)]}'
{"keystone/api/credentials.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"0fd29a7e763c0cfbfe9d201146373781d88d96f3","unresolved":false,"context_lines":[{"line_number":94,"context_line":"            target \u003d {\u0027credential\u0027: {\u0027user_id\u0027: self.oslo_context.user_id}}"},{"line_number":95,"context_line":"        else:"},{"line_number":96,"context_line":"            target \u003d None"},{"line_number":97,"context_line":"        ENFORCER.enforce_call(action\u003d\u0027identity:list_credentials\u0027,"},{"line_number":98,"context_line":"                              filters\u003dfilters, target_attr\u003dtarget)"},{"line_number":99,"context_line":"        hints \u003d self.build_driver_hints(filters)"},{"line_number":100,"context_line":"        refs \u003d PROVIDERS.credential_api.list_credentials(hints)"},{"line_number":101,"context_line":"        # If the request was filtered, make sure to return only the"}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_71393fd6","line":98,"range":{"start_line":97,"start_character":8,"end_line":98,"end_character":66},"updated":"2019-12-05 19:06:54.000000000","message":"So - to make sure I understand it properly. This was failing because policy checks don\u0027t filter responses and this policy was being or\u0027d with the deprecated base.RULE_ADMIN_REQUIRED policy?","commit_id":"17c337dbdbfb9d548ad531c2ad0483c9bce5b98f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"572e3d49e6b359ca814e60294f8c8fc6e250b6f3","unresolved":false,"context_lines":[{"line_number":94,"context_line":"            target \u003d {\u0027credential\u0027: {\u0027user_id\u0027: self.oslo_context.user_id}}"},{"line_number":95,"context_line":"        else:"},{"line_number":96,"context_line":"            target \u003d None"},{"line_number":97,"context_line":"        ENFORCER.enforce_call(action\u003d\u0027identity:list_credentials\u0027,"},{"line_number":98,"context_line":"                              filters\u003dfilters, target_attr\u003dtarget)"},{"line_number":99,"context_line":"        hints \u003d self.build_driver_hints(filters)"},{"line_number":100,"context_line":"        refs \u003d PROVIDERS.credential_api.list_credentials(hints)"},{"line_number":101,"context_line":"        # If the request was filtered, make sure to return only the"}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_91507b60","line":98,"range":{"start_line":97,"start_character":8,"end_line":98,"end_character":66},"in_reply_to":"3fa7e38b_51c0c34a","updated":"2019-12-05 19:42:34.000000000","message":"Yeah - I should have clarified I was referring the behavior of the bug in general.","commit_id":"17c337dbdbfb9d548ad531c2ad0483c9bce5b98f"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"397e9f77c80046047819432e233d2be17ad3ecbe","unresolved":false,"context_lines":[{"line_number":94,"context_line":"            target \u003d {\u0027credential\u0027: {\u0027user_id\u0027: self.oslo_context.user_id}}"},{"line_number":95,"context_line":"        else:"},{"line_number":96,"context_line":"            target \u003d None"},{"line_number":97,"context_line":"        ENFORCER.enforce_call(action\u003d\u0027identity:list_credentials\u0027,"},{"line_number":98,"context_line":"                              filters\u003dfilters, target_attr\u003dtarget)"},{"line_number":99,"context_line":"        hints \u003d self.build_driver_hints(filters)"},{"line_number":100,"context_line":"        refs \u003d PROVIDERS.credential_api.list_credentials(hints)"},{"line_number":101,"context_line":"        # If the request was filtered, make sure to return only the"}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_51c0c34a","line":98,"range":{"start_line":97,"start_character":8,"end_line":98,"end_character":66},"in_reply_to":"3fa7e38b_71393fd6","updated":"2019-12-05 19:27:41.000000000","message":"Not sure which \"this\" you mean by \"this was failing\" -\n\nThe tempest test was failing on the first patchset because it is testing using the project-admin with enforce_scope\u003dfalse and expecting that user to be able to list all credentials. This enforcer call wasn\u0027t failing in that tempest test, it was the filtering happening below that was over-filtering the results into an empty list.\n\nOr if you\u0027re referring to the bug itself, it had nothing to do with rule:admin_required, the problem was that the target is target.credential.user_id.