)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"5afc3293afda39296f5f2db124504a89346509c8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"ad2b5cf3_281210fc","updated":"2026-04-20 14:25:52.000000000","message":"Another thought, but that is probably to the spec - how is intended to resolve chicken-egg situation?\n\nAs once you deploy the keystone with plugin enabled - you are prohibited right away.\n\nI think, we should have a default rule allowing all users to enter from 0.0.0.0/0. And then likely we don\u0027t need a config option to enable/disable the plugin.","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"3a5c89e2feedf53381c674cc43d31e46c50d2a83","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"4fe91769_5442bc9b","updated":"2026-04-20 14:22:14.000000000","message":"The patch missing any testing","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":26892,"name":"Marcus Murwall","email":"marcus.murwall@cleura.com","username":"muran"},"change_message_id":"452440c747c845553c0396413f037af78f638f2f","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"b0047e7b_b01cd785","in_reply_to":"4fe91769_5442bc9b","updated":"2026-04-20 15:53:28.000000000","message":"Will add that after spec is approved.","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":26892,"name":"Marcus Murwall","email":"marcus.murwall@cleura.com","username":"muran"},"change_message_id":"452440c747c845553c0396413f037af78f638f2f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"a726bd04_fa7c60ff","in_reply_to":"ad2b5cf3_281210fc","updated":"2026-04-20 
15:53:28.000000000","message":"It\u0027s open by default. I.e. if no rules exist, it will allow connections from all.","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"}],"keystone/api/os_ip_allowlist.py":[{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"3a5c89e2feedf53381c674cc43d31e46c50d2a83","unresolved":true,"context_lines":[{"line_number":60,"context_line":"    def post(self, user_id):"},{"line_number":61,"context_line":"        ENFORCER.enforce_call(action\u003d\u0027identity:create_ip_allowlist_cidr\u0027)"},{"line_number":62,"context_line":"        body \u003d flask.request.get_json(force\u003dTrue)"},{"line_number":63,"context_line":"        entry \u003d body.get(\u0027cidr\u0027, {})"},{"line_number":64,"context_line":"        ref \u003d PROVIDERS.ip_allowlist_api.create_allowed_cidr(user_id, entry)"},{"line_number":65,"context_line":"        return {\u0027cidr\u0027: ref}, http.client.CREATED"},{"line_number":66,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"ba24e333_4c189e24","line":63,"range":{"start_line":63,"start_character":0,"end_line":63,"end_character":36},"updated":"2026-04-20 14:22:14.000000000","message":"we need to verify that a valid CIDR is supplied by the user","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":26892,"name":"Marcus Murwall","email":"marcus.murwall@cleura.com","username":"muran"},"change_message_id":"5032f1a416503488440db952350200084d4dd631","unresolved":false,"context_lines":[{"line_number":60,"context_line":"    def post(self, user_id):"},{"line_number":61,"context_line":"        ENFORCER.enforce_call(action\u003d\u0027identity:create_ip_allowlist_cidr\u0027)"},{"line_number":62,"context_line":"        body \u003d flask.request.get_json(force\u003dTrue)"},{"line_number":63,"context_line":"        entry \u003d body.get(\u0027cidr\u0027, 
{})"},{"line_number":64,"context_line":"        ref \u003d PROVIDERS.ip_allowlist_api.create_allowed_cidr(user_id, entry)"},{"line_number":65,"context_line":"        return {\u0027cidr\u0027: ref}, http.client.CREATED"},{"line_number":66,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"f39a198b_bc626711","line":63,"range":{"start_line":63,"start_character":0,"end_line":63,"end_character":36},"in_reply_to":"736b1303_c2c72c00","updated":"2026-04-21 04:35:16.000000000","message":"Done","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":26892,"name":"Marcus Murwall","email":"marcus.murwall@cleura.com","username":"muran"},"change_message_id":"452440c747c845553c0396413f037af78f638f2f","unresolved":true,"context_lines":[{"line_number":60,"context_line":"    def post(self, user_id):"},{"line_number":61,"context_line":"        ENFORCER.enforce_call(action\u003d\u0027identity:create_ip_allowlist_cidr\u0027)"},{"line_number":62,"context_line":"        body \u003d flask.request.get_json(force\u003dTrue)"},{"line_number":63,"context_line":"        entry \u003d body.get(\u0027cidr\u0027, {})"},{"line_number":64,"context_line":"        ref \u003d PROVIDERS.ip_allowlist_api.create_allowed_cidr(user_id, entry)"},{"line_number":65,"context_line":"        return {\u0027cidr\u0027: ref}, http.client.CREATED"},{"line_number":66,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"736b1303_c2c72c00","line":63,"range":{"start_line":63,"start_character":0,"end_line":63,"end_character":36},"in_reply_to":"ba24e333_4c189e24","updated":"2026-04-20 15:53:28.000000000","message":"Good point, I will update.","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"}],"keystone/common/policies/ip_allowlist.py":[{"author":{"_account_id":28619,"name":"Dmitriy 
Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"3a5c89e2feedf53381c674cc43d31e46c50d2a83","unresolved":true,"context_lines":[{"line_number":41,"context_line":"    ),"},{"line_number":42,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":43,"context_line":"        name\u003dbase.IDENTITY % \u0027create_ip_allowlist_cidr\u0027,"},{"line_number":44,"context_line":"        check_str\u003dbase.RULE_ADMIN_REQUIRED,"},{"line_number":45,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":46,"context_line":"        description\u003d\u0027Create an IP allowlist CIDR entry for a user.\u0027,"},{"line_number":47,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":1,"id":"62be22e2_a10209e6","line":44,"range":{"start_line":44,"start_character":0,"end_line":44,"end_character":42},"updated":"2026-04-20 14:22:14.000000000","message":"aren\u0027t users supposed to self-manage their networks?\n\nThe only other option could be admin or domain manager though. 
As this would make sense for domain manager to manage user permissions.","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":26892,"name":"Marcus Murwall","email":"marcus.murwall@cleura.com","username":"muran"},"change_message_id":"452440c747c845553c0396413f037af78f638f2f","unresolved":true,"context_lines":[{"line_number":41,"context_line":"    ),"},{"line_number":42,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":43,"context_line":"        name\u003dbase.IDENTITY % \u0027create_ip_allowlist_cidr\u0027,"},{"line_number":44,"context_line":"        check_str\u003dbase.RULE_ADMIN_REQUIRED,"},{"line_number":45,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":46,"context_line":"        description\u003d\u0027Create an IP allowlist CIDR entry for a user.\u0027,"},{"line_number":47,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":1,"id":"f8a6a294_6038a2e3","line":44,"range":{"start_line":44,"start_character":0,"end_line":44,"end_character":42},"in_reply_to":"62be22e2_a10209e6","updated":"2026-04-20 15:53:28.000000000","message":"From compliance perspective I think it makes sense to not by default allow everyone to change their own rules hence locking it to admin by default and allow operators to override it in policy if they wish to do so.","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":26892,"name":"Marcus Murwall","email":"marcus.murwall@cleura.com","username":"muran"},"change_message_id":"5032f1a416503488440db952350200084d4dd631","unresolved":false,"context_lines":[{"line_number":41,"context_line":"    ),"},{"line_number":42,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":43,"context_line":"        name\u003dbase.IDENTITY % \u0027create_ip_allowlist_cidr\u0027,"},{"line_number":44,"context_line":"        
check_str\u003dbase.RULE_ADMIN_REQUIRED,"},{"line_number":45,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":46,"context_line":"        description\u003d\u0027Create an IP allowlist CIDR entry for a user.\u0027,"},{"line_number":47,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":1,"id":"487837fc_241f664b","line":44,"range":{"start_line":44,"start_character":0,"end_line":44,"end_character":42},"in_reply_to":"b9d6523c_0cc4df55","updated":"2026-04-21 04:35:16.000000000","message":"Done","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"513d469f99188582ea5d99cc40901dd5e51744cd","unresolved":true,"context_lines":[{"line_number":41,"context_line":"    ),"},{"line_number":42,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":43,"context_line":"        name\u003dbase.IDENTITY % \u0027create_ip_allowlist_cidr\u0027,"},{"line_number":44,"context_line":"        check_str\u003dbase.RULE_ADMIN_REQUIRED,"},{"line_number":45,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":46,"context_line":"        description\u003d\u0027Create an IP allowlist CIDR entry for a user.\u0027,"},{"line_number":47,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":1,"id":"b9d6523c_0cc4df55","line":44,"range":{"start_line":44,"start_character":0,"end_line":44,"end_character":42},"in_reply_to":"f8a6a294_6038a2e3","updated":"2026-04-20 15:58:46.000000000","message":"Ok, I got the reasoning. 
