)]}'
{"keystone/api/users.py":[{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"36da42be549720c065ec727bf485004082953e08","unresolved":false,"context_lines":[{"line_number":669,"context_line":""},{"line_number":670,"context_line":"    @staticmethod"},{"line_number":671,"context_line":"    def _built_target_attr_enforcement():"},{"line_number":672,"context_line":"        ref \u003d None"},{"line_number":673,"context_line":"        if flask.request.view_args:"},{"line_number":674,"context_line":"            try:"},{"line_number":675,"context_line":"                ref \u003d {\u0027user\u0027: PROVIDERS.identity_api.get_user("}],"source_content_type":"text/x-python","patch_set":5,"id":"7faddb67_abb12de2","line":672,"range":{"start_line":672,"start_character":8,"end_line":672,"end_character":18},"updated":"2019-08-21 03:14:15.000000000","message":"Is \"ref \u003d None\" most correct here or is ref \u003d {} more correct?\n\nObviously this works, consider this a NIT and not -1 worthy.","commit_id":"c94ce9d21a31d38c05c3cf402a2b26601d269fcb"},{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"36da42be549720c065ec727bf485004082953e08","unresolved":false,"context_lines":[{"line_number":701,"context_line":"    member_key \u003d \u0027access_rule\u0027"},{"line_number":702,"context_line":""},{"line_number":703,"context_line":"    @staticmethod"},{"line_number":704,"context_line":"    def _build_target_attr_enforcement():"},{"line_number":705,"context_line":"        ref \u003d None"},{"line_number":706,"context_line":"        if flask.request.view_args:"},{"line_number":707,"context_line":"            try:"},{"line_number":708,"context_line":"                ref \u003d {\u0027user\u0027: PROVIDERS.identity_api.get_user("},{"line_number":709,"context_line":"                    
flask.request.view_args.get(\u0027user_id\u0027))}"},{"line_number":710,"context_line":"            except ks_exception.NotFound:  # nosec"},{"line_number":711,"context_line":"                # Defer existence in the event the user doesn\u0027t exist, we\u0027ll"},{"line_number":712,"context_line":"                # check this later anyway."},{"line_number":713,"context_line":"                pass"},{"line_number":714,"context_line":"        return ref"},{"line_number":715,"context_line":""},{"line_number":716,"context_line":"    def get(self, user_id, access_rule_id):"},{"line_number":717,"context_line":"        \"\"\"Get access rule resource."}],"source_content_type":"text/x-python","patch_set":5,"id":"7faddb67_0bc2c134","line":714,"range":{"start_line":704,"start_character":0,"end_line":714,"end_character":18},"updated":"2019-08-21 03:14:15.000000000","message":"NIT: this is the same as the one on 671, this could be made a module-level function","commit_id":"c94ce9d21a31d38c05c3cf402a2b26601d269fcb"}],"keystone/application_credential/backends/base.py":[{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"87f02b01d0d36f9112073a599199e83fc121dd2d","unresolved":false,"context_lines":[{"line_number":127,"context_line":"    def delete_access_rules_for_user(self, user_id):"},{"line_number":128,"context_line":"        \"\"\"Delete all access rules for user."},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"        This is called when the user itself is deleted."},{"line_number":131,"context_line":"        :param str user_id: User ID"},{"line_number":132,"context_line":"        \"\"\""},{"line_number":133,"context_line":"        raise exception.NotImplemented()  # pragma: no 
cover"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_6ca268fe","line":131,"range":{"start_line":130,"start_character":8,"end_line":131,"end_character":35},"updated":"2019-08-06 10:29:33.000000000","message":"NIT: space missing in between.","commit_id":"05b090d7c7c1362ae294a48671e08475001edce0"}],"keystone/application_credential/core.py":[{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"36da42be549720c065ec727bf485004082953e08","unresolved":false,"context_lines":[{"line_number":260,"context_line":"        \"\"\""},{"line_number":261,"context_line":"        access_rules \u003d self.driver.list_access_rules_for_user("},{"line_number":262,"context_line":"            user_id, driver_hints.Hints())"},{"line_number":263,"context_line":"        self.driver.delete_access_rules_for_user(user_id)"},{"line_number":264,"context_line":"        for rule in access_rules:"},{"line_number":265,"context_line":"            self.get_access_rule.invalidate(self, rule[\u0027id\u0027])"}],"source_content_type":"text/x-python","patch_set":5,"id":"7faddb67_abffed63","line":263,"range":{"start_line":263,"start_character":0,"end_line":263,"end_character":57},"updated":"2019-08-21 03:14:15.000000000","message":"Do we need audit notification(s) here?","commit_id":"c94ce9d21a31d38c05c3cf402a2b26601d269fcb"}],"keystone/common/policies/access_rule.py":[{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"824e999ccd6b6564153ba81f261b9df52f2b0227","unresolved":false,"context_lines":[{"line_number":33,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":34,"context_line":"        name\u003dbase.IDENTITY % \u0027get_access_rule\u0027,"},{"line_number":35,"context_line":"        check_str\u003dSYSTEM_READER_OR_OWNER,"},{"line_number":36,"context_line":"        scope_types\u003d[\u0027system\u0027, 
