)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"1fe52b0d28058ae3b4b6ea7da8a785f8f38a962b","unresolved":false,"context_lines":[{"line_number":25,"context_line":"Test cases are added to guard the above policy changes."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Change-Id: I26ee11571b6d0f700a5fe3a62ad2e8fc7f5316fe"},{"line_number":28,"context_line":"Closes-Bug: 1818725"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"7faddb67_d9fa6a41","line":28,"updated":"2019-07-16 19:20:36.000000000","message":"I think you could close this one too https://bugs.launchpad.net/keystone/+bug/1750615","commit_id":"b92060e9f93fb971d1b621836d1ff64d51080765"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"cf3ecc944928c8284b299becc7961377268c29d7","unresolved":false,"context_lines":[{"line_number":25,"context_line":"Test cases are added to guard the above policy changes."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Change-Id: I26ee11571b6d0f700a5fe3a62ad2e8fc7f5316fe"},{"line_number":28,"context_line":"Closes-Bug: 1818725"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"7faddb67_7eb2394b","line":28,"in_reply_to":"7faddb67_d9fa6a41","updated":"2019-07-16 21:27:08.000000000","message":"Done","commit_id":"b92060e9f93fb971d1b621836d1ff64d51080765"}],"etc/policy.v3cloudsample.json":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"1fe52b0d28058ae3b4b6ea7da8a785f8f38a962b","unresolved":false,"context_lines":[{"line_number":8,"context_line":"    \"system_admin\": \"role:admin and system_scope:all\","},{"line_number":9,"context_line":"    \"system_reader\": \"role:reader and system_scope:all\","},{"line_number":10,"context_line":"    
\"system_admin_or_owner\": \"rule:system_admin or rule:owner\","},{"line_number":11,"context_line":"    \"system_reader_or_owner\": \"rule:system_reader or rule:owner\","},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"    \"default\": \"rule:admin_required\","},{"line_number":14,"context_line":""}],"source_content_type":"application/json","patch_set":2,"id":"7faddb67_d9734a15","line":11,"updated":"2019-07-16 19:20:36.000000000","message":"We\u0027re actually aiming for removing policies from this file https://bugs.launchpad.net/keystone/+bug/1806762","commit_id":"b92060e9f93fb971d1b621836d1ff64d51080765"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"7297439a56cdc0aad19bb1938fa6941c486081ca","unresolved":false,"context_lines":[{"line_number":8,"context_line":"    \"system_admin\": \"role:admin and system_scope:all\","},{"line_number":9,"context_line":"    \"system_reader\": \"role:reader and system_scope:all\","},{"line_number":10,"context_line":"    \"system_admin_or_owner\": \"rule:system_admin or rule:owner\","},{"line_number":11,"context_line":"    \"system_reader_or_owner\": \"rule:system_reader or rule:owner\","},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"    \"default\": \"rule:admin_required\","},{"line_number":14,"context_line":""}],"source_content_type":"application/json","patch_set":2,"id":"7faddb67_e1268868","line":11,"in_reply_to":"7faddb67_9e9a95b6","updated":"2019-07-16 22:38:52.000000000","message":"These shouldn\u0027t need to be added here at all, see other comment.","commit_id":"b92060e9f93fb971d1b621836d1ff64d51080765"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"cf3ecc944928c8284b299becc7961377268c29d7","unresolved":false,"context_lines":[{"line_number":8,"context_line":"    \"system_admin\": \"role:admin and 
system_scope:all\","},{"line_number":9,"context_line":"    \"system_reader\": \"role:reader and system_scope:all\","},{"line_number":10,"context_line":"    \"system_admin_or_owner\": \"rule:system_admin or rule:owner\","},{"line_number":11,"context_line":"    \"system_reader_or_owner\": \"rule:system_reader or rule:owner\","},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"    \"default\": \"rule:admin_required\","},{"line_number":14,"context_line":""}],"source_content_type":"application/json","patch_set":2,"id":"7faddb67_9e9a95b6","line":11,"in_reply_to":"7faddb67_d9734a15","updated":"2019-07-16 21:27:08.000000000","message":"what should I do with this one? There are a couple of test failures if I don\u0027t add these default rules here as well.","commit_id":"b92060e9f93fb971d1b621836d1ff64d51080765"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"8d5928bdf7cb01d6f14df0acd8837a4a8984d73a","unresolved":false,"context_lines":[{"line_number":8,"context_line":"    \"system_admin\": \"role:admin and system_scope:all\","},{"line_number":9,"context_line":"    \"system_reader\": \"role:reader and system_scope:all\","},{"line_number":10,"context_line":"    \"system_admin_or_owner\": \"rule:system_admin or rule:owner\","},{"line_number":11,"context_line":"    \"system_reader_or_owner\": \"rule:system_reader or rule:owner\","},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"    \"default\": \"rule:admin_required\","},{"line_number":14,"context_line":""}],"source_content_type":"application/json","patch_set":2,"id":"7faddb67_a162d008","line":11,"in_reply_to":"7faddb67_e1268868","updated":"2019-07-17 00:23:50.000000000","message":"Done","commit_id":"b92060e9f93fb971d1b621836d1ff64d51080765"}],"keystone/common/policies/application_credential.py":[{"author":{"_account_id":8482,"name":"Colleen 
Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"1fe52b0d28058ae3b4b6ea7da8a785f8f38a962b","unresolved":false,"context_lines":[{"line_number":51,"context_line":"        # project. scope_types will remain commented out for now and will be"},{"line_number":52,"context_line":"        # updated when we have an answer for this. The same applies to the"},{"line_number":53,"context_line":"        # other policies in this file."},{"line_number":54,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":55,"context_line":"        description\u003d\u0027Show application credential details.\u0027,"},{"line_number":56,"context_line":"        operations\u003d[{\u0027path\u0027: resource_path,"},{"line_number":57,"context_line":"                     \u0027method\u0027: \u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_1957a25a","line":54,"updated":"2019-07-16 19:20:36.000000000","message":"These still need to allow for a project scope in the scope type. The reason is that when [oslo_policy]/enforce_scope\u003dtrue, oslo.policy will enforce the scope regardless of the check string. Users who only have a role assignment on a project and are using a project-scoped token need to be able to use this API.","commit_id":"b92060e9f93fb971d1b621836d1ff64d51080765"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"b51023e8567e42204e003bf5ff2a4b114c7bc858","unresolved":false,"context_lines":[{"line_number":51,"context_line":"        # project. scope_types will remain commented out for now and will be"},{"line_number":52,"context_line":"        # updated when we have an answer for this. 
