{"specs/keystone/train/capabilities-app-creds.rst":[
{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4a00082d079ba6caeb6a652ff94e01a6eb15351b","unresolved":false,"context_lines":[{"line_number":95,"context_line":"   access rules because that would require domain knowledge of each service in"},{"line_number":96,"context_line":"   the catalog."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"   The access rules are stored in a separate database table and linked to the"},{"line_number":99,"context_line":"   application credential so that old rules can be re-used with new application"},{"line_number":100,"context_line":"   credentials."},{"line_number":101,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"bfb3d3c7_f4a9688f","line":98,"range":{"start_line":98,"start_character":54,"end_line":98,"end_character":59},"updated":"2019-05-29 13:42:51.000000000","message":"Implementation question: during the session, wasn\u0027t there talk of putting these in a configuration file, too?","commit_id":"84dd128c1af24b1897b838f47560bb8272ef0515"},
{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"9460b20e671e8c8f42372d2ead6f7024d841cfb4","unresolved":false,"context_lines":[{"line_number":95,"context_line":"   access rules because that would require domain knowledge of each service in"},{"line_number":96,"context_line":"   the catalog."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"   The access rules are stored in a separate database table and linked to the"},{"line_number":99,"context_line":"   application credential so that old rules can be re-used with new application"},{"line_number":100,"context_line":"   credentials."},{"line_number":101,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"bfb3d3c7_fd82a8ff","line":98,"range":{"start_line":98,"start_character":54,"end_line":98,"end_character":59},"in_reply_to":"bfb3d3c7_f4a9688f","updated":"2019-05-29 17:14:33.000000000","message":"I don\u0027t recall that, nor do I see it in the notes. The idea as I recall it was to have the user create them on-demand and then persist them in the db so that they could be linked again later on. Do you see a value in keeping them in a config file?","commit_id":"84dd128c1af24b1897b838f47560bb8272ef0515"},
{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4a00082d079ba6caeb6a652ff94e01a6eb15351b","unresolved":false,"context_lines":[{"line_number":272,"context_line":"the allowed access rules that a user may configure by creating a global"},{"line_number":273,"context_line":"whitelist of access rules against which users\u0027 access rules are validated prior"},{"line_number":274,"context_line":"to the creation of the application credential. The value of this is to assist"},{"line_number":275,"context_line":"users in creating valid access rules and avoiding accidentally opening security"},{"line_number":276,"context_line":"holes by creating invalid rules. It would also give the operator more control"},{"line_number":277,"context_line":"of the overall access control configuration. However, for the time being, this"},{"line_number":278,"context_line":"feature is infeasible because we lack discoverability of APIs and it is"},{"line_number":279,"context_line":"impossible to create a complete list of valid access rules for all services"}],"source_content_type":"text/x-rst","patch_set":2,"id":"bfb3d3c7_74c81873","line":276,"range":{"start_line":275,"start_character":41,"end_line":276,"end_character":5},"updated":"2019-05-29 13:42:51.000000000","message":"Ultimately, the operation is still limited by the role in the token, right? I thought the main driver for putting this off is that it was susceptible to poor user experience.","commit_id":"84dd128c1af24b1897b838f47560bb8272ef0515"},
{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"9460b20e671e8c8f42372d2ead6f7024d841cfb4","unresolved":false,"context_lines":[{"line_number":272,"context_line":"the allowed access rules that a user may configure by creating a global"},{"line_number":273,"context_line":"whitelist of access rules against which users\u0027 access rules are validated prior"},{"line_number":274,"context_line":"to the creation of the application credential. The value of this is to assist"},{"line_number":275,"context_line":"users in creating valid access rules and avoiding accidentally opening security"},{"line_number":276,"context_line":"holes by creating invalid rules. It would also give the operator more control"},{"line_number":277,"context_line":"of the overall access control configuration. However, for the time being, this"},{"line_number":278,"context_line":"feature is infeasible because we lack discoverability of APIs and it is"},{"line_number":279,"context_line":"impossible to create a complete list of valid access rules for all services"}],"source_content_type":"text/x-rst","patch_set":2,"id":"bfb3d3c7_5d0c14a4","line":276,"range":{"start_line":275,"start_character":41,"end_line":276,"end_character":5},"in_reply_to":"bfb3d3c7_74c81873","updated":"2019-05-29 17:14:33.000000000","message":"Yes, regular policy enforcement would still apply, but the idea was perhaps the user was trying to restrict the app cred even further than what their role assignments allow but messed up somehow and ended up with either a non-working app cred or one with too much access.\n\nThe highlighted text is trying to provide context for why we would have thought it was a good idea, not why we\u0027re putting it off. I\u0027ll try to clarify in the following sentences that the lack of discoverability makes requiring this a poor user experience.","commit_id":"84dd128c1af24b1897b838f47560bb8272ef0515"},
