)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"5373b1576173871e6690600ad100776eeb4da600","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"00c09988_05ff55ca","updated":"2023-02-27 16:43:12.000000000","message":"recheck","commit_id":"9c85a4c59c555050cd5910ead49d2b3c3f7c5498"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"c6f989a3c510cd9353850f3ed80cbcf0f2f7ff46","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"cb11314e_442d463f","updated":"2023-02-27 06:33:53.000000000","message":"recheck","commit_id":"9c85a4c59c555050cd5910ead49d2b3c3f7c5498"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"b98fadeea669312e5bab921691cfdfa6021f3969","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"dc09ce1d_37324d5f","updated":"2023-02-28 14:41:42.000000000","message":"to not break `magnum-tempest-plugin-tests-api` for stable branches, we will make new rbac tests in magnum-tempest-plugin and enable scope in tempest there ","commit_id":"bfda105d267087e319a19a37e07ebd6a813140dc"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e180a8c8589940890f64c6a968ca98546e5d5503","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":12,"id":"89b4fed0_7676c481","updated":"2023-03-07 19:25:14.000000000","message":"Few comment inline to define the base rules but not blocking due to those. 
I have not reviewed the per-API rule defaults, as I have almost no knowledge of magnum interfaces.\n\nBut I am -1 because you are changing the defaults and enabling them in the same release, which will break users\u0027 upgrades without giving a release of deprecation time.","commit_id":"68475d4221bc6c7b3cbbda7580b74f415c69f85c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"edc0b28887c9377c40bb708d440b42fe37b49f48","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":16,"id":"47869f66_9929bd31","updated":"2023-03-08 21:58:29.000000000","message":"Thanks Rico Almost good, few comments. I have not checked if domain_id|name removal impact anything which magnum team can check and comment here.","commit_id":"0e296843c5998cab17ea15f5d8e28cb882c9bcee"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d637ff753a64c9d6850f6699aa6a9eab74654770","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":18,"id":"698b1cff_ccd2a87f","updated":"2023-03-09 18:34:46.000000000","message":"thanks for updates. -1 for deprecated rule in base rule otherwise lgtm","commit_id":"05a32415124deda2fc2392f845ea3df0c968b936"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"8278cb6d6eb3b86aa5b76537fdccc521b00413b9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":20,"id":"d0e72d3b_2a0f7404","updated":"2023-03-14 22:31:22.000000000","message":"Thanks Rico, nice work. This lgtm. Note: I have not checked the domain_id|name removal impact. 
but rest part is good.","commit_id":"28172e91965956b114c62d6642f4ae0436b30e81"},{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"3545179abe837f086e52f7a87fee7a7debf6fc28","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":21,"id":"390a11a2_fcff39bf","updated":"2023-05-23 14:13:33.000000000","message":"Thanks Rico for your review!\n\nFirst of all, apologies for this taking such a long time.\n\nIt is mostly good, I\u0027ve -1 for a few nits and polish, nothing major.\n\nI have a general question - this can be only turned on after implied roles are implemented(?), but I\u0027m struggling to find a paragraph that states this in [1](mainly for legacy clouds)\n\nI have other questions inline, hope you can help! Feel free to ping me in IRC to discuss if more convenient for you.\n\nOnce again, thanks!\n\n[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"026fd78a90d79fb81ab2b0a38506f65be2a63f59","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":21,"id":"3eb6890f_0d223ff1","updated":"2023-05-11 19:52:05.000000000","message":"lgtm, thanks for rebase Rico","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"0bf3ef1c9c87c1abdf7b7a897ad5886374765d13","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":21,"id":"c36d2db2_7d4a7059","updated":"2023-05-11 16:38:59.000000000","message":"recheck","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":12404,"name":"Rico 
Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"56226e444d16ad4cc8fb4567fcea583882f256a6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":21,"id":"813bef3f_47e4d680","in_reply_to":"390a11a2_fcff39bf","updated":"2023-05-31 18:16:46.000000000","message":"For the implied roles (project_reader and project_member), those are not actual function but just enforce policy to give specific roles more meaningful place.","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"721824a715ceb32c9c455588b8cf9ec44e175a32","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":22,"id":"584ee801_098fedb1","updated":"2023-06-19 12:45:18.000000000","message":"I can\u0027t create a cluster successfully with this. master node set up fails, seems like cluster user cannot do a GET on certificate (404).\n\nI have yet to find out why, more debugging is needed.","commit_id":"23efb30d398c2433f07152ff70855a71a70cf8c8"},{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"cd8554bc69d11799d7e08dfc9ca2349786850a49","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":22,"id":"84f67f9b_6f8f4493","updated":"2023-06-07 08:44:24.000000000","message":"LGTM. 