But then I\u0027d still vote for Admin + Domain Manager tbh...","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"3a5c89e2feedf53381c674cc43d31e46c50d2a83","unresolved":true,"context_lines":[{"line_number":53,"context_line":"    ),"},{"line_number":54,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":55,"context_line":"        name\u003dbase.IDENTITY % \u0027delete_ip_allowlist_cidr\u0027,"},{"line_number":56,"context_line":"        check_str\u003dbase.RULE_ADMIN_REQUIRED,"},{"line_number":57,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":58,"context_line":"        description\u003d\u0027Delete an IP allowlist CIDR entry for a user.\u0027,"},{"line_number":59,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":1,"id":"61a5f278_2a4dd6a0","line":56,"range":{"start_line":56,"start_character":0,"end_line":56,"end_character":43},"updated":"2026-04-20 14:22:14.000000000","message":"same here?","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"513d469f99188582ea5d99cc40901dd5e51744cd","unresolved":false,"context_lines":[{"line_number":53,"context_line":"    ),"},{"line_number":54,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":55,"context_line":"        name\u003dbase.IDENTITY % \u0027delete_ip_allowlist_cidr\u0027,"},{"line_number":56,"context_line":"        check_str\u003dbase.RULE_ADMIN_REQUIRED,"},{"line_number":57,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":58,"context_line":"        description\u003d\u0027Delete an IP allowlist CIDR entry for a 
user.\u0027,"},{"line_number":59,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":1,"id":"31422f96_de9323ea","line":56,"range":{"start_line":56,"start_character":0,"end_line":56,"end_character":43},"in_reply_to":"36b1f12a_a5af1936","updated":"2026-04-20 15:58:46.000000000","message":"Done","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":26892,"name":"Marcus Murwall","email":"marcus.murwall@cleura.com","username":"muran"},"change_message_id":"452440c747c845553c0396413f037af78f638f2f","unresolved":true,"context_lines":[{"line_number":53,"context_line":"    ),"},{"line_number":54,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":55,"context_line":"        name\u003dbase.IDENTITY % \u0027delete_ip_allowlist_cidr\u0027,"},{"line_number":56,"context_line":"        check_str\u003dbase.RULE_ADMIN_REQUIRED,"},{"line_number":57,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":58,"context_line":"        description\u003d\u0027Delete an IP allowlist CIDR entry for a user.\u0027,"},{"line_number":59,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":1,"id":"36b1f12a_a5af1936","line":56,"range":{"start_line":56,"start_character":0,"end_line":56,"end_character":43},"in_reply_to":"61a5f278_2a4dd6a0","updated":"2026-04-20 15:53:28.000000000","message":"See comment https://review.opendev.org/c/openstack/keystone/+/985406/1/keystone/common/policies/ip_allowlist.py#44","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"}],"keystone/common/sql/migrations/versions/2026.1/expand/a1b2c3d4e5f6_add_ip_allowlist_entry_table.py":[{"author":{"_account_id":28619,"name":"Dmitriy 
Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"a725c0263d863b5c0eec6761865b90fa1a969353","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"bbb81adc_a261f49c","line":50,"updated":"2026-04-20 14:27:45.000000000","message":"Should we maybe have a \"bootstrap\" record in migration to allow all users from 0.0.0.0/0 by default?\n\nI am not sure if we should add it to migration or not, but it would make kinda sense, as migration is run only once in lifetime.","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"7cc682a92c7673afa8e3864b5a18583f1eaf2ce1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"4d5ac516_97dfad33","line":50,"in_reply_to":"bbb81adc_a261f49c","updated":"2026-04-20 16:04:46.000000000","message":"Ok, no, it should not be in migrations. 
