)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"074a1507570609d9bba21a71aeb980d386faa99e","unresolved":false,"context_lines":[{"line_number":11,"context_line":"the membership by checking inherited and group assignments."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Change-Id: If1bf5bd785a494923303265797311d42018ba7af"},{"line_number":14,"context_line":"Closes-Bug: #1825991"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"7faddb67_a4662c50","line":14,"range":{"start_line":14,"start_character":0,"end_line":14,"end_character":20},"updated":"2019-08-06 16:43:46.000000000","message":"The bug tag should be the same as that of the release notes. Closes-Bug: #1773967","commit_id":"7e312a762269d79a65490015715a06eca7c08f72"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"0854597d782223dd2584ca7fa09ccffc13fa55d6","unresolved":false,"context_lines":[{"line_number":11,"context_line":"the membership by checking inherited and group assignments."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Change-Id: If1bf5bd785a494923303265797311d42018ba7af"},{"line_number":14,"context_line":"Closes-Bug: #1825991"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"7faddb67_df2d358f","line":14,"range":{"start_line":14,"start_character":0,"end_line":14,"end_character":20},"in_reply_to":"7faddb67_a4662c50","updated":"2019-08-06 16:54:50.000000000","message":"Good catch, thanks","commit_id":"7e312a762269d79a65490015715a06eca7c08f72"}],"keystone/models/token_model.py":[{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"1b860189d9f39989214503c911b18b8a74442345","unresolved":false,"context_lines":[{"line_number":413,"context_line":"            user_id\u003dself.user_id,"},{"line_number":414,"context_line":"            project_id\u003dself.project_id,"},{"line_number":415,"context_line":"            domain_id\u003dself.domain_id,"},{"line_number":416,"context_line":"            effective\u003dTrue)"},{"line_number":417,"context_line":"        user_roles \u003d list(set([x[\u0027role_id\u0027] for x in assignment_list]))"},{"line_number":418,"context_line":""},{"line_number":419,"context_line":"        for role in app_cred_roles:"}],"source_content_type":"text/x-python","patch_set":1,"id":"ffb9cba7_03efb284","line":416,"range":{"start_line":416,"start_character":12,"end_line":416,"end_character":27},"updated":"2019-04-23 16:30:23.000000000","message":"This can only be done for non-federated users until we have renewable app-creds. The reason is to avoid the scenario where a user comes in with an assertion that grants a group to the user and the user creates an app-cred to circumvent losing access to the group on a re-auth (loss of the group in the assertion from the IDP).\n\nSo, this needs to check if the user is a federated user and set \"effective\u003dTrue\" only in the case when the user is not federated.","commit_id":"43d1955a37ae15236eeeb52ac28936d049145174"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"1b860189d9f39989214503c911b18b8a74442345","unresolved":false,"context_lines":[{"line_number":414,"context_line":"            project_id\u003dself.project_id,"},{"line_number":415,"context_line":"            domain_id\u003dself.domain_id,"},{"line_number":416,"context_line":"            effective\u003dTrue)"},{"line_number":417,"context_line":"        user_roles \u003d list(set([x[\u0027role_id\u0027] for x in assignment_list]))"},{"line_number":418,"context_line":""},{"line_number":419,"context_line":"        for role in app_cred_roles:"},{"line_number":420,"context_line":"            if role[\u0027id\u0027] in user_roles:"}],"source_content_type":"text/x-python","patch_set":1,"id":"ffb9cba7_c3851aaf","line":417,"range":{"start_line":417,"start_character":8,"end_line":417,"end_character":71},"updated":"2019-04-23 16:30:23.000000000","message":"This can just be a set, we don\u0027t need it to be a list. order doesn\u0027t really matter, a set comprehension would be sufficient:\n\n    {x[\u0027role_id\u0027] for x in assignment_list}\n\nIf you don\u0027t want a set-comprehension:\n\n   set([x[\u0027role_id\u0027] for x in assignment_list])\n\nThis also will be faster lookup(s) than the list scan on line 419 (only matters in really large sets of roles)","commit_id":"43d1955a37ae15236eeeb52ac28936d049145174"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"4510daeaa272c439f14a3e817cd7dc05642c9cbf","unresolved":false,"context_lines":[{"line_number":414,"context_line":"            project_id\u003dself.project_id,"},{"line_number":415,"context_line":"            domain_id\u003dself.domain_id,"},{"line_number":416,"context_line":"            effective\u003dnot self.is_federated)"},{"line_number":417,"context_line":"        user_roles \u003d {set([x[\u0027role_id\u0027] for x in