check properly. There may also be cases where someone wants to restrict scope based on some property of the addressed resource other than its project.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":227,"context_line":"additional details"},{"line_number":228,"context_line":"------------------"},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"An admin override will be external to the policy files.  The role"},{"line_number":231,"context_line":"check will not explicitly match if a token has role:admin and"},{"line_number":232,"context_line":"is_admin_project\u003dTrue.  Instead, this will be coded in python."},{"line_number":233,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_03a91b90","line":230,"range":{"start_line":230,"start_character":0,"end_line":230,"end_character":17},"updated":"2016-11-10 19:22:15.000000000","message":"What is \"an admin override\"? 
I think you mean when role:admin and is_admin_project\u003dTrue, but calling that an override would be a gross mischaracterization IMHO.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":227,"context_line":"additional details"},{"line_number":228,"context_line":"------------------"},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"An admin override will be external to the policy files.  The role"},{"line_number":231,"context_line":"check will not explicitly match if a token has role:admin and"},{"line_number":232,"context_line":"is_admin_project\u003dTrue.  Instead, this will be coded in python."},{"line_number":233,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_230fff88","line":230,"range":{"start_line":230,"start_character":26,"end_line":230,"end_character":54},"updated":"2016-11-10 19:22:15.000000000","message":"and to the policy specified to keystone by API as well, then?","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":229,"context_line":""},{"line_number":230,"context_line":"An admin override will be external to the policy files.  The role"},{"line_number":231,"context_line":"check will not explicitly match if a token has role:admin and"},{"line_number":232,"context_line":"is_admin_project\u003dTrue.  Instead, this will be coded in python."},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"A catch all rule will indicate how to handle unspecified APIs.  
The"},{"line_number":235,"context_line":"expected rule is that APIs require the Member rule."}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_69913a52","line":232,"updated":"2016-11-08 22:48:51.000000000","message":"Will it always be like this?","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":229,"context_line":""},{"line_number":230,"context_line":"An admin override will be external to the policy files.  The role"},{"line_number":231,"context_line":"check will not explicitly match if a token has role:admin and"},{"line_number":232,"context_line":"is_admin_project\u003dTrue.  Instead, this will be coded in python."},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"A catch all rule will indicate how to handle unspecified APIs.  The"},{"line_number":235,"context_line":"expected rule is that APIs require the Member rule."}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_63257707","line":232,"range":{"start_line":232,"start_character":52,"end_line":232,"end_character":61},"updated":"2016-11-10 19:22:15.000000000","message":"where, more specifically?","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cfde0fb17df0c8d2113fa64a0fc105e9aeaa5ca2","unresolved":false,"context_lines":[{"line_number":229,"context_line":""},{"line_number":230,"context_line":"An admin override will be external to the policy files.  The role"},{"line_number":231,"context_line":"check will not explicitly match if a token has role:admin and"},{"line_number":232,"context_line":"is_admin_project\u003dTrue.  
Instead, this will be coded in python."},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"A catch all rule will indicate how to handle unspecified APIs.  The"},{"line_number":235,"context_line":"expected rule is that APIs require the Member rule."}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_47296a36","line":232,"in_reply_to":"9a629dbe_63257707","updated":"2016-11-17 22:33:09.000000000","message":"I meant will the \u0027is_admin\u0027 check always be hardcoded in python.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":231,"context_line":"check will not explicitly match if a token has role:admin and"},{"line_number":232,"context_line":"is_admin_project\u003dTrue.  Instead, this will be coded in python."},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"A catch all rule will indicate how to handle unspecified APIs.  The"},{"line_number":235,"context_line":"expected rule is that APIs require the Member rule."},{"line_number":236,"context_line":""},{"line_number":237,"context_line":""},{"line_number":238,"context_line":"Here is an example"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_924737bb","line":235,"range":{"start_line":234,"start_character":64,"end_line":235,"end_character":50},"updated":"2016-11-10 19:22:15.000000000","message":"I think the default should be that it requires admin. 
Better to be too restrictive and let people open things up than to be too open and end up allowing something unintentionally.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":232,"context_line":"is_admin_project\u003dTrue.  Instead, this will be coded in python."},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"A catch all rule will indicate how to handle unspecified APIs.  The"},{"line_number":235,"context_line":"expected rule is that APIs require the Member rule."},{"line_number":236,"context_line":""},{"line_number":237,"context_line":""},{"line_number":238,"context_line":"Here is an example"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_e992aa4a","line":235,"updated":"2016-11-08 22:48:51.000000000","message":"This is essentially enforcing the default role policy - which is already done using \"default\" \n\nhttps://github.com/openstack/cinder/blob/9b9944a45f28a86068794232e86b1ff0d70573e9/etc/cinder/policy.json#L4","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":232,"context_line":"is_admin_project\u003dTrue.  Instead, this will be coded in python."},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"A catch all rule will indicate how to handle unspecified APIs.  
The"},{"line_number":235,"context_line":"expected rule is that APIs require the Member rule."},{"line_number":236,"context_line":""},{"line_number":237,"context_line":""},{"line_number":238,"context_line":"Here is an example"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_b2d6fbee","line":235,"in_reply_to":"9a629dbe_e992aa4a","updated":"2016-11-10 19:22:15.000000000","message":"The default rule is no longer relevant to nova since they transitioned policy defaults into code, and won\u0027t be for others either as they make the same transition. This is because there is now a hardcoded default for each individual policy check, so that is used instead of the default rule if you don\u0027t override in policy.json.\n\nI think what Adam was saying is different... while there will always be a default policy setting in nova, etc., there may not be a corresponding setting that you\u0027ve made in keystone. You could have overlooked something, or could have intentionally left it out to rely on the default.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":238,"context_line":"Here is an example"},{"line_number":239,"context_line":".. code-block:: bnf"},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"   DEFAULT -\u003e role:Member"},{"line_number":242,"context_line":""},{"line_number":243,"context_line":"The admin role implies that the project scoping will still"},{"line_number":244,"context_line":"have to match later."}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_b2727b0f","line":241,"range":{"start_line":241,"start_character":19,"end_line":241,"end_character":25},"updated":"2016-11-10 19:22:15.000000000","message":"there is no Member role defined in OpenStack. 
There\u0027s one in devstack, but that\u0027s not the baseline here. The only role defined by OpenStack is admin. OpenStack either restricts things to admin, allows them to everyone (not the same thing as having a \"Member\" role), or resticts based on some property of the request or resource.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":241,"context_line":"   DEFAULT -\u003e role:Member"},{"line_number":242,"context_line":""},{"line_number":243,"context_line":"The admin role implies that the project scoping will still"},{"line_number":244,"context_line":"have to match later."},{"line_number":245,"context_line":""},{"line_number":246,"context_line":"If  an API should be reserved for cloud admin, the pattern match will"},{"line_number":247,"context_line":"have an additional Boolean field `is_admin_project`.  If this filed is"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_c34e436e","line":244,"range":{"start_line":244,"start_character":14,"end_line":244,"end_character":19},"updated":"2016-11-10 19:22:15.000000000","message":"where is \"later\"... when the service does its own oslo_policy check? If this is done by keystonemiddleware, it will need to be able to distinguish between an api that requires admin on the token\u0027s project vs. one that requires admin on the is_admin_project vs. one that requires admin in general. I think you\u0027ve covered the first 2, but not that last one. 
You wouldn\u0027t have to if you wait for all services to support is_admin_project instead of \"admin in general\", but that is a ways off...","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":243,"context_line":"The admin role implies that the project scoping will still"},{"line_number":244,"context_line":"have to match later."},{"line_number":245,"context_line":""},{"line_number":246,"context_line":"If  an API should be reserved for cloud admin, the pattern match will"},{"line_number":247,"context_line":"have an additional Boolean field `is_admin_project`.  If this filed is"},{"line_number":248,"context_line":"set, only tokens with auth_data that includes is_admin_project\u003dTrue"},{"line_number":249,"context_line":"will match."}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_c37ac3f0","line":246,"range":{"start_line":246,"start_character":2,"end_line":246,"end_character":4},"updated":"2016-11-10 19:22:15.000000000","message":"nit: extra spaces","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":244,"context_line":"have to match later."},{"line_number":245,"context_line":""},{"line_number":246,"context_line":"If  an API should be reserved for cloud admin, the pattern match will"},{"line_number":247,"context_line":"have an additional Boolean field `is_admin_project`.  