\u0027project\u0027],"},{"line_number":37,"context_line":"        description\u003d\u0027Show access rule details.\u0027,"},{"line_number":38,"context_line":"        operations\u003d[{\u0027path\u0027: resource_path,"},{"line_number":39,"context_line":"                     \u0027method\u0027: \u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":3,"id":"7faddb67_43e27c03","line":36,"range":{"start_line":36,"start_character":8,"end_line":36,"end_character":41},"updated":"2019-07-09 08:16:25.000000000","message":"These access rules are not scoped to domains?","commit_id":"39ba14f1b7546b8cf4c39d37590c113bb4a7a147"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"798803e5e1dfad42748e953cb8091666e35af5c0","unresolved":false,"context_lines":[{"line_number":33,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":34,"context_line":"        name\u003dbase.IDENTITY % \u0027get_access_rule\u0027,"},{"line_number":35,"context_line":"        check_str\u003dSYSTEM_READER_OR_OWNER,"},{"line_number":36,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":37,"context_line":"        description\u003d\u0027Show access rule details.\u0027,"},{"line_number":38,"context_line":"        operations\u003d[{\u0027path\u0027: resource_path,"},{"line_number":39,"context_line":"                     \u0027method\u0027: \u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":3,"id":"7faddb67_df2b9c7f","line":36,"range":{"start_line":36,"start_character":8,"end_line":36,"end_character":41},"in_reply_to":"7faddb67_43e27c03","updated":"2019-07-09 14:29:40.000000000","message":"I think not. 
For the moment, you can only create application credentials for projects, so project members should be able to see their application credentials, and I think system readers should be able to see users\u0027 access rules but I can\u0027t really think of a reason domain readers should need to. I\u0027m open to discuss it though.","commit_id":"39ba14f1b7546b8cf4c39d37590c113bb4a7a147"},{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"f99650ba2b9fae11e6d5c6dae06a4b88aec9a1ab","unresolved":false,"context_lines":[{"line_number":33,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":34,"context_line":"        name\u003dbase.IDENTITY % \u0027get_access_rule\u0027,"},{"line_number":35,"context_line":"        check_str\u003dSYSTEM_READER_OR_OWNER,"},{"line_number":36,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":37,"context_line":"        description\u003d\u0027Show access rule details.\u0027,"},{"line_number":38,"context_line":"        operations\u003d[{\u0027path\u0027: resource_path,"},{"line_number":39,"context_line":"                     \u0027method\u0027: \u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":3,"id":"7faddb67_e5ac4dee","line":36,"range":{"start_line":36,"start_character":8,"end_line":36,"end_character":41},"in_reply_to":"7faddb67_df2b9c7f","updated":"2019-07-17 10:36:13.000000000","message":"Yes, I think domain readers should not need to see the application credentials but domain admin should be able to?","commit_id":"39ba14f1b7546b8cf4c39d37590c113bb4a7a147"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"22abbb8f1cccbb2ab6b499e9053d5a1006db94b5","unresolved":false,"context_lines":[{"line_number":33,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":34,"context_line":"        
name\u003dbase.IDENTITY % \u0027get_access_rule\u0027,"},{"line_number":35,"context_line":"        check_str\u003dSYSTEM_READER_OR_OWNER,"},{"line_number":36,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":37,"context_line":"        description\u003d\u0027Show access rule details.\u0027,"},{"line_number":38,"context_line":"        operations\u003d[{\u0027path\u0027: resource_path,"},{"line_number":39,"context_line":"                     \u0027method\u0027: \u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":3,"id":"7faddb67_eaf654d7","line":36,"range":{"start_line":36,"start_character":8,"end_line":36,"end_character":41},"in_reply_to":"7faddb67_e5ac4dee","updated":"2019-07-17 17:08:01.000000000","message":"I think the reader role should be able to do any GET action so I don\u0027t think we should distinguish between reader and admin for get_access_rule here.\n\nWe had a related discussion about domain admins and application credentials yesterday: http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2019-07-16.log.html#t2019-07-16T17:01:50\n\nI think the gist is that while domain admins can manage users themselves, we don\u0027t need them to manage things that the users own, i.e. 
application credentials, trusts, or access rules.\n\nWhen we add support for scoping an application credential to a domain, we\u0027ll have to add \u0027domain\u0027 to the scope type here, but we\u0027ll still have to ensure that users can only manage their own app creds and not another user\u0027s.","commit_id":"39ba14f1b7546b8cf4c39d37590c113bb4a7a147"},{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"f648f6bfd6535cda230ba2961c59da36aa833486","unresolved":false,"context_lines":[{"line_number":33,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":34,"context_line":"        name\u003dbase.IDENTITY % \u0027get_access_rule\u0027,"},{"line_number":35,"context_line":"        check_str\u003dSYSTEM_READER_OR_OWNER,"},{"line_number":36,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":37,"context_line":"        description\u003d\u0027Show access rule details.\u0027,"},{"line_number":38,"context_line":"        operations\u003d[{\u0027path\u0027: resource_path,"},{"line_number":39,"context_line":"                     \u0027method\u0027: \u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":3,"id":"7faddb67_ce58db57","line":36,"range":{"start_line":36,"start_character":8,"end_line":36,"end_character":41},"in_reply_to":"7faddb67_eaf654d7","updated":"2019-07-25 06:34:16.000000000","message":"Got it. 