The same applies to the"},{"line_number":53,"context_line":"        # other policies in this file."},{"line_number":54,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":55,"context_line":"        description\u003d\u0027Show application credential details.\u0027,"},{"line_number":56,"context_line":"        operations\u003d[{\u0027path\u0027: resource_path,"},{"line_number":57,"context_line":"                     \u0027method\u0027: \u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_74348d93","line":54,"in_reply_to":"7faddb67_0443b214","updated":"2019-07-17 15:20:05.000000000","message":"Oh ok. Didn\u0027t know old policy is still being used. Let me update.","commit_id":"b92060e9f93fb971d1b621836d1ff64d51080765"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"cf3ecc944928c8284b299becc7961377268c29d7","unresolved":false,"context_lines":[{"line_number":51,"context_line":"        # project. scope_types will remain commented out for now and will be"},{"line_number":52,"context_line":"        # updated when we have an answer for this. The same applies to the"},{"line_number":53,"context_line":"        # other policies in this file."},{"line_number":54,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":55,"context_line":"        description\u003d\u0027Show application credential details.\u0027,"},{"line_number":56,"context_line":"        operations\u003d[{\u0027path\u0027: resource_path,"},{"line_number":57,"context_line":"                     \u0027method\u0027: \u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_1e92254d","line":54,"in_reply_to":"7faddb67_1957a25a","updated":"2019-07-16 21:27:08.000000000","message":"Owner can still create application credential with a project-scoped token. 
Just that project admin cannot manage application credentials on behalf of another user.","commit_id":"b92060e9f93fb971d1b621836d1ff64d51080765"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"7297439a56cdc0aad19bb1938fa6941c486081ca","unresolved":false,"context_lines":[{"line_number":51,"context_line":"        # project. scope_types will remain commented out for now and will be"},{"line_number":52,"context_line":"        # updated when we have an answer for this. The same applies to the"},{"line_number":53,"context_line":"        # other policies in this file."},{"line_number":54,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":55,"context_line":"        description\u003d\u0027Show application credential details.\u0027,"},{"line_number":56,"context_line":"        operations\u003d[{\u0027path\u0027: resource_path,"},{"line_number":57,"context_line":"                     \u0027method\u0027: \u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_413d1c8d","line":54,"in_reply_to":"7faddb67_1e92254d","updated":"2019-07-16 22:38:52.000000000","message":"scope_types\u003dsystem when enforce_scope\u003dtrue will make it so you cannot use a project-scoped token to use this API.","commit_id":"b92060e9f93fb971d1b621836d1ff64d51080765"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"8d5928bdf7cb01d6f14df0acd8837a4a8984d73a","unresolved":false,"context_lines":[{"line_number":51,"context_line":"        # project. scope_types will remain commented out for now and will be"},{"line_number":52,"context_line":"        # updated when we have an answer for this. 
The same applies to the"},{"line_number":53,"context_line":"        # other policies in this file."},{"line_number":54,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":55,"context_line":"        description\u003d\u0027Show application credential details.\u0027,"},{"line_number":56,"context_line":"        operations\u003d[{\u0027path\u0027: resource_path,"},{"line_number":57,"context_line":"                     \u0027method\u0027: \u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_a443be41","line":54,"in_reply_to":"7faddb67_413d1c8d","updated":"2019-07-17 00:23:50.000000000","message":"Can you take a look at https://review.opendev.org/#/c/670926/2/keystone/tests/unit/protection/v3/test_application_credential.py lines 55-80. The application credential was successfully created by the owner with a project-scoped token. All the tests are performed with enforce_scope\u003dTrue. What am I missing?","commit_id":"b92060e9f93fb971d1b621836d1ff64d51080765"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"eb0ec27f167b9597cd2b1db4ca3ab2aa1a81ca88","unresolved":false,"context_lines":[{"line_number":51,"context_line":"        # project. scope_types will remain commented out for now and will be"},{"line_number":52,"context_line":"        # updated when we have an answer for this. 
The same applies to the"},{"line_number":53,"context_line":"        # other policies in this file."},{"line_number":54,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":55,"context_line":"        description\u003d\u0027Show application credential details.\u0027,"},{"line_number":56,"context_line":"        operations\u003d[{\u0027path\u0027: resource_path,"},{"line_number":57,"context_line":"                     \u0027method\u0027: \u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_0443b214","line":54,"in_reply_to":"7faddb67_a443be41","updated":"2019-07-17 00:57:33.000000000","message":"The deprecated policies are still active because oslo.policy ORs the new and deprecated policies. They need to be overridden in the tests, like this: https://opendev.org/openstack/keystone/src/commit/10eab4824249a2ba190d80cc58e404f07c3d51e8/keystone/tests/unit/protection/v3/test_projects.py#L625-L646","commit_id":"b92060e9f93fb971d1b621836d1ff64d51080765"},{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"df5d0d902a34a54e5741f22e7aa8e644647a6f50","unresolved":false,"context_lines":[{"line_number":31,"context_line":"    check_str\u003dbase.RULE_ADMIN_OR_OWNER"},{"line_number":32,"context_line":")"},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"DEPRECATED_REASON \u003d \"\"\""},{"line_number":35,"context_line":"As of the Train release, the application credential API understands how to"},{"line_number":36,"context_line":"handle system-scoped tokens in addition to project tokens, making the API"},{"line_number":37,"context_line":"more accessible to users without compromising security or manageability for"}],"source_content_type":"text/x-python","patch_set":3,"id":"7faddb67_2516e556","line":34,"range":{"start_line":34,"start_character":20,"end_line":34,"end_character":23},"updated":"2019-07-18 
07:05:24.000000000","message":"The deprecated reason can be written the same as [1] to have consistency all over the keystone.\n\n[1] https://github.com/openstack/keystone/blob/master/keystone/common/policies/credential.py#L27","commit_id":"49a5a5f2349cfc4f8572cff095ff9d76240be9ef"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"ef11d3ec8e62c3715ebd04f693dc5a640970026a","unresolved":false,"context_lines":[{"line_number":31,"context_line":"    check_str\u003dbase.RULE_ADMIN_OR_OWNER"},{"line_number":32,"context_line":")"},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"DEPRECATED_REASON \u003d \"\"\""},{"line_number":35,"context_line":"As of the Train release, the application credential API understands how to"},{"line_number":36,"context_line":"handle system-scoped tokens in addition to project tokens, making the API"},{"line_number":37,"context_line":"more accessible to users without compromising security or manageability for"}],"source_content_type":"text/x-python","patch_set":3,"id":"7faddb67_d191ba48","line":34,"range":{"start_line":34,"start_character":20,"end_line":34,"end_character":23},"in_reply_to":"7faddb67_2516e556","updated":"2019-07-19 00:21:40.000000000","message":"it is right? 
