)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"ae57f335461c01d5aaf8097cbd10c36118b9705d","unresolved":true,"context_lines":[{"line_number":13,"context_line":"The protection test job is marked non-voting since tempest does not yet"},{"line_number":14,"context_line":"expect these policy changes.  A follow-up patch will make it voting"},{"line_number":15,"context_line":"again after the test changes have merged into tempest."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1"},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Change-Id: I31b5a1f85d994a90578657bc77fa46ace0748582"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":5,"id":"87cb4d25_93238d8b","line":16,"updated":"2023-12-14 15:28:39.000000000","message":"If we know they will fail, maybe we should disable those, to not overload the CI with jobs we know will fail?","commit_id":"89b82d8102ba02dadbd4daa815869adeeafd46a5"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"b87ddec720b3209d7c9cdef022ab96a81b8cc5b5","unresolved":false,"context_lines":[{"line_number":13,"context_line":"The protection test job is marked non-voting since tempest does not yet"},{"line_number":14,"context_line":"expect these policy changes.  
A follow-up patch will make it voting"},{"line_number":15,"context_line":"again after the test changes have merged into tempest."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1"},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Change-Id: I31b5a1f85d994a90578657bc77fa46ace0748582"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":5,"id":"e2cbfde7_fbb70523","line":16,"in_reply_to":"87cb4d25_93238d8b","updated":"2023-12-14 15:58:03.000000000","message":"Sure, I can do that.","commit_id":"89b82d8102ba02dadbd4daa815869adeeafd46a5"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"8ebad36bc7f3a6258d6e574969a286c2dc0c7890","unresolved":true,"context_lines":[{"line_number":10,"context_line":"tokens so that operators can continue to use the \"admin\" role to access"},{"line_number":11,"context_line":"system level APIs."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"The protection test job is marked non-voting since tempest does not yet"},{"line_number":14,"context_line":"expect these policy changes.  A follow-up patch will make it voting"},{"line_number":15,"context_line":"again after the test changes have merged into tempest."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1"},{"line_number":18,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"957f84f5_fbfa11aa","line":15,"range":{"start_line":13,"start_character":45,"end_line":15,"end_character":54},"updated":"2023-12-14 19:43:22.000000000","message":"As we are allowing the project scope token to access in same way it was previously I think tempest should pass. 
Let me test it. At least tempest full job enabling the keystone and other services new RBAC should pass.","commit_id":"c51758182cb8a62ecd6b5cd885d92d0708db145f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2024d0cf74038290387cf63c6d9e44ed4d64e870","unresolved":false,"context_lines":[{"line_number":10,"context_line":"tokens so that operators can continue to use the \"admin\" role to access"},{"line_number":11,"context_line":"system level APIs."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"The protection test job is marked non-voting since tempest does not yet"},{"line_number":14,"context_line":"expect these policy changes.  A follow-up patch will make it voting"},{"line_number":15,"context_line":"again after the test changes have merged into tempest."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1"},{"line_number":18,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"b821dc87_ed414cba","line":15,"range":{"start_line":13,"start_character":45,"end_line":15,"end_character":54},"in_reply_to":"6dfe092d_b38b8ee6","updated":"2023-12-14 22:27:34.000000000","message":"I see, by Tempest i thought tempest in-tree tests but I got it now you mean keystone-tempest-plugin tests.\n\nAnyways, I am also testing these changes across services if all fine - https://review.opendev.org/q/topic:%22keystone-srbac-test%22","commit_id":"c51758182cb8a62ecd6b5cd885d92d0708db145f"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"03415c522afa6d1ab808529e1114bfcdb49f52b8","unresolved":false,"context_lines":[{"line_number":10,"context_line":"tokens so that operators can continue to use the \"admin\" role to 
access"},{"line_number":11,"context_line":"system level APIs."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"The protection test job is marked non-voting since tempest does not yet"},{"line_number":14,"context_line":"expect these policy changes.  A follow-up patch will make it voting"},{"line_number":15,"context_line":"again after the test changes have merged into tempest."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1"},{"line_number":18,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"6dfe092d_b38b8ee6","line":15,"range":{"start_line":13,"start_character":45,"end_line":15,"end_character":54},"in_reply_to":"957f84f5_fbfa11aa","updated":"2023-12-14 19:50:15.000000000","message":"The failures are because of the increase in permissions to Project-Admin.  Since they are now able to do things that they were previously not allowed to.  
