)]}'
{"keystone/api/trusts.py":[{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"3dd706230f187f1264afe16d486bcd77e84dfaf4","unresolved":false,"context_lines":[{"line_number":48,"context_line":""},{"line_number":49,"context_line":"def _build_trust_target_enforcement():"},{"line_number":50,"context_line":"    target \u003d {}"},{"line_number":51,"context_line":"    # NOTE(cmurphy) unlike other APIs, in the event the trust doesn\u0027t exist or"},{"line_number":52,"context_line":"    # has 0 remaining uses, we actually do expect it to return a 404 and not a"},{"line_number":53,"context_line":"    # 403, so don\u0027t catch NotFound here (lp#1840288)"},{"line_number":54,"context_line":"    target[\u0027trust\u0027] \u003d PROVIDERS.trust_api.get_trust("},{"line_number":55,"context_line":"        flask.request.view_args.get(\u0027trust_id\u0027)"},{"line_number":56,"context_line":"    )"}],"source_content_type":"text/x-python","patch_set":7,"id":"7faddb67_39913e53","line":53,"range":{"start_line":51,"start_character":0,"end_line":53,"end_character":52},"updated":"2019-08-19 15:01:13.000000000","message":"Thanks for the note. This makes me a bit sad, but it\u0027s the right choice \u003d/.","commit_id":"a09163a3202c32f05cf636559a95fe45c6ea272b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"57c44c66728f516d12511ef61e22f4148e8ad6f9","unresolved":false,"context_lines":[{"line_number":298,"context_line":"            )"},{"line_number":299,"context_line":"            trust \u003d PROVIDERS.trust_api.get_trust(trust_id)"},{"line_number":300,"context_line":"            if (self.oslo_context.user_id !\u003d trust.get(\u0027trustor_user_id\u0027) and"},{"line_number":301,"context_line":"                    not self.oslo_context.is_admin):"},{"line_number":302,"context_line":"                action \u003d _(\u0027Only admin or trustor can delete a trust\u0027)"},{"line_number":303,"context_line":"                raise exception.ForbiddenAction(action\u003daction)"},{"line_number":304,"context_line":"        PROVIDERS.trust_api.delete_trust(trust_id,"}],"source_content_type":"text/x-python","patch_set":7,"id":"5faad753_fcb7ba39","line":301,"range":{"start_line":301,"start_character":24,"end_line":301,"end_character":50},"updated":"2019-09-06 20:56:18.000000000","message":"Is is_admin here effectively a system-administrator?","commit_id":"a09163a3202c32f05cf636559a95fe45c6ea272b"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"38da1911e78dbbeaf8a4d5919f2ff2a34ed6e761","unresolved":false,"context_lines":[{"line_number":298,"context_line":"            )"},{"line_number":299,"context_line":"            trust \u003d PROVIDERS.trust_api.get_trust(trust_id)"},{"line_number":300,"context_line":"            if (self.oslo_context.user_id !\u003d trust.get(\u0027trustor_user_id\u0027) and"},{"line_number":301,"context_line":"                    not self.oslo_context.is_admin):"},{"line_number":302,"context_line":"                action \u003d _(\u0027Only admin or trustor can delete a trust\u0027)"},{"line_number":303,"context_line":"                raise exception.ForbiddenAction(action\u003daction)"},{"line_number":304,"context_line":"        PROVIDERS.trust_api.delete_trust(trust_id,"}],"source_content_type":"text/x-python","patch_set":7,"id":"5faad753_3cdc7273","line":301,"range":{"start_line":301,"start_character":24,"end_line":301,"end_character":50},"in_reply_to":"5faad753_fcb7ba39","updated":"2019-09-06 20:59:38.000000000","message":"No, it is not. is_admin is the god-mode admin that you would get if you used the admin token set in keystone.conf. It has no scope, and very importantly, all policies are ignored for it.","commit_id":"a09163a3202c32f05cf636559a95fe45c6ea272b"}],"keystone/common/policies/trust.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"12443c9d68c34db88b6ce3fc9d2970072112eb80","unresolved":false,"context_lines":[{"line_number":75,"context_line":"                     \u0027method\u0027: \u0027HEAD\u0027}]),"},{"line_number":76,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":77,"context_line":"        name\u003dbase.IDENTITY % \u0027delete_trust\u0027,"},{"line_number":78,"context_line":"        check_str\u003dRULE_TRUSTOR,"},{"line_number":79,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":80,"context_line":"        description\u003d\u0027Revoke trust.\u0027,"},{"line_number":81,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/v3/OS-TRUST/trusts/{trust_id}\u0027,"}],"source_content_type":"text/x-python","patch_set":7,"id":"5faad753_1c6096ce","line":78,"range":{"start_line":78,"start_character":18,"end_line":78,"end_character":30},"updated":"2019-09-06 20:54:03.000000000","message":"So system-admins can no longer cleanup trusts?","commit_id":"a09163a3202c32f05cf636559a95fe45c6ea272b"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"23bef553856364050abbb06bf8191908a9b274ef","unresolved":false,"context_lines":[{"line_number":75,"context_line":"                     \u0027method\u0027: \u0027HEAD\u0027}]),"},{"line_number":76,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":77,"context_line":"        name\u003dbase.IDENTITY % \u0027delete_trust\u0027,"},{"line_number":78,"context_line":"        check_str\u003dRULE_TRUSTOR,"},{"line_number":79,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":80,"context_line":"        description\u003d\u0027Revoke trust.\u0027,"},{"line_number":81,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/v3/OS-TRUST/trusts/{trust_id}\u0027,"}],"source_content_type":"text/x-python","patch_set":7,"id":"5faad753_5c94ce8b","line":78,"range":{"start_line":78,"start_character":18,"end_line":78,"end_character":30},"in_reply_to":"5faad753_1c6096ce","updated":"2019-09-06 20:57:57.000000000","message":"They couldn\u0027t before. This change is only about maintaining 100% backwards compatibility with the extremely odd behavior that was being enforced in the controller code and not in policy. The change to allow system admins to clean up trusts is introduced in https://review.opendev.org/677004","commit_id":"a09163a3202c32f05cf636559a95fe45c6ea272b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"574cd17a608e0176ff7a7ad0af60bb55f4a9db38","unresolved":false,"context_lines":[{"line_number":75,"context_line":"                     \u0027method\u0027: \u0027HEAD\u0027}]),"},{"line_number":76,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":77,"context_line":"        name\u003dbase.IDENTITY % \u0027delete_trust\u0027,"},{"line_number":78,"context_line":"        check_str\u003dRULE_TRUSTOR,"},{"line_number":79,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":80,"context_line":"        description\u003d\u0027Revoke trust.\u0027,"},{"line_number":81,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/v3/OS-TRUST/trusts/{trust_id}\u0027,"}],"source_content_type":"text/x-python","patch_set":7,"id":"5faad753_3c7d521c","line":78,"range":{"start_line":78,"start_character":18,"end_line":78,"end_character":30},"in_reply_to":"5faad753_5c94ce8b","updated":"2019-09-06 21:19:21.000000000","message":"++ thanks for the clarification","commit_id":"a09163a3202c32f05cf636559a95fe45c6ea272b"}]}