I am basing this off one of the existing ones.","commit_id":"49a5a5f2349cfc4f8572cff095ff9d76240be9ef"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"10f968cc3006b4c05930faa05fe2834621735546","unresolved":false,"context_lines":[{"line_number":31,"context_line":"    check_str\u003dbase.RULE_ADMIN_OR_OWNER"},{"line_number":32,"context_line":")"},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"DEPRECATED_REASON \u003d \"\"\""},{"line_number":35,"context_line":"As of the Train release, the application credential API understands how to"},{"line_number":36,"context_line":"handle system-scoped tokens in addition to project tokens, making the API"},{"line_number":37,"context_line":"more accessible to users without compromising security or manageability for"}],"source_content_type":"text/x-python","patch_set":3,"id":"7faddb67_6a01dd69","line":34,"range":{"start_line":34,"start_character":20,"end_line":34,"end_character":23},"in_reply_to":"7faddb67_d191ba48","updated":"2019-07-19 17:20:54.000000000","message":"This looks fine to me.","commit_id":"49a5a5f2349cfc4f8572cff095ff9d76240be9ef"},{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"df5d0d902a34a54e5741f22e7aa8e644647a6f50","unresolved":false,"context_lines":[{"line_number":81,"context_line":"                     \u0027method\u0027: \u0027POST\u0027}]),"},{"line_number":82,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":83,"context_line":"        name\u003dbase.IDENTITY % \u0027delete_application_credential\u0027,"},{"line_number":84,"context_line":"        check_str\u003dbase.RULE_SYSTEM_ADMIN_OR_OWNER,"},{"line_number":85,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":86,"context_line":"        description\u003d\u0027Delete an application 
credential.\u0027,"},{"line_number":87,"context_line":"        operations\u003d[{\u0027path\u0027: resource_path,"}],"source_content_type":"text/x-python","patch_set":3,"id":"7faddb67_734ed938","line":84,"range":{"start_line":84,"start_character":23,"end_line":84,"end_character":49},"updated":"2019-07-18 07:05:24.000000000","message":"It might be easier implementing system-reader support before incorporating system admin?","commit_id":"49a5a5f2349cfc4f8572cff095ff9d76240be9ef"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"ef11d3ec8e62c3715ebd04f693dc5a640970026a","unresolved":false,"context_lines":[{"line_number":81,"context_line":"                     \u0027method\u0027: \u0027POST\u0027}]),"},{"line_number":82,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":83,"context_line":"        name\u003dbase.IDENTITY % \u0027delete_application_credential\u0027,"},{"line_number":84,"context_line":"        check_str\u003dbase.RULE_SYSTEM_ADMIN_OR_OWNER,"},{"line_number":85,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":86,"context_line":"        description\u003d\u0027Delete an application credential.\u0027,"},{"line_number":87,"context_line":"        operations\u003d[{\u0027path\u0027: resource_path,"}],"source_content_type":"text/x-python","patch_set":3,"id":"7faddb67_71a00691","line":84,"range":{"start_line":84,"start_character":23,"end_line":84,"end_character":49},"in_reply_to":"7faddb67_734ed938","updated":"2019-07-19 00:21:40.000000000","message":"not sure if I understand. 
Are you saying we should break this patch up into two?","commit_id":"49a5a5f2349cfc4f8572cff095ff9d76240be9ef"}],"keystone/common/policies/base.py":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"7297439a56cdc0aad19bb1938fa6941c486081ca","unresolved":false,"context_lines":[{"line_number":87,"context_line":"        check_str\u003d\u0027rule:system_admin or rule:owner\u0027),"},{"line_number":88,"context_line":"    policy.RuleDefault("},{"line_number":89,"context_line":"        name\u003d\u0027system_reader_or_owner\u0027,"},{"line_number":90,"context_line":"        check_str\u003d\u0027rule:system_reader or rule:owner\u0027),"},{"line_number":91,"context_line":"]"},{"line_number":92,"context_line":""},{"line_number":93,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_213100a4","line":90,"updated":"2019-07-16 22:38:52.000000000","message":"You shouldn\u0027t need to add these here, they are accessible from the module as base.SYSTEM_READER etc already and are just used by other policies, they don\u0027t need to be compiled into the full policies list. 