I am trying to test this before +2.","commit_id":"23efb30d398c2433f07152ff70855a71a70cf8c8"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"dc34dfd15946711a5e9020c1f9120a7b04f22388","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":22,"id":"5ae3e11a_f0186aeb","updated":"2023-06-06 13:36:41.000000000","message":"recheck","commit_id":"23efb30d398c2433f07152ff70855a71a70cf8c8"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"8b859fa819b794d6501a127fd0dfe018c2cf873a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":22,"id":"b51c186f_f00b09fe","in_reply_to":"584ee801_098fedb1","updated":"2023-06-29 09:57:30.000000000","message":"What happened is that the token scope in the driver still remains domain scope.\nIt appears we need more work on domain_id removal for enforce scope, which means changing the trustee domain-scoped token completely to project scope.\nI changed the patch to only introduce new defaults, as it\u0027s not related to the issue you got.\nSo I think the patch is now ready for you to test again.\nIt works on my side with the coreos k8s driver with devstack now.","commit_id":"23efb30d398c2433f07152ff70855a71a70cf8c8"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"97a9d997d9f027839fd757e4e6e06a68d9c5f3c1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":22,"id":"3c211702_b7d8d351","in_reply_to":"b51c186f_f00b09fe","updated":"2023-06-29 10:14:12.000000000","message":"let me add enforce scope first so we can test them in once","commit_id":"23efb30d398c2433f07152ff70855a71a70cf8c8"},{"author":{"_account_id":12404,"name":"Rico 
Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"e8c8431c36f2fa850184b588498be053ee3e4fd3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":23,"id":"a507d5a8_6734e2b7","updated":"2023-06-29 10:14:46.000000000","message":"Let\u0027s wait until we add enforce scope in","commit_id":"04198f23909245929d92698076461d728ffeb11d"},{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"67882aeec63a9c2d1c61c0928ee17f15ebd8761c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":26,"id":"74fe42d2_368f729f","updated":"2023-08-08 12:03:33.000000000","message":"have you rebased on the wrong PS? See the diff between PS 22..26. Some things that were fixed were added back.","commit_id":"ef1e85e82affbd6cc92302c7cf45e323bcdcbc74"},{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"862a9425adde3286cc90d2ac2f5cb70e6861738f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":26,"id":"ed741b45_298ce450","in_reply_to":"74fe42d2_368f729f","updated":"2023-08-08 23:32:22.000000000","message":"I have tested a rebase based on PS 22, it is good. 