If this filed is"},{"line_number":248,"context_line":"set, only tokens with auth_data that includes is_admin_project\u003dTrue"},{"line_number":249,"context_line":"will match."},{"line_number":250,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_afb85176","line":247,"range":{"start_line":247,"start_character":62,"end_line":247,"end_character":67},"updated":"2016-11-10 19:22:15.000000000","message":"s/filed/field/","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":258,"context_line":"   [token]"},{"line_number":259,"context_line":"   verify_role_check\u003dFalse"},{"line_number":260,"context_line":""},{"line_number":261,"context_line":"When disabled, Keystone will not  attempt to look up policy files"},{"line_number":262,"context_line":"during token validation."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"When enabled, the failure to find a matching rule will result in a"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_0f585d55","line":261,"range":{"start_line":261,"start_character":32,"end_line":261,"end_character":34},"updated":"2016-11-10 19:22:15.000000000","message":"nit: extra spaces","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":259,"context_line":"   verify_role_check\u003dFalse"},{"line_number":260,"context_line":""},{"line_number":261,"context_line":"When disabled, Keystone will not  attempt to look up policy files"},{"line_number":262,"context_line":"during token 
validation."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"When enabled, the failure to find a matching rule will result in a"},{"line_number":265,"context_line":"token validation returning Forbidden (403)"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_c9dde615","line":262,"updated":"2016-11-08 22:48:51.000000000","message":"This requires that we have part of each services policy file *inside* of keystone, but each service still controls their own policy file? If a change is made to a service\u0027s policy file, what is the deployment order?\n\n- make updates to the role entity in keystone (if necessary)\n- make updates to the policies in keystone that are affected\n- make updates to the policy files for the service\n- redeploy","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":259,"context_line":"   verify_role_check\u003dFalse"},{"line_number":260,"context_line":""},{"line_number":261,"context_line":"When disabled, Keystone will not  attempt to look up policy files"},{"line_number":262,"context_line":"during token validation."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"When enabled, the failure to find a matching rule will result in a"},{"line_number":265,"context_line":"token validation returning Forbidden (403)"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_b7de2d6b","line":262,"in_reply_to":"9a629dbe_c9dde615","updated":"2016-11-17 15:06:43.000000000","message":"Not policy files but rather a separate file that gets uploaded at start up time.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew 
Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":259,"context_line":"   verify_role_check\u003dFalse"},{"line_number":260,"context_line":""},{"line_number":261,"context_line":"When disabled, Keystone will not  attempt to look up policy files"},{"line_number":262,"context_line":"during token validation."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"When enabled, the failure to find a matching rule will result in a"},{"line_number":265,"context_line":"token validation returning Forbidden (403)"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_ef2329bb","line":262,"in_reply_to":"9a629dbe_c9dde615","updated":"2016-11-10 19:22:15.000000000","message":"yeah, this gets ugly if there is overlap and/or interdependency between what keystone knows and what is in the service policy.json, which I think there would be.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":259,"context_line":"   verify_role_check\u003dFalse"},{"line_number":260,"context_line":""},{"line_number":261,"context_line":"When disabled, Keystone will not  attempt to look up policy files"},{"line_number":262,"context_line":"during token validation."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"When enabled, the failure to find a matching rule will result in a"},{"line_number":265,"context_line":"token validation returning Forbidden (403)"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_573b199c","line":262,"in_reply_to":"9a629dbe_ef2329bb","updated":"2016-11-17 15:06:43.000000000","message":"policy.json always gets executed in its entirety.  
So this would be additional checks on top of that.  Would not open ups security, but it would be possible (although hard) to come up with and API that could not be executed by a non-admuin user due to conflicting checks.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":262,"context_line":"during token validation."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"When enabled, the failure to find a matching rule will result in a"},{"line_number":265,"context_line":"token validation returning Forbidden (403)"},{"line_number":266,"context_line":""},{"line_number":267,"context_line":""},{"line_number":268,"context_line":"Bulk Upload and Query of patterns"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_af14d14c","line":265,"range":{"start_line":265,"start_character":27,"end_line":265,"end_character":42},"updated":"2016-11-10 19:22:15.000000000","message":"I think some APIs may currently return 404 for this case, in which case that would be an API contract change. Or would 404s only come from the scope checks the services still control? I\u0027m not sure.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":273,"context_line":"service, and modified by the end deployer.  A sample of a subset of"},{"line_number":274,"context_line":"the rules for glance could look like this:"},{"line_number":275,"context_line":""},{"line_number":276,"context_line":".. 
code-block:: json"},{"line_number":277,"context_line":""},{"line_number":278,"context_line":"   {"},{"line_number":279,"context_line":"   \u0027service\u0027: \u0027image\u0027,"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_d2160a4b","line":276,"updated":"2016-11-10 19:22:15.000000000","message":"need an example of that is_admin_project boolean here","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":273,"context_line":"service, and modified by the end deployer.  A sample of a subset of"},{"line_number":274,"context_line":"the rules for glance could look like this:"},{"line_number":275,"context_line":""},{"line_number":276,"context_line":".. code-block:: json"},{"line_number":277,"context_line":""},{"line_number":278,"context_line":"   {"},{"line_number":279,"context_line":"   \u0027service\u0027: \u0027image\u0027,"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_d792c99e","line":276,"in_reply_to":"9a629dbe_d2160a4b","updated":"2016-11-17 15:06:43.000000000","message":"Would be external to these rules.  That would be checked in python code.  
Since it would pass any rule posted this way, there would be no need to annotate it in the actual RBAC APIs.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"d49c7420ed28de29dbaca0b67f189fb4739e22ab","unresolved":false,"context_lines":[{"line_number":301,"context_line":"     ]"},{"line_number":302,"context_line":"   }"},{"line_number":303,"context_line":""},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"Alternatives"},{"line_number":306,"context_line":"------------"},{"line_number":307,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_a9039fb7","line":304,"updated":"2016-11-07 14:20:52.000000000","message":"So I assume that for a service that has simple rules (i.e. current policy files says, for each action, \"if the scope check passes and you have a given role then you are good to go\", COULD turn into an API programmed role check in keystone and a simple in-code scope check in the service code?  ...hence quickly leading to a dynamic RBAC capability?  
It might be worth stating a bit more clearly that this would now be an option for services that wanted to provide that.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":301,"context_line":"     ]"},{"line_number":302,"context_line":"   }"},{"line_number":303,"context_line":""},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"Alternatives"},{"line_number":306,"context_line":"------------"},{"line_number":307,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_322f4689","line":304,"in_reply_to":"9a629dbe_a9039fb7","updated":"2016-11-10 19:22:15.000000000","message":"++ YES, scope checks should really be hardcoded in each service, not in policy.json files. Getting there should probably be a separate spec, but it would be nice to mention that end goal here as a future work item, so people see where things are going.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":313,"context_line":"The main reason for not pursuing this approach is that it is very hard"},{"line_number":314,"context_line":"to abstract it while continuing to provide the full set of data"},{"line_number":315,"context_line":"required.  For example, project Moon (see references) was able to make"},{"line_number":316,"context_line":"a check work based on the URL only, it did not actually have the"},{"line_number":317,"context_line":"Server data from the database at middleware time. 