The follow up patch in Tempest is here:\n\nhttps://review.opendev.org/c/openstack/keystone-tempest-plugin/+/903713","commit_id":"c51758182cb8a62ecd6b5cd885d92d0708db145f"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"5c5f1469cdbbc55472f98b185bed84dcd28fcf29","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"ff9f044a_b7b5e17b","updated":"2023-12-13 22:14:11.000000000","message":"Recheck - cinder ssh issue","commit_id":"89b82d8102ba02dadbd4daa815869adeeafd46a5"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2024d0cf74038290387cf63c6d9e44ed4d64e870","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"b81cc324_36677042","updated":"2023-12-14 22:27:34.000000000","message":"Testing across service in these https://review.opendev.org/q/topic:%22keystone-srbac-test%22","commit_id":"c51758182cb8a62ecd6b5cd885d92d0708db145f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a5e7146bb5c1ec5a07149fab2aefcbdac139dbdc","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"126b8832_f589bc58","updated":"2023-12-15 00:41:02.000000000","message":"it seems existing tempest tests also failing https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_3d0/903722/1/check/tempest-full-enforce-scope-new-defaults/3d0c7a3/testr_results.html\n\nare new RBAC changed the things instead of just adding system scope access?","commit_id":"c51758182cb8a62ecd6b5cd885d92d0708db145f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d9f8ef9cb796745b2c8b0f4a8ddb6f4827e98693","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"fda5cbf6_f9a212bf","updated":"2023-12-15 00:41:30.000000000","message":"just -1 to get more clarity on tests failing in case it get merged before that.","commit_id":"c51758182cb8a62ecd6b5cd885d92d0708db145f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"8ebad36bc7f3a6258d6e574969a286c2dc0c7890","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"9b1d94cc_65080107","updated":"2023-12-14 19:43:22.000000000","message":"overall lgtm, let me test the changes with other services new RBAC if there is any issue","commit_id":"c51758182cb8a62ecd6b5cd885d92d0708db145f"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"d07ff498b45a13ebc045b3e588a7080c66b70c6c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"f2883887_0198aa46","in_reply_to":"126b8832_f589bc58","updated":"2023-12-15 15:14:27.000000000","message":"This patch is just allowing project-admin to do the things that only system-users were allowed to do before.","commit_id":"c51758182cb8a62ecd6b5cd885d92d0708db145f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6604397f4e6de445a76c2aec601072fd8c2335e8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"9ff6fa0a_7b0cd996","in_reply_to":"f2883887_0198aa46","updated":"2023-12-15 18:27:50.000000000","message":"yeah, let me debug it more and see if anything breaking. 