assignment_list])}"},{"line_number":418,"context_line":""},{"line_number":419,"context_line":"        for role in app_cred_roles:"},{"line_number":420,"context_line":"            if role[\u0027id\u0027] in user_roles:"}],"source_content_type":"text/x-python","patch_set":2,"id":"ffb9cba7_42a256b0","line":417,"range":{"start_line":417,"start_character":21,"end_line":417,"end_character":67},"updated":"2019-04-25 14:46:44.000000000","message":"NIT: No need for the outer {} in this case, it is already a set. Either use:\n\n  {x[\u0027role_id\u0027] for x in assignment_list}\n\nor\n\n  set([x[\u0027role_id\u0027] for x in assignment_list])","commit_id":"82fae8ea7bf304856a4ab36185a7975f2782f22b"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"9185cdbef8d665a4eb2dc708fdec586e2fe3a2d7","unresolved":false,"context_lines":[{"line_number":417,"context_line":"            user_id\u003dself.user_id,"},{"line_number":418,"context_line":"            project_id\u003dself.project_id,"},{"line_number":419,"context_line":"            domain_id\u003dself.domain_id,"},{"line_number":420,"context_line":"            effective\u003dFalse)"},{"line_number":421,"context_line":"        user_roles \u003d {x[\u0027role_id\u0027] for x in assignment_list}"},{"line_number":422,"context_line":""},{"line_number":423,"context_line":"        for role in app_cred_roles:"}],"source_content_type":"text/x-python","patch_set":5,"id":"dfbec78f_fe74096a","line":420,"range":{"start_line":420,"start_character":12,"end_line":420,"end_character":27},"updated":"2019-05-13 16:59:45.000000000","message":"This isn\u0027t really fixing anything yet. Can we partially fix it setting effective\u003dTrue for non-federated users?","commit_id":"c444ef29d6c9b93672076f32a39684f8a1e17a95"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"f3c05359585814188fad2cf5c938210068db4799","unresolved":false,"context_lines":[{"line_number":417,"context_line":"            user_id\u003dself.user_id,"},{"line_number":418,"context_line":"            project_id\u003dself.project_id,"},{"line_number":419,"context_line":"            domain_id\u003dself.domain_id,"},{"line_number":420,"context_line":"            effective\u003dFalse)"},{"line_number":421,"context_line":"        user_roles \u003d {x[\u0027role_id\u0027] for x in assignment_list}"},{"line_number":422,"context_line":""},{"line_number":423,"context_line":"        for role in app_cred_roles:"}],"source_content_type":"text/x-python","patch_set":5,"id":"dfbec78f_3e3861ec","line":420,"range":{"start_line":420,"start_character":12,"end_line":420,"end_character":27},"in_reply_to":"dfbec78f_fe74096a","updated":"2019-05-13 17:39:43.000000000","message":"Part of the issue is that detecting all the forms of federated users was not clear. This is aligning code so that the change can be a minimal fix.","commit_id":"c444ef29d6c9b93672076f32a39684f8a1e17a95"}],"keystone/tests/unit/test_v3_auth.py":[{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"4510daeaa272c439f14a3e817cd7dc05642c9cbf","unresolved":false,"context_lines":[{"line_number":5696,"context_line":"            app_cred_id\u003dapp_cred_ref[\u0027id\u0027], secret\u003dapp_cred_ref[\u0027secret\u0027])"},{"line_number":5697,"context_line":"        self.v3_create_token(auth_data, expected_status\u003dhttp_client.NOT_FOUND)"},{"line_number":5698,"context_line":""},{"line_number":5699,"context_line":"    def test_application_credential_through_group_membership(self):"},{"line_number":5700,"context_line":"        user1 \u003d unit.create_user("},{"line_number":5701,"context_line":"            PROVIDERS.identity_api, domain_id\u003dself.domain_id"},{"line_number":5702,"context_line":"        )"}],"source_content_type":"text/x-python","patch_set":2,"id":"ffb9cba7_a29a326b","line":5699,"range":{"start_line":5699,"start_character":3,"end_line":5699,"end_character":67},"updated":"2019-04-25 14:46:44.000000000","message":"Needs a federation test-case.","commit_id":"82fae8ea7bf304856a4ab36185a7975f2782f22b"}],"keystone/tests/unit/test_v3_federation.py":[{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"46314380f82b05f933603e5af8e5a2db1ac40638","unresolved":false,"context_lines":[{"line_number":3287,"context_line":""},{"line_number":3288,"context_line":"        auth_data \u003d self.build_authentication_request("},{"line_number":3289,"context_line":"            app_cred_id\u003dapp_cred_ref[\u0027id\u0027], secret\u003dapp_cred_ref[\u0027secret\u0027])"},{"line_number":3290,"context_line":"        self.v3_create_token(auth_data, expected_status\u003dhttp_client.CREATED)"},{"line_number":3291,"context_line":""},{"line_number":3292,"context_line":"        # remove user from group"},{"line_number":3293,"context_line":"        PROVIDERS.identity_api.remove_user_from_group("}],"source_content_type":"text/x-python","patch_set":4,"id":"ffb9cba7_b2d4abbe","line":3290,"updated":"2019-04-26 