Also, the amount of"},{"line_number":318,"context_line":"administration, especially the definition of attributes, meant that"},{"line_number":319,"context_line":"the domain structure from Nova was duplicated in the Keystone"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_92c9f2ae","line":316,"range":{"start_line":316,"start_character":36,"end_line":316,"end_character":38},"updated":"2016-11-10 19:22:15.000000000","message":"s/it/but it/ ??","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":320,"context_line":"Database."},{"line_number":321,"context_line":""},{"line_number":322,"context_line":"The current approach to scoping policy can be described as \"all"},{"line_number":323,"context_line":"resources of the same type withing a project  have the same access"},{"line_number":324,"context_line":"control.\"  Several projects, most notably Barbican, have attempted to enforce"},{"line_number":325,"context_line":"more fine grained policy than the current approach, specifically,"},{"line_number":326,"context_line":"based on the user that created the object, but this has been shown to"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_72e37ed9","line":323,"range":{"start_line":323,"start_character":44,"end_line":323,"end_character":46},"updated":"2016-11-10 19:22:15.000000000","message":"nit: extra spaces","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":17645,"name":"Shan Guo","email":"guoshan.jolie@gmail.com","username":"guoshan"},"change_message_id":"125a4caa040b2ee223e322c6824d115685eba23d","unresolved":false,"context_lines":[{"line_number":320,"context_line":"Database."},{"line_number":321,"context_line":""},{"line_number":322,"context_line":"The current approach to scoping 
policy can be described as \"all"},{"line_number":323,"context_line":"resources of the same type withing a project  have the same access"},{"line_number":324,"context_line":"control.\"  Several projects, most notably Barbican, have attempted to enforce"},{"line_number":325,"context_line":"more fine grained policy than the current approach, specifically,"},{"line_number":326,"context_line":"based on the user that created the object, but this has been shown to"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_0c3a4ccc","line":323,"range":{"start_line":323,"start_character":27,"end_line":323,"end_character":34},"updated":"2016-11-10 07:37:23.000000000","message":"within?","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":319,"context_line":"the domain structure from Nova was duplicated in the Keystone"},{"line_number":320,"context_line":"Database."},{"line_number":321,"context_line":""},{"line_number":322,"context_line":"The current approach to scoping policy can be described as \"all"},{"line_number":323,"context_line":"resources of the same type withing a project  have the same access"},{"line_number":324,"context_line":"control.\"  Several projects, most notably Barbican, have attempted to enforce"},{"line_number":325,"context_line":"more fine grained policy than the current approach, specifically,"},{"line_number":326,"context_line":"based on the user that created the object, but this has been shown to"},{"line_number":327,"context_line":"be problematic at cloud scale:  the only option for administration"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_72c0de50","line":324,"range":{"start_line":322,"start_character":59,"end_line":324,"end_character":9},"updated":"2016-11-10 
19:22:15.000000000","message":"this is not universally true. E.g. https://github.com/openstack/nova/blob/stable/newton/nova/policies/keypairs.py#L29-L40 or even keystone\u0027s own https://github.com/openstack/keystone/blob/stable/newton/etc/policy.v3cloudsample.json#L68","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":319,"context_line":"the domain structure from Nova was duplicated in the Keystone"},{"line_number":320,"context_line":"Database."},{"line_number":321,"context_line":""},{"line_number":322,"context_line":"The current approach to scoping policy can be described as \"all"},{"line_number":323,"context_line":"resources of the same type withing a project  have the same access"},{"line_number":324,"context_line":"control.\"  Several projects, most notably Barbican, have attempted to enforce"},{"line_number":325,"context_line":"more fine grained policy than the current approach, specifically,"},{"line_number":326,"context_line":"based on the user that created the object, but this has been shown to"},{"line_number":327,"context_line":"be problematic at cloud scale:  the only option for administration"}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_05316a05","line":324,"range":{"start_line":322,"start_character":59,"end_line":324,"end_character":9},"in_reply_to":"9a629dbe_72c0de50","updated":"2016-11-17 15:06:43.000000000","message":"I\u0027ll add the nova example to the \"most notably\" clause but it is in keeping with my argument.\n\nThe v3 cloud sample is not the default, as it has many issues that conflict with this proposal.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":322,"context_line":"The current approach to scoping policy can be described as \"all"},{"line_number":323,"context_line":"resources of the same type withing a project  have the same access"},{"line_number":324,"context_line":"control.\"  Several projects, most notably Barbican, have attempted to enforce"},{"line_number":325,"context_line":"more fine grained policy than the current approach, specifically,"},{"line_number":326,"context_line":"based on the user that created the object, but this has been shown to"},{"line_number":327,"context_line":"be problematic at cloud scale:  the only option for administration"},{"line_number":328,"context_line":"should that user not be present is to escalate it to an administrator."}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_4955564e","line":325,"updated":"2016-11-08 22:48:51.000000000","message":"++","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":17645,"name":"Shan Guo","email":"guoshan.jolie@gmail.com","username":"guoshan"},"change_message_id":"125a4caa040b2ee223e322c6824d115685eba23d","unresolved":false,"context_lines":[{"line_number":331,"context_line":"it just takes a more pragmatic and scalable approach first.  
This"},{"line_number":332,"context_line":"approach better matches the OpenStack design."},{"line_number":333,"context_line":""},{"line_number":334,"context_line":"Other specs that have addressed this are listed in refereces."},{"line_number":335,"context_line":""},{"line_number":336,"context_line":""},{"line_number":337,"context_line":"Security Impact"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_cc8694da","line":334,"range":{"start_line":334,"start_character":51,"end_line":334,"end_character":60},"updated":"2016-11-10 07:37:23.000000000","message":"nit: references","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":344,"context_line":"delegations with only the subset of roles required for the operation."},{"line_number":345,"context_line":"For example, if a user only wants a watchdog program to kill a VM if"},{"line_number":346,"context_line":"it misbehaves, the administrator could create a role called"},{"line_number":347,"context_line":"`compute_delete_server` specific to the API `DELETE"},{"line_number":348,"context_line":"/v2.1/​{tenant_id}​/servers/​{server_id}​` as well as a role inference"},{"line_number":349,"context_line":"rules"},{"line_number":350,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_29d582b8","line":347,"updated":"2016-11-08 22:48:51.000000000","message":"This would need to be duplicated in the nova policy file, right?","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"d67bfe7db428d53a74c4c81d8fd49f422bb89dd8","unresolved":false,"context_lines":[{"line_number":344,"context_line":"delegations with only the subset of roles required for the 
operation."},{"line_number":345,"context_line":"For example, if a user only wants a watchdog program to kill a VM if"},{"line_number":346,"context_line":"it misbehaves, the administrator could create a role called"},{"line_number":347,"context_line":"`compute_delete_server` specific to the API `DELETE"},{"line_number":348,"context_line":"/v2.1/​{tenant_id}​/servers/​{server_id}​` as well as a role inference"},{"line_number":349,"context_line":"rules"},{"line_number":350,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"7a77a97e_e5ac6e37","line":347,"in_reply_to":"9a629dbe_29d582b8","updated":"2016-11-17 15:06:43.000000000","message":"No.  I\u0027ll clarify in the next version","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":362,"context_line":"Notifications Impact"},{"line_number":363,"context_line":"--------------------"},{"line_number":364,"context_line":""},{"line_number":365,"context_line":"Notifications for changes to API patterns will be comparable the"},{"line_number":366,"context_line":"notifications for the Roles API notifications."},{"line_number":367,"context_line":""},{"line_number":368,"context_line":"Notifications due to failed token validations now will also include"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_9282d2c6","line":365,"range":{"start_line":365,"start_character":61,"end_line":365,"end_character":64},"updated":"2016-11-10 19:22:15.000000000","message":"s/the/to the/ ?","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew 
Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":363,"context_line":"--------------------"},{"line_number":364,"context_line":""},{"line_number":365,"context_line":"Notifications for changes to API patterns will be comparable the"},{"line_number":366,"context_line":"notifications for the Roles API notifications."},{"line_number":367,"context_line":""},{"line_number":368,"context_line":"Notifications due to failed token validations now will also include"},{"line_number":369,"context_line":"those that are from failed RBAC checks."}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_d270ca0d","line":366,"range":{"start_line":366,"start_character":32,"end_line":366,"end_character":45},"updated":"2016-11-10 19:22:15.000000000","message":"redundant","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":385,"context_line":"cached in the remote services.  Due to the need to validate more than"},{"line_number":386,"context_line":"just the token validity, but also the role information, now caching"},{"line_number":387,"context_line":"will not be sufficient, as an additional call might have a different"},{"line_number":388,"context_line":"Verb or URL. The caching at a minimum wouldh have to take this into"},{"line_number":389,"context_line":"account, and key the cache on more than just the token ID.  
