)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"5878958b6029bf65c59fb7ff8c885b88102cdb67","unresolved":false,"context_lines":[{"line_number":12,"context_line":"how domain users are expected to behave with the limits API. A"},{"line_number":13,"context_line":"subsequent patch will do the same for project users."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"The policy that protects the GET /v3/limits/{limit_id} API was broken"},{"line_number":16,"context_line":"into three separate policies. This was done because writing a single"},{"line_number":17,"context_line":"check_str for project-scoped, domain-scoped, and system-scoped tokens"},{"line_number":18,"context_line":"when project_id or domain_id might not be in the limit body exposed a"},{"line_number":19,"context_line":"False positive in the policy engine logic. For example, if a user"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":14,"id":"3fa7e38b_03a9938e","line":16,"range":{"start_line":15,"start_character":0,"end_line":16,"end_character":29},"updated":"2019-09-25 02:13:26.000000000","message":"needs update","commit_id":"91edc773b11d45358eb36d0f006b60d400dd0b54"}],"doc/source/getting-started/policy_mapping.rst":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"e1de954c4a4bcc860aadfcf31e36fa4f3cd53339","unresolved":false,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"identity:project-limit:get                                 GET /v3/limits/{limit_id}"},{"line_number":35,"context_line":"identity:domain-limit:get                                  GET /v3/limits/{limit_id}"},{"line_number":36,"context_line":"identity:system-limit:get                                  GET /v3/limits/{limit_id}"},{"line_number":37,"context_line":"identity:list_limits                                       GET /v3/limits"},{"line_number":38,"context_line":"identity:create_limits                                     POST /v3/limits"},{"line_number":39,"context_line":"identity:update_limit                                      PATCH /v3/limits/{limit_id}"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5fc1f717_9170b7de","line":36,"updated":"2019-03-08 10:55:29.000000000","message":"Is this in alignment with the check string standardization discussion? It\u0027s totally inconsistent with the rest of our policy strings :(\n\nI\u0027m wary of having different policies for the same (method, path) tuple, that seems to bring us further away from consistent policy management.","commit_id":"b9510d489819612c60fb713bf3356e64fda7ffac"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3d236b710df948adb9b8d2aace62ff9a908763f2","unresolved":false,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"identity:project-limit:get                                 GET /v3/limits/{limit_id}"},{"line_number":35,"context_line":"identity:domain-limit:get                                  GET /v3/limits/{limit_id}"},{"line_number":36,"context_line":"identity:system-limit:get                                  GET /v3/limits/{limit_id}"},{"line_number":37,"context_line":"identity:list_limits                                       GET /v3/limits"},{"line_number":38,"context_line":"identity:create_limits                                     POST /v3/limits"},{"line_number":39,"context_line":"identity:update_limit                                      PATCH /v3/limits/{limit_id}"}],"source_content_type":"text/x-rst","patch_set":11,"id":"9fb8cfa7_ea91479c","line":36,"in_reply_to":"5fc1f717_9170b7de","updated":"2019-07-02 14:54:51.000000000","message":"Done","commit_id":"b9510d489819612c60fb713bf3356e64fda7ffac"}],"keystone/api/limits.py":[{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"6b92742209b3790c2e07a1b2477d8dc43957877c","unresolved":false,"context_lines":[{"line_number":92,"context_line":"        # FIXME(lbragstad): This if statement should be removed if/when"},{"line_number":93,"context_line":"        # oslo.policy supports the ability to check key existence in policy"},{"line_number":94,"context_line":"        # rules."