From changes and as you mentioned it only restore the legacy admin access which is what we want and should be ok. I will debug tempest tests failure and update here early next week.","commit_id":"c51758182cb8a62ecd6b5cd885d92d0708db145f"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"26e2c14d0fe33e8884043384661dd90c887ce181","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"a013b277_7aeb5518","updated":"2023-12-19 17:15:24.000000000","message":"recheck","commit_id":"aeaae18829e73eb68b55956952b1ee36ec4dacb8"}],"keystone/common/policies/grant.py":[{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"ed52163eaa5af2713800dbe42c65069980002751","unresolved":true,"context_lines":[{"line_number":60,"context_line":"    \u0027(role:admin and \u0027 + DOMAIN_MATCHES_GROUP_DOMAIN + \u0027 and\u0027"},{"line_number":61,"context_line":"    \u0027 \u0027 + DOMAIN_MATCHES_TARGET_DOMAIN + \u0027)\u0027"},{"line_number":62,"context_line":")"},{"line_number":63,"context_line":"SYSTEM_ADMIN_OR_DOMAIN_ADMIN \u003d ("},{"line_number":64,"context_line":"    \u0027(\u0027 + base.SYSTEM_ADMIN + \u0027) or \u0027"},{"line_number":65,"context_line":"    \u0027(\u0027 + GRANTS_DOMAIN_ADMIN + \u0027) and \u0027"},{"line_number":66,"context_line":"    \u0027(\u0027 + DOMAIN_MATCHES_ROLE + \u0027)\u0027"}],"source_content_type":"text/x-python","patch_set":9,"id":"83e4d30f_36d71ebb","line":63,"updated":"2024-01-19 15:38:09.000000000","message":"nit - this variable is no longer used","commit_id":"0e525fd841a6bd3309e0705621e80971f3a3a5b6"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"2b3754c9e3b56b731269e17d80c1967fcc1ce234","unresolved":false,"context_lines":[{"line_number":60,"context_line":"    \u0027(role:admin and 
\u0027 + DOMAIN_MATCHES_GROUP_DOMAIN + \u0027 and\u0027"},{"line_number":61,"context_line":"    \u0027 \u0027 + DOMAIN_MATCHES_TARGET_DOMAIN + \u0027)\u0027"},{"line_number":62,"context_line":")"},{"line_number":63,"context_line":"SYSTEM_ADMIN_OR_DOMAIN_ADMIN \u003d ("},{"line_number":64,"context_line":"    \u0027(\u0027 + base.SYSTEM_ADMIN + \u0027) or \u0027"},{"line_number":65,"context_line":"    \u0027(\u0027 + GRANTS_DOMAIN_ADMIN + \u0027) and \u0027"},{"line_number":66,"context_line":"    \u0027(\u0027 + DOMAIN_MATCHES_ROLE + \u0027)\u0027"}],"source_content_type":"text/x-python","patch_set":9,"id":"412e473d_9637a018","line":63,"in_reply_to":"83e4d30f_36d71ebb","updated":"2024-01-19 19:49:37.000000000","message":"Done","commit_id":"0e525fd841a6bd3309e0705621e80971f3a3a5b6"}],"keystone/common/policies/group.py":[{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"650bb026239399b716743e2cebb0b04be79e6b72","unresolved":true,"context_lines":[{"line_number":36,"context_line":"    SYSTEM_READER_OR_DOMAIN_READER_FOR_TARGET_GROUP_USER"},{"line_number":37,"context_line":")"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"SYSTEM_ADMIN_OR_DOMAIN_ADMIN_FOR_TARGET_GROUP_USER \u003d ("},{"line_number":40,"context_line":"    \u0027(role:admin and system_scope:all) or \u0027"},{"line_number":41,"context_line":"    \u0027(role:admin and \u0027"},{"line_number":42,"context_line":"    \u0027domain_id:%(target.group.domain_id)s and \u0027"}],"source_content_type":"text/x-python","patch_set":9,"id":"5170ed64_ff81f3b4","line":39,"updated":"2024-01-19 15:41:25.000000000","message":"Per xek, delete unused consts","commit_id":"0e525fd841a6bd3309e0705621e80971f3a3a5b6"}],"keystone/common/policies/user.py":[{"author":{"_account_id":7973,"name":"Douglas 
Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"650bb026239399b716743e2cebb0b04be79e6b72","unresolved":true,"context_lines":[{"line_number":34,"context_line":"    SYSTEM_READER_OR_DOMAIN_READER"},{"line_number":35,"context_line":")"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"SYSTEM_ADMIN_OR_DOMAIN_ADMIN \u003d ("},{"line_number":38,"context_line":"    \u0027(role:admin and system_scope:all) or \u0027"},{"line_number":39,"context_line":"    \u0027(role:admin and token.domain.id:%(target.user.domain_id)s)\u0027"},{"line_number":40,"context_line":")"}],"source_content_type":"text/x-python","patch_set":9,"id":"c79bcc9a_94f3ac10","line":37,"updated":"2024-01-19 15:41:25.000000000","message":"Remove this one as well.","commit_id":"0e525fd841a6bd3309e0705621e80971f3a3a5b6"}]}