For"},{"line_number":390,"context_line":"Horizon driven use cases, this is likely to have a fairly large"},{"line_number":391,"context_line":"impact, as many of a users calls will be A) different and B) reuse the"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_492636cf","line":388,"updated":"2016-11-08 22:48:51.000000000","message":"would*","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":17645,"name":"Shan Guo","email":"guoshan.jolie@gmail.com","username":"guoshan"},"change_message_id":"125a4caa040b2ee223e322c6824d115685eba23d","unresolved":false,"context_lines":[{"line_number":392,"context_line":"same token as cached by Horizon.  This will have less of an impact in"},{"line_number":393,"context_line":"automated work flows, as those tend to get a new token for each operation."},{"line_number":394,"context_line":""},{"line_number":395,"context_line":"One postive impact is that, tokens wiht invalid roles,  Code that"},{"line_number":396,"context_line":"would have, in previous cases, called into the database layer of the"},{"line_number":397,"context_line":"services will no longer have to do so.  The RBAC check will go to the"},{"line_number":398,"context_line":"Keystone server prior to the object being fetched from the database."}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_f18b31c1","line":395,"range":{"start_line":395,"start_character":4,"end_line":395,"end_character":11},"updated":"2016-11-10 07:37:23.000000000","message":"nit: positive","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":392,"context_line":"same token as cached by Horizon.  
This will have less of an impact in"},{"line_number":393,"context_line":"automated work flows, as those tend to get a new token for each operation."},{"line_number":394,"context_line":""},{"line_number":395,"context_line":"One postive impact is that, tokens wiht invalid roles,  Code that"},{"line_number":396,"context_line":"would have, in previous cases, called into the database layer of the"},{"line_number":397,"context_line":"services will no longer have to do so.  The RBAC check will go to the"},{"line_number":398,"context_line":"Keystone server prior to the object being fetched from the database."}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_72c29eea","line":395,"range":{"start_line":395,"start_character":54,"end_line":395,"end_character":57},"updated":"2016-11-10 19:22:15.000000000","message":"s/  C/ c/","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":392,"context_line":"same token as cached by Horizon.  This will have less of an impact in"},{"line_number":393,"context_line":"automated work flows, as those tend to get a new token for each operation."},{"line_number":394,"context_line":""},{"line_number":395,"context_line":"One postive impact is that, tokens wiht invalid roles,  Code that"},{"line_number":396,"context_line":"would have, in previous cases, called into the database layer of the"},{"line_number":397,"context_line":"services will no longer have to do so.  
The RBAC check will go to the"},{"line_number":398,"context_line":"Keystone server prior to the object being fetched from the database."}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_52bf5a60","line":395,"range":{"start_line":395,"start_character":28,"end_line":395,"end_character":34},"updated":"2016-11-10 19:22:15.000000000","message":"s/tokens/for tokens/","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":392,"context_line":"same token as cached by Horizon.  This will have less of an impact in"},{"line_number":393,"context_line":"automated work flows, as those tend to get a new token for each operation."},{"line_number":394,"context_line":""},{"line_number":395,"context_line":"One postive impact is that, tokens wiht invalid roles,  Code that"},{"line_number":396,"context_line":"would have, in previous cases, called into the database layer of the"},{"line_number":397,"context_line":"services will no longer have to do so.  The RBAC check will go to the"},{"line_number":398,"context_line":"Keystone server prior to the object being fetched from the database."}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_e91b8a7e","line":395,"updated":"2016-11-08 22:48:51.000000000","message":"with*","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9d2a088df97544603554ee87feb9abaa4f99c759","unresolved":false,"context_lines":[{"line_number":409,"context_line":"---------------------"},{"line_number":410,"context_line":""},{"line_number":411,"context_line":"Deployers will now be able to deploy their own policies for just the"},{"line_number":412,"context_line":"RBAC stage.  
Since this requires configuration changes to activate, no"},{"line_number":413,"context_line":"change in behavior will happen until the changes are made.  It is"},{"line_number":414,"context_line":"assumed that changes would be made to the Keystone server that allow"},{"line_number":415,"context_line":"it to ignore the additional parameters passed by middleware, so that"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_44b0dd43","line":412,"updated":"2016-11-08 22:48:51.000000000","message":"This section should probably include what would happen if policy needs to change. What do they need to change in keystone and when do they do that compared to the redeployment of the policy file.","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"c73e9ddc1f4cbb05d69c7351c59c6580c309aaa2","unresolved":false,"context_lines":[{"line_number":413,"context_line":"change in behavior will happen until the changes are made.  
It is"},{"line_number":414,"context_line":"assumed that changes would be made to the Keystone server that allow"},{"line_number":415,"context_line":"it to ignore the additional parameters passed by middleware, so that"},{"line_number":416,"context_line":"middleware can safe be upgraded."},{"line_number":417,"context_line":""},{"line_number":418,"context_line":"Once the code changes are in place, the deployer will have to load the"},{"line_number":419,"context_line":"rules to the Keystone server before relying on this mechanism."}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_524d9a98","line":416,"range":{"start_line":416,"start_character":15,"end_line":416,"end_character":19},"updated":"2016-11-10 19:22:15.000000000","message":"s/safe/safely/","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":6482,"name":"Steve Martinelli","email":"s.martinelli@gmail.com","username":"stevemar"},"change_message_id":"b43a854722ee5e2dd431705820df53428a3b928c","unresolved":false,"context_lines":[{"line_number":442,"context_line":"  Jamie Lennox jamielennox  jamielennox@gmail.com"},{"line_number":443,"context_line":"  Alexander Makarov amakarov amakarov@mirantis.com"},{"line_number":444,"context_line":"  Henry Nash henrynash henryn@linux.vnet.ibm.com"},{"line_number":445,"context_line":"  Ruan He ruan.he@orange.com"},{"line_number":446,"context_line":""},{"line_number":447,"context_line":""},{"line_number":448,"context_line":"Work Items"}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_f519e17a","line":445,"range":{"start_line":445,"start_character":2,"end_line":445,"end_character":28},"updated":"2016-11-14 12:02:20.000000000","message":"maybe add ruan as a reviewer or let him know about the spec, he hasn\u0027t reviewed it, yet is listed as a contributor.\n\nthis should be a list of people expected to do the work","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":17645,"name":"Shan 
Guo","email":"guoshan.jolie@gmail.com","username":"guoshan"},"change_message_id":"125a4caa040b2ee223e322c6824d115685eba23d","unresolved":false,"context_lines":[{"line_number":499,"context_line":""},{"line_number":500,"context_line":"  * `Reservations  \u003chttps://review.openstack.org/#/c/330329/\u003e`_."},{"line_number":501,"context_line":"  * `Policy Merge \u003chttps://review.openstack.org/#/c/295049/\u003e`_."},{"line_number":502,"context_line":"  * `Policy Rules Managed froom a Database \u003chttps://review.openstack.org/#/c/133814/\u003e`_."},{"line_number":503,"context_line":"  * `Dynamic RBAC Policy \u003chttps://review.openstack.org/#/c/279379/\u003e`_."},{"line_number":504,"context_line":"  * `Identify policy by hash \u003chttps://review.openstack.org/#/c/297897/\u003e`_."},{"line_number":505,"context_line":"  * `Support RBAC with LDAP in oslo.policy \u003chttps://review.openstack.org/#/c/259418/\u003e`_."}],"source_content_type":"text/x-rst","patch_set":6,"id":"9a629dbe_6c7bc8f5","line":502,"range":{"start_line":502,"start_character":26,"end_line":502,"end_character":31},"updated":"2016-11-10 07:37:23.000000000","message":"nit: from","commit_id":"fd6287da8685d778f623a705fd335c48f52469d6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4736d75ceeb953ed8c66e66cb1c2d22f61ef2b5c","unresolved":false,"context_lines":[{"line_number":10,"context_line":""},{"line_number":11,"context_line":"`bp token-verify-role-check \u003chttps://blueprints.launchpad.net/keystone/+spec/token-verify-role-check\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Role Based Access Control requires administration of both the roles assigned"},{"line_number":14,"context_line":"to users and the rules that determine what role can perform what action. 