},{"line_number":95,"context_line":"        if self.oslo_context.domain_id:"},{"line_number":96,"context_line":"            ENFORCER.enforce_call("},{"line_number":97,"context_line":"                action\u003d\u0027identity:domain-limit:get\u0027,"},{"line_number":98,"context_line":"                build_target\u003d_build_limit_enforcement_target"},{"line_number":99,"context_line":"            )"},{"line_number":100,"context_line":"        else:"},{"line_number":101,"context_line":"            ENFORCER.enforce_call("},{"line_number":102,"context_line":"                action\u003d\u0027identity:project-limit:get\u0027,"},{"line_number":103,"context_line":"                build_target\u003d_build_limit_enforcement_target"},{"line_number":104,"context_line":"            )"},{"line_number":105,"context_line":"        ref \u003d PROVIDERS.unified_limit_api.get_limit(limit_id)"},{"line_number":106,"context_line":"        return self.wrap_member(ref)"},{"line_number":107,"context_line":""}],"source_content_type":"text/x-python","patch_set":9,"id":"9fdfeff1_7c717244","line":104,"range":{"start_line":95,"start_character":0,"end_line":104,"end_character":13},"updated":"2019-03-05 16:19:54.000000000","message":"Do we need/want a system-scope version to be explicit?","commit_id":"d31b767c131ab4c49ef8d5ef89b2218b6cbfd2dd"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"54d15c54cab8c9ca0a2c5444fc163a5d7f906b9a","unresolved":false,"context_lines":[{"line_number":92,"context_line":"        # FIXME(lbragstad): This if statement should be removed if/when"},{"line_number":93,"context_line":"        # oslo.policy supports the ability to check key existence in policy"},{"line_number":94,"context_line":"        # rules."},{"line_number":95,"context_line":"        if self.oslo_context.domain_id:"},{"line_number":96,"context_line":"            ENFORCER.enforce_call("},{"line_number":97,"context_line":"                action\u003d\u0027identity:domain-limit:get\u0027,"},{"line_number":98,"context_line":"                build_target\u003d_build_limit_enforcement_target"},{"line_number":99,"context_line":"            )"},{"line_number":100,"context_line":"        else:"},{"line_number":101,"context_line":"            ENFORCER.enforce_call("},{"line_number":102,"context_line":"                action\u003d\u0027identity:project-limit:get\u0027,"},{"line_number":103,"context_line":"                build_target\u003d_build_limit_enforcement_target"},{"line_number":104,"context_line":"            )"},{"line_number":105,"context_line":"        ref \u003d PROVIDERS.unified_limit_api.get_limit(limit_id)"},{"line_number":106,"context_line":"        return self.wrap_member(ref)"},{"line_number":107,"context_line":""}],"source_content_type":"text/x-python","patch_set":9,"id":"5fc1f717_3004a67b","line":104,"range":{"start_line":95,"start_character":0,"end_line":104,"end_character":13},"in_reply_to":"9fdfeff1_7c717244","updated":"2019-03-05 18:28:56.000000000","message":"Yeah, we could do that. So long as we\u0027re fine just collapsing all three back into a single policy once we get proper support in oslo.policy for None matching?","commit_id":"d31b767c131ab4c49ef8d5ef89b2218b6cbfd2dd"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"e1de954c4a4bcc860aadfcf31e36fa4f3cd53339","unresolved":false,"context_lines":[{"line_number":38,"context_line":"        target[\u0027limit\u0027] \u003d limit"},{"line_number":39,"context_line":"        if limit.get(\u0027project_id\u0027):"},{"line_number":40,"context_line":"            project \u003d PROVIDERS.resource_api.get_project(limit[\u0027project_id\u0027])"},{"line_number":41,"context_line":"            target[\u0027limit\u0027][\u0027project\u0027] \u003d project"},{"line_number":42,"context_line":"    except exception.NotFound:  # nosec"},{"line_number":43,"context_line":"        # Defer the existence check in the event the limit doesn\u0027t exist, this"},{"line_number":44,"context_line":"        # is checked later anyway."