)]}'
{"specs/keystone/wallaby/secure-rbac-project-id-passthrough.rst":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f3d257c0003bddaa09779e1b1cb99577ec206966","unresolved":true,"context_lines":[{"line_number":8,"context_line":"secure-rbac - X-Project-Id Pass-through"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"`bug #1925684 \u003chttps://bugs.launchpad.net/keystone/+bug/1925684\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"As was discussed during the Wallaby PTG [1], implementing secure-rbac policies for"},{"line_number":14,"context_line":"system scoped credentials can be challenging for projects where some APIs"}],"source_content_type":"text/x-rst","patch_set":1,"id":"20b815a5_c4c05afa","line":11,"updated":"2021-04-23 21:41:42.000000000","message":"Working on a PoC here\n\nhttps://review.opendev.org/c/openstack/keystonemiddleware/+/787822","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"714d1e59a2eab4e3ea68257fd9d8e85d0932effb","unresolved":false,"context_lines":[{"line_number":8,"context_line":"secure-rbac - X-Project-Id Pass-through"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"`bug 
#1925684 \u003chttps://bugs.launchpad.net/keystone/+bug/1925684\u003e`_"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"As was discussed during the Wallaby PTG [1], implementing secure-rbac policies for"},{"line_number":14,"context_line":"system scoped credentials can be challenging for projects where some APIs"}],"source_content_type":"text/x-rst","patch_set":1,"id":"b982b48b_eef545d0","line":11,"in_reply_to":"20b815a5_c4c05afa","updated":"2021-05-12 13:22:47.000000000","message":"Ack","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f35b78c7ef2309e27e446524be62930e0e4a3f8f","unresolved":true,"context_lines":[{"line_number":16,"context_line":""},{"line_number":17,"context_line":"This spec proposes a change to Keystone middleware to provide a project ID"},{"line_number":18,"context_line":"to be used in the context of such APIs.  This should enable projects to"},{"line_number":19,"context_line":"write and use system scoped policy rules with no code changes in most cases."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Problem Description"},{"line_number":22,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3de0adcf_f6d737a7","line":19,"updated":"2021-04-23 19:29:19.000000000","message":"++\n\nFrom an end user perspective, this will allow operators to easily manage resources owned by a project.","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"07bdf1e2af3cdd6e1d9e1ee510778a7ee4d801ad","unresolved":true,"context_lines":[{"line_number":16,"context_line":""},{"line_number":17,"context_line":"This spec proposes a 
change to Keystone middleware to provide a project ID"},{"line_number":18,"context_line":"to be used in the context of such APIs.  This should enable projects to"},{"line_number":19,"context_line":"write and use system scoped policy rules with no code changes in most cases."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Problem Description"},{"line_number":22,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"94d9e1c0_e6f75bbc","line":19,"in_reply_to":"3de0adcf_f6d737a7","updated":"2021-04-29 00:01:22.000000000","message":"yep the only thing you won\u0027t be able to do is manage multiple resources for different projects at the same time with one token but that is not a normal use case.\n\nthere are things like the nova client\u0027s host-evacuate which loops over all instances on a host and evacuates them that would be harder to implement but we already decided to not port that to osc or add similar commands in the future so i think this will cover the most common use cases.","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"bf87b8dcab1fed38830f1c04d0e173aca4d0e037","unresolved":false,"context_lines":[{"line_number":16,"context_line":""},{"line_number":17,"context_line":"This spec proposes a change to Keystone middleware to provide a project ID"},{"line_number":18,"context_line":"to be used in the context of such APIs.  
This should enable projects to"},{"line_number":19,"context_line":"write and use system scoped policy rules with no code changes in most cases."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Problem Description"},{"line_number":22,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"e4020245_3641bf37","line":19,"in_reply_to":"94d9e1c0_e6f75bbc","updated":"2021-06-04 16:46:03.000000000","message":"Ack","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f35b78c7ef2309e27e446524be62930e0e4a3f8f","unresolved":true,"context_lines":[{"line_number":28,"context_line":"Attempting to use system scoped tokens with such APIs typically results in"},{"line_number":29,"context_line":"errors or unwanted behavior.  