To"},{"line_number":15,"context_line":"date, OpenStack has made role assignment fairly easy to use, but modification"},{"line_number":16,"context_line":"of policy files has been manual, decentralized, and inconsistent."}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_67d3c604","line":13,"updated":"2016-11-17 23:49:36.000000000","message":"Move the acronym up here since it\u0027s the first usage of the term.","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":10,"context_line":""},{"line_number":11,"context_line":"`bp token-verify-role-check \u003chttps://blueprints.launchpad.net/keystone/+spec/token-verify-role-check\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Role Based Access Control requires administration of both the roles assigned"},{"line_number":14,"context_line":"to users and the rules that determine what role can perform what action. To"},{"line_number":15,"context_line":"date, OpenStack has made role assignment fairly easy to use, but modification"},{"line_number":16,"context_line":"of policy files has been manual, decentralized, and inconsistent."}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_12014b06","line":13,"in_reply_to":"7a77a97e_67d3c604","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4736d75ceeb953ed8c66e66cb1c2d22f61ef2b5c","unresolved":false,"context_lines":[{"line_number":57,"context_line":"with Keystone and Keystonemiddleware. 
However, the full policy check"},{"line_number":58,"context_line":"as performed by policy.json and oslo-policy is embedded deep within"},{"line_number":59,"context_line":"the code of each project, due primarily to the need to fetch a record"},{"line_number":60,"context_line":"from a database to check attributes."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"When looking at most of the policy files, they either check that the"},{"line_number":63,"context_line":"user has the admin role, or that the user has any role on the"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_cd159be5","line":60,"updated":"2016-11-17 23:49:36.000000000","message":"We could also expand this statement to include OpenStack current deployment model. Not only do we not encourage modifying the policy files, but once they are modified, we have to redeploy them to the endpoints since that is the policy administration point.","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4736d75ceeb953ed8c66e66cb1c2d22f61ef2b5c","unresolved":false,"context_lines":[{"line_number":68,"context_line":"We can leave the current policy.json files in place, and add an RBAC"},{"line_number":69,"context_line":"check before keystonemiddleware passes control to the service specific"},{"line_number":70,"context_line":"code. This leads to a separation of concerns: Middleware enforces the"},{"line_number":71,"context_line":"role check, source code enforces the scope check."},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"It would be possible to have an additional call to oslo-policy"},{"line_number":74,"context_line":"from keystonemiddleware to check only the roles. 
However, that leaves"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_cd9afb6d","line":71,"updated":"2016-11-17 23:49:36.000000000","message":"This is essentially what\u0027s being proposed with the specification and could be moved to the section below. I would also expand on this a bit more to be specific about the middleware component and the source code. What source code does the checking? Source code in the service endpoint? Keystone source code?","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":68,"context_line":"We can leave the current policy.json files in place, and add an RBAC"},{"line_number":69,"context_line":"check before keystonemiddleware passes control to the service specific"},{"line_number":70,"context_line":"code. This leads to a separation of concerns: Middleware enforces the"},{"line_number":71,"context_line":"role check, source code enforces the scope check."},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"It would be possible to have an additional call to oslo-policy"},{"line_number":74,"context_line":"from keystonemiddleware to check only the roles. However, that leaves"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_923d5bdf","line":71,"in_reply_to":"7a77a97e_cd9afb6d","updated":"2021-09-24 20:29:41.000000000","message":"Done","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4736d75ceeb953ed8c66e66cb1c2d22f61ef2b5c","unresolved":false,"context_lines":[{"line_number":73,"context_line":"It would be possible to have an additional call to oslo-policy"},{"line_number":74,"context_line":"from keystonemiddleware to check only the roles. 
However, that leaves"},{"line_number":75,"context_line":"additional questions unsolved: how do we make the role checks easily"},{"line_number":76,"context_line":"editable, but still distributed to all of the services?"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"The RBAC check does not require the same information required for the"},{"line_number":79,"context_line":"scope check. While the scope check requires attributes off a resource"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_6d7e471a","line":76,"updated":"2016-11-17 23:49:36.000000000","message":"This too is talking about the propose solution, we can move this to the following section.","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":73,"context_line":"It would be possible to have an additional call to oslo-policy"},{"line_number":74,"context_line":"from keystonemiddleware to check only the roles. However, that leaves"},{"line_number":75,"context_line":"additional questions unsolved: how do we make the role checks easily"},{"line_number":76,"context_line":"editable, but still distributed to all of the services?"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"The RBAC check does not require the same information required for the"},{"line_number":79,"context_line":"scope check. While the scope check requires attributes off a resource"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_321ba782","line":76,"in_reply_to":"7a77a97e_6d7e471a","updated":"2021-09-24 20:29:41.000000000","message":"No, this is referring explicitly to oslo-policy.  
THis justifies why we are not doing it via oslo.","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4736d75ceeb953ed8c66e66cb1c2d22f61ef2b5c","unresolved":false,"context_lines":[{"line_number":163,"context_line":"   rbac\u003din_process"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"The `auth_token` middleware will use the `rbac` value to determine how"},{"line_number":166,"context_line":"to perform the rbac check."},{"line_number":167,"context_line":""},{"line_number":168,"context_line":"If the value for `rbac` is set to `token_validation` the service, URL,"},{"line_number":169,"context_line":"and verb will be sent along as part of the token validation code. The"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_ada85f21","line":166,"updated":"2016-11-17 23:49:36.000000000","message":"RBAC","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4736d75ceeb953ed8c66e66cb1c2d22f61ef2b5c","unresolved":false,"context_lines":[{"line_number":169,"context_line":"and verb will be sent along as part of the token validation code. 
The"},{"line_number":170,"context_line":"validation logic will be as described below."},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"If the value for `rbac` is set to `in_process` the service, URL,"},{"line_number":173,"context_line":"and verb will not be sent along as part of the token validation code."},{"line_number":174,"context_line":"IN tead, the logic to perform the RBAC check will be done in the"},{"line_number":175,"context_line":"services process after the token is returned from the identity"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_2d6b6ff2","line":172,"updated":"2016-11-17 23:49:36.000000000","message":"So, this is what would maintain backwards compatibility, essentially applying policy exactly how it operates today.","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":169,"context_line":"and verb will be sent along as part of the token validation code. 
The"},{"line_number":170,"context_line":"validation logic will be as described below."},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"If the value for `rbac` is set to `in_process` the service, URL,"},{"line_number":173,"context_line":"and verb will not be sent along as part of the token validation code."},{"line_number":174,"context_line":"IN tead, the logic to perform the RBAC check will be done in the"},{"line_number":175,"context_line":"services process after the token is returned from the identity"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_b28c17db","line":172,"in_reply_to":"7a77a97e_2d6b6ff2","updated":"2021-09-24 20:29:41.000000000","message":"yes, this is what will let the caching mechanism continue to work.","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4736d75ceeb953ed8c66e66cb1c2d22f61ef2b5c","unresolved":false,"context_lines":[{"line_number":203,"context_line":"the original request URL easier to read."},{"line_number":204,"context_line":""},{"line_number":205,"context_line":"The catalog has been explicitly removed from the response for the sake"},{"line_number":206,"context_line":"of brevity in this example."},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"No part of the original request payload will be passed to the Keystone server."},{"line_number":209,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_8d2483c5","line":206,"updated":"2016-11-17 23:49:36.000000000","message":"If a service has opted into allowing keystone to do the RBAC check in validation, is there ever a reason for the service to request the catalog?","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":2218,"name":"Adam 
Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":203,"context_line":"the original request URL easier to read."},{"line_number":204,"context_line":""},{"line_number":205,"context_line":"The catalog has been explicitly removed from the response for the sake"},{"line_number":206,"context_line":"of brevity in this example."},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"No part of the original request payload will be passed to the Keystone server."},{"line_number":209,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_92a1db48","line":206,"in_reply_to":"7a77a97e_8d2483c5","updated":"2021-09-24 20:29:41.000000000","message":"Yes, service to service communication depends on using the endpoints in the catalog.","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4736d75ceeb953ed8c66e66cb1c2d22f61ef2b5c","unresolved":false,"context_lines":[{"line_number":226,"context_line":"python-keystoneclient will match the URL looking for explicit version"},{"line_number":227,"context_line":"information in the form of the pattern /v[0-9.]*/. Everything before"},{"line_number":228,"context_line":"this pattern will be removed from the URL, leaving"},{"line_number":229,"context_line":"`/v2.1/2497f6​/servers/​83cbdc`"},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"python-keystoneclient will iterate through the set of patterns,"},{"line_number":232,"context_line":"attempting a match against each one. The URL remainder above will"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_ad04df17","line":229,"updated":"2016-11-17 23:49:36.000000000","message":"python-keystoneclient or keystone? 