This is why the unit tests fail when these rules aren\u0027t added to the sample file.","commit_id":"b92060e9f93fb971d1b621836d1ff64d51080765"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"8d5928bdf7cb01d6f14df0acd8837a4a8984d73a","unresolved":false,"context_lines":[{"line_number":87,"context_line":"        check_str\u003d\u0027rule:system_admin or rule:owner\u0027),"},{"line_number":88,"context_line":"    policy.RuleDefault("},{"line_number":89,"context_line":"        name\u003d\u0027system_reader_or_owner\u0027,"},{"line_number":90,"context_line":"        check_str\u003d\u0027rule:system_reader or rule:owner\u0027),"},{"line_number":91,"context_line":"]"},{"line_number":92,"context_line":""},{"line_number":93,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_c1226cb9","line":90,"in_reply_to":"7faddb67_213100a4","updated":"2019-07-17 00:23:50.000000000","message":"Done","commit_id":"b92060e9f93fb971d1b621836d1ff64d51080765"},{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"df5d0d902a34a54e5741f22e7aa8e644647a6f50","unresolved":false,"context_lines":[{"line_number":31,"context_line":"    \u0027rule:service_admin_or_token_subject\u0027)  # nosec"},{"line_number":32,"context_line":"RULE_SERVICE_OR_ADMIN \u003d \u0027rule:service_or_admin\u0027"},{"line_number":33,"context_line":"RULE_TRUST_OWNER \u003d \u0027user_id:%(trust.trustor_user_id)s\u0027"},{"line_number":34,"context_line":"RULE_SYSTEM_ADMIN_OR_OWNER \u003d \u0027(role:admin and system_scope:all) or rule:owner\u0027"},{"line_number":35,"context_line":"RULE_SYSTEM_READER_OR_OWNER \u003d \u0027(role:reader and system_scope:all) or rule:owner\u0027"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"# We are explicitly setting system_scope:all in these check strings 
because"},{"line_number":38,"context_line":"# they provide backwards compatibility in the event a deployment sets"}],"source_content_type":"text/x-python","patch_set":3,"id":"7faddb67_b3e4510e","line":35,"range":{"start_line":34,"start_character":0,"end_line":35,"end_character":80},"updated":"2019-07-18 07:05:24.000000000","message":"The rules for SYSTEM_READER and SYSTEM_ADMIN are already defined in L49 and L50. Why not reuse those?","commit_id":"49a5a5f2349cfc4f8572cff095ff9d76240be9ef"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"29e41627bf7660c6134366a5ce614110b02b04ab","unresolved":false,"context_lines":[{"line_number":31,"context_line":"    \u0027rule:service_admin_or_token_subject\u0027)  # nosec"},{"line_number":32,"context_line":"RULE_SERVICE_OR_ADMIN \u003d \u0027rule:service_or_admin\u0027"},{"line_number":33,"context_line":"RULE_TRUST_OWNER \u003d \u0027user_id:%(trust.trustor_user_id)s\u0027"},{"line_number":34,"context_line":"RULE_SYSTEM_ADMIN_OR_OWNER \u003d \u0027(role:admin and system_scope:all) or rule:owner\u0027"},{"line_number":35,"context_line":"RULE_SYSTEM_READER_OR_OWNER \u003d \u0027(role:reader and system_scope:all) or rule:owner\u0027"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"# We are explicitly setting system_scope:all in these check strings because"},{"line_number":38,"context_line":"# they provide backwards compatibility in the event a deployment sets"}],"source_content_type":"text/x-python","patch_set":3,"id":"7faddb67_9f658820","line":35,"range":{"start_line":34,"start_character":0,"end_line":35,"end_character":80},"in_reply_to":"7faddb67_b3e4510e","updated":"2019-07-19 00:24:20.000000000","message":"Done","commit_id":"49a5a5f2349cfc4f8572cff095ff9d76240be9ef"},{"author":{"_account_id":8482,"name":"Colleen 
Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"e4370e839e35f524ba317855a08440f57e3ad52d","unresolved":false,"context_lines":[{"line_number":47,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":48,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":49,"context_line":"DOMAIN_READER \u003d \u0027role:reader and domain_id:%(target.domain_id)s\u0027"},{"line_number":50,"context_line":"RULE_SYSTEM_ADMIN_OR_OWNER \u003d \u0027(\u0027 + SYSTEM_ADMIN + \u0027) or rule:owner\u0027"},{"line_number":51,"context_line":"RULE_SYSTEM_READER_OR_OWNER \u003d \u0027(\u0027 + SYSTEM_READER + \u0027) or rule:owner\u0027"},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":6,"id":"7faddb67_b3514d65","line":50,"range":{"start_line":50,"start_character":56,"end_line":50,"end_character":66},"updated":"2019-07-24 21:35:47.000000000","message":"We seem to have a rule:owner and a RULE_OWNER which are different. I don\u0027t see rule:owner defined in keystone, should we really be using it? 
Or why not use RULE_OWNER here?","commit_id":"52da4d0e129048d1b808bdde07364cde698cf475"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"64055d1598c815befd6e1654c793f13fe4b2dfcc","unresolved":false,"context_lines":[{"line_number":47,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":48,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":49,"context_line":"DOMAIN_READER \u003d \u0027role:reader and domain_id:%(target.domain_id)s\u0027"},{"line_number":50,"context_line":"RULE_SYSTEM_ADMIN_OR_OWNER \u003d \u0027(\u0027 + SYSTEM_ADMIN + \u0027) or rule:owner\u0027"},{"line_number":51,"context_line":"RULE_SYSTEM_READER_OR_OWNER \u003d \u0027(\u0027 + SYSTEM_READER + \u0027) or rule:owner\u0027"},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":6,"id":"7faddb67_cef1be03","line":50,"range":{"start_line":50,"start_character":56,"end_line":50,"end_character":66},"in_reply_to":"7faddb67_4eb70e3c","updated":"2019-07-24 22:11:55.000000000","message":"Oh you\u0027re right it is. 
Changing this to RULE_OWNER would make it slightly less confusing but that\u0027s kind of a nitpick.","commit_id":"52da4d0e129048d1b808bdde07364cde698cf475"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"e58a63534df2a84a995c16cbc8fa3a9461558447","unresolved":false,"context_lines":[{"line_number":47,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":48,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":49,"context_line":"DOMAIN_READER \u003d \u0027role:reader and domain_id:%(target.domain_id)s\u0027"},{"line_number":50,"context_line":"RULE_SYSTEM_ADMIN_OR_OWNER \u003d \u0027(\u0027 + SYSTEM_ADMIN + \u0027) or rule:owner\u0027"},{"line_number":51,"context_line":"RULE_SYSTEM_READER_OR_OWNER \u003d \u0027(\u0027 + SYSTEM_READER + \u0027) or rule:owner\u0027"},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":6,"id":"7faddb67_4eb70e3c","line":50,"range":{"start_line":50,"start_character":56,"end_line":50,"end_character":66},"in_reply_to":"7faddb67_b3514d65","updated":"2019-07-24 22:04:49.000000000","message":"it is defined in line 64 as part of the default rules. 
