)]}'
{"specs/keystone/stein/resource-options-for-all.rst":[{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"619a7c0ac33b73f085833e562da444e0dcfac719","unresolved":false,"context_lines":[{"line_number":70,"context_line":"Other End User Impact"},{"line_number":71,"context_line":"---------------------"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"Users will see an added ``resource_option`` response for resources."},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"Performance Impact"},{"line_number":76,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3f79a3b5_199d2b54","line":73,"range":{"start_line":73,"start_character":24,"end_line":73,"end_character":43},"updated":"2018-12-10 18:48:02.000000000","message":"resource_options.","commit_id":"099de75e253cda461da7e29b3f6008e465f7e447"},{"author":{"_account_id":10420,"name":"Adrian Turjak","email":"devs+openstack@uncaught-exceptions.com","username":"adriant"},"change_message_id":"108a505274139adf8c6c9a76438509acc649eedc","unresolved":false,"context_lines":[{"line_number":17,"context_line":"within keystone will benefit from a similar set of technologies. 
Examples"},{"line_number":18,"context_line":"of use cases are:"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"* Limit login to specific origins (IP Addrs) for tokens scoped to a given"},{"line_number":21,"context_line":"  project or domain"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"* Apply default PCI-DSS options to all users contained within a Domain, e.g."},{"line_number":24,"context_line":"  exempt all service users in a ``service`` domain from password change"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9fdfeff1_4f4924ce","line":21,"range":{"start_line":20,"start_character":2,"end_line":21,"end_character":19},"updated":"2019-01-25 01:25:48.000000000","message":"This we can probably drop if we do this via auth rules, because then the below covers it.\n\nBut it depends on how we do:\nhttps://bugs.launchpad.net/keystone/+bug/1804042","commit_id":"e466dc1fce5b1f609f0ce7f9dfbc813f18fe70b0"},{"author":{"_account_id":10420,"name":"Adrian Turjak","email":"devs+openstack@uncaught-exceptions.com","username":"adriant"},"change_message_id":"feb79d818439fb5bc96f4549d216b20757e99ac4","unresolved":false,"context_lines":[{"line_number":17,"context_line":"within keystone will benefit from a similar set of technologies. 
Examples"},{"line_number":18,"context_line":"of use cases are:"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"* Limit login to specific origins (IP Addrs) for tokens scoped to a given"},{"line_number":21,"context_line":"  project or domain"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"* Apply default PCI-DSS options to all users contained within a Domain, e.g."},{"line_number":24,"context_line":"  exempt all service users in a ``service`` domain from password change"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9fdfeff1_544afaab","line":21,"range":{"start_line":20,"start_character":2,"end_line":21,"end_character":19},"in_reply_to":"9fdfeff1_4f4924ce","updated":"2019-01-27 22:17:28.000000000","message":"Hmmm, now that I think about this some more.\n\nLimiting a whole project by one or more IP ranges can\u0027t be done nicely with auth-rules because you\u0027d know that methods contained the source_ip method, but not what IP it came from originally.\n\nIf the auth rules and the CIDR behind them are admin controlled, then there isn\u0027t an issue since you know if they successfully get the source_ip method, they will have the right ip. But if it\u0027s user controlled, for all we know the configured ip for the user could be 0.0.0.0/0 at which point they\u0027d get the auth-method, but it would be meaningless.\n\nWe would still need a project option, but then we\u0027d be making custom logic just for this use case that is separate to auth rules. 
We\u0027d be double handling the ip.\n\nWe could potentially store the original auth IP in the token and use that when checking rescoping.","commit_id":"e466dc1fce5b1f609f0ce7f9dfbc813f18fe70b0"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"31bb8c865cdd55e76e21e7e3835318d30fe6b869","unresolved":false,"context_lines":[{"line_number":17,"context_line":"within keystone will benefit from a similar set of technologies. Examples"},{"line_number":18,"context_line":"of use cases are:"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"* Limit login to specific origins (IP Addrs) for tokens scoped to a given"},{"line_number":21,"context_line":"  project or domain"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"* Apply default PCI-DSS options to all users contained within a Domain, e.g."},{"line_number":24,"context_line":"  exempt all service users in a ``service`` domain from password change"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9fdfeff1_9a007aad","line":21,"range":{"start_line":20,"start_character":2,"end_line":21,"end_character":19},"in_reply_to":"9fdfeff1_544afaab","updated":"2019-01-28 19:24:47.000000000","message":"All optional. These are example use cases. 
Code and logic for them are currently not considered/implemented.","commit_id":"e466dc1fce5b1f609f0ce7f9dfbc813f18fe70b0"}],"specs/keystone/train/resource-options-for-all.rst":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"1f0e3f7a331bdf1743f9549a369f152acb697881","unresolved":false,"context_lines":[{"line_number":22,"context_line":""},{"line_number":23,"context_line":"* Apply default PCI-DSS options to all users contained within a Domain, e.g."},{"line_number":24,"context_line":"  exempt all service users in a ``service`` domain from password change"},{"line_number":25,"context_line":"  requirements."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"* Apply default Multi-Factor-Auth rules to all logins scoping to a given"},{"line_number":28,"context_line":"  domain or project."}],"source_content_type":"text/x-rst","patch_set":3,"id":"ffb9cba7_cfaa1884","line":25,"updated":"2019-04-24 00:08:06.000000000","message":"++","commit_id":"2d0de7cccd172c6c70349851b0ca50ada8dd5c79"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"1f0e3f7a331bdf1743f9549a369f152acb697881","unresolved":false,"context_lines":[{"line_number":44,"context_line":"Add the same controls, db tables, and responses for all resource types that"},{"line_number":45,"context_line":"currently do not have resource options implemented. 
This will be implemented"},{"line_number":46,"context_line":"as part of the base SQL Model class defined within keystone, all future"},{"line_number":47,"context_line":"resource types will be expected to implement the resource option functionality."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"Alternatives"},{"line_number":50,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ffb9cba7_af91e454","line":47,"updated":"2019-04-24 00:08:06.000000000","message":"It might be worth adding more detail here, what is the user-facing impact? As it is it seems almost more like a refactor and not a feature.","commit_id":"2d0de7cccd172c6c70349851b0ca50ada8dd5c79"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"71a83a764c43a960c28273f6f78acb5c712f8fb9","unresolved":false,"context_lines":[{"line_number":44,"context_line":"Add the same controls, db tables, and responses for all resource types that"},{"line_number":45,"context_line":"currently do not have resource options implemented. This will be implemented"},{"line_number":46,"context_line":"as part of the base SQL Model class defined within keystone, all future"},{"line_number":47,"context_line":"resource types will be expected to implement the resource option functionality."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"Alternatives"},{"line_number":50,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ffb9cba7_5e6faa91","line":47,"in_reply_to":"ffb9cba7_af91e454","updated":"2019-04-24 15:59:49.000000000","message":"Sure. I\u0027ll add an update including the information on what the user-facing impact is.","commit_id":"2d0de7cccd172c6c70349851b0ca50ada8dd5c79"}]}