For example, some Barbican API calls return"},{"line_number":30,"context_line":"5XX internal errors for operations that assume that there is a Project ID"},{"line_number":31,"context_line":"in UUID format in the request context."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Proposed Change"},{"line_number":34,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"2190e5ef_14d35d9c","line":31,"updated":"2021-04-23 19:29:19.000000000","message":"Similar case in nova that we can reference as well.\n\nhttps://bugs.launchpad.net/nova/+bug/1918945","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"bf87b8dcab1fed38830f1c04d0e173aca4d0e037","unresolved":false,"context_lines":[{"line_number":28,"context_line":"Attempting to use system scoped tokens with such APIs typically results in"},{"line_number":29,"context_line":"errors or unwanted behavior.  
For example, some Barbican API calls return"},{"line_number":30,"context_line":"5XX internal errors for operations that assume that there is a Project ID"},{"line_number":31,"context_line":"in UUID format in the request context."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Proposed Change"},{"line_number":34,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"c247d12d_90dddbfa","line":31,"in_reply_to":"2190e5ef_14d35d9c","updated":"2021-06-04 16:46:03.000000000","message":"Done","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f35b78c7ef2309e27e446524be62930e0e4a3f8f","unresolved":true,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Currently, keystone middleware modifies the request after authentication"},{"line_number":37,"context_line":"by adding context headers from the authenticated data.  For project scoped"},{"line_number":38,"context_line":"tokens, it adds a X-Project-Id header.  
For system scoped tokens, this header"},{"line_number":39,"context_line":"is not added, which results in a `None` value in many cases."},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"For security reasons, the middleware currently removes a number of headers"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3453369f_05b6dba8","line":38,"range":{"start_line":38,"start_character":18,"end_line":38,"end_character":30},"updated":"2021-04-23 19:29:19.000000000","message":"nit: HTTP_X_PROJECT_ID *","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"714d1e59a2eab4e3ea68257fd9d8e85d0932effb","unresolved":true,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Currently, keystone middleware modifies the request after authentication"},{"line_number":37,"context_line":"by adding context headers from the authenticated data.  For project scoped"},{"line_number":38,"context_line":"tokens, it adds a X-Project-Id header.  For system scoped tokens, this header"},{"line_number":39,"context_line":"is not added, which results in a `None` value in many cases."},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"For security reasons, the middleware currently removes a number of headers"}],"source_content_type":"text/x-rst","patch_set":1,"id":"46bbd4d3_134c94e3","line":38,"range":{"start_line":38,"start_character":18,"end_line":38,"end_character":30},"in_reply_to":"3453369f_05b6dba8","updated":"2021-05-12 13:22:47.000000000","message":"I am not sure about the correct way to talk about these.  From an API client point of view, the header is provided by setting \"X-Project-Id\" in the request before sending it.  
It\u0027s the WSGI layer in the server that converts the provided header into the HTTP_X_PROJECT_ID.\n\nI can note both as equivalent in the next patch revision.","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"bf87b8dcab1fed38830f1c04d0e173aca4d0e037","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Currently, keystone middleware modifies the request after authentication"},{"line_number":37,"context_line":"by adding context headers from the authenticated data.  For project scoped"},{"line_number":38,"context_line":"tokens, it adds a X-Project-Id header.  For system scoped tokens, this header"},{"line_number":39,"context_line":"is not added, which results in a `None` value in many cases."},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"For security reasons, the middleware currently removes a number of headers"}],"source_content_type":"text/x-rst","patch_set":1,"id":"beb02634_11f90126","line":38,"range":{"start_line":38,"start_character":18,"end_line":38,"end_character":30},"in_reply_to":"46bbd4d3_134c94e3","updated":"2021-06-04 16:46:03.000000000","message":"Done","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"04df3d17063722b96648c76a8b39409bcb5a608c","unresolved":true,"context_lines":[{"line_number":51,"context_line":"* Provided credentials are authenticated"},{"line_number":52,"context_line":"* When the provided credentials are project-scoped the cached value is"},{"line_number":53,"context_line":"  discarded, and the value from the authenticated data is used"},{"line_number":54,"context_line":"* When the provided credentials are system-scoped the cached value is"},{"line_number":55,"context_line":"  
