)]}'
{"doc/source/admin/service-api-protection.rst":[{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"8e87cf4747092d3d3c78f96ed897b1da58d56310","unresolved":true,"context_lines":[{"line_number":21,"context_line":"service developers can use this document as a guide for implementing similar"},{"line_number":22,"context_line":"patterns in their services."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Default roles and behaviors across scopes allow operators to delegate more"},{"line_number":25,"context_line":"functionality to their team, auditors, customers, and users without maintaining"},{"line_number":26,"context_line":"custom policies."},{"line_number":27,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"a6359b7d_e8cbc920","line":24,"range":{"start_line":24,"start_character":35,"end_line":24,"end_character":41},"updated":"2021-02-01 15:26:58.000000000","message":"A suggestion (outside scope of this PR but this is the first time I\u0027m reading the doc). 
I have heard \u0027scope\u0027 used to refer to project, domain, or system, so I suggest sticking with that (if that\u0027s the desired term) and mention it above (L12-13) and replace \u0027target\u0027 (L17) with \u0027scope\u0027.","commit_id":"59dc27358ef34d8aff0e9777cb7cf4eefb60a040"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"57624fe72a81b0147ab0b9ea81944768833d05ad","unresolved":false,"context_lines":[{"line_number":21,"context_line":"service developers can use this document as a guide for implementing similar"},{"line_number":22,"context_line":"patterns in their services."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Default roles and behaviors across scopes allow operators to delegate more"},{"line_number":25,"context_line":"functionality to their team, auditors, customers, and users without maintaining"},{"line_number":26,"context_line":"custom policies."},{"line_number":27,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"1c2b34ba_5f089f35","line":24,"range":{"start_line":24,"start_character":35,"end_line":24,"end_character":41},"in_reply_to":"6454ee65_fa5e579e","updated":"2021-02-05 14:32:35.000000000","message":"Done","commit_id":"59dc27358ef34d8aff0e9777cb7cf4eefb60a040"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"5364d1e1f331140def7d12bb2d9b27deda2bac6e","unresolved":true,"context_lines":[{"line_number":21,"context_line":"service developers can use this document as a guide for implementing similar"},{"line_number":22,"context_line":"patterns in their services."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Default roles and behaviors across scopes allow operators to delegate more"},{"line_number":25,"context_line":"functionality to their team, auditors, customers, and users without 
maintaining"},{"line_number":26,"context_line":"custom policies."},{"line_number":27,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"6454ee65_fa5e579e","line":24,"range":{"start_line":24,"start_character":35,"end_line":24,"end_character":41},"in_reply_to":"a6359b7d_e8cbc920","updated":"2021-02-01 19:24:26.000000000","message":"Good suggestion. I can clarify that in the next patch set, depending on how we want to handle the auditor clarification below.","commit_id":"59dc27358ef34d8aff0e9777cb7cf4eefb60a040"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"627dcad6a3772c1f9bf217dda23f2dd19ce64eec","unresolved":true,"context_lines":[{"line_number":70,"context_line":"   an elevated read-only role, that implies ``reader``, but also exposes"},{"line_number":71,"context_line":"   sensitive information, where applicable."},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"   This will allow operators to grant third-party auditors a permissive role"},{"line_number":74,"context_line":"   for viewing sensitive information, specifically for compliance targets that"},{"line_number":75,"context_line":"   require it."},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"The ``reader`` role provides read-only access to resources within the system, a"},{"line_number":78,"context_line":"domain, or a project. Depending on the assignment scope, two users with the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5d61eec2_3e14d614","line":75,"range":{"start_line":73,"start_character":1,"end_line":75,"end_character":14},"updated":"2021-01-21 19:11:12.000000000","message":"+1. we can keep it something like \u0027public\u0027 or so. 
That can be used for all non-sensitive info and for audit or restricting some end user based on billing or so etc","commit_id":"59dc27358ef34d8aff0e9777cb7cf4eefb60a040"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"8e87cf4747092d3d3c78f96ed897b1da58d56310","unresolved":true,"context_lines":[{"line_number":99,"context_line":"should be explicitly protected, and not implicitly exposed."},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"The ``reader`` role should be implemented and used from the perspective of"},{"line_number":102,"context_line":"least-privilege, which may or may not fill your auditing use case."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"Member"},{"line_number":105,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"8742a07f_1340b98d","line":102,"range":{"start_line":102,"start_character":38,"end_line":102,"end_character":42},"updated":"2021-02-01 15:26:58.000000000","message":"fit? 
