)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"765e13902ec343858d2bc67ea0936b1b16350a20","unresolved":false,"context_lines":[{"line_number":9,"context_line":"This change updates the EC2 credentials policies to understand"},{"line_number":10,"context_line":"the system reader and member role. A follow-on change will add"},{"line_number":11,"context_line":"support for system admin."},{"line_number":12,"context_line":"For the time being, we\u0027re deferring adding support for domain"},{"line_number":13,"context_line":"and project users to create EC2 credentials but may add it in"},{"line_number":14,"context_line":"the future."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"Change-Id: I090e2470726d22b2670a2cca89025063419f5262"},{"line_number":17,"context_line":"Partial-Bug: #1750678"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"5faad753_967d231e","line":14,"range":{"start_line":12,"start_character":0,"end_line":14,"end_character":11},"updated":"2019-09-09 20:32:20.000000000","message":"This doesn\u0027t make any sense. This change is enabling both \u0027system\u0027 and \u0027project\u0027 as a scope type for these APIs. EC2 credentials, like regular credentials, mostly only make sense as a project-scoped operation since they are managed by regular users.","commit_id":"20afd6f85c5ba7518aca12a8fa2594ea13c20a63"},{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"f5ccc5c17a356e711d8c6c382c3fd1ebfada110d","unresolved":false,"context_lines":[{"line_number":9,"context_line":"This change updates the EC2 credentials policies to understand"},{"line_number":10,"context_line":"the system reader and member role. 
A follow-on change will add"},{"line_number":11,"context_line":"support for system admin."},{"line_number":12,"context_line":"For the time being, we\u0027re deferring adding support for domain"},{"line_number":13,"context_line":"and project users to create EC2 credentials but may add it in"},{"line_number":14,"context_line":"the future."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"Change-Id: I090e2470726d22b2670a2cca89025063419f5262"},{"line_number":17,"context_line":"Partial-Bug: #1750678"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"5faad753_13b29c95","line":14,"range":{"start_line":12,"start_character":0,"end_line":14,"end_character":11},"in_reply_to":"5faad753_967d231e","updated":"2019-09-10 06:39:47.000000000","message":"Done","commit_id":"20afd6f85c5ba7518aca12a8fa2594ea13c20a63"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"3b14224193d82f34fd5ded512407138d09ad7a45","unresolved":false,"context_lines":[{"line_number":16,"context_line":"ec2_delete_inconsistently."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Also removing the test of ec2 credentials from test_v3_protection"},{"line_number":19,"context_line":"since new protection file is being added."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Change-Id: I090e2470726d22b2670a2cca89025063419f5262"},{"line_number":22,"context_line":"Partial-Bug: #1750678"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":8,"id":"5faad753_e729239b","line":19,"updated":"2019-09-10 23:14:21.000000000","message":"It would be better if this happened in the next patch, removing the policies from the sample policy file is what breaks those tests.","commit_id":"d9864af2417488edf51ea5b4ca721f54dd289c0d"}],"keystone/common/policies/ec2_credential.py":[{"author":{"_account_id":8482,"name":"Colleen 
Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"765e13902ec343858d2bc67ea0936b1b16350a20","unresolved":false,"context_lines":[{"line_number":52,"context_line":"    ),"},{"line_number":53,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":54,"context_line":"        name\u003dbase.IDENTITY % \u0027ec2_list_credentials\u0027,"},{"line_number":55,"context_line":"        check_str\u003dbase.RULE_SYSTEM_READER_OR_OWNER,"},{"line_number":56,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":57,"context_line":"        description\u003d\u0027List ec2 credentials.\u0027,"},{"line_number":58,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/v3/users/{user_id}/credentials/OS-EC2\u0027,"}],"source_content_type":"text/x-python","patch_set":6,"id":"5faad753_d908ac29","line":55,"updated":"2019-09-09 20:32:20.000000000","message":"Hmm weird that this behavior is inconsistent with ec2_get_credential and with the equivalent identity:list_credentials rule, but I see that it\u0027s compatible with the old rule. 
Might be worth mentioning why this one is weird in the commit message.","commit_id":"20afd6f85c5ba7518aca12a8fa2594ea13c20a63"},{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"f5ccc5c17a356e711d8c6c382c3fd1ebfada110d","unresolved":false,"context_lines":[{"line_number":52,"context_line":"    ),"},{"line_number":53,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":54,"context_line":"        name\u003dbase.IDENTITY % \u0027ec2_list_credentials\u0027,"},{"line_number":55,"context_line":"        check_str\u003dbase.RULE_SYSTEM_READER_OR_OWNER,"},{"line_number":56,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":57,"context_line":"        description\u003d\u0027List ec2 credentials.\u0027,"},{"line_number":58,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/v3/users/{user_id}/credentials/OS-EC2\u0027,"}],"source_content_type":"text/x-python","patch_set":6,"id":"5faad753_13db7ced","line":55,"in_reply_to":"5faad753_d908ac29","updated":"2019-09-10 06:39:47.000000000","message":"I added some. 