added to request in the X-Project-Id header."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Alternatives"},{"line_number":58,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ba233bca_f3f952a4","line":55,"range":{"start_line":54,"start_character":0,"end_line":55,"end_character":46},"updated":"2021-04-24 11:08:28.000000000","message":"would this work even without the owner of the project scoped token being a domain admin.","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"07bdf1e2af3cdd6e1d9e1ee510778a7ee4d801ad","unresolved":false,"context_lines":[{"line_number":51,"context_line":"* Provided credentials are authenticated"},{"line_number":52,"context_line":"* When the provided credentials are project-scoped the cached value is"},{"line_number":53,"context_line":"  discarded, and the value from the authenticated data is used"},{"line_number":54,"context_line":"* When the provided credentials are system-scoped the cached value is"},{"line_number":55,"context_line":"  added to request in the X-Project-Id header."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Alternatives"},{"line_number":58,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"cfd4a39a_6baec038","line":55,"range":{"start_line":54,"start_character":0,"end_line":55,"end_character":46},"in_reply_to":"9f1ece05_8152f62b","updated":"2021-04-29 00:01:22.000000000","message":"Ack","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"8051637b6acdcd54683a5d25f6e174bdc23117e3","unresolved":true,"context_lines":[{"line_number":51,"context_line":"* Provided credentials are authenticated"},{"line_number":52,"context_line":"* When the 
provided credentials are project-scoped the cached value is"},{"line_number":53,"context_line":"  discarded, and the value from the authenticated data is used"},{"line_number":54,"context_line":"* When the provided credentials are system-scoped the cached value is"},{"line_number":55,"context_line":"  added to request in the X-Project-Id header."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Alternatives"},{"line_number":58,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f1ece05_8152f62b","line":55,"range":{"start_line":54,"start_character":0,"end_line":55,"end_character":46},"in_reply_to":"ba233bca_f3f952a4","updated":"2021-04-26 12:59:50.000000000","message":"Yes. Technically the token is still system-scoped, but we\u0027re just letting system users specify a project ID in addition to the system.","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f35b78c7ef2309e27e446524be62930e0e4a3f8f","unresolved":true,"context_lines":[{"line_number":59,"context_line":""},{"line_number":60,"context_line":"Two other alternatives were discussed:"},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"* Wrap operations on project-owned resources with explicit role assignments."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"* Use inherited orle assignments from domains."},{"line_number":65,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"d9c4af7a_2fd7546d","line":62,"range":{"start_line":62,"start_character":2,"end_line":62,"end_character":76},"updated":"2021-04-23 19:29:19.000000000","message":"Advantages:\n\n- Explicit audit trail via role assignments in keystone\n- Ensures that operations on project-owned resources must be done with a project-scoped token\n\nDisadvantages:\n\n- Very chatty and will increase the 
amount of time it takes for system users to do things with project-owned resources\n- Will not work for system-users cleaning up resources in a project that doesn\u0027t exist since you can\u0027t get a token scoped to a project that doesn\u0027t exist\n- Could result in a leftover role assignments for system users\n- Will not work for system readers since they don\u0027t have the ability to create role assignments in keystone (that\u0027s a writable operation)","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"bf87b8dcab1fed38830f1c04d0e173aca4d0e037","unresolved":false,"context_lines":[{"line_number":59,"context_line":""},{"line_number":60,"context_line":"Two other alternatives were discussed:"},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"* Wrap operations on project-owned resources with explicit role assignments."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"* Use inherited orle assignments from domains."},{"line_number":65,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"0eeb9e4e_dec073ab","line":62,"range":{"start_line":62,"start_character":2,"end_line":62,"end_character":76},"in_reply_to":"d9c4af7a_2fd7546d","updated":"2021-06-04 16:46:03.000000000","message":"Added these to the spec.","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f35b78c7ef2309e27e446524be62930e0e4a3f8f","unresolved":true,"context_lines":[{"line_number":61,"context_line":""},{"line_number":62,"context_line":"* Wrap operations on project-owned resources with explicit role assignments."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"* Use inherited orle assignments from 
