)]}'
{"keystone/models/token_model.py":[{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"9fe127b6e84ea498b9e9098416ccba1da63f96c9","unresolved":false,"context_lines":[{"line_number":334,"context_line":"        access_token_roles \u003d ["},{"line_number":335,"context_line":"            {\u0027role_id\u0027: r} for r in jsonutils.loads(access_token_roles)]"},{"line_number":336,"context_line":"        effective_access_token_roles \u003d ("},{"line_number":337,"context_line":"            PROVIDERS.assignment_api.add_implied_roles(access_token_roles)"},{"line_number":338,"context_line":"        )"},{"line_number":339,"context_line":"        user_roles \u003d [r[\u0027id\u0027] for r in self._get_project_roles()]"},{"line_number":340,"context_line":"        for role in effective_access_token_roles:"}],"source_content_type":"text/x-python","patch_set":1,"id":"1f493fa4_f238493c","line":337,"range":{"start_line":337,"start_character":12,"end_line":337,"end_character":74},"updated":"2020-05-06 16:34:03.000000000","message":"Will changing implied roles invalidate existing access tokens? Otherwise, this seem a bit dangerous as the roles can still change after the access token had issued.","commit_id":"6c73690f779a42a5c62914b6bc37f0ac2f41a3e3"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"eccabc62368676c1a832ccbc09b92b3e64f7a036","unresolved":false,"context_lines":[{"line_number":334,"context_line":"        access_token_roles \u003d ["},{"line_number":335,"context_line":"            {\u0027role_id\u0027: r} for r in jsonutils.loads(access_token_roles)]"},{"line_number":336,"context_line":"        effective_access_token_roles \u003d ("},{"line_number":337,"context_line":"            PROVIDERS.assignment_api.add_implied_roles(access_token_roles)"},{"line_number":338,"context_line":"        )"},{"line_number":339,"context_line":"        user_roles \u003d [r[\u0027id\u0027] for r in self._get_project_roles()]"},{"line_number":340,"context_line":"        for role in effective_access_token_roles:"}],"source_content_type":"text/x-python","patch_set":1,"id":"1f493fa4_d5b1b7e3","line":337,"range":{"start_line":337,"start_character":12,"end_line":337,"end_character":74},"in_reply_to":"1f493fa4_75a383b2","updated":"2020-05-06 17:06:26.000000000","message":"Do we need to point this out in the doc for now?","commit_id":"6c73690f779a42a5c62914b6bc37f0ac2f41a3e3"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"adb322202d0924fc9ba383ffa90d40155be3fae6","unresolved":false,"context_lines":[{"line_number":334,"context_line":"        access_token_roles \u003d ["},{"line_number":335,"context_line":"            {\u0027role_id\u0027: r} for r in jsonutils.loads(access_token_roles)]"},{"line_number":336,"context_line":"        effective_access_token_roles \u003d ("},{"line_number":337,"context_line":"            PROVIDERS.assignment_api.add_implied_roles(access_token_roles)"},{"line_number":338,"context_line":"        )"},{"line_number":339,"context_line":"        user_roles \u003d [r[\u0027id\u0027] for r in self._get_project_roles()]"},{"line_number":340,"context_line":"        for role in effective_access_token_roles:"}],"source_content_type":"text/x-python","patch_set":1,"id":"1f493fa4_10d7ad51","line":337,"range":{"start_line":337,"start_character":12,"end_line":337,"end_character":74},"in_reply_to":"1f493fa4_d5b1b7e3","updated":"2020-05-06 17:33:42.000000000","message":"Which doc? I\u0027ll help review if someone wants to write it up and find the right place for it. Right now it seems like the way we handle these are so inconsistent that I wouldn\u0027t know what to document.","commit_id":"6c73690f779a42a5c62914b6bc37f0ac2f41a3e3"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"7a7313d173f7f315fb1618a549c03a065013bbe9","unresolved":false,"context_lines":[{"line_number":334,"context_line":"        access_token_roles \u003d ["},{"line_number":335,"context_line":"            {\u0027role_id\u0027: r} for r in jsonutils.loads(access_token_roles)]"},{"line_number":336,"context_line":"        effective_access_token_roles \u003d ("},{"line_number":337,"context_line":"            PROVIDERS.assignment_api.add_implied_roles(access_token_roles)"},{"line_number":338,"context_line":"        )"},{"line_number":339,"context_line":"        user_roles \u003d [r[\u0027id\u0027] for r in self._get_project_roles()]"},{"line_number":340,"context_line":"        for role in effective_access_token_roles:"}],"source_content_type":"text/x-python","patch_set":1,"id":"1f493fa4_75a383b2","line":337,"range":{"start_line":337,"start_character":12,"end_line":337,"end_character":74},"in_reply_to":"1f493fa4_f238493c","updated":"2020-05-06 17:00:41.000000000","message":"This is the same behavior that we have for trust roles above. I don\u0027t think changing implied roles revokes active tokens, but at least the token will expire. I think this is safe enough for now and we can follow up later to make sure all of these token roles behave the same with regard to implied roles and discuss how to invalidate them.","commit_id":"6c73690f779a42a5c62914b6bc37f0ac2f41a3e3"}]}