(\u0027fill\u0027 might be right, might just be that I\u0027m not used to it in this context.)","commit_id":"59dc27358ef34d8aff0e9777cb7cf4eefb60a040"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"57624fe72a81b0147ab0b9ea81944768833d05ad","unresolved":false,"context_lines":[{"line_number":99,"context_line":"should be explicitly protected, and not implicitly exposed."},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"The ``reader`` role should be implemented and used from the perspective of"},{"line_number":102,"context_line":"least-privilege, which may or may not fill your auditing use case."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"Member"},{"line_number":105,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"80fdb604_be565a29","line":102,"range":{"start_line":102,"start_character":38,"end_line":102,"end_character":42},"in_reply_to":"8742a07f_1340b98d","updated":"2021-02-05 14:32:35.000000000","message":"Done","commit_id":"59dc27358ef34d8aff0e9777cb7cf4eefb60a040"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"8e87cf4747092d3d3c78f96ed897b1da58d56310","unresolved":true,"context_lines":[{"line_number":148,"context_line":""},{"line_number":149,"context_line":".. 
code-block:: console"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"    $ openstack role assignment list --names --system all"},{"line_number":152,"context_line":"    +-------+------------------+-----------------------+---------+--------+--------+-----------+"},{"line_number":153,"context_line":"    | Role  | User             | Group                 | Project | Domain | System | Inherited |"},{"line_number":154,"context_line":"    +-------+------------------+-----------------------+---------+--------+--------+-----------+"}],"source_content_type":"text/x-rst","patch_set":1,"id":"e29aa103_0a5bf853","line":151,"updated":"2021-02-01 15:26:58.000000000","message":"sorry, outside the scope of this PR. I thought this command would return all the roles \u0026 users, not just \u0027admin\u0027 role.","commit_id":"59dc27358ef34d8aff0e9777cb7cf4eefb60a040"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b680bb05c3ef27f2175121727534ddd045dca85c","unresolved":false,"context_lines":[{"line_number":148,"context_line":""},{"line_number":149,"context_line":".. 
code-block:: console"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"    $ openstack role assignment list --names --system all"},{"line_number":152,"context_line":"    +-------+------------------+-----------------------+---------+--------+--------+-----------+"},{"line_number":153,"context_line":"    | Role  | User             | Group                 | Project | Domain | System | Inherited |"},{"line_number":154,"context_line":"    +-------+------------------+-----------------------+---------+--------+--------+-----------+"}],"source_content_type":"text/x-rst","patch_set":1,"id":"79f974d6_1e6e3936","line":151,"in_reply_to":"08dd3665_2c03ece3","updated":"2021-02-05 14:59:15.000000000","message":"Done\n\nhttps://review.opendev.org/c/openstack/keystone/+/774247","commit_id":"59dc27358ef34d8aff0e9777cb7cf4eefb60a040"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"d0fe81ef0bc5408ce79a13d6b8f68b73e4cbcdf4","unresolved":true,"context_lines":[{"line_number":148,"context_line":""},{"line_number":149,"context_line":".. code-block:: console"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"    $ openstack role assignment list --names --system all"},{"line_number":152,"context_line":"    +-------+------------------+-----------------------+---------+--------+--------+-----------+"},{"line_number":153,"context_line":"    | Role  | User             | Group                 | Project | Domain | System | Inherited |"},{"line_number":154,"context_line":"    +-------+------------------+-----------------------+---------+--------+--------+-----------+"}],"source_content_type":"text/x-rst","patch_set":1,"id":"629dbe0a_65c1666b","line":151,"in_reply_to":"1ebe0a04_e77c700c","updated":"2021-02-04 17:18:52.000000000","message":"is this example meant to be compatible with the example below (L176). 
The one below is also for system scope, but only the member and reader roles, not admin role. Right? If so, and this one shows all roles in the system scope, maybe it could have non-admin roles in the example too (eg, include the results from the example below.)","commit_id":"59dc27358ef34d8aff0e9777cb7cf4eefb60a040"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d90695f639e2c27c563f4c7073f54b2ab13b51f9","unresolved":true,"context_lines":[{"line_number":148,"context_line":""},{"line_number":149,"context_line":".. code-block:: console"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"    $ openstack role assignment list --names --system all"},{"line_number":152,"context_line":"    +-------+------------------+-----------------------+---------+--------+--------+-----------+"},{"line_number":153,"context_line":"    | Role  | User             | Group                 | Project | Domain | System | Inherited |"},{"line_number":154,"context_line":"    +-------+------------------+-----------------------+---------+--------+--------+-----------+"}],"source_content_type":"text/x-rst","patch_set":1,"id":"08dd3665_2c03ece3","line":151,"in_reply_to":"629dbe0a_65c1666b","updated":"2021-02-05 14:28:13.000000000","message":"I think I see where you\u0027re coming from though. 