It should be in a bootstrap script:\n\nhttps://opendev.org/openstack/keystone/src/branch/master/keystone/cmd/bootstrap.py","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"}],"keystone/ip_allowlist/core.py":[{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"3a5c89e2feedf53381c674cc43d31e46c50d2a83","unresolved":true,"context_lines":[{"line_number":66,"context_line":"            )"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"        for entry in entries:"},{"line_number":69,"context_line":"            try:"},{"line_number":70,"context_line":"                network \u003d ipaddress.ip_network(entry[\u0027cidr\u0027], strict\u003dFalse)"},{"line_number":71,"context_line":"            except ValueError:"},{"line_number":72,"context_line":"                LOG.warning("},{"line_number":73,"context_line":"                    \u0027Invalid CIDR %(cidr)s in allowlist for user %(user)s\u0027,"},{"line_number":74,"context_line":"                    {\u0027cidr\u0027: entry[\u0027cidr\u0027], \u0027user\u0027: user_id},"},{"line_number":75,"context_line":"                )"},{"line_number":76,"context_line":"                continue"},{"line_number":77,"context_line":"            if addr in network:"},{"line_number":78,"context_line":"                return"},{"line_number":79,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"858f02b9_9747af0a","line":76,"range":{"start_line":69,"start_character":0,"end_line":76,"end_character":24},"updated":"2026-04-20 14:22:14.000000000","message":"this should be checked on CIDR creation, not on each check.","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":26892,"name":"Marcus 
Murwall","email":"marcus.murwall@cleura.com","username":"muran"},"change_message_id":"5032f1a416503488440db952350200084d4dd631","unresolved":false,"context_lines":[{"line_number":66,"context_line":"            )"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"        for entry in entries:"},{"line_number":69,"context_line":"            try:"},{"line_number":70,"context_line":"                network \u003d ipaddress.ip_network(entry[\u0027cidr\u0027], strict\u003dFalse)"},{"line_number":71,"context_line":"            except ValueError:"},{"line_number":72,"context_line":"                LOG.warning("},{"line_number":73,"context_line":"                    \u0027Invalid CIDR %(cidr)s in allowlist for user %(user)s\u0027,"},{"line_number":74,"context_line":"                    {\u0027cidr\u0027: entry[\u0027cidr\u0027], \u0027user\u0027: user_id},"},{"line_number":75,"context_line":"                )"},{"line_number":76,"context_line":"                continue"},{"line_number":77,"context_line":"            if addr in network:"},{"line_number":78,"context_line":"                return"},{"line_number":79,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"2b529aa4_479d2d26","line":76,"range":{"start_line":69,"start_character":0,"end_line":76,"end_character":24},"in_reply_to":"5d96f622_50820460","updated":"2026-04-21 04:35:16.000000000","message":"Done","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":26892,"name":"Marcus Murwall","email":"marcus.murwall@cleura.com","username":"muran"},"change_message_id":"452440c747c845553c0396413f037af78f638f2f","unresolved":true,"context_lines":[{"line_number":66,"context_line":"            )"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"        for entry in entries:"},{"line_number":69,"context_line":"            try:"},{"line_number":70,"context_line":"                network \u003d 
ipaddress.ip_network(entry[\u0027cidr\u0027], strict\u003dFalse)"},{"line_number":71,"context_line":"            except ValueError:"},{"line_number":72,"context_line":"                LOG.warning("},{"line_number":73,"context_line":"                    \u0027Invalid CIDR %(cidr)s in allowlist for user %(user)s\u0027,"},{"line_number":74,"context_line":"                    {\u0027cidr\u0027: entry[\u0027cidr\u0027], \u0027user\u0027: user_id},"},{"line_number":75,"context_line":"                )"},{"line_number":76,"context_line":"                continue"},{"line_number":77,"context_line":"            if addr in network:"},{"line_number":78,"context_line":"                return"},{"line_number":79,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"5d96f622_50820460","line":76,"range":{"start_line":69,"start_character":0,"end_line":76,"end_character":24},"in_reply_to":"858f02b9_9747af0a","updated":"2026-04-20 15:53:28.000000000","message":"Good point, I will update.","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"}],"keystone/token/provider.py":[{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"3a5c89e2feedf53381c674cc43d31e46c50d2a83","unresolved":true,"context_lines":[{"line_number":355,"context_line":"        if CONF.ip_allowlist.enabled:"},{"line_number":356,"context_line":"            PROVIDERS.ip_allowlist_api.check_ip_allowed("},{"line_number":357,"context_line":"                token.user_id,"},{"line_number":358,"context_line":"                flask.request.remote_addr,"},{"line_number":359,"context_line":"            )"},{"line_number":360,"context_line":""},{"line_number":361,"context_line":"        token_id, issued_at \u003d self.driver.generate_id_and_issued_at(token)"}],"source_content_type":"text/x-python","patch_set":1,"id":"ab744990_d3b6c96f","line":358,"updated":"2026-04-20 14:22:14.000000000","message":"I am not really 
sure if the `remote_addr` is an appropriate thing to have. As in most of the production deployments, that would be just a load balancer IP.\n\nI think this one should be configurable, and we provide multiple options to choose from.","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"513d469f99188582ea5d99cc40901dd5e51744cd","unresolved":true,"context_lines":[{"line_number":355,"context_line":"        if CONF.ip_allowlist.enabled:"},{"line_number":356,"context_line":"            PROVIDERS.ip_allowlist_api.check_ip_allowed("},{"line_number":357,"context_line":"                token.user_id,"},{"line_number":358,"context_line":"                flask.request.remote_addr,"},{"line_number":359,"context_line":"            )"},{"line_number":360,"context_line":""},{"line_number":361,"context_line":"        token_id, issued_at \u003d self.driver.generate_id_and_issued_at(token)"}],"source_content_type":"text/x-python","patch_set":1,"id":"98115162_0fa57dd9","line":358,"in_reply_to":"46704be1_2d1e5adc","updated":"2026-04-20 15:58:46.000000000","message":"I don\u0027t think you can do that on load balancer.\n\nYou can do that on web server running the WSGI application. 
