)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"061c3c5b7e592116819855c8fd43b0c9d3dbb646","unresolved":false,"context_lines":[{"line_number":20,"context_line":"aren\u0027t loaded for the is_admin user we need to continue explicitly"},{"line_number":21,"context_line":"blocking it."},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"This change does not use the formal oslo.policy deprecation system"},{"line_number":24,"context_line":"because \"\" OR\u0027d with the new default is entirely useless as a policy."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"Change-Id: Ib5a6a87313aa7b2a73211f512b8a8c675a21b52f"},{"line_number":27,"context_line":"Partial-bug: #1818850"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":5,"id":"7faddb67_1b46fac1","line":24,"range":{"start_line":23,"start_character":0,"end_line":24,"end_character":69},"updated":"2019-08-29 16:19:47.000000000","message":"nice :-)","commit_id":"09e699baba89b94a020682ab7d916d67360f4481"}],"keystone/api/trusts.py":[{"author":{"_account_id":2903,"name":"Morgan Fainberg","email":"morgan.fainberg@gmail.com","username":"mdrnstm"},"change_message_id":"5914cdb4d10e4a9b1650d4b8ef7fcc0832ef9a9a","unresolved":false,"context_lines":[{"line_number":402,"context_line":"        ENFORCER.enforce_call(action\u003d\u0027identity:get_role_for_trust\u0027,"},{"line_number":403,"context_line":"                              build_target\u003d_build_trust_target_enforcement)"},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"        if self.oslo_context.is_admin:"},{"line_number":406,"context_line":"            # policies are not loaded for the is_admin context, so need to"},{"line_number":407,"context_line":"            # block access here"},{"line_number":408,"context_line":"            raise exception.ForbiddenAction("},{"line_number":409,"context_line":"                action\u003d_(\u0027Requested user has no relation to this trust\u0027))"},{"line_number":410,"context_line":""},{"line_number":411,"context_line":"        trust \u003d PROVIDERS.trust_api.get_trust(trust_id)"},{"line_number":412,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"7faddb67_991392b8","line":409,"range":{"start_line":405,"start_character":0,"end_line":409,"end_character":73},"updated":"2019-08-19 15:06:08.000000000","message":"Shouldn\u0027t is_admin work like the old \"admin\" context? I\u0027m not sure why an admin is forbidden here.\n\nAdmin is like system scope. are we changing behavior here?","commit_id":"09e699baba89b94a020682ab7d916d67360f4481"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"42503a233e6e6d7c1cee89e977e8bd4f1adc9648","unresolved":false,"context_lines":[{"line_number":402,"context_line":"        ENFORCER.enforce_call(action\u003d\u0027identity:get_role_for_trust\u0027,"},{"line_number":403,"context_line":"                              build_target\u003d_build_trust_target_enforcement)"},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"        if self.oslo_context.is_admin:"},{"line_number":406,"context_line":"            # policies are not loaded for the is_admin context, so need to"},{"line_number":407,"context_line":"            # block access here"},{"line_number":408,"context_line":"            raise exception.ForbiddenAction("},{"line_number":409,"context_line":"                action\u003d_(\u0027Requested user has no relation to this trust\u0027))"},{"line_number":410,"context_line":""},{"line_number":411,"context_line":"        trust \u003d PROVIDERS.trust_api.get_trust(trust_id)"},{"line_number":412,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"5faad753_7c98aa69","line":409,"range":{"start_line":405,"start_character":0,"end_line":409,"end_character":73},"in_reply_to":"5faad753_dc3bde99","updated":"2019-09-06 21:20:06.000000000","message":"I had a similar question in a previous patch. Colleen cleared it up.","commit_id":"09e699baba89b94a020682ab7d916d67360f4481"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"8b2f639f3adae88232437385d8a0567af7befec8","unresolved":false,"context_lines":[{"line_number":402,"context_line":"        ENFORCER.enforce_call(action\u003d\u0027identity:get_role_for_trust\u0027,"},{"line_number":403,"context_line":"                              build_target\u003d_build_trust_target_enforcement)"},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"        if