)]}'
{"specs/keystone/ongoing/role-check-bodykey.rst":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"3422fdb3e8f86241c424a2984e59bd505b3990da","unresolved":false,"context_lines":[{"line_number":17,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"The access lists for auth-creds are based on the PATH of the API only."},{"line_number":20,"context_line":"However, some of the APIs actually switch based on a value in the Body"},{"line_number":21,"context_line":"of a POST request.  The compute `actions` API is the most notable"},{"line_number":22,"context_line":"option."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"5fc1f717_a3df45d5","line":21,"range":{"start_line":20,"start_character":53,"end_line":21,"end_character":17},"updated":"2019-04-08 21:04:18.000000000","message":"You have a specific example for this case, but I can imagine some badly-designed API could enforce policy based on any number of inappropriate keys, such as headers, or the contents of an uploaded object. Or perhaps the API isn\u0027t a JSON API. We can\u0027t predict all these cases.","commit_id":"a5e8ad68fe22cea9039dfd8e00b75a845272d52c"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"3422fdb3e8f86241c424a2984e59bd505b3990da","unresolved":false,"context_lines":[{"line_number":18,"context_line":""},{"line_number":19,"context_line":"The access lists for auth-creds are based on the PATH of the API only."},{"line_number":20,"context_line":"However, some of the APIs actually switch based on a value in the Body"},{"line_number":21,"context_line":"of a POST request.  The compute `actions` API is the most notable"},{"line_number":22,"context_line":"option."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"Proposed Change"}],"source_content_type":"text/x-rst","patch_set":3,"id":"5fc1f717_43ea2174","line":22,"range":{"start_line":21,"start_character":20,"end_line":22,"end_character":7},"updated":"2019-04-08 21:04:18.000000000","message":"The nova project is just one of quite a lot of OpenStack services, and keystone is even often used for non-OpenStack services, this is why I worry about trying to take nova\u0027s weird corner case and turn it into a one-size-fits-all solution.","commit_id":"a5e8ad68fe22cea9039dfd8e00b75a845272d52c"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9fd9f1690b434cc5c6b479d543d5d72f2934d23d","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Only apply RBAC for a route that matches on verb and path but that"},{"line_number":37,"context_line":"does not contain a body key if none of the Routes with body keys match."},{"line_number":38,"context_line":""},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"Alternatives"},{"line_number":41,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"5fc1f717_f129899b","line":38,"updated":"2019-04-09 13:46:40.000000000","message":"I\u0027m not sure if this will be a silver bullet, but nova has a specification proposed that details, extensively, the work they\u0027d like to do to clean up their policy enforcement.\n\nI don\u0027t know if microversions helps fix the in-body key API issues, but that could be a discussion to have in that specification. Also, if that work gets done, I would be really curious to see the reaction from operators and users since it would be moving nova in the right direction policy-wise. Maybe we assist them with that effort where we can and revisit this when the dust settles and before we start making a complicated change to queue off of request body information.","commit_id":"a5e8ad68fe22cea9039dfd8e00b75a845272d52c"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"efbf0aed4ff0f9b961e4cd9f828826e9ae2569b0","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Only apply RBAC for a route that matches on verb and path but that"},{"line_number":37,"context_line":"does not contain a body key if none of the Routes with body keys match."},{"line_number":38,"context_line":""},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"Alternatives"},{"line_number":41,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ffb9cba7_2f0bb48e","line":38,"in_reply_to":"5fc1f717_710fd938","updated":"2019-04-24 00:19:37.000000000","message":"Adam, if this (somehow magically) wasn\u0027t a problem for nova, would there still be a need for this?","commit_id":"a5e8ad68fe22cea9039dfd8e00b75a845272d52c"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9356cc512a9ba2c2e571a93692071d27e5bc8c15","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Only apply RBAC for a route that matches on verb and path but that"},{"line_number":37,"context_line":"does not contain a body key if none of the Routes with body keys match."