I don\u0027t think the client will have access to the URL patterns stored in keystone, unless we plan to expose those through an API somehow.","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":226,"context_line":"python-keystoneclient will match the URL looking for explicit version"},{"line_number":227,"context_line":"information in the form of the pattern /v[0-9.]*/. Everything before"},{"line_number":228,"context_line":"this pattern will be removed from the URL, leaving"},{"line_number":229,"context_line":"`/v2.1/2497f6​/servers/​83cbdc`"},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"python-keystoneclient will iterate through the set of patterns,"},{"line_number":232,"context_line":"attempting a match against each one. The URL remainder above will"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_f2fbef44","line":229,"in_reply_to":"7a77a97e_ad04df17","updated":"2021-09-24 20:29:41.000000000","message":"read above.  I specified how this would work.","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4736d75ceeb953ed8c66e66cb1c2d22f61ef2b5c","unresolved":false,"context_lines":[{"line_number":228,"context_line":"this pattern will be removed from the URL, leaving"},{"line_number":229,"context_line":"`/v2.1/2497f6​/servers/​83cbdc`"},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"python-keystoneclient will iterate through the set of patterns,"},{"line_number":232,"context_line":"attempting a match against each one. 
The URL remainder above will"},{"line_number":233,"context_line":"match the pattern"},{"line_number":234,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_ff059e10","line":231,"updated":"2016-11-17 23:49:36.000000000","message":"python-keystoneclient or keystone?","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":228,"context_line":"this pattern will be removed from the URL, leaving"},{"line_number":229,"context_line":"`/v2.1/2497f6​/servers/​83cbdc`"},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"python-keystoneclient will iterate through the set of patterns,"},{"line_number":232,"context_line":"attempting a match against each one. The URL remainder above will"},{"line_number":233,"context_line":"match the pattern"},{"line_number":234,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_3298071c","line":231,"in_reply_to":"7a77a97e_ff059e10","updated":"2021-09-24 20:29:41.000000000","message":"Client.  So we don\u0027t duplicate the logic internal and external.","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4736d75ceeb953ed8c66e66cb1c2d22f61ef2b5c","unresolved":false,"context_lines":[{"line_number":445,"context_line":"issues that have been discussed thus far."},{"line_number":446,"context_line":""},{"line_number":447,"context_line":"The largest potential negative impact identified thus far is the"},{"line_number":448,"context_line":"impact on token caching. Tokens that are validated once are typically"},{"line_number":449,"context_line":"cached in the remote services. 
Due to the need to validate more than"},{"line_number":450,"context_line":"just the token validity, but also the role information, now caching"},{"line_number":451,"context_line":"will not be sufficient, as an additional call might have a different"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_9f490a63","line":448,"updated":"2016-11-17 23:49:36.000000000","message":"If we are unable to use token caching, we should *really* think this over. Token caching is a huge part of keystone\u0027s performance story and it\u0027s what we\u0027ve been urging deployers to use for the last couple years.","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":445,"context_line":"issues that have been discussed thus far."},{"line_number":446,"context_line":""},{"line_number":447,"context_line":"The largest potential negative impact identified thus far is the"},{"line_number":448,"context_line":"impact on token caching. Tokens that are validated once are typically"},{"line_number":449,"context_line":"cached in the remote services. Due to the need to validate more than"},{"line_number":450,"context_line":"just the token validity, but also the role information, now caching"},{"line_number":451,"context_line":"will not be sufficient, as an additional call might have a different"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_72599f8d","line":448,"in_reply_to":"7a77a97e_9f490a63","updated":"2021-09-24 20:29:41.000000000","message":"See below. That is why I added the second, external approach.  
But Some people will prefer the all-in-one approach, as you won;t have to build a new mechanism if you are coding in a language other python.","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4736d75ceeb953ed8c66e66cb1c2d22f61ef2b5c","unresolved":false,"context_lines":[{"line_number":485,"context_line":"middleware can safely be upgraded."},{"line_number":486,"context_line":""},{"line_number":487,"context_line":"Once the code changes are in place, the deployer will have to load the"},{"line_number":488,"context_line":"rules to the Keystone server before relying on this mechanism."},{"line_number":489,"context_line":""},{"line_number":490,"context_line":""},{"line_number":491,"context_line":"Developer Impact"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_ffa11ef9","line":488,"updated":"2016-11-17 23:49:36.000000000","message":"Here I think we need an explicit example of how a deployer would go through and update their policy.","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"e014f718e4d418ce21ffb31adf1934ee99d3114d","unresolved":false,"context_lines":[{"line_number":485,"context_line":"middleware can safely be upgraded."},{"line_number":486,"context_line":""},{"line_number":487,"context_line":"Once the code changes are in place, the deployer will have to load the"},{"line_number":488,"context_line":"rules to the Keystone server before relying on this mechanism."},{"line_number":489,"context_line":""},{"line_number":490,"context_line":""},{"line_number":491,"context_line":"Developer Impact"}],"source_content_type":"text/x-rst","patch_set":8,"id":"7a77a97e_12e06b95","line":488,"in_reply_to":"7a77a97e_ffa11ef9","updated":"2021-09-24 20:29:41.000000000","message":"Too much for a spec.  
Upload and customize.","commit_id":"5f7aac4802098980b5959765a57298f66b2c4d53"},{"author":{"_account_id":11022,"name":"Rodrigo Duarte Sousa","email":"rodrigodsousa@gmail.com","username":"rodrigods"},"change_message_id":"3f9c7fae5b414de43dec2173294a5a1060cc1230","unresolved":false,"context_lines":[{"line_number":21,"context_line":" * Allow operator assignment of the roles to operations"},{"line_number":22,"context_line":" * Provide a means to report what role is required for an operation"},{"line_number":23,"context_line":" * Allow fine grained delegations down to individual operations"},{"line_number":24,"context_line":""},{"line_number":25,"context_line":""},{"line_number":26,"context_line":""},{"line_number":27,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"5a74a57a_fab34fe7","line":24,"updated":"2016-11-24 13:15:36.000000000","message":"too many blank lines :)","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":6534,"name":"David Chadwick","email":"d.w.chadwick@truetrust.co.uk","username":"d-w-chadwick"},"change_message_id":"6a816ac6018af1b7d44b445aabcc13f601b6fabd","unresolved":false,"context_lines":[{"line_number":55,"context_line":"work within the restrictions of a distributed development model. Any"},{"line_number":56,"context_line":"approach which requires changes to every project has little to no"},{"line_number":57,"context_line":"chance of succeeding. Thus, RBAC enforcement needs to be encapsulated"},{"line_number":58,"context_line":"with Keystone and Keystonemiddleware. 
However, the full policy check"},{"line_number":59,"context_line":"as performed by policy.json and oslo-policy is embedded deep within"},{"line_number":60,"context_line":"the code of each project, due primarily to the need to fetch a record"},{"line_number":61,"context_line":"from a database to check attributes."}],"source_content_type":"text/x-rst","patch_set":9,"id":"7a77a97e_ddfc2a74","line":58,"range":{"start_line":58,"start_character":37,"end_line":58,"end_character":38},"updated":"2016-11-23 15:55:48.000000000","message":"Dont mix up policy enforcement and policy specification. Policy enforcement can only really take place fully at the service itself. What you want to ensure is that policy specification is correct so that enforcement wont terminate a partially complete job","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"b7171f33ade42dade137438248a75b99c15374f0","unresolved":false,"context_lines":[{"line_number":55,"context_line":"work within the restrictions of a distributed development model. Any"},{"line_number":56,"context_line":"approach which requires changes to every project has little to no"},{"line_number":57,"context_line":"chance of succeeding. Thus, RBAC enforcement needs to be encapsulated"},{"line_number":58,"context_line":"with Keystone and Keystonemiddleware. 