That\u0027s the PS I\u0027ve +1 also.\n\nWill you be able to send that up, or would you like me to?","commit_id":"ef1e85e82affbd6cc92302c7cf45e323bcdcbc74"}],"devstack/lib/magnum":[{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"d7eadc24402c786ba614eb18a30cea79b960df44","unresolved":true,"context_lines":[{"line_number":153,"context_line":""},{"line_number":154,"context_line":"    iniset $MAGNUM_CONF oslo_policy policy_file $MAGNUM_POLICY"},{"line_number":155,"context_line":""},{"line_number":156,"context_line":"    if [[ \"$MAGNUM_ENFORCE_SCOPE\" \u003d\u003d True ]] ; then"},{"line_number":157,"context_line":"        iniset $MAGNUM_CONF oslo_policy enforce_scope true"},{"line_number":158,"context_line":"        iniset $MAGNUM_CONF oslo_policy enforce_new_defaults true"},{"line_number":159,"context_line":"    else"}],"source_content_type":"application/x-shellscript","patch_set":21,"id":"55471131_4072d6b3","line":156,"range":{"start_line":156,"start_character":11,"end_line":156,"end_character":32},"updated":"2023-05-24 09:45:29.000000000","message":"do we need to define a job that sets this for testing?","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"56226e444d16ad4cc8fb4567fcea583882f256a6","unresolved":false,"context_lines":[{"line_number":153,"context_line":""},{"line_number":154,"context_line":"    iniset $MAGNUM_CONF oslo_policy policy_file $MAGNUM_POLICY"},{"line_number":155,"context_line":""},{"line_number":156,"context_line":"    if [[ \"$MAGNUM_ENFORCE_SCOPE\" \u003d\u003d True ]] ; then"},{"line_number":157,"context_line":"        iniset $MAGNUM_CONF oslo_policy enforce_scope true"},{"line_number":158,"context_line":"        iniset $MAGNUM_CONF oslo_policy enforce_new_defaults true"},{"line_number":159,"context_line":"    
else"}],"source_content_type":"application/x-shellscript","patch_set":21,"id":"5e84d88f_744d8bb7","line":156,"range":{"start_line":156,"start_character":11,"end_line":156,"end_character":32},"in_reply_to":"4a09757c_1feacc6f","updated":"2023-05-31 18:16:46.000000000","message":"yes, we do have a job for that magnum-tempest-plugin-tests-api-rbac which I defined here https://review.opendev.org/c/openstack/magnum-tempest-plugin/+/875322/42/.zuul.yaml#36\n\nAnd added to magnum here https://review.opendev.org/c/openstack/magnum/+/876823\n\nIf we like to have put this job added before we enable it, I can understand. But it is not possible to put it in this patch. as tempest plugin will fail if I\u0027m not wrong. I will add new patch before https://review.opendev.org/c/openstack/magnum/+/876823 so the enablement and adding test can be separate discussion.","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"7914c97dceb576313caae48fd54f3d76641a50cf","unresolved":true,"context_lines":[{"line_number":153,"context_line":""},{"line_number":154,"context_line":"    iniset $MAGNUM_CONF oslo_policy policy_file $MAGNUM_POLICY"},{"line_number":155,"context_line":""},{"line_number":156,"context_line":"    if [[ \"$MAGNUM_ENFORCE_SCOPE\" \u003d\u003d True ]] ; then"},{"line_number":157,"context_line":"        iniset $MAGNUM_CONF oslo_policy enforce_scope true"},{"line_number":158,"context_line":"        iniset $MAGNUM_CONF oslo_policy enforce_new_defaults true"},{"line_number":159,"context_line":"    else"}],"source_content_type":"application/x-shellscript","patch_set":21,"id":"4a09757c_1feacc6f","line":156,"range":{"start_line":156,"start_character":11,"end_line":156,"end_character":32},"in_reply_to":"55471131_4072d6b3","updated":"2023-05-25 00:37:06.000000000","message":"that\u0027s good point. 
We should have an integration job enabling the MAGNUM_ENFORCE_SCOPE flag and see if there is any cross-service failure. We have that for Nova, neutron, glance etc - https://github.com/openstack/tempest/blob/4b6336d63cf3f36cea993e0316168309d94c7298/zuul.d/integrated-gate.yaml#L378","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"}],"magnum/common/context.py":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"edc0b28887c9377c40bb708d440b42fe37b49f48","unresolved":true,"context_lines":[{"line_number":53,"context_line":"        self.user_id \u003d user_id"},{"line_number":54,"context_line":"        self.project_name \u003d project_name"},{"line_number":55,"context_line":"        self.project_id \u003d project_id"},{"line_number":56,"context_line":"        # (ricolin) Rmove domain_id because oslo_policy use this args to"},{"line_number":57,"context_line":"        # judge if this request is a domain scope or not. 