But I can change \u0027rule:owner\u0027 to RULE_OWNER here if it makes it less confusing.","commit_id":"52da4d0e129048d1b808bdde07364cde698cf475"}],"keystone/tests/unit/core.py":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"d9e9f5e2f8051075a3e11a8e22be93f999065015","unresolved":false,"context_lines":[{"line_number":447,"context_line":"    else:"},{"line_number":448,"context_line":"        raise NotImplementedError(\u0027Unexpected value for \"expires\"\u0027)"},{"line_number":449,"context_line":""},{"line_number":450,"context_line":"    return ref"},{"line_number":451,"context_line":""},{"line_number":452,"context_line":""},{"line_number":453,"context_line":"def new_role_ref(**kwargs):"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_72dd7ade","line":450,"updated":"2019-07-17 22:00:12.000000000","message":"Could extract this from https://opendev.org/openstack/keystone/src/commit/815140f10aa1d7ea2cdf5d5c3132b5cb33afae44/keystone/tests/unit/application_credential/test_backends.py#L30 (just an idea, could be done later)","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"ef11d3ec8e62c3715ebd04f693dc5a640970026a","unresolved":false,"context_lines":[{"line_number":447,"context_line":"    else:"},{"line_number":448,"context_line":"        raise NotImplementedError(\u0027Unexpected value for \"expires\"\u0027)"},{"line_number":449,"context_line":""},{"line_number":450,"context_line":"    return ref"},{"line_number":451,"context_line":""},{"line_number":452,"context_line":""},{"line_number":453,"context_line":"def new_role_ref(**kwargs):"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_00662cc2","line":450,"in_reply_to":"7faddb67_72dd7ade","updated":"2019-07-19 00:21:40.000000000","message":"Maybe I\u0027ll use that for the 
backend port. This is more for the API frontend though.","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"}],"keystone/tests/unit/protection/v3/test_application_credential.py":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"1fe52b0d28058ae3b4b6ea7da8a785f8f38a962b","unresolved":false,"context_lines":[{"line_number":81,"context_line":""},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"class _NonSystemUserTests(object):"},{"line_number":84,"context_line":"    \"\"\"Non-system users should not be able to perform app cred operations.\"\"\""},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"    def test_user_cannot_list_application_credentials(self):"},{"line_number":87,"context_line":"        # create a couple of application credentials"}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_f9de46d8","line":84,"range":{"start_line":84,"start_character":4,"end_line":84,"end_character":77},"updated":"2019-07-16 19:20:36.000000000","message":"no - we definitely want non-system users to be able to perform app cred operations. 
Currently app creds are per-project and consequently only project users can create them.","commit_id":"b92060e9f93fb971d1b621836d1ff64d51080765"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"7297439a56cdc0aad19bb1938fa6941c486081ca","unresolved":false,"context_lines":[{"line_number":81,"context_line":""},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"class _NonSystemUserTests(object):"},{"line_number":84,"context_line":"    \"\"\"Non-system users should not be able to perform app cred operations.\"\"\""},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"    def test_user_cannot_list_application_credentials(self):"},{"line_number":87,"context_line":"        # create a couple of application credentials"}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_e1dbe84b","line":84,"range":{"start_line":84,"start_character":4,"end_line":84,"end_character":77},"in_reply_to":"7faddb67_3ebe01b4","updated":"2019-07-16 22:38:52.000000000","message":"Oh got it, yes this comment should be reworded to explain that domain and project users should not be able to perform app cred operations for app creds owned by other users.","commit_id":"b92060e9f93fb971d1b621836d1ff64d51080765"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"cf3ecc944928c8284b299becc7961377268c29d7","unresolved":false,"context_lines":[{"line_number":81,"context_line":""},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"class _NonSystemUserTests(object):"},{"line_number":84,"context_line":"    \"\"\"Non-system users should not be able to perform app cred operations.\"\"\""},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"    def test_user_cannot_list_application_credentials(self):"},{"line_number":87,"context_line":"        # create a couple of application 
credentials"}],"source_content_type":"text/x-python","patch_set":2,"id":"7faddb67_3ebe01b4","line":84,"range":{"start_line":84,"start_character":4,"end_line":84,"end_character":77},"in_reply_to":"7faddb67_f9de46d8","updated":"2019-07-16 21:27:08.000000000","message":"Only the owner, with a project-scoped token, can create application credentials. Non-system users cannot manage application credentials other than their own. Should I word this differently?","commit_id":"b92060e9f93fb971d1b621836d1ff64d51080765"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"d9e9f5e2f8051075a3e11a8e22be93f999065015","unresolved":false,"context_lines":[{"line_number":28,"context_line":"PROVIDERS \u003d provider_api.ProviderAPIs"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"class _TestCaseWithBootstrapAppCred(base_classes.TestCaseWithBootstrap):"},{"line_number":32,"context_line":"    \"\"\"Bootstrap with an application credential for testing.\"\"\""},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"    def setUp(self):"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_b5cafc9d","line":31,"range":{"start_line":31,"start_character":6,"end_line":31,"end_character":35},"updated":"2019-07-17 22:00:12.000000000","message":"Maybe just _TestAppCredBase? 
The bootstrap part isn\u0027t an important part of this class, just of its parent.","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"ef11d3ec8e62c3715ebd04f693dc5a640970026a","unresolved":false,"context_lines":[{"line_number":28,"context_line":"PROVIDERS \u003d provider_api.ProviderAPIs"},{"line_number":29,"context_line":""},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"class _TestCaseWithBootstrapAppCred(base_classes.TestCaseWithBootstrap):"},{"line_number":32,"context_line":"    \"\"\"Bootstrap with an application credential for testing.\"\"\""},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"    def setUp(self):"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_4c10cc4e","line":31,"range":{"start_line":31,"start_character":6,"end_line":31,"end_character":35},"in_reply_to":"7faddb67_b5cafc9d","updated":"2019-07-19 00:21:40.000000000","message":"Done","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"d9e9f5e2f8051075a3e11a8e22be93f999065015","unresolved":false,"context_lines":[{"line_number":34,"context_line":"    def setUp(self):"},{"line_number":35,"context_line":"        super(_TestCaseWithBootstrapAppCred, self).setUp()"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"        # bootstrap a user with app credential"},{"line_number":38,"context_line":"        new_user_ref \u003d unit.new_user_ref("},{"line_number":39,"context_line":"            domain_id\u003dCONF.identity.default_domain_id"},{"line_number":40,"context_line":"        