Thanks a lot","commit_id":"39ba14f1b7546b8cf4c39d37590c113bb4a7a147"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"aeeede9b6085ccb0dc72f22b9e57a59eddff8e03","unresolved":false,"context_lines":[{"line_number":33,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":34,"context_line":"        name\u003dbase.IDENTITY % \u0027get_access_rule\u0027,"},{"line_number":35,"context_line":"        check_str\u003dSYSTEM_READER_OR_OWNER,"},{"line_number":36,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":37,"context_line":"        description\u003d\u0027Show access rule details.\u0027,"},{"line_number":38,"context_line":"        operations\u003d[{\u0027path\u0027: resource_path,"},{"line_number":39,"context_line":"                     \u0027method\u0027: \u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":8,"id":"5faad753_1e285332","line":36,"updated":"2019-09-10 15:45:55.000000000","message":"Access rules are indirectly project specific, right? You can\u0027t create them directly with the API but only by creating an application credential (with access rules as an argument) and since app creds require projects each set of access rules are indirectly associated to a project, yeah?\n\nI\u0027m thinking about cases where we have many duplicate access rules in the backend. Each would be specific to an application credential. 
I\u0027m wondering if in the future we are going to be able to optimize that case?","commit_id":"8e0d08bb741f40ad43e978739ef7c80b199683f4"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"b6585b424e9f23a91d47b8dcc65665857b3a4db4","unresolved":false,"context_lines":[{"line_number":33,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":34,"context_line":"        name\u003dbase.IDENTITY % \u0027get_access_rule\u0027,"},{"line_number":35,"context_line":"        check_str\u003dSYSTEM_READER_OR_OWNER,"},{"line_number":36,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":37,"context_line":"        description\u003d\u0027Show access rule details.\u0027,"},{"line_number":38,"context_line":"        operations\u003d[{\u0027path\u0027: resource_path,"},{"line_number":39,"context_line":"                     \u0027method\u0027: \u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":8,"id":"5faad753_7ef38774","line":36,"in_reply_to":"5faad753_1e285332","updated":"2019-09-10 15:54:06.000000000","message":"Creating access rules are indirectly project specific, yes. My thinking here was that a system admin should be able to manage them and clean them up, since they aren\u0027t automatically deleted when an app cred is deleted. 
An access rule record isn\u0027t specific to a particular app cred, they are only specific to a user, so they won\u0027t be duplicated except when different users create the same ones.","commit_id":"8e0d08bb741f40ad43e978739ef7c80b199683f4"}],"keystone/exception.py":[{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"87f02b01d0d36f9112073a599199e83fc121dd2d","unresolved":false,"context_lines":[{"line_number":550,"context_line":""},{"line_number":551,"context_line":""},{"line_number":552,"context_line":"class AccessRuleNotFound(NotFound):"},{"line_number":553,"context_line":"    message_format \u003d _(\"Could not find Access Rule: %(access_rule_id)s.\")"},{"line_number":554,"context_line":""},{"line_number":555,"context_line":""},{"line_number":556,"context_line":"class Conflict(Error):"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_8cab2486","line":553,"range":{"start_line":553,"start_character":24,"end_line":553,"end_character":69},"updated":"2019-08-06 10:29:33.000000000","message":"Since access_rule_id is not independent of app_creds. 
Should we add more details to the message returning the app creds id too?","commit_id":"05b090d7c7c1362ae294a48671e08475001edce0"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"2edad435db1774ca3028859b504e785538945d0b","unresolved":false,"context_lines":[{"line_number":550,"context_line":""},{"line_number":551,"context_line":""},{"line_number":552,"context_line":"class AccessRuleNotFound(NotFound):"},{"line_number":553,"context_line":"    message_format \u003d _(\"Could not find Access Rule: %(access_rule_id)s.\")"},{"line_number":554,"context_line":""},{"line_number":555,"context_line":""},{"line_number":556,"context_line":"class Conflict(Error):"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_3898dc19","line":553,"range":{"start_line":553,"start_character":24,"end_line":553,"end_character":69},"in_reply_to":"7faddb67_8cab2486","updated":"2019-08-09 18:07:32.000000000","message":"The functions that raise this error only use the ID, it would add an unnecessary amount of complexity to have them also look up the app cred or user in order to raise this error.","commit_id":"05b090d7c7c1362ae294a48671e08475001edce0"}]}