We might be consider"},{"line_number":58,"context_line":"        # bring this back only if that judge in oslo_policy is no longer affect"},{"line_number":59,"context_line":"        # project scope enforce."},{"line_number":60,"context_line":"        # self.domain_id \u003d domain_id"},{"line_number":61,"context_line":"        # self.domain_name \u003d domain_name"},{"line_number":62,"context_line":"        self.user_domain_id \u003d user_domain_id"},{"line_number":63,"context_line":"        self.user_domain_name \u003d user_domain_name"},{"line_number":64,"context_line":"        self.auth_url \u003d auth_url"}],"source_content_type":"text/x-python","patch_set":16,"id":"2866856f_2a947025","line":61,"range":{"start_line":56,"start_character":0,"end_line":61,"end_character":40},"updated":"2023-03-08 21:58:29.000000000","message":"yeah, oslo policy do check the domain_id to mark token as domain scope[1] but I am hoping magnum does not use the domain_id anywhere so that removing it from here will not impact things.\n\n[1] https://github.com/openstack/oslo.policy/blob/e7b9dd1f5ab10b447faba291ca0f89089aa46bcc/oslo_policy/policy.py#L1099","commit_id":"0e296843c5998cab17ea15f5d8e28cb882c9bcee"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"730a29ea81026c1ef8dc47dedb5da0905e209bd0","unresolved":false,"context_lines":[{"line_number":53,"context_line":"        self.user_id \u003d user_id"},{"line_number":54,"context_line":"        self.project_name \u003d project_name"},{"line_number":55,"context_line":"        self.project_id \u003d project_id"},{"line_number":56,"context_line":"        # (ricolin) Rmove domain_id because oslo_policy use this args to"},{"line_number":57,"context_line":"        # judge if this request is a domain scope or not. 
We might be consider"},{"line_number":58,"context_line":"        # bring this back only if that judge in oslo_policy is no longer affect"},{"line_number":59,"context_line":"        # project scope enforce."},{"line_number":60,"context_line":"        # self.domain_id \u003d domain_id"},{"line_number":61,"context_line":"        # self.domain_name \u003d domain_name"},{"line_number":62,"context_line":"        self.user_domain_id \u003d user_domain_id"},{"line_number":63,"context_line":"        self.user_domain_name \u003d user_domain_name"},{"line_number":64,"context_line":"        self.auth_url \u003d auth_url"}],"source_content_type":"text/x-python","patch_set":16,"id":"a2b0007c_eef8524c","line":61,"range":{"start_line":56,"start_character":0,"end_line":61,"end_character":40},"in_reply_to":"2866856f_2a947025","updated":"2023-03-09 09:01:19.000000000","message":"Ack","commit_id":"0e296843c5998cab17ea15f5d8e28cb882c9bcee"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"526100afced4ad95ef76fd307c9c53200e9607f2","unresolved":true,"context_lines":[{"line_number":53,"context_line":"        self.user_id \u003d user_id"},{"line_number":54,"context_line":"        self.project_name \u003d project_name"},{"line_number":55,"context_line":"        self.project_id \u003d project_id"},{"line_number":56,"context_line":"        # (ricolin) Rmove domain_id because oslo_policy use this args to"},{"line_number":57,"context_line":"        # judge if this request is a domain scope or not. 
