)]}'
{"id":"openstack%2Fkeystone~985095","triplet_id":"openstack%2Fkeystone~master~I8faa502b1b2e5516c9a0a984d535740e0e764ebf","project":"openstack/keystone","branch":"master","attention_set":{"13478":{"account":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"last_update":"2026-04-21 11:21:56.000000000","reason":"\u003cGERRIT_ACCOUNT_28619\u003e replied on the change","reason_account":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"}}},"removed_from_attention_set":{},"hashtags":[],"change_id":"I8faa502b1b2e5516c9a0a984d535740e0e764ebf","subject":"Docs - add security considerations for projects_json","status":"NEW","created":"2026-04-17 12:02:18.000000000","updated":"2026-04-21 11:21:56.000000000","submit_type":"MERGE_IF_NECESSARY","mergeable":true,"submittable":false,"total_comment_count":1,"unresolved_comment_count":0,"has_review_started":true,"meta_rev_id":"db5ad42d55ac5c752c824133a6a1e686f65613ee","_number":985095,"virtual_id_number":985095,"owner":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"actions":{},"labels":{"Verified":{"recommended":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"tag":"autogenerated:zuul:check","value":1,"date":"2026-04-17 12:19:31.000000000","permitted_voting_range":{"min":-2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","value":1,"default_value":0,"optional":true},"Code-Review":{"recommended":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"all":[{"value":0,"permitted_voting_range":{"min":-1,"max":1},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":1,"date":"2026-04-21 11:21:56.000000000","permitted_voting_range":{"min":-1,"max":1},"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","value":1,"default_value":0,"optional":true},"Workflow":{"all":[{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2026-04-17 12:19:31.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2026-04-21 11:21:56.000000000","updated_by":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"reviewer":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"state":"REVIEWER"}],"messages":[{"id":"d0ad8807b2ffc2ecb70a10a0ecd742947ff05656","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"date":"2026-04-17 12:02:18.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"0a2616a1e7c1332432831a97eeda76b2726e6c62","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"date":"2026-04-17 12:04:13.000000000","message":"Patch Set 2: Commit message was updated.","accounts_in_message":[],"_revision_number":2},{"id":"4975a8322446ddffea373ba35b77acc4fbaf49cd","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2026-04-17 12:19:31.000000000","message":"Patch Set 2: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/484fd99518cf49bd8306fa12002a8e3c\n\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/bcee87d0abbf4c7e8186a1a3b4c8f1fd : SUCCESS in 5m 12s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/c55eabaa9102460d94e0fec022566699 : SUCCESS in 12m 32s\n- codegenerator-openapi-identity-tips-with-api-ref https://zuul.opendev.org/t/openstack/build/2d787610e17d41658958253c5ff74584 : SUCCESS in 8m 20s (non-voting)","accounts_in_message":[],"_revision_number":2},{"id":"db5ad42d55ac5c752c824133a6a1e686f65613ee","author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"date":"2026-04-21 11:21:56.000000000","message":"Patch Set 2: Code-Review+1\n\n(1 comment)","accounts_in_message":[],"_revision_number":2}],"current_revision_number":2,"current_revision":"1466f8afb0a5a26f600cb426e0929d86f2c8c149","revisions":{"2e5f1607ee27c41d749ace7bd805c230cf4f6170":{"kind":"REWORK","_number":1,"created":"2026-04-17 12:02:18.000000000","uploader":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"ref":"refs/changes/95/985095/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/95/985095/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/95/985095/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/95/985095/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/95/985095/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/95/985095/1"}}},"commit":{"parents":[{"commit":"80d5b7bf50448073223723cf1f6001a367695e80","subject":"Merge \"Fix pagination next link duplicating URL prefix\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/80d5b7bf50448073223723cf1f6001a367695e80"}]}],"author":{"name":"Boris