domains."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"Refere to the Xena notes [1] for details of their advantages/disadvantages."},{"line_number":67,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"733294ae_67a93484","line":64,"updated":"2021-04-23 19:29:19.000000000","message":"Advantages:\n\n- Less chatty than approach #1 because it doesn\u0027t require an explicit assignment\n- Ensures that operations on project-owned resources must be done with a project-scoped token\n\nDisadvantages:\n- Must be done for each system user on each domain, which are both dynamic resources (e.g., requires a process doc?)\n- Potential for privilege escalation if a system reader is given the admin or member role on a domain (what\u0027s responsible for this, the deployment tool? the user?)\n- Will not work for system readers since they don\u0027t have the ability to create role assignments in keystone (that\u0027s a writable operation)","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f35b78c7ef2309e27e446524be62930e0e4a3f8f","unresolved":true,"context_lines":[{"line_number":61,"context_line":""},{"line_number":62,"context_line":"* Wrap operations on project-owned resources with explicit role assignments."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"* Use inherited orle assignments from domains."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"Refere to the Xena notes [1] for details of their advantages/disadvantages."},{"line_number":67,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"436e7693_731766ea","line":64,"range":{"start_line":64,"start_character":16,"end_line":64,"end_character":20},"updated":"2021-04-23 19:29:19.000000000","message":"nit: 
role","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"bf87b8dcab1fed38830f1c04d0e173aca4d0e037","unresolved":false,"context_lines":[{"line_number":61,"context_line":""},{"line_number":62,"context_line":"* Wrap operations on project-owned resources with explicit role assignments."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"* Use inherited orle assignments from domains."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"Refere to the Xena notes [1] for details of their advantages/disadvantages."},{"line_number":67,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"d910e071_16486ea9","line":64,"range":{"start_line":64,"start_character":16,"end_line":64,"end_character":20},"in_reply_to":"436e7693_731766ea","updated":"2021-06-04 16:46:03.000000000","message":"Done","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"bf87b8dcab1fed38830f1c04d0e173aca4d0e037","unresolved":false,"context_lines":[{"line_number":61,"context_line":""},{"line_number":62,"context_line":"* Wrap operations on project-owned resources with explicit role assignments."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"* Use inherited orle assignments from domains."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"Refere to the Xena notes [1] for details of their advantages/disadvantages."},{"line_number":67,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"502e772d_86ff81eb","line":64,"in_reply_to":"733294ae_67a93484","updated":"2021-06-04 16:46:03.000000000","message":"Also added 
these.","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f35b78c7ef2309e27e446524be62930e0e4a3f8f","unresolved":true,"context_lines":[{"line_number":96,"context_line":""},{"line_number":97,"context_line":"    openstack secret list --os-project-id XXXXX-XXXX-XXXX-XXXX"},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"Should add that project ID to the request before sending."},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"Performance Impact"},{"line_number":102,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ee9c6722_c22810a2","line":99,"range":{"start_line":99,"start_character":34,"end_line":99,"end_character":41},"updated":"2021-04-23 19:29:19.000000000","message":"nit: request headers, right?","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"bf87b8dcab1fed38830f1c04d0e173aca4d0e037","unresolved":false,"context_lines":[{"line_number":96,"context_line":""},{"line_number":97,"context_line":"    openstack secret list --os-project-id XXXXX-XXXX-XXXX-XXXX"},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"Should add that project ID to the request before sending."},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"Performance Impact"},{"line_number":102,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"08d8ff64_1dd2b91e","line":99,"range":{"start_line":99,"start_character":34,"end_line":99,"end_character":41},"in_reply_to":"b4d8e4e8_683be00e","updated":"2021-06-04 16:46:03.000000000","message":"KSM should fail if the request has more than one Project ID.  
Reasoning: right now it only inserts a single Project ID because it scrubs any coming in from the user.","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a0fe317d7389c55d54a981b63ff8413d14325290","unresolved":true,"context_lines":[{"line_number":96,"context_line":""},{"line_number":97,"context_line":"    openstack secret list --os-project-id XXXXX-XXXX-XXXX-XXXX"},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"Should add that project ID to the request before sending."},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"Performance Impact"},{"line_number":102,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"c558dea0_cc5e5c14","line":99,"range":{"start_line":99,"start_character":34,"end_line":99,"end_character":41},"in_reply_to":"c0868aff_fb004aa6","updated":"2021-05-10 12:16:21.000000000","message":"Yeah - documenting that limitation here would be a good idea and we can figure out if we should pursue it later.\n\nAs we\u0027re learning, usage of context.project_id in OpenStack is assuming a single value, not a list. I\u0027m not sure how:\n\n  X-Project-Id: foo\n  X-Project-Id: bar\n\nwould behave in the wild. 