We might be consider"},{"line_number":58,"context_line":"        # bring this back only if that judge in oslo_policy is no longer affect"},{"line_number":59,"context_line":"        # project scope enforce."},{"line_number":60,"context_line":"        # self.domain_id \u003d domain_id"},{"line_number":61,"context_line":"        # self.domain_name \u003d domain_name"},{"line_number":62,"context_line":"        self.user_domain_id \u003d user_domain_id"},{"line_number":63,"context_line":"        self.user_domain_name \u003d user_domain_name"},{"line_number":64,"context_line":"        self.auth_url \u003d auth_url"}],"source_content_type":"text/x-python","patch_set":29,"id":"55152b4d_860cfe31","line":61,"range":{"start_line":56,"start_character":0,"end_line":61,"end_character":40},"updated":"2023-08-29 12:24:39.000000000","message":"I\u0027m not a fan of commenting out code - should we move that to a separate patch in order to revert it if we need it and move the \u0027\u0027cause comment\u0027\u0027 to commit message?","commit_id":"429e90900038bd3ef71256347a17c212ee2dd2fa"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"3511e1c3807e61b8254a12be4b477289a24cb1b4","unresolved":false,"context_lines":[{"line_number":53,"context_line":"        self.user_id \u003d user_id"},{"line_number":54,"context_line":"        self.project_name \u003d project_name"},{"line_number":55,"context_line":"        self.project_id \u003d project_id"},{"line_number":56,"context_line":"        # (ricolin) Rmove domain_id because oslo_policy use this args to"},{"line_number":57,"context_line":"        # judge if this request is a domain scope or not. 
We might be consider"},{"line_number":58,"context_line":"        # bring this back only if that judge in oslo_policy is no longer affect"},{"line_number":59,"context_line":"        # project scope enforce."},{"line_number":60,"context_line":"        # self.domain_id \u003d domain_id"},{"line_number":61,"context_line":"        # self.domain_name \u003d domain_name"},{"line_number":62,"context_line":"        self.user_domain_id \u003d user_domain_id"},{"line_number":63,"context_line":"        self.user_domain_name \u003d user_domain_name"},{"line_number":64,"context_line":"        self.auth_url \u003d auth_url"}],"source_content_type":"text/x-python","patch_set":29,"id":"9051c21c_3ce9b934","line":61,"range":{"start_line":56,"start_character":0,"end_line":61,"end_character":40},"in_reply_to":"55152b4d_860cfe31","updated":"2023-08-29 16:36:42.000000000","message":"Done","commit_id":"429e90900038bd3ef71256347a17c212ee2dd2fa"}],"magnum/common/policies/base.py":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e180a8c8589940890f64c6a968ca98546e5d5503","unresolved":true,"context_lines":[{"line_number":26,"context_line":"RULE_CLUSTER_USER \u003d \u0027rule:cluster_user\u0027"},{"line_number":27,"context_line":"RULE_DENY_CLUSTER_USER \u003d \u0027rule:deny_cluster_user\u0027"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"ADMIN \u003d \"role:admin\""},{"line_number":30,"context_line":"USER \u003d \"user_id:%(user_id)s\""},{"line_number":31,"context_line":"CLUSTER_USER \u003d \"user_id:%(trustee_user_id)s\""},{"line_number":32,"context_line":"DENY_CLUSTER_USER \u003d \"not domain_id:%(trustee_domain_id)s\""},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"# Generic check string for checking if a user is authorized on a particular"},{"line_number":35,"context_line":"# project, specifically with the member 