)"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_9201163b","line":37,"range":{"start_line":37,"start_character":10,"end_line":37,"end_character":19},"updated":"2019-07-17 22:00:12.000000000","message":"Confusing choice of word here, as the TestCaseWithBootstrap class is all about using `keystone-manage bootstrap` to create the initial admin user, which is different from what the create_user call is doing here.","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"ef11d3ec8e62c3715ebd04f693dc5a640970026a","unresolved":false,"context_lines":[{"line_number":34,"context_line":"    def setUp(self):"},{"line_number":35,"context_line":"        super(_TestCaseWithBootstrapAppCred, self).setUp()"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"        # bootstrap a user with app credential"},{"line_number":38,"context_line":"        new_user_ref \u003d unit.new_user_ref("},{"line_number":39,"context_line":"            domain_id\u003dCONF.identity.default_domain_id"},{"line_number":40,"context_line":"        )"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_2c431044","line":37,"range":{"start_line":37,"start_character":10,"end_line":37,"end_character":19},"in_reply_to":"7faddb67_9201163b","updated":"2019-07-19 00:21:40.000000000","message":"Done","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"d9e9f5e2f8051075a3e11a8e22be93f999065015","unresolved":false,"context_lines":[{"line_number":51,"context_line":"        PROVIDERS.assignment_api.create_grant("},{"line_number":52,"context_line":"            self.bootstrapper.member_role_id,"},{"line_number":53,"context_line":"            user_id\u003dself.app_cred_user_id,"},{"line_number":54,"context_line":"         
   project_id\u003dapp_cred_project_ref[\u0027id\u0027]"},{"line_number":55,"context_line":"        )"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"    def _auth_app_cred_user(self):"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_129be617","line":54,"range":{"start_line":54,"start_character":23,"end_line":54,"end_character":49},"updated":"2019-07-17 22:00:12.000000000","message":"Could use self.app_cred_project_id here for consistency with the line above","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"ef11d3ec8e62c3715ebd04f693dc5a640970026a","unresolved":false,"context_lines":[{"line_number":51,"context_line":"        PROVIDERS.assignment_api.create_grant("},{"line_number":52,"context_line":"            self.bootstrapper.member_role_id,"},{"line_number":53,"context_line":"            user_id\u003dself.app_cred_user_id,"},{"line_number":54,"context_line":"            project_id\u003dapp_cred_project_ref[\u0027id\u0027]"},{"line_number":55,"context_line":"        )"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"    def _auth_app_cred_user(self):"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_ec48985c","line":54,"range":{"start_line":54,"start_character":23,"end_line":54,"end_character":49},"in_reply_to":"7faddb67_129be617","updated":"2019-07-19 00:21:40.000000000","message":"Done","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"d9e9f5e2f8051075a3e11a8e22be93f999065015","unresolved":false,"context_lines":[{"line_number":55,"context_line":"        )"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"    def _auth_app_cred_user(self):"},{"line_number":58,"context_line":"        # auth as app 
credential test user and create an app credential"},{"line_number":59,"context_line":"        auth \u003d self.build_authentication_request("},{"line_number":60,"context_line":"            user_id\u003dself.app_cred_user_id,"},{"line_number":61,"context_line":"            password\u003dself.app_cred_user_password,"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_f2c08ae3","line":58,"range":{"start_line":58,"start_character":43,"end_line":58,"end_character":71},"updated":"2019-07-17 22:00:12.000000000","message":"That\u0027s not what this method is doing","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"ef11d3ec8e62c3715ebd04f693dc5a640970026a","unresolved":false,"context_lines":[{"line_number":55,"context_line":"        )"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"    def _auth_app_cred_user(self):"},{"line_number":58,"context_line":"        # auth as app credential test user and create an app credential"},{"line_number":59,"context_line":"        auth \u003d self.build_authentication_request("},{"line_number":60,"context_line":"            user_id\u003dself.app_cred_user_id,"},{"line_number":61,"context_line":"            password\u003dself.app_cred_user_password,"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_8c71e4aa","line":58,"range":{"start_line":58,"start_character":43,"end_line":58,"end_character":71},"in_reply_to":"7faddb67_f2c08ae3","updated":"2019-07-19 00:21:40.000000000","message":"I\u0027ll remove it. 
We can just use the PROVIDERS to create the app cred for testing.","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"d9e9f5e2f8051075a3e11a8e22be93f999065015","unresolved":false,"context_lines":[{"line_number":76,"context_line":"                json\u003dapp_cred_body,"},{"line_number":77,"context_line":"                expected_status_code\u003dhttp_client.CREATED,"},{"line_number":78,"context_line":"                headers\u003d{\u0027X-Auth-Token\u0027: self._auth_app_cred_user()})"},{"line_number":79,"context_line":"            return r.json[\u0027application_credential\u0027]"},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"    def _override_policy(self):"},{"line_number":82,"context_line":"        # TODO(gyee): Remove this once the deprecated policies in"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_b26bf2ee","line":79,"updated":"2019-07-17 22:00:12.000000000","message":"You could just use PROVIDERS.application_credential_api.create_application_credential(unit.new_application_credential_ref()) to create the app cred, if you\u0027re not actually testing the user\u0027s ability to create it.","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"ef11d3ec8e62c3715ebd04f693dc5a640970026a","unresolved":false,"context_lines":[{"line_number":76,"context_line":"                json\u003dapp_cred_body,"},{"line_number":77,"context_line":"                expected_status_code\u003dhttp_client.CREATED,"},{"line_number":78,"context_line":"                headers\u003d{\u0027X-Auth-Token\u0027: self._auth_app_cred_user()})"},{"line_number":79,"context_line":"            return 
r.json[\u0027application_credential\u0027]"},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"    def _override_policy(self):"},{"line_number":82,"context_line":"        # TODO(gyee): Remove this once the deprecated policies in"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_0c8bb467","line":79,"in_reply_to":"7faddb67_b26bf2ee","updated":"2019-07-19 00:21:40.000000000","message":"Done","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"d9e9f5e2f8051075a3e11a8e22be93f999065015","unresolved":false,"context_lines":[{"line_number":162,"context_line":"                    app_cred[\u0027id\u0027]),"},{"line_number":163,"context_line":"                expected_status_code\u003dhttp_client.FORBIDDEN,"},{"line_number":164,"context_line":"                headers\u003dself.headers)"},{"line_number":165,"context_line":""},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"class _SystemUserTests(object):"},{"line_number":168,"context_line":"    \"\"\"Common default functionality for all system users.\"\"\""}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_d2478e76","line":165,"updated":"2019-07-17 22:00:12.000000000","message":"I suggest to also have a test that ensures trying to look up a nonexistent app cred for another user results in a FORBIDDEN (as opposed to a NOT FOUND), e.g. 