But I am still trying to find the reasoning behind this inconsistency.","commit_id":"20afd6f85c5ba7518aca12a8fa2594ea13c20a63"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"765e13902ec343858d2bc67ea0936b1b16350a20","unresolved":false,"context_lines":[{"line_number":64,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":65,"context_line":"        name\u003dbase.IDENTITY % \u0027ec2_create_credential\u0027,"},{"line_number":66,"context_line":"        check_str\u003dbase.RULE_ADMIN_OR_OWNER,"},{"line_number":67,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":68,"context_line":"        description\u003d\u0027Create ec2 credential.\u0027,"},{"line_number":69,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/v3/users/{user_id}/credentials/OS-EC2\u0027,"},{"line_number":70,"context_line":"                     \u0027method\u0027: \u0027POST\u0027}]"}],"source_content_type":"text/x-python","patch_set":6,"id":"5faad753_168ff323","line":67,"updated":"2019-09-09 20:32:20.000000000","message":"This is changing the non-read-only operations. 
It\u0027s fine if you want to combine both system reader and system admin in one change, but the commit message needs to reflect that.","commit_id":"20afd6f85c5ba7518aca12a8fa2594ea13c20a63"},{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"f5ccc5c17a356e711d8c6c382c3fd1ebfada110d","unresolved":false,"context_lines":[{"line_number":64,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":65,"context_line":"        name\u003dbase.IDENTITY % \u0027ec2_create_credential\u0027,"},{"line_number":66,"context_line":"        check_str\u003dbase.RULE_ADMIN_OR_OWNER,"},{"line_number":67,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":68,"context_line":"        description\u003d\u0027Create ec2 credential.\u0027,"},{"line_number":69,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/v3/users/{user_id}/credentials/OS-EC2\u0027,"},{"line_number":70,"context_line":"                     \u0027method\u0027: \u0027POST\u0027}]"}],"source_content_type":"text/x-python","patch_set":6,"id":"5faad753_73bbd071","line":67,"in_reply_to":"5faad753_168ff323","updated":"2019-09-10 06:39:47.000000000","message":"Done","commit_id":"20afd6f85c5ba7518aca12a8fa2594ea13c20a63"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1ce073cf175d236896412173cebf5e4136c6f574","unresolved":false,"context_lines":[{"line_number":14,"context_line":"from oslo_policy import policy"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"from keystone.common.policies import base"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"SYSTEM_READER_OR_CRED_OWNER \u003d ("},{"line_number":19,"context_line":"    \u0027(role:reader and system_scope:all) \u0027"},{"line_number":20,"context_line":"    \u0027or 
user_id:%(target.credential.user_id)s\u0027"},{"line_number":21,"context_line":")"},{"line_number":22,"context_line":"SYSTEM_ADMIN_OR_CRED_OWNER \u003d ("},{"line_number":23,"context_line":"    \u0027(role:admin and system_scope:all) \u0027"},{"line_number":24,"context_line":"    \u0027or user_id:%(target.credential.user_id)s\u0027"},{"line_number":25,"context_line":")"},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"deprecated_ec2_get_credential \u003d policy.DeprecatedRule("},{"line_number":28,"context_line":"    name\u003dbase.IDENTITY % \u0027ec2_get_credential\u0027,"}],"source_content_type":"text/x-python","patch_set":11,"id":"5faad753_b157a558","line":25,"range":{"start_line":17,"start_character":0,"end_line":25,"end_character":1},"updated":"2019-09-13 13:30:35.000000000","message":"In a future patch, we should consolidate these policies with the existing ones for credentials.\n\nhttps://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/credential.py#L18-L25","commit_id":"cf2b02829d8ea809f3180de62d5e36e189c92df1"}],"keystone/tests/unit/protection/v3/test_ec2_credential.py":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"3b14224193d82f34fd5ded512407138d09ad7a45","unresolved":false,"context_lines":[{"line_number":103,"context_line":"                     headers\u003dself.headers)"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"class _SystemReaderMemberAndAdminUserTests(object):"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"    def test_user_can_delete_ec2_credentials_for_others(self):"},{"line_number":109,"context_line":"        user \u003d 