Bobrov","email":"b.bobrov@sap.com","date":"2026-04-17 12:01:27.000000000","tz":120},"committer":{"name":"Boris Bobrov","email":"b.bobrov@sap.com","date":"2026-04-17 12:01:27.000000000","tz":120},"subject":"Add security considerations for projects_json","message":"Add security considerations for projects_json\n\nDocument the trust implications of using schema version 3.0 with\nthe projects_json attribute in federation mappings. When an IdP\ncontrols the projects_json content, it can target any existing\nproject in any domain, request any global role including admin,\nand bypass oslo.policy enforcement. This is safe when the IdP\nand Keystone share the same trust domain, but poses risks in\nmulti-tenant deployments where customers operate their own IdPs.\n\nPartial-Bug: #2148599\nGenerated-By: claude-opus-4-6 (OpenCode)\nSigned-off-by: Boris Bobrov \u003cb.bobrov@sap.com\u003e\nChange-Id: I8faa502b1b2e5516c9a0a984d535740e0e764ebf\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/2e5f1607ee27c41d749ace7bd805c230cf4f6170"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/2e5f1607ee27c41d749ace7bd805c230cf4f6170"}]},"branch":"refs/heads/master"},"1466f8afb0a5a26f600cb426e0929d86f2c8c149":{"kind":"NO_CODE_CHANGE","_number":2,"created":"2026-04-17 12:04:13.000000000","uploader":{"_account_id":13478,"name":"Boris Bobrov","email":"b.bobrov@sap.com","username":"bbobrov"},"ref":"refs/changes/95/985095/2","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/keystone","ref":"refs/changes/95/985095/2","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/keystone refs/changes/95/985095/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/keystone refs/changes/95/985095/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/keystone refs/changes/95/985095/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/keystone refs/changes/95/985095/2"}}},"commit":{"parents":[{"commit":"80d5b7bf50448073223723cf1f6001a367695e80","subject":"Merge \"Fix pagination next link duplicating URL prefix\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/80d5b7bf50448073223723cf1f6001a367695e80"}]}],"author":{"name":"Boris Bobrov","email":"b.bobrov@sap.com","date":"2026-04-17 12:01:27.000000000","tz":120},"committer":{"name":"Boris Bobrov","email":"b.bobrov@sap.com","date":"2026-04-17 12:04:13.000000000","tz":0},"subject":"Docs - add security considerations for projects_json","message":"Docs - add security considerations for projects_json\n\nDocument the trust implications of using schema version 3.0 with\nthe projects_json attribute in federation mappings. When an IdP\ncontrols the projects_json content, it can target any existing\nproject in any domain, request any global role including admin,\nand bypass oslo.policy enforcement. This is safe when the IdP\nand Keystone share the same trust domain, but poses risks in\nmulti-tenant deployments where customers operate their own IdPs.\n\nPartial-Bug: #2148599\nGenerated-By: claude-opus-4-6 (OpenCode)\nSigned-off-by: Boris Bobrov \u003cb.bobrov@sap.com\u003e\nChange-Id: I8faa502b1b2e5516c9a0a984d535740e0e764ebf\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/1466f8afb0a5a26f600cb426e0929d86f2c8c149"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/keystone/commit/1466f8afb0a5a26f600cb426e0929d86f2c8c149"}]},"branch":"refs/heads/master","description":"Edit commit message"}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"OK","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY","applied_by":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"}},{"label":"Workflow","status":"MAY"}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Verified\u003dMAX","label:Verified\u003dMIN"],"atom_explanations":{"label:Verified\u003dMAX":"","label:Verified\u003dMIN":""}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Code-Review\u003dMAX","label:Code-Review\u003dMIN"],"atom_explanations":{"label:Code-Review\u003dMAX":"","label:Code-Review\u003dMIN":""}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"UNSATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":false,"status":"FAIL","passing_atoms":[],"failing_atoms":["label:Workflow\u003dMAX","label:Workflow\u003dMIN"],"atom_explanations":{"label:Workflow\u003dMAX":"","label:Workflow\u003dMIN":""}}}]}