role."},{"line_number":36,"context_line":"PROJECT_MEMBER \u003d \u0027role:member and project_id:%(project_id)s\u0027"},{"line_number":37,"context_line":"# Generic check string for checking if a user is authorized on a particular"},{"line_number":38,"context_line":"# project but with read-only access. For example, this persona would be able to"},{"line_number":39,"context_line":"# list private images owned by a project but cannot make any writeable changes"},{"line_number":40,"context_line":"# to those images."},{"line_number":41,"context_line":"PROJECT_READER \u003d \u0027role:reader and project_id:%(project_id)s\u0027"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"ADMIN_OR_PROJECT_READER \u003d f\"({ADMIN}) or ({PROJECT_READER})\""},{"line_number":44,"context_line":"ADMIN_OR_PROJECT_MEMBER \u003d f\"({ADMIN}) or ({PROJECT_MEMBER})\""},{"line_number":45,"context_line":"ADMIN_OR_PROJECT_MEMBER_USER \u003d (f\"({ADMIN}) or ({PROJECT_MEMBER} and {USER})\")"},{"line_number":46,"context_line":"ADMIN_OR_PROJECT_MEMBER_CLUSTER_USER \u003d ("},{"line_number":47,"context_line":"    f\"({ADMIN}) or ({PROJECT_MEMBER} and {CLUSTER_USER})\""},{"line_number":48,"context_line":")"},{"line_number":49,"context_line":"ADMIN_OR_PROJECT_MEMBER_USER_OR_CLUSTER_USER \u003d ("},{"line_number":50,"context_line":"    f\"({ADMIN}) or ({PROJECT_MEMBER} and ({USER} or {CLUSTER_USER}))\""},{"line_number":51,"context_line":")"},{"line_number":52,"context_line":"PROJECT_MEMBER_DENY_CLUSTER_USER \u003d ("},{"line_number":53,"context_line":"    f\"({ADMIN}) or ({PROJECT_MEMBER} and {DENY_CLUSTER_USER})\""},{"line_number":54,"context_line":")"},{"line_number":55,"context_line":"ADMIN_OR_PROJECT_MEMBER_DENY_CLUSTER_USER \u003d ("},{"line_number":56,"context_line":"    f\"({ADMIN}) or ({PROJECT_MEMBER} and {DENY_CLUSTER_USER})\""},{"line_number":57,"context_line":")"},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"PROJECT_READER_DENY_CLUSTER_USER 
\u003d ("},{"line_number":60,"context_line":"    f\"({ADMIN}) or ({PROJECT_READER} and {DENY_CLUSTER_USER})\""},{"line_number":61,"context_line":")"},{"line_number":62,"context_line":"ADMIN_OR_PROJECT_READER_DENY_CLUSTER_USER \u003d ("},{"line_number":63,"context_line":"    f\"({ADMIN}) or ({PROJECT_READER} and {DENY_CLUSTER_USER})\""},{"line_number":64,"context_line":")"},{"line_number":65,"context_line":"ADMIN_OR_PROJECT_READER_USER_OR_CLUSTER_USER \u003d ("},{"line_number":66,"context_line":"    f\"({ADMIN}) or ({PROJECT_READER} and ({USER} or {CLUSTER_USER}))\""},{"line_number":67,"context_line":")"},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"rules \u003d ["},{"line_number":70,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":12,"id":"44d2a4ea_d60e0bfb","line":67,"range":{"start_line":29,"start_character":0,"end_line":67,"end_character":1},"updated":"2023-03-07 19:25:14.000000000","message":"I will suggest to define them as rule not just check_str. Like nova did https://github.com/openstack/nova/blob/c4fe563bdd21e8800e0e2964b51f2970363715fe/nova/policies/base.py#L92\n\nBenefits of that is to provide easy way to operators to override permission with these base rules only. For example, if they want to overide  PROJECT_READER permission for all the API default to PROJECT_MEMBER then they can just override the project_reader_api rule in policy.yaml and it take care all the API default to PROJECT_READER. 