This example is written as a superset (e.g., show me all users with roles on the system), instead of a specific query for system administrators like the preceding paragraph described (e.g., show me all users with the \u0027admin\u0027 role on the system).\n\nI can propose a separate patch to clarify this by adding a short section describing how you can find all users with system role assignments, regardless of the role.","commit_id":"59dc27358ef34d8aff0e9777cb7cf4eefb60a040"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"5364d1e1f331140def7d12bb2d9b27deda2bac6e","unresolved":true,"context_lines":[{"line_number":148,"context_line":""},{"line_number":149,"context_line":".. code-block:: console"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"    $ openstack role assignment list --names --system all"},{"line_number":152,"context_line":"    +-------+------------------+-----------------------+---------+--------+--------+-----------+"},{"line_number":153,"context_line":"    | Role  | User             | Group                 | Project | Domain | System | Inherited |"},{"line_number":154,"context_line":"    +-------+------------------+-----------------------+---------+--------+--------+-----------+"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1ebe0a04_e77c700c","line":151,"in_reply_to":"e29aa103_0a5bf853","updated":"2021-02-01 19:24:26.000000000","message":"The --system all filter removes project or domain role assignments from the response. 
The following will give you all role assignments in the deployment:\n\n  $ openstack role assignment list --names","commit_id":"59dc27358ef34d8aff0e9777cb7cf4eefb60a040"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"8e87cf4747092d3d3c78f96ed897b1da58d56310","unresolved":true,"context_lines":[{"line_number":238,"context_line":"    +--------+-----------------+-------+---------+--------+--------+-----------+"},{"line_number":239,"context_line":"    | Role   | User            | Group | Project | Domain | System | Inherited |"},{"line_number":240,"context_line":"    +--------+-----------------+-------+---------+--------+--------+-----------+"},{"line_number":241,"context_line":"    | reader | auditor@Default |       |         | foobar |        | False     |"},{"line_number":242,"context_line":"    +--------+-----------------+-------+---------+--------+--------+-----------+"},{"line_number":243,"context_line":""},{"line_number":244,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"de808411_3d8383f6","line":241,"range":{"start_line":241,"start_character":15,"end_line":241,"end_character":23},"updated":"2021-02-01 15:26:58.000000000","message":"want to make sure, we\u0027re good with \u0027auditor\u0027 here?","commit_id":"59dc27358ef34d8aff0e9777cb7cf4eefb60a040"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d90695f639e2c27c563f4c7073f54b2ab13b51f9","unresolved":false,"context_lines":[{"line_number":238,"context_line":"    +--------+-----------------+-------+---------+--------+--------+-----------+"},{"line_number":239,"context_line":"    | Role   | User            | Group | Project | Domain | System | Inherited |"},{"line_number":240,"context_line":"    +--------+-----------------+-------+---------+--------+--------+-----------+"},{"line_number":241,"context_line":"    | reader | 
auditor@Default |       |         | foobar |        | False     |"},{"line_number":242,"context_line":"    +--------+-----------------+-------+---------+--------+--------+-----------+"},{"line_number":243,"context_line":""},{"line_number":244,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"9c079d2a_2c088b87","line":241,"range":{"start_line":241,"start_character":15,"end_line":241,"end_character":23},"in_reply_to":"223f5794_e8c1c66a","updated":"2021-02-05 14:28:13.000000000","message":"Correct. Some audit means different things to different people.\n\nI\u0027ll remove it.","commit_id":"59dc27358ef34d8aff0e9777cb7cf4eefb60a040"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"d0fe81ef0bc5408ce79a13d6b8f68b73e4cbcdf4","unresolved":true,"context_lines":[{"line_number":238,"context_line":"    +--------+-----------------+-------+---------+--------+--------+-----------+"},{"line_number":239,"context_line":"    | Role   | User            | Group | Project | Domain | System | Inherited |"},{"line_number":240,"context_line":"    +--------+-----------------+-------+---------+--------+--------+-----------+"},{"line_number":241,"context_line":"    | reader | auditor@Default |       |         | foobar |        | False     |"},{"line_number":242,"context_line":"    +--------+-----------------+-------+---------+--------+--------+-----------+"},{"line_number":243,"context_line":""},{"line_number":244,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"223f5794_e8c1c66a","line":241,"range":{"start_line":241,"start_character":15,"end_line":241,"end_character":23},"in_reply_to":"3692877a_6c698f7b","updated":"2021-02-04 17:18:52.000000000","message":"personally, i\u0027d just remove it. no confusion then. 
