)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"04d8516be74fd87c5c03a9021871a08f5ed26e26","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"8d85c35a_0172bdfd","updated":"2024-04-18 21:20:16.000000000","message":"this lgtm, also you need to update test also which are failing now https://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_0c9/914759/2/check/keystone-protection-functional/0c9f5da/testr_results.html","commit_id":"9162501c5f842817bde1e6d49986ad1e3068add7"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"d92118b16f4964b25e37751b5a6a01d0e4aeb0f0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"c8556f59_ead92f68","in_reply_to":"6fd1b05e_b8aa8582","updated":"2024-04-23 05:55:27.000000000","message":"I\u0027ve submitted https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/916705 to fix these test cases. 
Because of cross-dependencies between keystone and keystone-tempest-plugin, the protection job is made non-voting now but will be made voting after these are merged (and probably backported).","commit_id":"9162501c5f842817bde1e6d49986ad1e3068add7"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"71bf4dfe7539484599f7e36a13c1e5f92c8d60da","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"6fd1b05e_b8aa8582","in_reply_to":"8d85c35a_0172bdfd","updated":"2024-04-18 22:18:30.000000000","message":"what needs to be change in keystone_tempest_plugin test is, domain admin user to allow to get the role of domain[1].\n\nEasy can be to remove all three tests from the DomainAdminTests class[2] and tests definition[3] from its base class SystemAdminTests can be executed as it is for DomainAdminTests class also.\n\n[1] https://github.com/openstack/keystone-tempest-plugin/blob/c0ae2d9930bad1f9e041d85b17e32eb5a9466079/keystone_tempest_plugin/tests/rbac/v3/test_role.py#L331\n\n[2] https://github.com/openstack/keystone-tempest-plugin/blob/c0ae2d9930bad1f9e041d85b17e32eb5a9466079/keystone_tempest_plugin/tests/rbac/v3/test_role.py#L322\n\n[3] https://github.com/openstack/keystone-tempest-plugin/blob/c0ae2d9930bad1f9e041d85b17e32eb5a9466079/keystone_tempest_plugin/tests/rbac/v3/test_role.py#L171","commit_id":"9162501c5f842817bde1e6d49986ad1e3068add7"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a1d7a1c948babdc1fb3750add99d57bd6350e0f3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"5fce2c70_dcbc224d","updated":"2024-04-30 18:02:18.000000000","message":"lgtm, agree to make job non voting to unblock the cross 
dependency.","commit_id":"522627de3c66113d03019122735cdfc3e0d245c8"}],"keystone/common/policies/role.py":[{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"898f7f535ab75ca73681a8ad694cc9ef33239ca3","unresolved":true,"context_lines":[{"line_number":103,"context_line":"                     \u0027method\u0027: \u0027HEAD\u0027}],"},{"line_number":104,"context_line":"        deprecated_rule\u003ddeprecated_list_role),"},{"line_number":105,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":106,"context_line":"        name\u003dbase.IDENTITY % \u0027create_role\u0027,"},{"line_number":107,"context_line":"        check_str\u003dbase.RULE_ADMIN_REQUIRED,"},{"line_number":108,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":109,"context_line":"        description\u003d\u0027Create role.\u0027,"}],"source_content_type":"text/x-python","patch_set":3,"id":"5e2ba69f_c72601f9","line":106,"range":{"start_line":106,"start_character":30,"end_line":106,"end_character":41},"updated":"2024-04-23 09:09:08.000000000","message":"I wonder if we want to accept create/update/delete role by domain admin here as well, if we haven\u0027t yet implemented domain scope separation.","commit_id":"522627de3c66113d03019122735cdfc3e0d245c8"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"de1fc161e7df7b73b97931347a1c0303900f4cc7","unresolved":true,"context_lines":[{"line_number":103,"context_line":"                     \u0027method\u0027: \u0027HEAD\u0027}],"},{"line_number":104,"context_line":"        deprecated_rule\u003ddeprecated_list_role),"},{"line_number":105,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":106,"context_line":"        name\u003dbase.IDENTITY % \u0027create_role\u0027,"},{"line_number":107,"context_line":"        