This is small helping trick but I liked it and thanks to John to tell me about it :).\n\nWith the current implementation, defining PROJECT_READER as a check_str will not allow them to do that.","commit_id":"68475d4221bc6c7b3cbbda7580b74f415c69f85c"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"f28304b053623d6b936e1f1942bc98958c2b06bb","unresolved":false,"context_lines":[{"line_number":26,"context_line":"RULE_CLUSTER_USER \u003d \u0027rule:cluster_user\u0027"},{"line_number":27,"context_line":"RULE_DENY_CLUSTER_USER \u003d \u0027rule:deny_cluster_user\u0027"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"ADMIN \u003d \"role:admin\""},{"line_number":30,"context_line":"USER \u003d \"user_id:%(user_id)s\""},{"line_number":31,"context_line":"CLUSTER_USER \u003d \"user_id:%(trustee_user_id)s\""},{"line_number":32,"context_line":"DENY_CLUSTER_USER \u003d \"not domain_id:%(trustee_domain_id)s\""},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"# Generic check string for checking if a user is authorized on a particular"},{"line_number":35,"context_line":"# project, specifically with the member role."},{"line_number":36,"context_line":"PROJECT_MEMBER \u003d \u0027role:member and project_id:%(project_id)s\u0027"},{"line_number":37,"context_line":"# Generic check string for checking if a user is authorized on a particular"},{"line_number":38,"context_line":"# project but with read-only access. 
For example, this persona would be able to"},{"line_number":39,"context_line":"# list private images owned by a project but cannot make any writeable changes"},{"line_number":40,"context_line":"# to those images."},{"line_number":41,"context_line":"PROJECT_READER \u003d \u0027role:reader and project_id:%(project_id)s\u0027"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"ADMIN_OR_PROJECT_READER \u003d f\"({ADMIN}) or ({PROJECT_READER})\""},{"line_number":44,"context_line":"ADMIN_OR_PROJECT_MEMBER \u003d f\"({ADMIN}) or ({PROJECT_MEMBER})\""},{"line_number":45,"context_line":"ADMIN_OR_PROJECT_MEMBER_USER \u003d (f\"({ADMIN}) or ({PROJECT_MEMBER} and {USER})\")"},{"line_number":46,"context_line":"ADMIN_OR_PROJECT_MEMBER_CLUSTER_USER \u003d ("},{"line_number":47,"context_line":"    f\"({ADMIN}) or ({PROJECT_MEMBER} and {CLUSTER_USER})\""},{"line_number":48,"context_line":")"},{"line_number":49,"context_line":"ADMIN_OR_PROJECT_MEMBER_USER_OR_CLUSTER_USER \u003d ("},{"line_number":50,"context_line":"    f\"({ADMIN}) or ({PROJECT_MEMBER} and ({USER} or {CLUSTER_USER}))\""},{"line_number":51,"context_line":")"},{"line_number":52,"context_line":"PROJECT_MEMBER_DENY_CLUSTER_USER \u003d ("},{"line_number":53,"context_line":"    f\"({ADMIN}) or ({PROJECT_MEMBER} and {DENY_CLUSTER_USER})\""},{"line_number":54,"context_line":")"},{"line_number":55,"context_line":"ADMIN_OR_PROJECT_MEMBER_DENY_CLUSTER_USER \u003d ("},{"line_number":56,"context_line":"    f\"({ADMIN}) or ({PROJECT_MEMBER} and {DENY_CLUSTER_USER})\""},{"line_number":57,"context_line":")"},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"PROJECT_READER_DENY_CLUSTER_USER \u003d ("},{"line_number":60,"context_line":"    f\"({ADMIN}) or ({PROJECT_READER} and {DENY_CLUSTER_USER})\""},{"line_number":61,"context_line":")"},{"line_number":62,"context_line":"ADMIN_OR_PROJECT_READER_DENY_CLUSTER_USER \u003d ("},{"line_number":63,"context_line":"    f\"({ADMIN}) or 