cuz we don\u0027t really know for sure how auditing stuff will work (or err, guidelines wrt auditing), do we?","commit_id":"59dc27358ef34d8aff0e9777cb7cf4eefb60a040"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"5364d1e1f331140def7d12bb2d9b27deda2bac6e","unresolved":true,"context_lines":[{"line_number":238,"context_line":"    +--------+-----------------+-------+---------+--------+--------+-----------+"},{"line_number":239,"context_line":"    | Role   | User            | Group | Project | Domain | System | Inherited |"},{"line_number":240,"context_line":"    +--------+-----------------+-------+---------+--------+--------+-----------+"},{"line_number":241,"context_line":"    | reader | auditor@Default |       |         | foobar |        | False     |"},{"line_number":242,"context_line":"    +--------+-----------------+-------+---------+--------+--------+-----------+"},{"line_number":243,"context_line":""},{"line_number":244,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3692877a_6c698f7b","line":241,"range":{"start_line":241,"start_character":15,"end_line":241,"end_character":23},"in_reply_to":"de808411_3d8383f6","updated":"2021-02-01 19:24:26.000000000","message":"I thought about keeping it here just for one auditing example, but maybe it\u0027s too conflicting with the statement at the beginning of the document.","commit_id":"59dc27358ef34d8aff0e9777cb7cf4eefb60a040"},{"author":{"_account_id":6618,"name":"Ruby Loo","email":"opensrloo@gmail.com","username":"rloo"},"change_message_id":"8e87cf4747092d3d3c78f96ed897b1da58d56310","unresolved":true,"context_lines":[{"line_number":291,"context_line":"    +--------+-----------------+----------------------------+-------------------+--------+--------+-----------+"},{"line_number":292,"context_line":"    | Role   | User            | Group                      | Project           | Domain | System | Inherited 
|"},{"line_number":293,"context_line":"    +--------+-----------------+----------------------------+-------------------+--------+--------+-----------+"},{"line_number":294,"context_line":"    | reader | auditor@Default |                            | production@foobar |        |        | False     |"},{"line_number":295,"context_line":"    | reader |                 | production-support@Default | production@foobar |        |        | False     |"},{"line_number":296,"context_line":"    +--------+-----------------+----------------------------+-------------------+--------+--------+-----------+"},{"line_number":297,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"b11975da_6f663222","line":294,"range":{"start_line":294,"start_character":15,"end_line":294,"end_character":22},"updated":"2021-02-01 15:26:58.000000000","message":"ditto","commit_id":"59dc27358ef34d8aff0e9777cb7cf4eefb60a040"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d90695f639e2c27c563f4c7073f54b2ab13b51f9","unresolved":false,"context_lines":[{"line_number":291,"context_line":"    +--------+-----------------+----------------------------+-------------------+--------+--------+-----------+"},{"line_number":292,"context_line":"    | Role   | User            | Group                      | Project           | Domain | System | Inherited |"},{"line_number":293,"context_line":"    +--------+-----------------+----------------------------+-------------------+--------+--------+-----------+"},{"line_number":294,"context_line":"    | reader | auditor@Default |                            | production@foobar |        |        | False     |"},{"line_number":295,"context_line":"    | reader |                 | production-support@Default | production@foobar |        |        | False     |"},{"line_number":296,"context_line":"    
+--------+-----------------+----------------------------+-------------------+--------+--------+-----------+"},{"line_number":297,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"8aa402ff_8c9a3fbf","line":294,"range":{"start_line":294,"start_character":15,"end_line":294,"end_character":22},"in_reply_to":"b11975da_6f663222","updated":"2021-02-05 14:28:13.000000000","message":"Done","commit_id":"59dc27358ef34d8aff0e9777cb7cf4eefb60a040"}]}
