)]}'
{"id":"openstack%2Fkeystone~908807","triplet_id":"openstack%2Fkeystone~stable%2F2023.2~Iffbe11c57c61bbd1b045a6567a9249c12dff403c","project":"openstack/keystone","branch":"stable/2023.2","topic":"secure-rbac-stable/2023.2","attention_set":{},"removed_from_attention_set":{"14250":{"account":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"last_update":"2024-02-14 14:21:04.000000000","reason":"\u003cGERRIT_ACCOUNT_14250\u003e replied on the change","reason_account":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"}},"7973":{"account":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"last_update":"2024-02-14 16:06:09.000000000","reason":"Change was submitted"},"7414":{"account":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"last_update":"2024-02-13 19:06:47.000000000","reason":"\u003cGERRIT_ACCOUNT_7414\u003e replied on the change","reason_account":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"}}},"hashtags":[],"change_id":"Iffbe11c57c61bbd1b045a6567a9249c12dff403c","subject":"Normalize policy checks for domain-scoped tokens","status":"MERGED","created":"2024-02-12 19:17:46.000000000","updated":"2024-02-14 16:08:39.000000000","submitted":"2024-02-14 16:06:09.000000000","submitter":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"908807-secure-rbac-stable/2023.2","cherry_pick_of_change":908524,"cherry_pick_of_patch_set":2,"meta_rev_id":"1b5d79085430bd548ad15e39724b0b7ccc1fcfe3","_number":908807,"virtual_id_number":908807,"owner":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"actions":{},"labels":{"Verified":{"approved":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"tag":"autogenerated:zuul:gate","value":2,"date":"2024-02-14 16:06:09.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"value":0,"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","default_value":0,"optional":true},"Code-Review":{"approved":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":2,"date":"2024-02-14 14:21:04.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"value":2,"date":"2024-02-13 19:06:47.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"approved":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":1,"date":"2024-02-14 14:21:04.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"value":0,"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2024-02-12 19:28:04.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"CC"},{"updated":"2024-02-12 20:39:17.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2024-02-13 15:12:31.000000000","updated_by":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"reviewer":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"state":"REVIEWER"},{"updated":"2024-02-13 15:12:31.000000000","updated_by":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"reviewer":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"state":"REVIEWER"}],"messages":[{"id":"4decab6c78f619cb3021231c78b4e4cdaf94a756","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"date":"2024-02-12 19:17:46.000000000","message":"Patch Set 1: Cherry Picked from branch master.","accounts_in_message":[],"_revision_number":1},{"id":"d9e83452a43b9dd506c004d4f1da03552f80c888","tag":"autogenerated:zuul:check-arm64","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-02-12 19:28:04.000000000","message":"Patch Set 1:\n\nBuild succeeded (ARM64 pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/773738b9489b47d3b8a8f0b461c99da1\n\n- openstack-tox-py38-arm64 https://zuul.opendev.org/t/openstack/build/b116ef1bf36c4035bc03f099f17060ba : SUCCESS in 8m 35s (non-voting)\n- openstack-tox-py39-arm64 https://zuul.opendev.org/t/openstack/build/38984ca727b7436b87d694792ccd9fd9 : SUCCESS in 9m 15s (non-voting)","accounts_in_message":[],"_revision_number":1},{"id":"9a44d598dd6463c31764e3a63d4bdb0f8e0b1533","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-02-12 20:39:17.000000000","message":"Patch Set 1: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/c1ff075aa4ee464f98589b5f9c85f5a0\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/48cf0ce8c07c414bb47ffadee80b1d02 : SUCCESS in 19m 37s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/94d2154615ea46b2956f8e01713331bd : SUCCESS in 4m 51s\n- openstack-tox-py38 https://zuul.opendev.org/t/openstack/build/46b3d40ee44b4b1cb7124ef990cc3dc3 : SUCCESS in 23m 08s\n- openstack-tox-py39 https://zuul.opendev.org/t/openstack/build/7535f77a58b642ee83130789494ec9bb : SUCCESS in 14m 20s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/15770d0717c447439225016d4d4df9a8 : SUCCESS in 23m 58s\n- openstack-tox-py311 https://zuul.opendev.org/t/openstack/build/8809ad5c36dc46429417134e786b9db5 : RETRY_LIMIT in 1m 45s (non-voting)\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/460651b89b4f4e358c247c9802f7ec1e : SUCCESS in 12m 08s\n- grenade https://zuul.opendev.org/t/openstack/build/fb92b7b3debe45e0a06aba1e34e503af : SUCCESS in 1h 00m 32s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/540ef391f52246e89b6c77c1b2f777b3 : SUCCESS in 1h 19m 46s\n- keystone-dsvm-py3-functional https://zuul.opendev.org/t/openstack/build/63ba4af246ef41e0883e48d508f6f648 : SUCCESS in 26m 23s\n- keystone-dsvm-py3-functional-fips https://zuul.opendev.org/t/openstack/build/5f010b56b08149b4a809709ff25707db : SUCCESS in 49m 18s (non-voting)\n- keystone-dsvm-py3-functional-federation-ubuntu-jammy https://zuul.opendev.org/t/openstack/build/c54a107fa3c54a4b95e2b095b1f3e404 : FAILURE in 33m 26s (non-voting)\n- keystone-dsvm-py3-functional-federation-ubuntu-jammy-k2k https://zuul.opendev.org/t/openstack/build/f10bb435fb0446e6b059e0f6e44d4328 : SUCCESS in 26m 38s\n- keystoneclient-devstack-functional https://zuul.opendev.org/t/openstack/build/12b724431d1e4307a5f3ee3448f0c1de : SUCCESS in 20m 52s (non-voting)\n- keystone-dsvm-ldap-domain-specific-driver https://zuul.opendev.org/t/openstack/build/d79e2c610a34439f80b5feb098f16f57 : FAILURE in 23m 39s (non-voting)\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/165b361bf94a42a884f266dfce5c186e : SUCCESS in 1h 04m 27s","accounts_in_message":[],"_revision_number":1},{"id":"b8966183e71fe1cf36573a3110554d69ab4ef751","author":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"date":"2024-02-13 19:06:47.000000000","message":"Patch Set 1: Code-Review+2","accounts_in_message":[],"_revision_number":1},{"id":"f39e5d7f9c979e0bd2862102bca4198d67a5aa7e","author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"date":"2024-02-14 14:21:04.000000000","message":"Patch Set 1: Code-Review+2 Workflow+1","accounts_in_message":[],"_revision_number":1},{"id":"3aaeec235000e0b5d627c5f96958d26d685e37e5","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-02-14 14:21:50.000000000","message":"Patch Set 1: -Verified\n\nStarting gate jobs.","accounts_in_message":[],"_revision_number":1},{"id":"defe3ff5215ced1994ac3c70da68aeff4ae419be","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-02-14 16:06:09.000000000","message":"Patch Set 1: Verified+2\n\nBuild succeeded (gate pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/43394e2baddf41e4b2c72b69edafd7ed\n\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/a6d84e4710004f4d858911c6059d7406 : SUCCESS in 5m 59s\n- openstack-tox-py38 https://zuul.opendev.org/t/openstack/build/7a5259f6352c4163af6b1390c360d0a4 : SUCCESS in 11m 07s\n- openstack-tox-py39 https://zuul.opendev.org/t/openstack/build/ba1831f0f237481293c557bf0f44cab1 : SUCCESS in 14m 20s\n- openstack-tox-py310 https://zuul.opendev.org/t/openstack/build/b1768fd292b449d8a912a6d45fdd1034 : SUCCESS in 11m 11s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/1b21bb776f1646579276bfbcb0d116cd : SUCCESS in 11m 18s\n- grenade https://zuul.opendev.org/t/openstack/build/4d767b638bd14db1b978df9785068c60 : SUCCESS in 59m 02s\n- tempest-full-py3 https://zuul.opendev.org/t/openstack/build/aad3a7b9ce9d443588a483fd159acc29 : SUCCESS in 1h 20m 04s\n- keystone-dsvm-py3-functional https://zuul.opendev.org/t/openstack/build/0ef3c8c12e4149c9b4efcfc247ce979d : SUCCESS in 25m 04s\n- keystone-dsvm-py3-functional-federation-ubuntu-jammy-k2k