self.oslo_context.is_admin:"},{"line_number":406,"context_line":"            # policies are not loaded for the is_admin context, so need to"},{"line_number":407,"context_line":"            # block access here"},{"line_number":408,"context_line":"            raise exception.ForbiddenAction("},{"line_number":409,"context_line":"                action\u003d_(\u0027Requested user has no relation to this trust\u0027))"},{"line_number":410,"context_line":""},{"line_number":411,"context_line":"        trust \u003d PROVIDERS.trust_api.get_trust(trust_id)"},{"line_number":412,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"7faddb67_f8b4f983","line":409,"range":{"start_line":405,"start_character":0,"end_line":409,"end_character":73},"in_reply_to":"7faddb67_991392b8","updated":"2019-08-19 20:38:20.000000000","message":"Talked about it in IRC but to follow up here - the _trustor_trustee_only function implicitly excludes the is_admin admin. By moving the logic into policies, we lose that exclusion because the policies aren\u0027t loaded for is_admin. So this makes the exclusion explicit.\n\nIn a later patch in the stack, we change the behavior by allowing the system admin to access these APIs. Since we\u0027re already doing that, maybe we should drop this here too - it seems pretty silly to exclude the admin from this resource.","commit_id":"09e699baba89b94a020682ab7d916d67360f4481"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"5c4338eb142f33df960a9d5f8326a63a36d43c76","unresolved":false,"context_lines":[{"line_number":402,"context_line":"        ENFORCER.enforce_call(action\u003d\u0027identity:get_role_for_trust\u0027,"},{"line_number":403,"context_line":"                              build_target\u003d_build_trust_target_enforcement)"},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"        if self.oslo_context.is_admin:"},{"line_number":406,"context_line":"            # policies are not loaded for the is_admin context, so need to"},{"line_number":407,"context_line":"            # block access here"},{"line_number":408,"context_line":"            raise exception.ForbiddenAction("},{"line_number":409,"context_line":"                action\u003d_(\u0027Requested user has no relation to this trust\u0027))"},{"line_number":410,"context_line":""},{"line_number":411,"context_line":"        trust \u003d PROVIDERS.trust_api.get_trust(trust_id)"},{"line_number":412,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"5faad753_dc3bde99","line":409,"range":{"start_line":405,"start_character":0,"end_line":409,"end_character":73},"in_reply_to":"7faddb67_bd697af8","updated":"2019-09-06 21:05:18.000000000","message":"\u003e What does \"oslo_context.is_admin\" means anyway? Is that God or\n \u003e Jesus?\n\nTechnically, it\u0027s the Holy Spirit\n\nI think the is_admin was just a trigger to bypass authorization. It was ambiguous and developed before we started grouping identities by scope (e.g., project, domain, or system).","commit_id":"09e699baba89b94a020682ab7d916d67360f4481"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"2a0241f34689bc471c6866c398ecb969819ead0c","unresolved":false,"context_lines":[{"line_number":402,"context_line":"        ENFORCER.enforce_call(action\u003d\u0027identity:get_role_for_trust\u0027,"},{"line_number":403,"context_line":"                              build_target\u003d_build_trust_target_enforcement)"},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"        if self.oslo_context.is_admin:"},{"line_number":406,"context_line":"            # policies are not loaded for the is_admin context, so need to"},{"line_number":407,"context_line":"            # block access here"},{"line_number":408,"context_line":"            raise exception.ForbiddenAction("},{"line_number":409,"context_line":"                action\u003d_(\u0027Requested user has no relation to this trust\u0027))"},{"line_number":410,"context_line":""},{"line_number":411,"context_line":"        trust \u003d PROVIDERS.trust_api.get_trust(trust_id)"},{"line_number":412,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"7faddb67_bd697af8","line":409,"range":{"start_line":405,"start_character":0,"end_line":409,"end_character":73},"in_reply_to":"7faddb67_f8b4f983","updated":"2019-08-20 20:43:05.000000000","message":"What does \"oslo_context.is_admin\" means anyway? Is that God or Jesus?","commit_id":"09e699baba89b94a020682ab7d916d67360f4481"}]}