}],"source_content_type":"text/x-python","patch_set":11,"id":"5fc1f717_51724fe5","line":41,"updated":"2019-03-08 10:55:29.000000000","message":"What about domain ID?","commit_id":"b9510d489819612c60fb713bf3356e64fda7ffac"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3d236b710df948adb9b8d2aace62ff9a908763f2","unresolved":false,"context_lines":[{"line_number":38,"context_line":"        target[\u0027limit\u0027] \u003d limit"},{"line_number":39,"context_line":"        if limit.get(\u0027project_id\u0027):"},{"line_number":40,"context_line":"            project \u003d PROVIDERS.resource_api.get_project(limit[\u0027project_id\u0027])"},{"line_number":41,"context_line":"            target[\u0027limit\u0027][\u0027project\u0027] \u003d project"},{"line_number":42,"context_line":"    except exception.NotFound:  # nosec"},{"line_number":43,"context_line":"        # Defer the existence check in the event the limit doesn\u0027t exist, this"},{"line_number":44,"context_line":"        # is checked later anyway."}],"source_content_type":"text/x-python","patch_set":11,"id":"9fb8cfa7_ea6dc799","line":41,"in_reply_to":"5fc1f717_51724fe5","updated":"2019-07-02 14:54:51.000000000","message":"Done","commit_id":"b9510d489819612c60fb713bf3356e64fda7ffac"}],"keystone/common/policies/limit.py":[{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"6b92742209b3790c2e07a1b2477d8dc43957877c","unresolved":false,"context_lines":[{"line_number":15,"context_line":"from keystone.common.policies import base"},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"SYSTEM_USER_OR_DOMAIN_USER \u003d ("},{"line_number":18,"context_line":"    \u0027(role:reader and system_scope:all) or \u0027"},{"line_number":19,"context_line":"    \u0027domain_id:%(target.limit.domain_id)s or \u0027"},{"line_number":20,"context_line":"    \u0027domain_id:%(target.limit.project.domain_id)s\u0027"},{"line_number":21,"context_line":")"}],"source_content_type":"text/x-python","patch_set":9,"id":"9fdfeff1_3cdf6a0d","line":18,"range":{"start_line":18,"start_character":4,"end_line":18,"end_character":44},"updated":"2019-03-05 16:19:54.000000000","message":"System scope isn\u0027t needed here, right? Domain scope is explicitly checked. \n\nWith the way policy works, I\u0027d like to see 3 explicit checks: System, Domain, Project rather than lumping these together.","commit_id":"d31b767c131ab4c49ef8d5ef89b2218b6cbfd2dd"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"54d15c54cab8c9ca0a2c5444fc163a5d7f906b9a","unresolved":false,"context_lines":[{"line_number":15,"context_line":"from keystone.common.policies import base"},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"SYSTEM_USER_OR_DOMAIN_USER \u003d ("},{"line_number":18,"context_line":"    \u0027(role:reader and system_scope:all) or \u0027"},{"line_number":19,"context_line":"    \u0027domain_id:%(target.limit.domain_id)s or \u0027"},{"line_number":20,"context_line":"    \u0027domain_id:%(target.limit.project.domain_id)s\u0027"},{"line_number":21,"context_line":")"}],"source_content_type":"text/x-python","patch_set":9,"id":"5fc1f717_702f8ef6","line":18,"range":{"start_line":18,"start_character":4,"end_line":18,"end_character":44},"in_reply_to":"9fdfeff1_3cdf6a0d","updated":"2019-03-05 18:28:56.000000000","message":"Done","commit_id":"d31b767c131ab4c49ef8d5ef89b2218b6cbfd2dd"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"970dbcfbb70286f25c61dec88a7f6ead4d5ccf33","unresolved":false,"context_lines":[{"line_number":18,"context_line":"    \u0027(\u0027 + base.SYSTEM_READER + \u0027) or \u0027"},{"line_number":19,"context_line":"    \u0027(\u0027"},{"line_number":20,"context_line":"    \u0027domain_id:%(target.limit.domain.id)s or \u0027"},{"line_number":21,"context_line":"    \u0027domain_id:%(target.limit.project.domain_id)s\u0027"},{"line_number":22,"context_line":"    \u0027) or \u0027"},{"line_number":23,"context_line":"    \u0027(\u0027"},{"line_number":24,"context_line":"    \u0027project_id:%(target.limit.project_id)s and not \u0027"}],"source_content_type":"text/x-python","patch_set":15,"id":"3fa7e38b_f822d2b8","line":21,"range":{"start_line":21,"start_character":4,"end_line":21,"end_character":50},"updated":"2019-09-25 16:30:17.000000000","message":"Won\u0027t you need the None check here if a project user attempts to call this API on a project-limit?","commit_id":"f249c9e2b0f39b688ba356feaca7818adfc9f739"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3d3695dbcf48774de6f0a3ed3b972b1637db464c","unresolved":false,"context_lines":[{"line_number":18,"context_line":"    \u0027(\u0027 + base.SYSTEM_READER + \u0027) or \u0027"},{"line_number":19,"context_line":"    \u0027(\u0027"},{"line_number":20,"context_line":"    \u0027domain_id:%(target.limit.domain.id)s or \u0027"},{"line_number":21,"context_line":"    \u0027domain_id:%(target.limit.project.domain_id)s\u0027"},{"line_number":22,"context_line":"    \u0027) or \u0027"},{"line_number":23,"context_line":"    \u0027(\u0027"},{"line_number":24,"context_line":"    \u0027project_id:%(target.limit.project_id)s and not \u0027"}],"source_content_type":"text/x-python","patch_set":15,"id":"3fa7e38b_ee6a0cb1","line":21,"range":{"start_line":21,"start_character":4,"end_line":21,"end_character":50},"in_reply_to":"3fa7e38b_ae32d4f0","updated":"2019-09-25 17:16:56.000000000","message":"This API is still experimental anyway, so I don\u0027t feel bad following up this patch with one that adds an explicit test.","commit_id":"f249c9e2b0f39b688ba356feaca7818adfc9f739"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"49b9b96d6accfd639a1b6b9af5ed31549e5a4d53","unresolved":false,"context_lines":[{"line_number":18,"context_line":"    \u0027(\u0027 + base.SYSTEM_READER + \u0027) or \u0027"},{"line_number":19,"context_line":"    \u0027(\u0027"},{"line_number":20,"context_line":"    \u0027domain_id:%(target.limit.domain.id)s or \u0027"},{"line_number":21,"context_line":"    \u0027domain_id:%(target.limit.project.domain_id)s\u0027"},{"line_number":22,"context_line":"    \u0027) or \u0027"},{"line_number":23,"context_line":"    \u0027(\u0027"},{"line_number":24,"context_line":"    \u0027project_id:%(target.limit.project_id)s and not \u0027"}],"source_content_type":"text/x-python","patch_set":15,"id":"3fa7e38b_ae32d4f0","line":21,"range":{"start_line":21,"start_character":4,"end_line":21,"end_character":50},"in_reply_to":"3fa7e38b_f33c33c9","updated":"2019-09-25 17:14:21.000000000","message":"Yeah - I think that\u0027s what I was trying to say. With a project-scoped token domain_id \u003d\u003d None and with a domain limit target.limit.project.domain_id\u003d\u003dNone.","commit_id":"f249c9e2b0f39b688ba356feaca7818adfc9f739"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"f3650078836d4abccc8f59d5fd6cce640925e76a","unresolved":false,"context_lines":[{"line_number":18,"context_line":"    \u0027(\u0027 + base.SYSTEM_READER + \u0027) or \u0027"},{"line_number":19,"context_line":"    \u0027(\u0027"},{"line_number":20,"context_line":"    \u0027domain_id:%(target.limit.domain.id)s or \u0027"},{"line_number":21,"context_line":"    \u0027domain_id:%(target.limit.project.domain_id)s\u0027"},{"line_number":22,"context_line":"    \u0027) or \u0027"},{"line_number":23,"context_line":"    \u0027(\u0027"},{"line_number":24,"context_line":"    \u0027project_id:%(target.limit.project_id)s and not \u0027"}],"source_content_type":"text/x-python","patch_set":15,"id":"3fa7e38b_f33c33c9","line":21,"range":{"start_line":21,"start_character":4,"end_line":21,"end_character":50},"in_reply_to":"3fa7e38b_f822d2b8","updated":"2019-09-25 16:33:14.000000000","message":"Do you mean \"if a project user attempts to call this API on a *domain*-limit?