But then this mandates on how to run WSGI and makes it from hard to impossible to use.\n\nSo this feature would mandate how to run WSGI, which is not great at all.\n\nAnd logging format for queries is actually part of wsgi server usually, so it is not in Keystone code.","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":26892,"name":"Marcus Murwall","email":"marcus.murwall@cleura.com","username":"muran"},"change_message_id":"5032f1a416503488440db952350200084d4dd631","unresolved":true,"context_lines":[{"line_number":355,"context_line":"        if CONF.ip_allowlist.enabled:"},{"line_number":356,"context_line":"            PROVIDERS.ip_allowlist_api.check_ip_allowed("},{"line_number":357,"context_line":"                token.user_id,"},{"line_number":358,"context_line":"                flask.request.remote_addr,"},{"line_number":359,"context_line":"            )"},{"line_number":360,"context_line":""},{"line_number":361,"context_line":"        token_id, issued_at \u003d self.driver.generate_id_and_issued_at(token)"}],"source_content_type":"text/x-python","patch_set":1,"id":"cb7792b9_206efc21","line":358,"in_reply_to":"98115162_0fa57dd9","updated":"2026-04-21 04:35:16.000000000","message":"So what are you suggesting here?\nRead random value from headers configurable via CONF and defaulting to remote_addr?","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":26892,"name":"Marcus Murwall","email":"marcus.murwall@cleura.com","username":"muran"},"change_message_id":"452440c747c845553c0396413f037af78f638f2f","unresolved":true,"context_lines":[{"line_number":355,"context_line":"        if CONF.ip_allowlist.enabled:"},{"line_number":356,"context_line":"            PROVIDERS.ip_allowlist_api.check_ip_allowed("},{"line_number":357,"context_line":"                token.user_id,"},{"line_number":358,"context_line":"                flask.request.remote_addr,"},{"line_number":359,"context_line":"            
)"},{"line_number":360,"context_line":""},{"line_number":361,"context_line":"        token_id, issued_at \u003d self.driver.generate_id_and_issued_at(token)"}],"source_content_type":"text/x-python","patch_set":1,"id":"46704be1_2d1e5adc","line":358,"in_reply_to":"ab744990_d3b6c96f","updated":"2026-04-20 15:53:28.000000000","message":"In such cases I\u0027d say it\u0027s up to the load balancer to make sure the client IP is exposed to the service.\nYes, it could be configurable (to check for custom headers, etc.), but then we should have the same thing for logging, etc. as well.\nThe cleanest solution IMO would be to leave it up to the load balancer to what IP it exposes to the underlying service.","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"},{"author":{"_account_id":26892,"name":"Marcus Murwall","email":"marcus.murwall@cleura.com","username":"muran"},"change_message_id":"c08bd315376dc15d4dc4504b00aac9b52f80df0c","unresolved":true,"context_lines":[{"line_number":355,"context_line":"        if CONF.ip_allowlist.enabled:"},{"line_number":356,"context_line":"            PROVIDERS.ip_allowlist_api.check_ip_allowed("},{"line_number":357,"context_line":"                token.user_id,"},{"line_number":358,"context_line":"                flask.request.remote_addr,"},{"line_number":359,"context_line":"            )"},{"line_number":360,"context_line":""},{"line_number":361,"context_line":"        token_id, issued_at \u003d self.driver.generate_id_and_issued_at(token)"}],"source_content_type":"text/x-python","patch_set":1,"id":"01df15af_fc371b49","line":358,"in_reply_to":"cb7792b9_206efc21","updated":"2026-04-21 06:06:41.000000000","message":"Updated spec to reflect possibility of overriding which header to use for client IP tracking. I will update code to reflect it as soon as I have time, probably today/tonight.","commit_id":"1ec7dd390038faafcb850a48779da2735c09cb9b"}]}