I think calling that out here might be useful.\n\nIn the short term, operators might need to query for all instances in a project to use the project ID pass through functionality.","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"714d1e59a2eab4e3ea68257fd9d8e85d0932effb","unresolved":true,"context_lines":[{"line_number":96,"context_line":""},{"line_number":97,"context_line":"    openstack secret list --os-project-id XXXXX-XXXX-XXXX-XXXX"},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"Should add that project ID to the request before sending."},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"Performance Impact"},{"line_number":102,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"b4d8e4e8_683be00e","line":99,"range":{"start_line":99,"start_character":34,"end_line":99,"end_character":41},"in_reply_to":"c558dea0_cc5e5c14","updated":"2021-05-12 13:22:47.000000000","message":"I agree, it would be good to call out the limitation of a single Project ID here.","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"04df3d17063722b96648c76a8b39409bcb5a608c","unresolved":true,"context_lines":[{"line_number":96,"context_line":""},{"line_number":97,"context_line":"    openstack secret list --os-project-id XXXXX-XXXX-XXXX-XXXX"},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"Should add that project ID to the request before sending."},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"Performance 
Impact"},{"line_number":102,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ef5ce8ad_7d1ff8ab","line":99,"range":{"start_line":99,"start_character":34,"end_line":99,"end_character":41},"in_reply_to":"ee9c6722_c22810a2","updated":"2021-04-24 11:08:28.000000000","message":"ok so this could work yes.\nwe may be able to be a little smarter in some cases and try and figure it out automatically but explicit --os-project-id gets us most of the way there.\n\n\nit will mean that system admins need to adapt from\n\nopenstack --os-cloud admin server stop \u003cuuid\u003e\n\nto \n\nopenstack --os-cloud admin --os-project-id \u003cproject\u003e server stop \u003cuuid\u003e\n\nwhich probably means they have to look up the project id in a previous call\nbut it gets us 90% of the way there.","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"07bdf1e2af3cdd6e1d9e1ee510778a7ee4d801ad","unresolved":true,"context_lines":[{"line_number":96,"context_line":""},{"line_number":97,"context_line":"    openstack secret list --os-project-id XXXXX-XXXX-XXXX-XXXX"},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"Should add that project ID to the request before sending."},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"Performance Impact"},{"line_number":102,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"c0868aff_fb004aa6","line":99,"range":{"start_line":99,"start_character":34,"end_line":99,"end_character":41},"in_reply_to":"ef28ac12_905f7f2f","updated":"2021-04-29 00:01:22.000000000","message":"yep restricting to one header i think makes sense.\n\ntechnically i think you can do this today\n\nopenstack --os-cloud admin server stop \u003ctenant-1-vm\u003e \u003ctenant-2-vm\u003e\n\nthis would not work if we restirct to just one 
X_PROJECT_ID but again i think\nthis is an edgecase to an edgecase.\n\nif we find that too limiting we can always extended it after we get feedback on this approach form operators.","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"8051637b6acdcd54683a5d25f6e174bdc23117e3","unresolved":true,"context_lines":[{"line_number":96,"context_line":""},{"line_number":97,"context_line":"    openstack secret list --os-project-id XXXXX-XXXX-XXXX-XXXX"},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"Should add that project ID to the request before sending."},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"Performance Impact"},{"line_number":102,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ef28ac12_905f7f2f","line":99,"range":{"start_line":99,"start_character":34,"end_line":99,"end_character":41},"in_reply_to":"ef5ce8ad_7d1ff8ab","updated":"2021-04-26 12:59:50.000000000","message":"Another thing to add here is that we should make sure this is only ever a list of one. 
Since it\u0027s possible to pass multiple headers in on the same request, we don\u0027t want to accept them all.\n\nRight now keystone technically enforces this because the token can only be scoped to a single project at a time, so ksm will only ever set X_PROJECT_ID to one single project.\n\nI think we want to maintain that behavior with this passthrough.","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f35b78c7ef2309e27e446524be62930e0e4a3f8f","unresolved":true,"context_lines":[{"line_number":101,"context_line":"Performance Impact"},{"line_number":102,"context_line":"------------------"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"Caching the incoming value of the Project ID will increase cace storage"},{"line_number":105,"context_line":"consumption."},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"Other Deployer Impact"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5363f8b6_aa6c1b89","line":104,"range":{"start_line":104,"start_character":59,"end_line":104,"end_character":63},"updated":"2021-04-23 19:29:19.000000000","message":"nit: cache*?","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"04df3d17063722b96648c76a8b39409bcb5a608c","unresolved":true,"context_lines":[{"line_number":101,"context_line":"Performance Impact"},{"line_number":102,"context_line":"------------------"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"Caching the incoming value of the Project ID will increase cace storage"},{"line_number":105,"context_line":"consumption."},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"Other Deployer 
Impact"}],"source_content_type":"text/x-rst","patch_set":1,"id":"689f1ec7_fed95b94","line":104,"range":{"start_line":104,"start_character":59,"end_line":104,"end_character":63},"in_reply_to":"5363f8b6_aa6c1b89","updated":"2021-04-24 11:08:28.000000000","message":"nit: it\u0027s not really cached \n\nthe term cache was used to refer to temporarily storing the value received so it can be restored after auth.\nthat is technically not caching, it\u0027s buffering or just adjacent storage rather than caching, since there is only one copy of it and cache implies making a local fast copy of something\n\nbut yes, cache is probably what he meant.","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"bf87b8dcab1fed38830f1c04d0e173aca4d0e037","unresolved":false,"context_lines":[{"line_number":101,"context_line":"Performance Impact"},{"line_number":102,"context_line":"------------------"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"Caching the incoming value of the Project ID will increase cace storage"},{"line_number":105,"context_line":"consumption."},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"Other Deployer Impact"}],"source_content_type":"text/x-rst","patch_set":1,"id":"8fca3acd_bf04035d","line":104,"range":{"start_line":104,"start_character":59,"end_line":104,"end_character":63},"in_reply_to":"689f1ec7_fed95b94","updated":"2021-06-04 16:46:03.000000000","message":"NOTE: removed this.  There should be no performance impact with this change.  
