)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d30a1492f47d9aeec0c632d412692f76daa77150","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"4903aa32_3f9303c9","updated":"2024-05-01 17:08:03.000000000","message":"lgtm","commit_id":"5ead95ffcc597517feed53170e2d2f77cdd311a1"}],"keystone/common/policies/credential.py":[{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"c71b4939ea564a531f23a0c630ab5a6438734b9c","unresolved":true,"context_lines":[{"line_number":54,"context_line":"credential_policies \u003d ["},{"line_number":55,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":56,"context_line":"        name\u003dbase.IDENTITY % \u0027get_credential\u0027,"},{"line_number":57,"context_line":"        check_str\u003dbase.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,"},{"line_number":58,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027domain\u0027, \u0027project\u0027],"},{"line_number":59,"context_line":"        description\u003d\u0027Show credentials details.\u0027,"},{"line_number":60,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/v3/credentials/{credential_id}\u0027,"}],"source_content_type":"text/x-python","patch_set":1,"id":"b165a477_17b07e0c","line":57,"range":{"start_line":57,"start_character":23,"end_line":57,"end_character":59},"updated":"2024-04-17 18:19:38.000000000","message":"this rule might need to be updated to avoid domain admin from accessing all credentials...","commit_id":"04a71d340fa95ccc0f883fd0bc12cecb87b9d76e"},{"author":{"_account_id":11604,"name":"sean 
mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"34f8009f4580ca43aeaf557791009c4a3c77d3a0","unresolved":true,"context_lines":[{"line_number":54,"context_line":"credential_policies \u003d ["},{"line_number":55,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":56,"context_line":"        name\u003dbase.IDENTITY % \u0027get_credential\u0027,"},{"line_number":57,"context_line":"        check_str\u003dbase.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,"},{"line_number":58,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027domain\u0027, \u0027project\u0027],"},{"line_number":59,"context_line":"        description\u003d\u0027Show credentials details.\u0027,"},{"line_number":60,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/v3/credentials/{credential_id}\u0027,"}],"source_content_type":"text/x-python","patch_set":1,"id":"c03c50c5_706c09eb","line":57,"range":{"start_line":57,"start_character":23,"end_line":57,"end_character":59},"in_reply_to":"64efaf00_4b3b276e","updated":"2024-05-17 10:58:04.000000000","message":"I think this is a case where the manager role is useful.\nDomain managers should be able to create users and projects within the domain and delegate roles they have to those users\n\ni.e. 
a user with the manager role in a domain would be able to create a project and a user and give the user member, reader or manager in that project but not admin.","commit_id":"04a71d340fa95ccc0f883fd0bc12cecb87b9d76e"},{"author":{"_account_id":7973,"name":"Douglas Mendizábal","email":"dmendiza@redhat.com","username":"dougmendizabal"},"change_message_id":"57a8fd12d632cd50de31d36a168a603dac67c20c","unresolved":true,"context_lines":[{"line_number":54,"context_line":"credential_policies \u003d ["},{"line_number":55,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":56,"context_line":"        name\u003dbase.IDENTITY % \u0027get_credential\u0027,"},{"line_number":57,"context_line":"        check_str\u003dbase.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,"},{"line_number":58,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027domain\u0027, \u0027project\u0027],"},{"line_number":59,"context_line":"        description\u003d\u0027Show credentials details.\u0027,"},{"line_number":60,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/v3/credentials/{credential_id}\u0027,"}],"source_content_type":"text/x-python","patch_set":1,"id":"64efaf00_4b3b276e","line":57,"range":{"start_line":57,"start_character":23,"end_line":57,"end_character":59},"in_reply_to":"73408891_d6178b90","updated":"2024-05-03 16:45:00.000000000","message":"Like the previous patch in this chain, I think we can reference the SRBAC community goal again:\n\n\u003e we are keeping the legacy admin same as it is currently, legacy admin (meaning anyone with the admin role on a project) will continue to be able to list all the resources across the deployment \n\nI interpret this to mean that we are not going to fix https://bugs.launchpad.net/keystone/+bug/968696 and \"admin\" anywhere will continue to be admin everywhere.","commit_id":"04a71d340fa95ccc0f883fd0bc12cecb87b9d76e"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1e800cab122dab5d5cb0b733ce3de979644bfaf0","unresolved":true,"context_lines":[{"line_number":54,"context_line":"credential_policies \u003d ["},{"line_number":55,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":56,"context_line":"        name\u003dbase.IDENTITY % \u0027get_credential\u0027,"},{"line_number":57,"context_line":"        check_str\u003dbase.ADMIN_OR_SYSTEM_READER_OR_CRED_OWNER,"},{"line_number":58,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027domain\u0027, \u0027project\u0027],"},{"line_number":59,"context_line":"        description\u003d\u0027Show credentials details.\u0027,"},{"line_number":60,"context_line":"        operations\u003d[{\u0027path\u0027: \u0027/v3/credentials/{credential_id}\u0027,"}],"source_content_type":"text/x-python","patch_set":1,"id":"73408891_d6178b90","line":57,"range":{"start_line":57,"start_character":23,"end_line":57,"end_character":59},"in_reply_to":"b165a477_17b07e0c","updated":"2024-04-18 22:18:38.000000000","message":"I think this was the same case earlier also where admin in any domain can see creds of all users? \n\n- https://review.opendev.org/c/openstack/keystone/+/916130/1/keystone/common/policies/credential.py#b24\n\nand is not the case for project admin also? I mean project admin can see all creds of other domain also?\n\nAt least seeing the test, it seem so\n\n- https://github.com/openstack/keystone-tempest-plugin/blob/c0ae2d9930bad1f9e041d85b17e32eb5a9466079/keystone_tempest_plugin/tests/rbac/v3/test_credential.py#L436\n\nIn below logs we can see project admin able to get all the creds of all users\n- https://zuul.opendev.org/t/openstack/build/9beac21cbc17449aa272bfcb794a1824/log/controller/logs/tempest_log.txt#13229-13233\n\nI am not 100% sure why domain scope was not added in new RBAC at first place. 
We have not solved the domain admin restriction issue yet, which requires a global domain admin role vs. domain admin. We have discussed it many times in the past but there is no solution for domain admin isolation yet, and we are keeping the same behavior in the new RBAC also.","commit_id":"04a71d340fa95ccc0f883fd0bc12cecb87b9d76e"}]}