check_str\u003dbase.RULE_ADMIN_REQUIRED,"},{"line_number":108,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":109,"context_line":"        description\u003d\u0027Create role.\u0027,"}],"source_content_type":"text/x-python","patch_set":3,"id":"a853e4fd_1e3d272d","line":106,"range":{"start_line":106,"start_character":30,"end_line":106,"end_character":41},"in_reply_to":"08283ce0_8204ec51","updated":"2024-05-17 11:23:21.000000000","message":"so we should really move away from using domain admin and instead have domain manager\n\ni.e. use the manager role within domain to allow the creation of user and project in a domain and the ability to view/assign roles to user in that domain.\n\n\nideally everything that currently requires an admin role to do in a domain would be possible with a domain scoped manager token.","commit_id":"522627de3c66113d03019122735cdfc3e0d245c8"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"267579e8d1c69d8f543114454c477793a65360b1","unresolved":true,"context_lines":[{"line_number":103,"context_line":"                     \u0027method\u0027: \u0027HEAD\u0027}],"},{"line_number":104,"context_line":"        deprecated_rule\u003ddeprecated_list_role),"},{"line_number":105,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":106,"context_line":"        name\u003dbase.IDENTITY % \u0027create_role\u0027,"},{"line_number":107,"context_line":"        check_str\u003dbase.RULE_ADMIN_REQUIRED,"},{"line_number":108,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":109,"context_line":"        description\u003d\u0027Create 
role.\u0027,"}],"source_content_type":"text/x-python","patch_set":3,"id":"08283ce0_8204ec51","line":106,"range":{"start_line":106,"start_character":30,"end_line":106,"end_character":41},"in_reply_to":"5e2ba69f_c72601f9","updated":"2024-05-03 16:38:44.000000000","message":"From the latest version of the SRBAC community goal:\n\n\u003e we are keeping the legacy admin same as it is currently, legacy admin (meaning anyone with the admin role on a project) will continue to be able to list all the resources across the deployment\n\nSo then, given that a user with \"admin\" role on a project should be authorized to see cross-project and cross-domain resources, and given that role assignments on a domain grant that same access to projects within it, then it probably makes sense to allow domain-admin here.\n\nI think a domain-admin would be able to get a project-admin token for a project in that domain and get access with the current policy anyway.","commit_id":"522627de3c66113d03019122735cdfc3e0d245c8"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"898f7f535ab75ca73681a8ad694cc9ef33239ca3","unresolved":true,"context_lines":[{"line_number":129,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":130,"context_line":"        name\u003dbase.IDENTITY % \u0027get_domain_role\u0027,"},{"line_number":131,"context_line":"        check_str\u003dbase.RULE_ADMIN_OR_SYSTEM_READER,"},{"line_number":132,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":133,"context_line":"        description\u003d\u0027Show domain role.\u0027,"},{"line_number":134,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/v3/roles/{role_id}\u0027,"},{"line_number":135,"context_line":"                     \u0027method\u0027: 
\u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":3,"id":"3fa70652_6a1d89a9","line":132,"range":{"start_line":132,"start_character":28,"end_line":132,"end_character":32},"updated":"2024-04-23 09:09:08.000000000","message":"ditto. should domain admin be able to manage domain roles ?","commit_id":"522627de3c66113d03019122735cdfc3e0d245c8"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"267579e8d1c69d8f543114454c477793a65360b1","unresolved":true,"context_lines":[{"line_number":129,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":130,"context_line":"        name\u003dbase.IDENTITY % \u0027get_domain_role\u0027,"},{"line_number":131,"context_line":"        check_str\u003dbase.RULE_ADMIN_OR_SYSTEM_READER,"},{"line_number":132,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":133,"context_line":"        description\u003d\u0027Show domain role.\u0027,"},{"line_number":134,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/v3/roles/{role_id}\u0027,"},{"line_number":135,"context_line":"                     \u0027method\u0027: \u0027GET\u0027},"}],"source_content_type":"text/x-python","patch_set":3,"id":"f44a3b29_875ebe18","line":132,"range":{"start_line":132,"start_character":28,"end_line":132,"end_character":32},"in_reply_to":"3fa70652_6a1d89a9","updated":"2024-05-03 16:38:44.000000000","message":"domain-specific-roles are just regular roles with a reference to a domain_id, so, if we allow domain-admin to create regular roles, then we might as well allow creating roles across any domain.\n\ndomain-manager, whenever we implement that, should only be able to CRUD roles in their own domain.","commit_id":"522627de3c66113d03019122735cdfc3e0d245c8"}]}