This change is only for operators (system-scoped users)","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f35b78c7ef2309e27e446524be62930e0e4a3f8f","unresolved":true,"context_lines":[{"line_number":129,"context_line":"----------"},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"* Implement middlware changes"},{"line_number":132,"context_line":"* Implement client changes"},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"Dependencies"},{"line_number":135,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"900d0b11_f0faa28c","line":132,"updated":"2021-04-23 19:29:19.000000000","message":"We might need additional changes to keystoneauth to make sure it populates the same header (HTTP_X_PROJECT_ID) if context.system_scope and context.project_id are not None.\n\nThis is going to be important for service-to-service communication (e.g., nova using the user\u0027s context object to talk to neutron for a port binding when building a server for a specific project).","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"04df3d17063722b96648c76a8b39409bcb5a608c","unresolved":true,"context_lines":[{"line_number":129,"context_line":"----------"},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"* Implement middlware changes"},{"line_number":132,"context_line":"* Implement client 
changes"},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"Dependencies"},{"line_number":135,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7c94048d_162a3287","line":132,"in_reply_to":"900d0b11_f0faa28c","updated":"2021-04-24 11:08:28.000000000","message":"yes, perhaps, although i don\u0027t fully understand how service tokens work under the hood.\ni think dan said that when we send both tokens, the user token is what the service/middleware reads from to populate the context, and the service token is just there to say the token was still valid when nova received it, so you should accept it too.\n\nif that is actually how it works, then with service tokens it should be fine, since context.project_id should be populated in that case, correct?","commit_id":"7b73cdd9e7deb5511160905cc14496de44ff73d1"}],"specs/keystonemiddleware/xena/secure-rbac-project-id-passthrough.rst":[{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"d156746b0bfccb689db692b039b2810e02064523","unresolved":true,"context_lines":[{"line_number":105,"context_line":"    * Will not work for system readers since they don\u0027t have the ability to"},{"line_number":106,"context_line":"      create role assignments in keystone (that\u0027s a writable operation)"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"Refere to the Xena notes [1] for details of their advantages/disadvantages."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"One key difference between both of these alternatives and this spec is that"},{"line_number":111,"context_line":"this spec does not require Keystone to issue a project token to be used by 
the"}],"source_content_type":"text/x-rst","patch_set":2,"id":"f9e392ab_1742cde5","line":108,"range":{"start_line":108,"start_character":0,"end_line":108,"end_character":6},"updated":"2021-06-04 17:42:56.000000000","message":"Refer","commit_id":"74bc8de42ccb880c3e1510b2b8803de03d3983f2"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"b60a1de100231097180bbcf93de397e969e86e0a","unresolved":false,"context_lines":[{"line_number":105,"context_line":"    * Will not work for system readers since they don\u0027t have the ability to"},{"line_number":106,"context_line":"      create role assignments in keystone (that\u0027s a writable operation)"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"Refere to the Xena notes [1] for details of their advantages/disadvantages."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"One key difference between both of these alternatives and this spec is that"},{"line_number":111,"context_line":"this spec does not require Keystone to issue a project token to be used by the"}],"source_content_type":"text/x-rst","patch_set":2,"id":"2413979c_2350bfa1","line":108,"range":{"start_line":108,"start_character":0,"end_line":108,"end_character":6},"in_reply_to":"f9e392ab_1742cde5","updated":"2021-06-04 18:02:36.000000000","message":"Ack","commit_id":"74bc8de42ccb880c3e1510b2b8803de03d3983f2"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"d156746b0bfccb689db692b039b2810e02064523","unresolved":true,"context_lines":[{"line_number":120,"context_line":""},{"line_number":121,"context_line":"As mentioned, removing X-Project-Id as the middleware currently does is good"},{"line_number":122,"context_line":"practice.  