https://opendev.org/openstack/keystone/src/commit/815140f10aa1d7ea2cdf5d5c3132b5cb33afae44/keystone/tests/unit/protection/v3/test_credentials.py#L198-L203","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"ba13cdfbff5a12828062dcdb2a999827b5e5a7b3","unresolved":false,"context_lines":[{"line_number":162,"context_line":"                    app_cred[\u0027id\u0027]),"},{"line_number":163,"context_line":"                expected_status_code\u003dhttp_client.FORBIDDEN,"},{"line_number":164,"context_line":"                headers\u003dself.headers)"},{"line_number":165,"context_line":""},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"class _SystemUserTests(object):"},{"line_number":168,"context_line":"    \"\"\"Common default functionality for all system users.\"\"\""}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_9051e738","line":165,"in_reply_to":"7faddb67_4a0c2193","updated":"2019-07-20 00:52:49.000000000","message":"Done","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"10f968cc3006b4c05930faa05fe2834621735546","unresolved":false,"context_lines":[{"line_number":162,"context_line":"                    app_cred[\u0027id\u0027]),"},{"line_number":163,"context_line":"                expected_status_code\u003dhttp_client.FORBIDDEN,"},{"line_number":164,"context_line":"                headers\u003dself.headers)"},{"line_number":165,"context_line":""},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"class _SystemUserTests(object):"},{"line_number":168,"context_line":"    \"\"\"Common default functionality for all system 
users.\"\"\""}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_4a0c2193","line":165,"in_reply_to":"7faddb67_6c5828f9","updated":"2019-07-19 17:20:54.000000000","message":"Without accounting for policy, it would return a 404. The test should assure us that the default policy prevents users from getting information about the existence of an app cred.","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"ef11d3ec8e62c3715ebd04f693dc5a640970026a","unresolved":false,"context_lines":[{"line_number":162,"context_line":"                    app_cred[\u0027id\u0027]),"},{"line_number":163,"context_line":"                expected_status_code\u003dhttp_client.FORBIDDEN,"},{"line_number":164,"context_line":"                headers\u003dself.headers)"},{"line_number":165,"context_line":""},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"class _SystemUserTests(object):"},{"line_number":168,"context_line":"    \"\"\"Common default functionality for all system users.\"\"\""}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_6c5828f9","line":165,"in_reply_to":"7faddb67_d2478e76","updated":"2019-07-19 00:21:40.000000000","message":"Is it how it is implemented, that the API will return a 403 if app cred doesn\u0027t exist?","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"d9e9f5e2f8051075a3e11a8e22be93f999065015","unresolved":false,"context_lines":[{"line_number":342,"context_line":""},{"line_number":343,"context_line":""},{"line_number":344,"context_line":"# NOTE(gyee): we are reusing the test cases from _SystemUserTests as the"},{"line_number":345,"context_line":"# authorization for owner and system user are almost identical."},{"line_number":346,"context_line":"class 
OwnerTests(_TestCaseWithBootstrapAppCred,"},{"line_number":347,"context_line":"                 common_auth.AuthTestMixin,"},{"line_number":348,"context_line":"                 _SystemUserTests):"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_b57c3c72","line":345,"updated":"2019-07-17 22:00:12.000000000","message":"I find this confusing, let\u0027s rename _SystemUserTests to  something else if it\u0027s not specific to system users","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"10f968cc3006b4c05930faa05fe2834621735546","unresolved":false,"context_lines":[{"line_number":342,"context_line":""},{"line_number":343,"context_line":""},{"line_number":344,"context_line":"# NOTE(gyee): we are reusing the test cases from _SystemUserTests as the"},{"line_number":345,"context_line":"# authorization for owner and system user are almost identical."},{"line_number":346,"context_line":"class OwnerTests(_TestCaseWithBootstrapAppCred,"},{"line_number":347,"context_line":"                 common_auth.AuthTestMixin,"},{"line_number":348,"context_line":"                 _SystemUserTests):"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_0a2aa9d9","line":345,"in_reply_to":"7faddb67_4c1f6c07","updated":"2019-07-19 17:20:54.000000000","message":"wfm","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"ef11d3ec8e62c3715ebd04f693dc5a640970026a","unresolved":false,"context_lines":[{"line_number":342,"context_line":""},{"line_number":343,"context_line":""},{"line_number":344,"context_line":"# NOTE(gyee): we are reusing the test cases from _SystemUserTests as the"},{"line_number":345,"context_line":"# authorization for owner and system user are almost 
identical."},{"line_number":346,"context_line":"class OwnerTests(_TestCaseWithBootstrapAppCred,"},{"line_number":347,"context_line":"                 common_auth.AuthTestMixin,"},{"line_number":348,"context_line":"                 _SystemUserTests):"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_4c1f6c07","line":345,"in_reply_to":"7faddb67_b57c3c72","updated":"2019-07-19 00:21:40.000000000","message":"How about _SystemUserAndOwnerTests?","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"d9e9f5e2f8051075a3e11a8e22be93f999065015","unresolved":false,"context_lines":[{"line_number":343,"context_line":""},{"line_number":344,"context_line":"# NOTE(gyee): we are reusing the test cases from _SystemUserTests as the"},{"line_number":345,"context_line":"# authorization for owner and system user are almost identical."},{"line_number":346,"context_line":"class OwnerTests(_TestCaseWithBootstrapAppCred,"},{"line_number":347,"context_line":"                 common_auth.AuthTestMixin,"},{"line_number":348,"context_line":"                 _SystemUserTests):"},{"line_number":349,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_922276b8","line":346,"range":{"start_line":346,"start_character":6,"end_line":346,"end_character":16},"updated":"2019-07-17 22:00:12.000000000","message":"This seems to be missing a test for being able to create one\u0027s own app cred?\n\nI think you may as well incorporate this into the Project*Tests or create a _ProjectUserTests class. 
Add tests there to show that users can create app creds for themselves but not for others.","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"ef11d3ec8e62c3715ebd04f693dc5a640970026a","unresolved":false,"context_lines":[{"line_number":343,"context_line":""},{"line_number":344,"context_line":"# NOTE(gyee): we are reusing the test cases from _SystemUserTests as the"},{"line_number":345,"context_line":"# authorization for owner and system user are almost identical."},{"line_number":346,"context_line":"class OwnerTests(_TestCaseWithBootstrapAppCred,"},{"line_number":347,"context_line":"                 common_auth.AuthTestMixin,"},{"line_number":348,"context_line":"                 _SystemUserTests):"},{"line_number":349,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_8cdec43b","line":346,"range":{"start_line":346,"start_character":6,"end_line":346,"end_character":16},"in_reply_to":"7faddb67_922276b8","updated":"2019-07-19 00:21:40.000000000","message":"We already have test_user_cannot_create_app_credential_for_another_user(). 