\"\n\nMaybe, will have to add another test case for it.","commit_id":"f249c9e2b0f39b688ba356feaca7818adfc9f739"}],"keystone/tests/unit/protection/v3/test_limits.py":[{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"4edeb14674ec169d8ebdbc1d06c62bd2d0592439","unresolved":false,"context_lines":[{"line_number":300,"context_line":"            c.delete(\u0027/v3/limits/%s\u0027 % limit[\u0027id\u0027], headers\u003dself.headers)"},{"line_number":301,"context_line":""},{"line_number":302,"context_line":""},{"line_number":303,"context_line":"class DomainUserTests(base_classes.TestCaseWithBootstrap,"},{"line_number":304,"context_line":"                      common_auth.AuthTestMixin,"},{"line_number":305,"context_line":"                      _UserLimitTests):"},{"line_number":306,"context_line":""}],"source_content_type":"text/x-python","patch_set":8,"id":"bfdaf3ff_f49690f0","line":303,"range":{"start_line":303,"start_character":5,"end_line":303,"end_character":21},"updated":"2019-01-17 16:28:16.000000000","message":"we don\u0027t have any domain related negative cases for limits. If user tries to get or list limits of another domain to which he is not authorized?","commit_id":"e0f8fce136d8b7e5429d7bae7f224fd94219eaf4"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"70a0cc397edd14ee439b46198848ec7c6dd82a03","unresolved":false,"context_lines":[{"line_number":300,"context_line":"            c.delete(\u0027/v3/limits/%s\u0027 % limit[\u0027id\u0027], headers\u003dself.headers)"},{"line_number":301,"context_line":""},{"line_number":302,"context_line":""},{"line_number":303,"context_line":"class DomainUserTests(base_classes.TestCaseWithBootstrap,"},{"line_number":304,"context_line":"                      common_auth.AuthTestMixin,"},{"line_number":305,"context_line":"                      _UserLimitTests):"},{"line_number":306,"context_line":""}],"source_content_type":"text/x-python","patch_set":8,"id":"9fdfeff1_ebd29534","line":303,"range":{"start_line":303,"start_character":5,"end_line":303,"end_character":21},"in_reply_to":"9fdfeff1_0b6599b5","updated":"2019-01-21 21:01:39.000000000","message":"Actually it looks like we prevent project users from accessing limits for projects they don\u0027t have access to [0].\n\nBut we should have similar testing for domain users, to make sure they only get the project limits within the domain they have authorization on, instead of all project limits in the deployment.\n\n[0] https://review.openstack.org/#/c/621024/8/keystone/tests/unit/protection/v3/test_limits.py","commit_id":"e0f8fce136d8b7e5429d7bae7f224fd94219eaf4"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"2942ce3df779d94de4b2830ed8afb19a51ebca3b","unresolved":false,"context_lines":[{"line_number":300,"context_line":"            c.delete(\u0027/v3/limits/%s\u0027 % limit[\u0027id\u0027], headers\u003dself.headers)"},{"line_number":301,"context_line":""},{"line_number":302,"context_line":""},{"line_number":303,"context_line":"class DomainUserTests(base_classes.TestCaseWithBootstrap,"},{"line_number":304,"context_line":"                      common_auth.AuthTestMixin,"},{"line_number":305,"context_line":"                      _UserLimitTests):"},{"line_number":306,"context_line":""}],"source_content_type":"text/x-python","patch_set":8,"id":"9fdfeff1_0b6599b5","line":303,"range":{"start_line":303,"start_character":5,"end_line":303,"end_character":21},"in_reply_to":"bfdaf3ff_f49690f0","updated":"2019-01-21 20:58:21.000000000","message":"Domain limits are still being developed [0]. These tests are just making sure a user with a domain-scoped token can access the unified limits API, or at least some of it.\n\nWe should have some testing or discussion around whether or not a user should be able to list limit information for a project they\u0027re not authorized to access. Right now, the default is that the get limit API is unprotected, meaning anyone with a token can get a limit.\n\nYour comment makes me think we need to change that.\n\n[0] https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bp/domain-level-limit","commit_id":"e0f8fce136d8b7e5429d7bae7f224fd94219eaf4"}]}