unit.new_user_ref(domain_id\u003dCONF.identity.default_domain_id)"}],"source_content_type":"text/x-python","patch_set":8,"id":"5faad753_9a020609","line":106,"range":{"start_line":106,"start_character":7,"end_line":106,"end_character":25},"updated":"2019-09-10 23:14:21.000000000","message":"SystemReader can delete???","commit_id":"d9864af2417488edf51ea5b4ca721f54dd289c0d"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"3b14224193d82f34fd5ded512407138d09ad7a45","unresolved":false,"context_lines":[{"line_number":209,"context_line":"            c.post(\u0027/v3/users/%s/credentials/OS-EC2\u0027 % user[\u0027id\u0027],"},{"line_number":210,"context_line":"                   json\u003d{\u0027tenant_id\u0027: project[\u0027id\u0027]}, headers\u003dself.headers,"},{"line_number":211,"context_line":"                   expected_status_code\u003dhttp_client.FORBIDDEN)"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":""},{"line_number":214,"context_line":"class SystemReaderTests(base_classes.TestCaseWithBootstrap,"},{"line_number":215,"context_line":"                        common_auth.AuthTestMixin,"}],"source_content_type":"text/x-python","patch_set":8,"id":"5faad753_9a50c60c","line":212,"updated":"2019-09-10 23:14:21.000000000","message":"How about cannot_delete?","commit_id":"d9864af2417488edf51ea5b4ca721f54dd289c0d"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"3b14224193d82f34fd5ded512407138d09ad7a45","unresolved":false,"context_lines":[{"line_number":352,"context_line":"        with self.test_client() as c:"},{"line_number":353,"context_line":"            c.post(\u0027/v3/users/%s/credentials/OS-EC2\u0027 % user[\u0027id\u0027],"},{"line_number":354,"context_line":"                   json\u003d{\u0027tenant_id\u0027: project[\u0027id\u0027]}, 
headers\u003dself.headers)"},{"line_number":355,"context_line":""},{"line_number":356,"context_line":""},{"line_number":357,"context_line":"class ProjectAdminTests(base_classes.TestCaseWithBootstrap,"},{"line_number":358,"context_line":"                        common_auth.AuthTestMixin,"}],"source_content_type":"text/x-python","patch_set":8,"id":"5faad753_fa121a58","line":355,"updated":"2019-09-10 23:14:21.000000000","message":"How about delete?","commit_id":"d9864af2417488edf51ea5b4ca721f54dd289c0d"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"3b14224193d82f34fd5ded512407138d09ad7a45","unresolved":false,"context_lines":[{"line_number":357,"context_line":"class ProjectAdminTests(base_classes.TestCaseWithBootstrap,"},{"line_number":358,"context_line":"                        common_auth.AuthTestMixin,"},{"line_number":359,"context_line":"                        _UserEC2CredentialTests,"},{"line_number":360,"context_line":"                        _SystemReaderMemberAndAdminUserTests):"},{"line_number":361,"context_line":""},{"line_number":362,"context_line":"    def setUp(self):"},{"line_number":363,"context_line":"        super(ProjectAdminTests, self).setUp()"}],"source_content_type":"text/x-python","patch_set":8,"id":"5faad753_ba1ca26a","line":360,"range":{"start_line":360,"start_character":24,"end_line":360,"end_character":60},"updated":"2019-09-10 23:14:21.000000000","message":"This contains two tests test_user_can_delete_ec2_credentials_for_others and test_user_can_get_ec2_credentials_for_others I\u0027m pretty sure a project admin should not be able to do either of those things.","commit_id":"d9864af2417488edf51ea5b4ca721f54dd289c0d"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1ce073cf175d236896412173cebf5e4136c6f574","unresolved":false,"context_lines":[{"line_number":71,"context_line":"        
        self.assertEqual("},{"line_number":72,"context_line":"                    self.user_id, credential[\u0027user_id\u0027]"},{"line_number":73,"context_line":"                )"},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"    def test_user_create_their_ec2_credentials(self):"},{"line_number":76,"context_line":"        project \u003d unit.new_project_ref("},{"line_number":77,"context_line":"            domain_id\u003dCONF.identity.default_domain_id"}],"source_content_type":"text/x-python","patch_set":11,"id":"5faad753_b18a45bc","line":74,"updated":"2019-09-13 13:30:35.000000000","message":"We could add some testing to make sure users (who aren\u0027t system administrators) can\u0027t list credentials for other people. But I\u0027m fine with that being a follow up.\n\nSomething like https://opendev.org/openstack/keystone/src/branch/master/keystone/tests/unit/protection/v3/test_credentials.py#L205-L239","commit_id":"cf2b02829d8ea809f3180de62d5e36e189c92df1"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"f983121c1604bdfa65661b2003766a9b9c7de883","unresolved":false,"context_lines":[{"line_number":71,"context_line":"                self.assertEqual("},{"line_number":72,"context_line":"                    self.user_id, credential[\u0027user_id\u0027]"},{"line_number":73,"context_line":"                )"},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"    def test_user_create_their_ec2_credentials(self):"},{"line_number":76,"context_line":"        project \u003d unit.new_project_ref("},{"line_number":77,"context_line":"            domain_id\u003dCONF.identity.default_domain_id"}],"source_content_type":"text/x-python","patch_set":11,"id":"3fa7e38b_cb9a466d","line":74,"in_reply_to":"5faad753_b18a45bc","updated":"2019-09-16 21:08:58.000000000","message":"Those exist under 
_SystemReaderAndMemberTests","commit_id":"cf2b02829d8ea809f3180de62d5e36e189c92df1"}]}