https://zuul.opendev.org/t/openstack/build/09b560aff46f4dc4b7fefa15ffd8bbd7 : SUCCESS in 29m 44s\n- tempest-ipv6-only https://zuul.opendev.org/t/openstack/build/6bb84780c33345a58ca6ba7cbef39cb8 : SUCCESS in 1h 01m 34s","accounts_in_message":[],"_revision_number":1},{"id":"e3d00416b4f0b2b5f1a0ecdd6052813397b470c2","tag":"autogenerated:gerrit:merged","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-02-14 16:06:09.000000000","message":"Change has been successfully merged","accounts_in_message":[],"_revision_number":1},{"id":"1b5d79085430bd548ad15e39724b0b7ccc1fcfe3","tag":"autogenerated:zuul:promote","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-02-14 16:08:39.000000000","message":"Patch Set 1:\n\nBuild succeeded (promote pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/8e380d234b644b9b8ac39c8399ae48c4\n\n- promote-openstack-tox-docs https://zuul.opendev.org/t/openstack/build/498a8eca03a04e1b8d6b338e1d910c52 : SUCCESS in 1m 06s","accounts_in_message":[],"_revision_number":1}],"current_revision_number":1,"current_revision":"5a55e9de15c7f390e43addc5f3ff1a4809ec1a5b","revisions":{"5a55e9de15c7f390e43addc5f3ff1a4809ec1a5b":{"kind":"REWORK","_number":1,"created":"2024-02-12 19:17:46.000000000","uploader":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"ref":"refs/changes/07/908807/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/07/908807/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/07/908807/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/07/908807/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/07/908807/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/07/908807/1"}}},"commit":{"parents":[{"commit":"7de9f7d49dd4142dccc1968028e12a3ca2b7847f","subject":"Allow users with \"admin\" role to get projects","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/7de9f7d49dd4142dccc1968028e12a3ca2b7847f"}]}],"author":{"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","date":"2024-02-08 20:36:38.000000000","tz":-360},"committer":{"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","date":"2024-02-12 19:17:46.000000000","tz":0},"subject":"Normalize policy checks for domain-scoped tokens","message":"Normalize policy checks for domain-scoped tokens\n\nThis patch fixes an inconsistency in the policies for role_assignment\nwhere the target object used for policy enforcement was being created\nwith different properties depending on the request query string.\n\nThis required policies to be written in two differnt ways to validate\ndomain IDs for domain-scoped requests.  e.g. checking for domain reader\nwas using both:\n\n    role:reader and domain_id:%(target.domain_id)s\n\nand\n\n    role:reader and domain_id:%(target.project.domain_id)s\n\nWith the former only being populated for GET /v3/role_assignments and\nthe latter only being populated for GET\n/v3/role_assignments?scope.project.id\u003dSOME_ID\n\nThis patch fixes the target object so that only target.domain_id needs\nto be checked for domain-scoped tokens.\n\nChange-Id: Iffbe11c57c61bbd1b045a6567a9249c12dff403c\n(cherry picked from commit 7dc175a41f92e3f01cf26912431d0f2c98a03b32)\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/5a55e9de15c7f390e43addc5f3ff1a4809ec1a5b"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/5a55e9de15c7f390e43addc5f3ff1a4809ec1a5b"}]},"branch":"refs/heads/stable/2023.2"}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"CLOSED","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY","applied_by":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"}},{"label":"Workflow","status":"MAY","applied_by":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"}}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Verified\u003dMAX"],"failing_atoms":["label:Verified\u003dMIN"],"atom_explanations":{}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Code-Review\u003dMAX"],"failing_atoms":["label:Code-Review\u003dMIN"],"atom_explanations":{}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Workflow\u003dMAX"],"failing_atoms":["label:Workflow\u003dMIN"],"atom_explanations":{}}}]}