I\u0027ll add a test for user creating the app cred for themselves.","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"d9e9f5e2f8051075a3e11a8e22be93f999065015","unresolved":false,"context_lines":[{"line_number":372,"context_line":"        self._test_delete_application_credential()"},{"line_number":373,"context_line":""},{"line_number":374,"context_line":""},{"line_number":375,"context_line":"class DomainAdminTests(_TestCaseWithBootstrapAppCred,"},{"line_number":376,"context_line":"                       common_auth.AuthTestMixin,"},{"line_number":377,"context_line":"                       _DomainAndProjectUserTests):"},{"line_number":378,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_f21c0a79","line":375,"range":{"start_line":375,"start_character":6,"end_line":375,"end_character":22},"updated":"2019-07-17 22:00:12.000000000","message":"Missing domain member and domain reader tests","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"ef11d3ec8e62c3715ebd04f693dc5a640970026a","unresolved":false,"context_lines":[{"line_number":372,"context_line":"        self._test_delete_application_credential()"},{"line_number":373,"context_line":""},{"line_number":374,"context_line":""},{"line_number":375,"context_line":"class DomainAdminTests(_TestCaseWithBootstrapAppCred,"},{"line_number":376,"context_line":"                       common_auth.AuthTestMixin,"},{"line_number":377,"context_line":"                       
_DomainAndProjectUserTests):"},{"line_number":378,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_9f16e8a7","line":375,"range":{"start_line":375,"start_character":6,"end_line":375,"end_character":22},"in_reply_to":"7faddb67_f21c0a79","updated":"2019-07-19 00:21:40.000000000","message":"Done","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"d9e9f5e2f8051075a3e11a8e22be93f999065015","unresolved":false,"context_lines":[{"line_number":412,"context_line":"            self.headers \u003d {\u0027X-Auth-Token\u0027: self.token_id}"},{"line_number":413,"context_line":""},{"line_number":414,"context_line":""},{"line_number":415,"context_line":"class ProjectAdminTests(_TestCaseWithBootstrapAppCred,"},{"line_number":416,"context_line":"                        common_auth.AuthTestMixin,"},{"line_number":417,"context_line":"                        _DomainAndProjectUserTests):"},{"line_number":418,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_1220c6ab","line":415,"range":{"start_line":415,"start_character":6,"end_line":415,"end_character":23},"updated":"2019-07-17 22:00:12.000000000","message":"Missing project member and project reader tests","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"ef11d3ec8e62c3715ebd04f693dc5a640970026a","unresolved":false,"context_lines":[{"line_number":412,"context_line":"            self.headers \u003d {\u0027X-Auth-Token\u0027: self.token_id}"},{"line_number":413,"context_line":""},{"line_number":414,"context_line":""},{"line_number":415,"context_line":"class ProjectAdminTests(_TestCaseWithBootstrapAppCred,"},{"line_number":416,"context_line":"                        
common_auth.AuthTestMixin,"},{"line_number":417,"context_line":"                        _DomainAndProjectUserTests):"},{"line_number":418,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_1f6f582b","line":415,"range":{"start_line":415,"start_character":6,"end_line":415,"end_character":23},"in_reply_to":"7faddb67_1220c6ab","updated":"2019-07-19 00:21:40.000000000","message":"Done","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"0b4fc32593d3c25ade50d6979e0dbde08e1627eb","unresolved":false,"context_lines":[{"line_number":116,"context_line":"    \"\"\"Domain and project user tests."},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"    Domain and project users should not be able to manage application"},{"line_number":119,"context_line":"    credentials other then their own."},{"line_number":120,"context_line":"    \"\"\""},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"    def test_user_cannot_list_application_credentials(self):"}],"source_content_type":"text/x-python","patch_set":6,"id":"7faddb67_987222ad","line":119,"range":{"start_line":119,"start_character":22,"end_line":119,"end_character":26},"updated":"2019-07-25 15:16:39.000000000","message":"than*","commit_id":"52da4d0e129048d1b808bdde07364cde698cf475"}],"releasenotes/notes/bug-1818725-96d698e22e648764.yaml":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"d9e9f5e2f8051075a3e11a8e22be93f999065015","unresolved":false,"context_lines":[{"line_number":24,"context_line":"    ``rule:admin_required or user_id:%(user_id)s``. 
The"},{"line_number":25,"context_line":"    ``identity:delete_application_credential`` policy now use"},{"line_number":26,"context_line":"    ``(role:admin and system_scope:all) or user_id:%(user_id)s`` instead of"},{"line_number":27,"context_line":"    ``rule:admin_required or user_id:%(user_id)s``. "},{"line_number":28,"context_line":"    These new defaults automatically account for system-scope and support"},{"line_number":29,"context_line":"    a read-only role, making it easier for system administrators to delegate"},{"line_number":30,"context_line":"    subsets of responsibility without compromising security. Please consider"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"7faddb67_75c804a5","line":27,"range":{"start_line":27,"start_character":51,"end_line":27,"end_character":52},"updated":"2019-07-17 22:00:12.000000000","message":"whitespace","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"ef11d3ec8e62c3715ebd04f693dc5a640970026a","unresolved":false,"context_lines":[{"line_number":24,"context_line":"    ``rule:admin_required or user_id:%(user_id)s``. The"},{"line_number":25,"context_line":"    ``identity:delete_application_credential`` policy now use"},{"line_number":26,"context_line":"    ``(role:admin and system_scope:all) or user_id:%(user_id)s`` instead of"},{"line_number":27,"context_line":"    ``rule:admin_required or user_id:%(user_id)s``. "},{"line_number":28,"context_line":"    These new defaults automatically account for system-scope and support"},{"line_number":29,"context_line":"    a read-only role, making it easier for system administrators to delegate"},{"line_number":30,"context_line":"    subsets of responsibility without compromising security. 
Please consider"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"7faddb67_e0be70d3","line":27,"range":{"start_line":27,"start_character":51,"end_line":27,"end_character":52},"in_reply_to":"7faddb67_75c804a5","updated":"2019-07-19 00:21:40.000000000","message":"Done","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"d9e9f5e2f8051075a3e11a8e22be93f999065015","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"7faddb67_d5cd38b7","line":38,"updated":"2019-07-17 22:00:12.000000000","message":"Also bug 1750615","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"ef11d3ec8e62c3715ebd04f693dc5a640970026a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"7faddb67_00c2ac59","line":38,"in_reply_to":"7faddb67_d5cd38b7","updated":"2019-07-19 00:21:40.000000000","message":"Done","commit_id":"ca73912fb93d30eae8b4bde4a21b33e0fca52fc1"}]}
