)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"2e5116c8ad28bb8f89a3af801286f222d5b3c3f7","unresolved":false,"context_lines":[{"line_number":9,"context_line":"Currently we default to keystone having tokens valid for one day, rather"},{"line_number":10,"context_line":"than the one hour keystone chooses."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"While it can help long running operations, like a snapshot of a very"},{"line_number":13,"context_line":"large VM succeed, it does mean the bearer of the token has access to the"},{"line_number":14,"context_line":"cloud for a long time, even after their access has been removed in"},{"line_number":15,"context_line":"keystone."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"It might be better to default to one hour token expiry."},{"line_number":18,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"dfbec78f_4129f687","line":15,"range":{"start_line":12,"start_character":0,"end_line":15,"end_character":9},"updated":"2019-05-09 11:00:14.000000000","message":"Without service tokens in defaults this could break people with long running ops.","commit_id":"f0bb7db9ac78bbb7ee1a1aa3d08937080cb4eba2"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"81fcf525e582cfb63e3d194089a78326baac1523","unresolved":false,"context_lines":[{"line_number":9,"context_line":"Currently we default to keystone having tokens valid for one day, rather"},{"line_number":10,"context_line":"than the one hour keystone chooses."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"While it can help long running operations, like a snapshot of a very"},{"line_number":13,"context_line":"large VM succeed, it does mean the bearer of the token has access to 
the"},{"line_number":14,"context_line":"cloud for a long time, even after their access has been removed in"},{"line_number":15,"context_line":"keystone."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"It might be better to default to one hour token expiry."},{"line_number":18,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"dfbec78f_81504e5f","line":15,"range":{"start_line":12,"start_character":0,"end_line":15,"end_character":9},"in_reply_to":"dfbec78f_4129f687","updated":"2019-05-09 11:30:58.000000000","message":"Yes, but it is a much better default security posture.\n\nOperations that last more than an hour are really quite rare in most clouds. It\u0027s where you do live-migration or snapshots or migrates for massive servers. If that takes an hour, you are probably \u0027doing the wrong thing\u0027(TM) anyways.","commit_id":"f0bb7db9ac78bbb7ee1a1aa3d08937080cb4eba2"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"2e5116c8ad28bb8f89a3af801286f222d5b3c3f7","unresolved":false,"context_lines":[{"line_number":17,"context_line":"It might be better to default to one hour token expiry."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Having said that, the other use of fernet_token_expiry is really for the"},{"line_number":20,"context_line":"frenet_key_expiry."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"TODO: maybe it needs a rename?"},{"line_number":23,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"dfbec78f_0123fea9","line":20,"range":{"start_line":20,"start_character":0,"end_line":20,"end_character":6},"updated":"2019-05-09 11:00:14.000000000","message":"nit: fernet","commit_id":"f0bb7db9ac78bbb7ee1a1aa3d08937080cb4eba2"},{"author":{"_account_id":14826,"name":"Mark 
Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"2e5116c8ad28bb8f89a3af801286f222d5b3c3f7","unresolved":false,"context_lines":[{"line_number":19,"context_line":"Having said that, the other use of fernet_token_expiry is really for the"},{"line_number":20,"context_line":"frenet_key_expiry."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"TODO: maybe it needs a rename?"},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Change-Id: I4c86a33ca177d25425e9ec69b97144c71d0975d1"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"dfbec78f_612c3a99","line":22,"range":{"start_line":22,"start_character":0,"end_line":22,"end_character":30},"updated":"2019-05-09 11:00:14.000000000","message":"Or splitting in two, with new defaulting to old.","commit_id":"f0bb7db9ac78bbb7ee1a1aa3d08937080cb4eba2"}]}