{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3dc75a3fac57c0ac7f5d44485678719ecef361b6","unresolved":false,"context_lines":[{"line_number":8,"context_line":"Add Fine Grained Restrictions to Application Credentials"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"`bp \u003chttps://blueprints.launchpad.net/keystone/+spec/whitelist-extension-for-app-creds\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Currently Keystone application credentials are mostly unrestricted."},{"line_number":14,"context_line":"Restrictions can only be imposed on creation of follow-up application"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_3facd69d","line":11,"updated":"2019-06-26 15:24:04.000000000","message":"Are we still going to track this work under the old blueprint or are we going to use a new bug report?","commit_id":"94df8711bc838cb28512e1ad3fc9b8d8480cd87d"},
{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"e25b675d472b415cc18268429094a890e51a1fd3","unresolved":false,"context_lines":[{"line_number":8,"context_line":"Add Fine Grained Restrictions to Application Credentials"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"`bp \u003chttps://blueprints.launchpad.net/keystone/+spec/whitelist-extension-for-app-creds\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Currently Keystone application credentials are mostly unrestricted."},{"line_number":14,"context_line":"Restrictions can only be imposed on creation of follow-up application"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_b0c1d531","line":11,"in_reply_to":"9fb8cfa7_3facd69d","updated":"2019-06-26 17:47:40.000000000","message":"I have been just to avoid changing horses mid-race but I don\u0027t feel strongly about it.","commit_id":"94df8711bc838cb28512e1ad3fc9b8d8480cd87d"},
{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"88eaa0225f53f8bcc8673ef5c9be2daa5b03c730","unresolved":false,"context_lines":[{"line_number":8,"context_line":"Add Fine Grained Restrictions to Application Credentials"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"`bp \u003chttps://blueprints.launchpad.net/keystone/+spec/whitelist-extension-for-app-creds\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Currently Keystone application credentials are mostly unrestricted."},{"line_number":14,"context_line":"Restrictions can only be imposed on creation of follow-up application"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_0648ab2a","line":11,"in_reply_to":"9fb8cfa7_b0c1d531","updated":"2019-06-26 19:14:58.000000000","message":"Works for me. I think it\u0027s fine if we finish out this work with the blueprint.","commit_id":"94df8711bc838cb28512e1ad3fc9b8d8480cd87d"},
{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"51da9f3d110a9635b8cb07259daee934b8a8574b","unresolved":false,"context_lines":[{"line_number":187,"context_line":""},{"line_number":188,"context_line":"Request::"},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"    GET /v3/users/{user_id}/access_rules"},{"line_number":191,"context_line":""},{"line_number":192,"context_line":"Response:"},{"line_number":193,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_fff5decb","line":190,"updated":"2019-06-26 15:23:19.000000000","message":"Aha - this is the bit I was missing as I reviewed the patches.","commit_id":"94df8711bc838cb28512e1ad3fc9b8d8480cd87d"},
{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"e25b675d472b415cc18268429094a890e51a1fd3","unresolved":false,"context_lines":[{"line_number":187,"context_line":""},{"line_number":188,"context_line":"Request::"},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"    GET /v3/users/{user_id}/access_rules"},{"line_number":191,"context_line":""},{"line_number":192,"context_line":"Response:"},{"line_number":193,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_50b3b9e9","line":190,"in_reply_to":"9fb8cfa7_fff5decb","updated":"2019-06-26 17:47:40.000000000","message":"Yeah, looks like I neglected to implement this part. Will do another pass to make sure I actually covered everything in this spec.","commit_id":"94df8711bc838cb28512e1ad3fc9b8d8480cd87d"},
{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"51da9f3d110a9635b8cb07259daee934b8a8574b","unresolved":false,"context_lines":[{"line_number":321,"context_line":"external to OpenStack. Since providing a complete list is infeasible, leaving it"},{"line_number":322,"context_line":"up to the operator to curate their own list causes a poor operating experience"},{"line_number":323,"context_line":"for the operator and the list would be susceptible to mistakes, which in turn"},{"line_number":324,"context_line":"would cause an extremely poor user experience for the end user."},{"line_number":325,"context_line":""},{"line_number":326,"context_line":"When this feature becomes feasible, another possibility is to allow operators to"},{"line_number":327,"context_line":"configure a role ID for each access rule to indicate that the user needs to"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9fb8cfa7_1fb23207","line":324,"updated":"2019-06-26 15:23:19.000000000","message":"++","commit_id":"94df8711bc838cb28512e1ad3fc9b8d8480cd87d"}
]}