{current_user} which matches the policy check \u0027or user_id:%(target.credential.user_id)s\u0027, so the enforcer here passes - and correct, the enforcer doesn\u0027t do any filtering, we were relying on the filtering below. I was hoping the filters\u003dfilters could be used somehow here but that only checks the flask query params which aren\u0027t the problem here.","commit_id":"17c337dbdbfb9d548ad531c2ad0483c9bce5b98f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"0fd29a7e763c0cfbfe9d201146373781d88d96f3","unresolved":false,"context_lines":[{"line_number":101,"context_line":"        # If the request was filtered, make sure to return only the"},{"line_number":102,"context_line":"        # credentials specific to that user. This makes it so that users with"},{"line_number":103,"context_line":"        # roles on projects can\u0027t see credentials that aren\u0027t theirs."},{"line_number":104,"context_line":"        filtered_refs \u003d []"},{"line_number":105,"context_line":"        for ref in refs:"},{"line_number":106,"context_line":"            # Check each credential again to make sure the user has access to"},{"line_number":107,"context_line":"            # it, either by owning it, being a project admin with"}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_d15593fa","line":104,"updated":"2019-12-05 19:06:54.000000000","message":"Looking at the policy for identity:list_credentials, it\u0027s too bad we can\u0027t actually leverage the `or user_id:..` bit.","commit_id":"17c337dbdbfb9d548ad531c2ad0483c9bce5b98f"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"397e9f77c80046047819432e233d2be17ad3ecbe","unresolved":false,"context_lines":[{"line_number":101,"context_line":"        # If the request was filtered, make sure to return only the"},{"line_number":102,"context_line":"        # credentials specific to that user. This makes it so that users with"},{"line_number":103,"context_line":"        # roles on projects can\u0027t see credentials that aren\u0027t theirs."},{"line_number":104,"context_line":"        filtered_refs \u003d []"},{"line_number":105,"context_line":"        for ref in refs:"},{"line_number":106,"context_line":"            # Check each credential again to make sure the user has access to"},{"line_number":107,"context_line":"            # it, either by owning it, being a project admin with"}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa7e38b_b1c57792","line":104,"in_reply_to":"3fa7e38b_d15593fa","updated":"2019-12-05 19:27:41.000000000","message":"Yeah, it\u0027s almost like we need some flag to trigger based on which part of the check string passed the enforcer.","commit_id":"17c337dbdbfb9d548ad531c2ad0483c9bce5b98f"}],"releasenotes/notes/bug-1855080-08b28181b7cb2470.yaml":[{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"eceb20ca7ac3da7992debf3c4edf9c9871671e6e","unresolved":false,"context_lines":[{"line_number":17,"context_line":"    list any credential object with the /v3/credentials API when"},{"line_number":18,"context_line":"    ``[oslo_policy]/enforce_scope`` was set to false, which is the default."},{"line_number":19,"context_line":"    This has been addressed: users with non-admin roles on a project may not"},{"line_number":20,"context_line":"    list other users\u0027 credentials. However, users with the admin role on a"},{"line_number":21,"context_line":"    project may still list any users credentials when"},{"line_number":22,"context_line":"    ``[oslo_policy]/enforce_scope`` is false due to `bug 968696"},{"line_number":23,"context_line":"    \u003chttps://bugs.launchpad.net/keystone/+bug/968696\u003e`_."}],"source_content_type":"text/x-yaml","patch_set":1,"id":"3fa7e38b_a93d248f","line":21,"range":{"start_line":20,"start_character":35,"end_line":21,"end_character":48},"updated":"2019-12-04 20:29:22.000000000","message":"Is this still true?","commit_id":"137bd97be978faa5c77986f1f0166deca03b05e4"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"0146d757bae3c74361bdfc31f7a73c3153228301","unresolved":false,"context_lines":[{"line_number":17,"context_line":"    list any credential object with the /v3/credentials API when"},{"line_number":18,"context_line":"    ``[oslo_policy]/enforce_scope`` was set to false, which is the default."},{"line_number":19,"context_line":"    This has been addressed: users with non-admin roles on a project may not"},{"line_number":20,"context_line":"    list other users\u0027 credentials. However, users with the admin role on a"},{"line_number":21,"context_line":"    project may still list any users credentials when"},{"line_number":22,"context_line":"    ``[oslo_policy]/enforce_scope`` is false due to `bug 968696"},{"line_number":23,"context_line":"    \u003chttps://bugs.launchpad.net/keystone/+bug/968696\u003e`_."}],"source_content_type":"text/x-yaml","patch_set":1,"id":"3fa7e38b_c95bc083","line":21,"range":{"start_line":20,"start_character":35,"end_line":21,"end_character":48},"in_reply_to":"3fa7e38b_a93d248f","updated":"2019-12-04 20:54:52.000000000","message":"Yes, when enforce_scope is false due to bug 968696","commit_id":"137bd97be978faa5c77986f1f0166deca03b05e4"}]}