However, the full policy check"},{"line_number":59,"context_line":"as performed by policy.json and oslo-policy is embedded deep within"},{"line_number":60,"context_line":"the code of each project, due primarily to the need to fetch a record"},{"line_number":61,"context_line":"from a database to check attributes."}],"source_content_type":"text/x-rst","patch_set":9,"id":"5a74a57a_ec098f85","line":58,"range":{"start_line":58,"start_character":37,"end_line":58,"end_character":38},"in_reply_to":"7a77a97e_ddfc2a74","updated":"2016-11-27 18:54:57.000000000","message":"We are still talking enforcement here.  Keystonemiddle is executed inside The service.","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":6534,"name":"David Chadwick","email":"d.w.chadwick@truetrust.co.uk","username":"d-w-chadwick"},"change_message_id":"6a816ac6018af1b7d44b445aabcc13f601b6fabd","unresolved":false,"context_lines":[{"line_number":65,"context_line":"project. The matching logic in the policy.json rules are very specific"},{"line_number":66,"context_line":"to each of the projects. There is little reason to modify this part"},{"line_number":67,"context_line":"of the policy. In fact, doing so might break deployments upon update."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"It would be possible to have an additional call to oslo-policy"},{"line_number":70,"context_line":"from keystonemiddleware to check only the roles. However, that leaves"},{"line_number":71,"context_line":"additional questions unsolved: how do we make the role checks easily"}],"source_content_type":"text/x-rst","patch_set":9,"id":"7a77a97e_3df6fe8e","line":68,"updated":"2016-11-23 15:55:48.000000000","message":"The fact that the current policy files only contain admin roles is not the crucial fact. It is whether the code can support an arbitrary set of roles and will work when values other than admin are specified. If the code is deficient, then you have a problem. 
If the code works but people are simply not using the policies to their full effect by only specifying admin roles, then you should be ok.","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"b7171f33ade42dade137438248a75b99c15374f0","unresolved":false,"context_lines":[{"line_number":65,"context_line":"project. The matching logic in the policy.json rules are very specific"},{"line_number":66,"context_line":"to each of the projects. There is little reason to modify this part"},{"line_number":67,"context_line":"of the policy. In fact, doing so might break deployments upon update."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"It would be possible to have an additional call to oslo-policy"},{"line_number":70,"context_line":"from keystonemiddleware to check only the roles. However, that leaves"},{"line_number":71,"context_line":"additional questions unsolved: how do we make the role checks easily"}],"source_content_type":"text/x-rst","patch_set":9,"id":"5a74a57a_0c0fab88","line":68,"in_reply_to":"7a77a97e_3df6fe8e","updated":"2016-11-27 18:54:57.000000000","message":"And yes, it is the latter case that is true.","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":6534,"name":"David Chadwick","email":"d.w.chadwick@truetrust.co.uk","username":"d-w-chadwick"},"change_message_id":"6a816ac6018af1b7d44b445aabcc13f601b6fabd","unresolved":false,"context_lines":[{"line_number":70,"context_line":"from keystonemiddleware to check only the roles. 
However, that leaves"},{"line_number":71,"context_line":"additional questions unsolved: how do we make the role checks easily"},{"line_number":72,"context_line":"editable, but still distributed to all of the services?"},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"The RBAC check does not require the same information required for the"},{"line_number":75,"context_line":"scope check. While the scope check requires attributes off a resource"},{"line_number":76,"context_line":"fetched from the database, the RBAC check can be performed entirely"}],"source_content_type":"text/x-rst","patch_set":9,"id":"7a77a97e_5d481acc","line":73,"updated":"2016-11-23 15:55:48.000000000","message":"One solution is to have an external policy management service that allows admins to create consistent policies, and then the policies can be exported to the various OpenStack services (as Ioram did in his PhD work)","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3be4816d1bc0df8f769aabcae04fdc7e68959ca1","unresolved":false,"context_lines":[{"line_number":70,"context_line":"from keystonemiddleware to check only the roles. However, that leaves"},{"line_number":71,"context_line":"additional questions unsolved: how do we make the role checks easily"},{"line_number":72,"context_line":"editable, but still distributed to all of the services?"},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"The RBAC check does not require the same information required for the"},{"line_number":75,"context_line":"scope check. 
While the scope check requires attributes off a resource"},{"line_number":76,"context_line":"fetched from the database, the RBAC check can be performed entirely"}],"source_content_type":"text/x-rst","patch_set":9,"id":"5a74a57a_d0d058cc","line":73,"in_reply_to":"5a74a57a_6c1e5fbc","updated":"2016-11-30 14:46:52.000000000","message":"I don\u0027t think David is suggesting an external decision point as much as it would be an external policy administration and information point. The last bit about being able to export policy to various OpenStack services sounds like we\u0027re still going to keep policy enforcement at the service. What it would solve would be the management of policy.","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"b7171f33ade42dade137438248a75b99c15374f0","unresolved":false,"context_lines":[{"line_number":70,"context_line":"from keystonemiddleware to check only the roles. However, that leaves"},{"line_number":71,"context_line":"additional questions unsolved: how do we make the role checks easily"},{"line_number":72,"context_line":"editable, but still distributed to all of the services?"},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"The RBAC check does not require the same information required for the"},{"line_number":75,"context_line":"scope check. While the scope check requires attributes off a resource"},{"line_number":76,"context_line":"fetched from the database, the RBAC check can be performed entirely"}],"source_content_type":"text/x-rst","patch_set":9,"id":"5a74a57a_6c1e5fbc","line":73,"in_reply_to":"7a77a97e_5d481acc","updated":"2016-11-27 18:54:57.000000000","message":"There have been many discussions along these lines.  There are a few issues with an external PDP like this, and I thought I had made them clear in this document.  
However, since this is a spec, and not a teaching document on RBAC, it is obviously going to be impossible to address all of them.\n\n If there is a public paper on Ioram\u0027s work, please send a link and I will include it to the references at the end.","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":11022,"name":"Rodrigo Duarte Sousa","email":"rodrigodsousa@gmail.com","username":"rodrigods"},"change_message_id":"3f9c7fae5b414de43dec2173294a5a1060cc1230","unresolved":false,"context_lines":[{"line_number":77,"context_line":"off of information involved in the request. The basic data required"},{"line_number":78,"context_line":"is:"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"  * The requested URL, to include the understanding of which service"},{"line_number":81,"context_line":"    or endpoint the URL implements."},{"line_number":82,"context_line":"  * The Data returned from the Token"},{"line_number":83,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"5a74a57a_857d9cb3","line":80,"range":{"start_line":80,"start_character":8,"end_line":80,"end_character":21},"updated":"2016-11-24 13:15:36.000000000","message":"assuming the URL is \"following REST\", that\u0027s true.","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"b7171f33ade42dade137438248a75b99c15374f0","unresolved":false,"context_lines":[{"line_number":77,"context_line":"off of information involved in the request. 