We should consider any adverse effects of allowing pass-through for"},{"line_number":123,"context_line":"project scoped requests."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"It\u0027s also important to be able to audit when system scoped requests are using"},{"line_number":126,"context_line":"this pass-through."}],"source_content_type":"text/x-rst","patch_set":2,"id":"08c8158a_cfd20288","line":123,"range":{"start_line":123,"start_character":0,"end_line":123,"end_character":7},"updated":"2021-06-04 17:42:56.000000000","message":"s/project/system  ?","commit_id":"74bc8de42ccb880c3e1510b2b8803de03d3983f2"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"b60a1de100231097180bbcf93de397e969e86e0a","unresolved":false,"context_lines":[{"line_number":120,"context_line":""},{"line_number":121,"context_line":"As mentioned, removing X-Project-Id as the middleware currently does is good"},{"line_number":122,"context_line":"practice.  
We should consider any adverse effects of allowing pass-through for"},{"line_number":123,"context_line":"project scoped requests."},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"It\u0027s also important to be able to audit when system scoped requests are using"},{"line_number":126,"context_line":"this pass-through."}],"source_content_type":"text/x-rst","patch_set":2,"id":"044903a4_075fa121","line":123,"range":{"start_line":123,"start_character":0,"end_line":123,"end_character":7},"in_reply_to":"08c8158a_cfd20288","updated":"2021-06-04 18:02:36.000000000","message":"Yes, fixed.","commit_id":"74bc8de42ccb880c3e1510b2b8803de03d3983f2"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"79999899cad7e1e849d2379b85a74556e96840a3","unresolved":true,"context_lines":[{"line_number":55,"context_line":"with system scoped credentials:"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"* If present, the X-Project-Id header is cached"},{"line_number":58,"context_line":"* Provided credentials are authenticated"},{"line_number":59,"context_line":"* When the provided credentials are project-scoped the cached value is"},{"line_number":60,"context_line":"  discarded, and the value from the authenticated data is used"},{"line_number":61,"context_line":"* When the provided credentials are system-scoped the cached value is"}],"source_content_type":"text/x-rst","patch_set":3,"id":"72b7fa46_78b5235a","line":58,"updated":"2021-06-08 18:05:22.000000000","message":"Is the project id validated as part of this operation?\n\nBy validated, I mean checking if the project exists, the user has access to it, etc.","commit_id":"18760db9fcdf3eb2cccb2b11f8503acb0d003d2b"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1f2c4176b2e7da9b40e6dbc1ee3b9f759fa87e05","unresolved":true,"context_lines":[{"line_number":55,"context_line":"with system scoped credentials:"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"* If present, the X-Project-Id header is cached"},{"line_number":58,"context_line":"* Provided credentials are authenticated"},{"line_number":59,"context_line":"* When the provided credentials are project-scoped the cached value is"},{"line_number":60,"context_line":"  discarded, and the value from the authenticated data is used"},{"line_number":61,"context_line":"* When the provided credentials are system-scoped the cached value is"}],"source_content_type":"text/x-rst","patch_set":3,"id":"545f5c11_4ea4f79d","line":58,"in_reply_to":"38f2d390_27ea0f82","updated":"2021-08-02 21:16:25.000000000","message":"\u003e I had not thought about validation yet.  I certainly think we should validate that the Project-ID provided by the client is in the same format that KSM uses for existing Project IDs.  i.e. ensure it has dashes (or doesn\u0027t have them) in the appropriate positions, and that it has the correct length, etc.\n\u003e \n\u003e One of the use cases we\u0027ve seen before is using System credentials to clean up orphaned resources after a project is removed from Keystone, so I don\u0027t think validation should include validating that the Project ID exists in Keystone.  I assume that most projects will be handle arbitrary Project IDs, given that only Keystone controls the assignment of Project IDs.\n\u003e \n\u003e This change will only affect System-scope tokens.  As I understand the System-scope personas, they are typically cloud operators, and are consider sort-of super-users for the cloud.  This change would not validate the relationship between the system-scope token and the provided project ID.  