19:25:29.000000000","message":"Should this test check to see if the effective roles include the group role, also shouldn\u0027t this fail because the user is granted access via the group not directly?","commit_id":"3589d074eb07159e9380ffb767fdf06fbafddf74"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"925d721f14fe607c60016327dbb100c231b24796","unresolved":false,"context_lines":[{"line_number":3267,"context_line":"        # does not allow to use group memberships for users. Once we have"},{"line_number":3268,"context_line":"        # set the effective list of role_assignments to True, then we can"},{"line_number":3269,"context_line":"        # set this test to expect_status\u003dhttp_client.CREATED"},{"line_number":3270,"context_line":"        self.v3_create_token(auth_data, expected_status\u003dhttp_client.UNAUTHORIZED)"},{"line_number":3271,"context_line":""},{"line_number":3272,"context_line":"    def test_domain_scoped_user_role_assignment(self):"},{"line_number":3273,"context_line":"        # create domain and role"}],"source_content_type":"text/x-python","patch_set":5,"id":"dfbec78f_674a3c56","line":3270,"range":{"start_line":3270,"start_character":7,"end_line":3270,"end_character":81},"updated":"2019-05-06 17:49:55.000000000","message":"I would think that the app-cred should fail to create if you reference a group-supplied role. Can we either have this patch changed or a followup for the following:\n\n1) Do setup (user/group)\n2) Attempt to create an app-cred with a group-role, should fail to create (if this isn\u0027t an API break)\n3) Add direct role to user (duplicating group role)\n4) Create App Cred (success)\n5) Auth (success)\n6) Remove direct assignment\n7) App Cred needs to be invalidated *or* now auth should fail if app cred is not invalidated.\n\n\nThis simply is my expectation that the app-cred should communicate it is not going to work as early as possible.\n\nWith all of that said, I am not opposed to the current workflow, I need to review one more time before upgrading to +2.","commit_id":"c444ef29d6c9b93672076f32a39684f8a1e17a95"},{"author":{"_account_id":5575,"name":"Jose Castro Leon","email":"jose.castro.leon@cern.ch","username":"jose-castro-leon"},"change_message_id":"9622a063f03d58e1fed007cc84ea17f55b16ec5c","unresolved":false,"context_lines":[{"line_number":3267,"context_line":"        # does not allow to use group memberships for users. Once we have"},{"line_number":3268,"context_line":"        # set the effective list of role_assignments to True, then we can"},{"line_number":3269,"context_line":"        # set this test to expect_status\u003dhttp_client.CREATED"},{"line_number":3270,"context_line":"        self.v3_create_token(auth_data, expected_status\u003dhttp_client.UNAUTHORIZED)"},{"line_number":3271,"context_line":""},{"line_number":3272,"context_line":"    def test_domain_scoped_user_role_assignment(self):"},{"line_number":3273,"context_line":"        # create domain and role"}],"source_content_type":"text/x-python","patch_set":5,"id":"dfbec78f_9760b4a7","line":3270,"range":{"start_line":3270,"start_character":7,"end_line":3270,"end_character":81},"in_reply_to":"dfbec78f_674a3c56","updated":"2019-05-07 14:33:09.000000000","message":"Sure no problem, I need to review the tests\nAlthough I think the API allows to create the credential :S","commit_id":"c444ef29d6c9b93672076f32a39684f8a1e17a95"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"9185cdbef8d665a4eb2dc708fdec586e2fe3a2d7","unresolved":false,"context_lines":[{"line_number":3267,"context_line":"        # does not allow to use group memberships for users. Once we have"},{"line_number":3268,"context_line":"        # set the effective list of role_assignments to True, then we can"},{"line_number":3269,"context_line":"        # set this test to expect_status\u003dhttp_client.CREATED"},{"line_number":3270,"context_line":"        self.v3_create_token(auth_data, expected_status\u003dhttp_client.UNAUTHORIZED)"},{"line_number":3271,"context_line":""},{"line_number":3272,"context_line":"    def test_domain_scoped_user_role_assignment(self):"},{"line_number":3273,"context_line":"        # create domain and role"}],"source_content_type":"text/x-python","patch_set":5,"id":"dfbec78f_de4ee536","line":3270,"range":{"start_line":3270,"start_character":7,"end_line":3270,"end_character":81},"in_reply_to":"dfbec78f_9760b4a7","updated":"2019-05-13 16:59:45.000000000","message":"Right, currently the broken behavior is that the app cred does get created but is nonfunctional.\n\nI don\u0027t want us to be testing for broken behavior. I would like to wait for the core issue to be fixed and then tests added.","commit_id":"c444ef29d6c9b93672076f32a39684f8a1e17a95"}]}