The basic data required"},{"line_number":78,"context_line":"is:"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"  * The requested URL, to include the understanding of which service"},{"line_number":81,"context_line":"    or endpoint the URL implements."},{"line_number":82,"context_line":"  * The Data returned from the Token"},{"line_number":83,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"5a74a57a_8c1bbbc9","line":80,"range":{"start_line":80,"start_character":8,"end_line":80,"end_character":21},"in_reply_to":"5a74a57a_857d9cb3","updated":"2016-11-27 18:54:57.000000000","message":"Yes, and we shoul,d e OK for the OpenStack services.","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"be77369ec35e3541266ea5196978c13006159637","unresolved":false,"context_lines":[{"line_number":120,"context_line":"  * Create an API for management of role to URL Pattern mappings."},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"  * Append a Role check to the token validation that uses the role to URL"},{"line_number":123,"context_line":"    Pattern mappings."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"RBAC Check Flow"}],"source_content_type":"text/x-rst","patch_set":9,"id":"5a74a57a_072618ce","line":123,"updated":"2016-11-23 20:00:00.000000000","message":"For clarification from the meeting - this is what would break the current token caching implementation in keystone.","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"b7171f33ade42dade137438248a75b99c15374f0","unresolved":false,"context_lines":[{"line_number":120,"context_line":"  * Create an API for management of role to URL 
Pattern mappings."},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"  * Append a Role check to the token validation that uses the role to URL"},{"line_number":123,"context_line":"    Pattern mappings."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"RBAC Check Flow"}],"source_content_type":"text/x-rst","patch_set":9,"id":"5a74a57a_ac7a37ef","line":123,"in_reply_to":"5a74a57a_072618ce","updated":"2016-11-27 18:54:57.000000000","message":"Correct.","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"be77369ec35e3541266ea5196978c13006159637","unresolved":false,"context_lines":[{"line_number":173,"context_line":""},{"line_number":174,"context_line":"If the value for `rbac` is set to `in_process` the service, URL,"},{"line_number":175,"context_line":"and verb will not be sent along as part of the token validation code."},{"line_number":176,"context_line":"IN tead, the logic to perform the RBAC check will be done in the"},{"line_number":177,"context_line":"services process after the token is returned from the identity"},{"line_number":178,"context_line":"endpoint. 
This will support the current token caching approach."},{"line_number":179,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"5a74a57a_2a111953","line":176,"updated":"2016-11-23 20:00:00.000000000","message":"Instead*","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"be77369ec35e3541266ea5196978c13006159637","unresolved":false,"context_lines":[{"line_number":175,"context_line":"and verb will not be sent along as part of the token validation code."},{"line_number":176,"context_line":"IN tead, the logic to perform the RBAC check will be done in the"},{"line_number":177,"context_line":"services process after the token is returned from the identity"},{"line_number":178,"context_line":"endpoint. This will support the current token caching approach."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":""},{"line_number":181,"context_line":"validation"}],"source_content_type":"text/x-rst","patch_set":9,"id":"5a74a57a_ca57c500","line":178,"updated":"2016-11-23 20:00:00.000000000","message":"It will but - we have to make another call to keystone to retrieve the set of operations and the implied roles those operations require. 
This will for sure have an impact on performance since we\u0027re asking keystone for even more information in separate call.","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"b7171f33ade42dade137438248a75b99c15374f0","unresolved":false,"context_lines":[{"line_number":175,"context_line":"and verb will not be sent along as part of the token validation code."},{"line_number":176,"context_line":"IN tead, the logic to perform the RBAC check will be done in the"},{"line_number":177,"context_line":"services process after the token is returned from the identity"},{"line_number":178,"context_line":"endpoint. This will support the current token caching approach."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":""},{"line_number":181,"context_line":"validation"}],"source_content_type":"text/x-rst","patch_set":9,"id":"5a74a57a_ec80afc1","line":178,"in_reply_to":"5a74a57a_ca57c500","updated":"2016-11-27 18:54:57.000000000","message":"The Data needed for RBAC should be fetchable in a single call, and can be cached in the same mechanism as the Tokens.  it is only the non-cache cases that will benefit from an all-in-one call.","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3be4816d1bc0df8f769aabcae04fdc7e68959ca1","unresolved":false,"context_lines":[{"line_number":218,"context_line":""},{"line_number":219,"context_line":"For this example, we will specify that the expansion of role"},{"line_number":220,"context_line":"inference rules is disabled. 
This will minimize the token response"},{"line_number":221,"context_line":"data size as the number of defined roles increases."},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"python-keystoneclient will make a query against the keystone URL"},{"line_number":224,"context_line":"pattern database specific to the service. Due to caching needs, this"}],"source_content_type":"text/x-rst","patch_set":9,"id":"5a74a57a_9b4e0195","line":221,"updated":"2016-11-30 14:46:52.000000000","message":"That and the mapping of url to role breaks if there is more than one role specified. The entire idea of this spec relies on using inherited roles.","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3be4816d1bc0df8f769aabcae04fdc7e68959ca1","unresolved":false,"context_lines":[{"line_number":220,"context_line":"inference rules is disabled. This will minimize the token response"},{"line_number":221,"context_line":"data size as the number of defined roles increases."},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"python-keystoneclient will make a query against the keystone URL"},{"line_number":224,"context_line":"pattern database specific to the service. Due to caching needs, this"},{"line_number":225,"context_line":"query can also be loaded directly from its JSON representation. 
The"},{"line_number":226,"context_line":"Keystone server will expand the role inference rules in the result."}],"source_content_type":"text/x-rst","patch_set":9,"id":"5a74a57a_36bee4ff","line":223,"updated":"2016-11-30 14:46:52.000000000","message":"python-keystoneclient or keystonemiddleware?","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3be4816d1bc0df8f769aabcae04fdc7e68959ca1","unresolved":false,"context_lines":[{"line_number":246,"context_line":"And the validation will succeed. The Keystone server will return the"},{"line_number":247,"context_line":"200 response code and the auth_data as before."},{"line_number":248,"context_line":""},{"line_number":249,"context_line":"The failure path will be similar to a failed token validation."},{"line_number":250,"context_line":""},{"line_number":251,"context_line":"After the token validation is completed, auth_token middleware adds"},{"line_number":252,"context_line":"several additional headers to the request and completes. The WSGI"}],"source_content_type":"text/x-rst","patch_set":9,"id":"5a74a57a_364ee4c1","line":249,"updated":"2016-11-30 14:46:52.000000000","message":"So - this is moving the decision point from oslo-policy into python-keystoneclient?","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3be4816d1bc0df8f769aabcae04fdc7e68959ca1","unresolved":false,"context_lines":[{"line_number":249,"context_line":"The failure path will be similar to a failed token validation."},{"line_number":250,"context_line":""},{"line_number":251,"context_line":"After the token validation is completed, auth_token middleware adds"},{"line_number":252,"context_line":"several additional headers to the request and completes. 
The WSGI"},{"line_number":253,"context_line":"middleware pipeline continues, eventually calling into the Nova server"},{"line_number":254,"context_line":"specific code. Inside this code, Nova will call the oslo-policy"},{"line_number":255,"context_line":"library to enforce policy as specified by either the Nova annotations"}],"source_content_type":"text/x-rst","patch_set":9,"id":"5a74a57a_7603fc76","line":252,"updated":"2016-11-30 14:46:52.000000000","message":"New headers or existing ones? If they are new, what\u0027s the reason for adding them?","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3be4816d1bc0df8f769aabcae04fdc7e68959ca1","unresolved":false,"context_lines":[{"line_number":252,"context_line":"several additional headers to the request and completes. The WSGI"},{"line_number":253,"context_line":"middleware pipeline continues, eventually calling into the Nova server"},{"line_number":254,"context_line":"specific code. Inside this code, Nova will call the oslo-policy"},{"line_number":255,"context_line":"library to enforce policy as specified by either the Nova annotations"},{"line_number":256,"context_line":"or the overloads provided in the policy.json or policy.yaml files."},{"line_number":257,"context_line":""},{"line_number":258,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"5a74a57a_1651e862","line":255,"updated":"2016-11-30 14:46:52.000000000","message":"This piece is going to be duplicating the check we already did in middleware (er, python-keystoneclient?). I\u0027d like to have this clarified since it would be super confusing to operators if a URL pattern somehow differs from it\u0027s policy.json counterpart and the entire call failed in one of the checks. 
I like the approach that Nova took with this where they codified their policy into oslo-policy and consolidated their policy.json.\n\nWhy can\u0027t we keep the policy enforcement for roles in oslo-policy since Nova has to use it for the scope check anyway?","commit_id":"28d39871c68c758a33c8da61e62f8ae47a53eb6a"}]}