The assumption is that a user with a valid system-scoped token inherently has access to all project IDs (including already deleted IDs).\n\n++\n\nNot having strict validation of the project ID makes this really useful for cleaning up stale resources. It was the main reason for not implementing strict validation.\n\nWe should however completely ignore/sanitize this header if the token is project-scoped (detailed on the next line).","commit_id":"18760db9fcdf3eb2cccb2b11f8503acb0d003d2b"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"5266534dc50bf2bf661367ed2b961e462a4685b3","unresolved":true,"context_lines":[{"line_number":55,"context_line":"with system scoped credentials:"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"* If present, the X-Project-Id header is cached"},{"line_number":58,"context_line":"* Provided credentials are authenticated"},{"line_number":59,"context_line":"* When the provided credentials are project-scoped the cached value is"},{"line_number":60,"context_line":"  discarded, and the value from the authenticated data is used"},{"line_number":61,"context_line":"* When the provided credentials are system-scoped the cached value is"}],"source_content_type":"text/x-rst","patch_set":3,"id":"38f2d390_27ea0f82","line":58,"in_reply_to":"72b7fa46_78b5235a","updated":"2021-06-08 19:18:47.000000000","message":"I had not thought about validation yet.  I certainly think we should validate that the Project-ID provided by the client is in the same format that KSM uses for existing Project IDs.  i.e. 
ensure it has dashes (or doesn\u0027t have them) in the appropriate positions, and that it has the correct length, etc.\n\nOne of the use cases we\u0027ve seen before is using System credentials to clean up orphaned resources after a project is removed from Keystone, so I don\u0027t think validation should include validating that the Project ID exists in Keystone.  I assume that most projects will be able to handle arbitrary Project IDs, given that only Keystone controls the assignment of Project IDs.\n\nThis change will only affect System-scope tokens.  As I understand the System-scope personas, they are typically cloud operators, and are considered sort-of super-users for the cloud.  This change would not validate the relationship between the system-scope token and the provided project ID.  The assumption is that a user with a valid system-scoped token inherently has access to all project IDs (including already deleted IDs).","commit_id":"18760db9fcdf3eb2cccb2b11f8503acb0d003d2b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1f2c4176b2e7da9b40e6dbc1ee3b9f759fa87e05","unresolved":true,"context_lines":[{"line_number":57,"context_line":"* If present, the X-Project-Id header is cached"},{"line_number":58,"context_line":"* Provided credentials are authenticated"},{"line_number":59,"context_line":"* When the provided credentials are project-scoped the cached value is"},{"line_number":60,"context_line":"  discarded, and the value from the authenticated data is used"},{"line_number":61,"context_line":"* When the provided credentials are system-scoped the cached value is"},{"line_number":62,"context_line":"  added to request in the X-Project-Id header."},{"line_number":63,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"f5a069e8_9201cd25","line":60,"updated":"2021-08-02 21:16:25.000000000","message":"++\n\nThis is important for making sure project users can\u0027t 
circumvent the authorization of their token to work on other projects.","commit_id":"18760db9fcdf3eb2cccb2b11f8503acb0d003d2b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"d84c5b9b65582e6987e680a47f14f22fa4db97bf","unresolved":true,"context_lines":[{"line_number":137,"context_line":"request when using system scoped tokens. e.g."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"    openstack secret list --os-project-id XXXXX-XXXX-XXXX-XXXX"},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"Should add that project ID to the request headers before sending."},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"KSM should fail if the request has more than one Project ID.  The reasoning"}],"source_content_type":"text/x-rst","patch_set":3,"id":"7b8dffdc_3a094268","line":140,"updated":"2021-06-08 14:40:43.000000000","message":"+1\n\nin reality it might be more like \n\nopenstack --os-cloud \u003csys admin reader cloud.yaml entry\u003e secret list --os-project-id XXXXX-XXXX-XXXX-XXXX\n\nthe \u003csys admin reader cloud.yaml entry\u003e will not correspond to any project and --os-project-id will provide the project info, which i think is a good experience.","commit_id":"18760db9fcdf3eb2cccb2b11f8503acb0d003d2b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"d84c5b9b65582e6987e680a47f14f22fa4db97bf","unresolved":true,"context_lines":[{"line_number":144,"context_line":"for this is that currently only one project ID is added to the headers because"},{"line_number":145,"context_line":"any X-Project-Id headers are removed from the request.  
Allowing more than"},{"line_number":146,"context_line":"may cause unintended side effects and/or errors."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Performance Impact"},{"line_number":149,"context_line":"------------------"},{"line_number":150,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"215e960d_c154a4cb","line":147,"updated":"2021-06-08 14:40:43.000000000","message":"ack","commit_id":"18760db9fcdf3eb2cccb2b11f8503acb0d003d2b"}]}