},{"line_number":38,"context_line":""},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"Alternatives"},{"line_number":41,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"5fc1f717_710fd938","line":38,"in_reply_to":"5fc1f717_f129899b","updated":"2019-04-09 13:47:12.000000000","message":"Link to the nova specification under review: https://review.openstack.org/#/c/547850/","commit_id":"a5e8ad68fe22cea9039dfd8e00b75a845272d52c"}],"specs/keystone/pike/role-check-bodykey.rst":[{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"abb5dffb324e0770665eb24062ee08efe4b0c805","unresolved":false,"context_lines":[{"line_number":25,"context_line":"Proposed Change"},{"line_number":26,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"Add in an optional `bodykey` value for RBAC in Middleware Routes.  Use"},{"line_number":29,"context_line":"this value to inspect the Body of the request.  If the key matches,"},{"line_number":30,"context_line":"enforce the on the Role assigned with the Route."},{"line_number":31,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"df140735_0e6584e1","line":28,"range":{"start_line":28,"start_character":20,"end_line":28,"end_character":27},"updated":"2017-05-31 17:06:33.000000000","message":"this spec is missing what this bodykey would look like, which is critical to evaluating this proposal. We would need to account for *where* something is in the body, not just search the whole thing, so there needs to be some kind of pathing. And it needs to work for all services, with all their variations. And what if body includes a list? Etc. Please define.","commit_id":"2ff7b52ca8fe88b9db9a6ed98d464b40bf66a86d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"abb5dffb324e0770665eb24062ee08efe4b0c805","unresolved":false,"context_lines":[{"line_number":27,"context_line":""},{"line_number":28,"context_line":"Add in an optional `bodykey` value for RBAC in Middleware Routes.  Use"},{"line_number":29,"context_line":"this value to inspect the Body of the request.  If the key matches,"},{"line_number":30,"context_line":"enforce the on the Role assigned with the Route."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"To avoid a bypass, the RBAC check will attempt to match any routes"},{"line_number":33,"context_line":"that match.  If the route matches on verb, path, and bodykey, then the"}],"source_content_type":"text/x-rst","patch_set":2,"id":"df140735_9b4f9891","line":30,"range":{"start_line":30,"start_character":8,"end_line":30,"end_character":12},"updated":"2017-05-31 17:06:33.000000000","message":"extra \"the\"","commit_id":"2ff7b52ca8fe88b9db9a6ed98d464b40bf66a86d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"abb5dffb324e0770665eb24062ee08efe4b0c805","unresolved":false,"context_lines":[{"line_number":53,"context_line":"Notifications Impact"},{"line_number":54,"context_line":"--------------------"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"Not change"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"Other End User Impact"},{"line_number":59,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"df140735_ce02ec0b","line":56,"range":{"start_line":56,"start_character":0,"end_line":56,"end_character":3},"updated":"2017-05-31 17:06:33.000000000","message":"No*","commit_id":"2ff7b52ca8fe88b9db9a6ed98d464b40bf66a86d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"abb5dffb324e0770665eb24062ee08efe4b0c805","unresolved":false,"context_lines":[{"line_number":64,"context_line":"------------------"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"If these URLs are heavily hit, and there are a lot of matching rules,"},{"line_number":67,"context_line":"each request will require more comptutation, but the amount should be"},{"line_number":68,"context_line":"unnoticible."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"df140735_510c413a","line":67,"range":{"start_line":67,"start_character":31,"end_line":67,"end_character":43},"updated":"2017-05-31 17:06:33.000000000","message":"computation*","commit_id":"2ff7b52ca8fe88b9db9a6ed98d464b40bf66a86d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"abb5dffb324e0770665eb24062ee08efe4b0c805","unresolved":false,"context_lines":[{"line_number":65,"context_line":""},{"line_number":66,"context_line":"If these URLs are heavily hit, and there are a lot of matching rules,"},{"line_number":67,"context_line":"each request will require more comptutation, but the amount should be"},{"line_number":68,"context_line":"unnoticible."