)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"change_message_id":"a03ace8fcbb30b70da6602ef7c7681dce0bb7dcc","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"9d904181_a41eedd1","updated":"2025-12-05 16:10:18.000000000","message":"Which user (role/access) is radosgw using now? I think I understand the intention from the Rados pov, but the change in this form breaks the least privilege concept - it grants too much access to all service users - i.e. Nova does not need this access.","commit_id":"bb0745a204f7941e935dedc2bb98d0eb4f8472d1"},{"author":{"_account_id":16137,"name":"Tobias Urdin","email":"tobias.urdin@binero.com","username":"tobasco"},"change_message_id":"62a0fb395b1ca6edc046d5ba6479890b1a9f6eec","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"e3d84a18_a2a689cd","in_reply_to":"9d904181_a41eedd1","updated":"2025-12-16 15:23:50.000000000","message":"Hello Artem, today the RadosGW service needs the ``admin`` role _or_ a custom role that allows the ``identity:ec2_get_credential`` and ``identity:s3tokens_validate`` (new since OSSA-2025-002) policies, or the `service` role (since OSSA-2025-002) for ``identity:s3tokens_validate`` and a custom role for ``identity:ec2_get_credential``\n\nPlease see my mailing list post about what Keystone access RadosGW needs [1].\n\nI\u0027m open to any suggestions, I don\u0027t remember why listing is included here so I can probably narrow this down but if that\u0027s not enough what is the next step, do we add a new default role? Do we leave this as a problem for operators to solve with custom roles?\n\n[1] https://marc.info/?l\u003dceph-users\u0026m\u003d176241342607057\u0026w\u003d2","commit_id":"bb0745a204f7941e935dedc2bb98d0eb4f8472d1"},{"author":{"_account_id":16137,"name":"Tobias Urdin","email":"tobias.urdin@binero.com","username":"tobasco"},"change_message_id":"066c6a3b208ddf97399c6547ff560e10a46f4d5a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"7080a8cb_49c2ccc5","in_reply_to":"e3d84a18_a2a689cd","updated":"2025-12-16 15:25:06.000000000","message":"I should also note that I\u0027m also not satisfied with the global/shared ``service`` approach, but it\u0027s what we have today unless we start introducing more roles.","commit_id":"bb0745a204f7941e935dedc2bb98d0eb4f8472d1"}]}