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"Other Deployer Impact"}],"source_content_type":"text/x-rst","patch_set":2,"id":"df140735_d1173145","line":68,"range":{"start_line":68,"start_character":0,"end_line":68,"end_character":11},"updated":"2017-05-31 17:06:33.000000000","message":"unnoticeable*","commit_id":"2ff7b52ca8fe88b9db9a6ed98d464b40bf66a86d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"abb5dffb324e0770665eb24062ee08efe4b0c805","unresolved":false,"context_lines":[{"line_number":71,"context_line":"Other Deployer Impact"},{"line_number":72,"context_line":"---------------------"},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"Deployer will want new rbac routes for the POST apis."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Developer Impact"},{"line_number":77,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"df140735_912bf980","line":74,"range":{"start_line":74,"start_character":23,"end_line":74,"end_character":27},"updated":"2017-05-31 17:06:33.000000000","message":"RBAC*","commit_id":"2ff7b52ca8fe88b9db9a6ed98d464b40bf66a86d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"abb5dffb324e0770665eb24062ee08efe4b0c805","unresolved":false,"context_lines":[{"line_number":95,"context_line":"Work Items"},{"line_number":96,"context_line":"----------"},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"Work items or tasks -- break the feature up into the things that need to be"},{"line_number":99,"context_line":"done to implement it. Those parts might end up being done by different people,"},{"line_number":100,"context_line":"but we\u0027re mostly trying to understand the timeline for implementation."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":2,"id":"df140735_71574504","line":100,"range":{"start_line":98,"start_character":0,"end_line":100,"end_character":70},"updated":"2017-05-31 17:06:33.000000000","message":"this appears to be help text from the template, and should be replaced with real content.","commit_id":"2ff7b52ca8fe88b9db9a6ed98d464b40bf66a86d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"abb5dffb324e0770665eb24062ee08efe4b0c805","unresolved":false,"context_lines":[{"line_number":108,"context_line":"Documentation Impact"},{"line_number":109,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"What is the impact on the docs team of this change? Some changes might require"},{"line_number":112,"context_line":"donating resources to the docs team to have the documentation updated. Don\u0027t"},{"line_number":113,"context_line":"repeat details discussed above, but please reference them here."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"References"}],"source_content_type":"text/x-rst","patch_set":2,"id":"df140735_919e59b6","line":113,"range":{"start_line":111,"start_character":0,"end_line":113,"end_character":62},"updated":"2017-05-31 17:06:33.000000000","message":"more help text from the template that needs to get replaced.","commit_id":"2ff7b52ca8fe88b9db9a6ed98d464b40bf66a86d"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"abb5dffb324e0770665eb24062ee08efe4b0c805","unresolved":false,"context_lines":[{"line_number":116,"context_line":"References"},{"line_number":117,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"Please add any useful references here. You are not required to have any"},{"line_number":120,"context_line":"reference. Moreover, this specification should still make sense when your"},{"line_number":121,"context_line":"references are unavailable. Examples of what you could include are:"},{"line_number":122,"context_line":""},{"line_number":123,"context_line":"* Links to mailing list or IRC discussions"},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"* Links to notes from a summit session"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"* Links to relevant research, if appropriate"},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"* Related specifications as appropriate (e.g.  if it\u0027s an EC2 thing, link the"},{"line_number":130,"context_line":"  EC2 docs)"},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"* Anything else you feel it is worthwhile to refer to"}],"source_content_type":"text/x-rst","patch_set":2,"id":"df140735_d1b3b14c","line":132,"range":{"start_line":119,"start_character":0,"end_line":132,"end_character":53},"updated":"2017-05-31 17:06:33.000000000","message":"more help text from the template that needs to get replaced.","commit_id":"2ff7b52ca8fe88b9db9a6ed98d464b40bf66a86d"}]}