({PROJECT_READER} and {DENY_CLUSTER_USER})\""},{"line_number":64,"context_line":")"},{"line_number":65,"context_line":"ADMIN_OR_PROJECT_READER_USER_OR_CLUSTER_USER \u003d ("},{"line_number":66,"context_line":"    f\"({ADMIN}) or ({PROJECT_READER} and ({USER} or {CLUSTER_USER}))\""},{"line_number":67,"context_line":")"},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"rules \u003d ["},{"line_number":70,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":12,"id":"04a122fa_ea38df5b","line":67,"range":{"start_line":29,"start_character":0,"end_line":67,"end_character":1},"in_reply_to":"44d2a4ea_d60e0bfb","updated":"2023-03-08 09:12:58.000000000","message":"Done","commit_id":"68475d4221bc6c7b3cbbda7580b74f415c69f85c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"edc0b28887c9377c40bb708d440b42fe37b49f48","unresolved":true,"context_lines":[{"line_number":143,"context_line":"        check_str\u003d("},{"line_number":144,"context_line":"            f\"({RULE_PROJECT_MEMBER} and {RULE_DENY_CLUSTER_USER})\""},{"line_number":145,"context_line":"        )"},{"line_number":146,"context_line":"    ),"},{"line_number":147,"context_line":"    policy.RuleDefault("},{"line_number":148,"context_line":"        name\u003d\u0027admin_or_project_member_deny_cluster_user\u0027,"},{"line_number":149,"context_line":"        check_str\u003d("}],"source_content_type":"text/x-python","patch_set":16,"id":"fb578cb9_97045fd9","line":146,"range":{"start_line":146,"start_character":0,"end_line":146,"end_character":5},"updated":"2023-03-08 21:58:29.000000000","message":"here we can add the old rule corresponding to it as deprecated rule here so that we do not need to add deprecated rule in each policy rule.\n    policy.RuleDefault(\n        name\u003d\u0027project_member_deny_cluster_user\u0027,\n        check_str\u003d(\n   
         f\"({RULE_PROJECT_MEMBER} and {RULE_DENY_CLUSTER_USER})\"\n        ),\n        deprecated_rule\u003dpolicy.DeprecatedRule(\n            name\u003dBAY % \u0027create\u0027, check_str\u003dbase.RULE_DENY_CLUSTER_USER,\n            deprecated_reason\u003dbase.DEPRECATED_REASON,\n            deprecated_since\u003d\u0027OpenStack 2023.1(Magnum 16.0.0)\u0027\n        ) \n    ),\n    \n same for other rules also","commit_id":"0e296843c5998cab17ea15f5d8e28cb882c9bcee"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"730a29ea81026c1ef8dc47dedb5da0905e209bd0","unresolved":false,"context_lines":[{"line_number":143,"context_line":"        check_str\u003d("},{"line_number":144,"context_line":"            f\"({RULE_PROJECT_MEMBER} and {RULE_DENY_CLUSTER_USER})\""},{"line_number":145,"context_line":"        )"},{"line_number":146,"context_line":"    ),"},{"line_number":147,"context_line":"    policy.RuleDefault("},{"line_number":148,"context_line":"        name\u003d\u0027admin_or_project_member_deny_cluster_user\u0027,"},{"line_number":149,"context_line":"        check_str\u003d("}],"source_content_type":"text/x-python","patch_set":16,"id":"5f5e3f89_6d6cb213","line":146,"range":{"start_line":146,"start_character":0,"end_line":146,"end_character":5},"in_reply_to":"fb578cb9_97045fd9","updated":"2023-03-09 09:01:19.000000000","message":"Done","commit_id":"0e296843c5998cab17ea15f5d8e28cb882c9bcee"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d637ff753a64c9d6850f6699aa6a9eab74654770","unresolved":true,"context_lines":[{"line_number":138,"context_line":"        check_str\u003d("},{"line_number":139,"context_line":"            f\"({RULE_PROJECT_MEMBER} and {RULE_DENY_CLUSTER_USER})\""},{"line_number":140,"context_line":"        )"},{"line_number":141,"context_line":"    
),"},{"line_number":142,"context_line":"    policy.RuleDefault("},{"line_number":143,"context_line":"        name\u003d\u0027admin_or_project_member_deny_cluster_user\u0027,"},{"line_number":144,"context_line":"        check_str\u003d("}],"source_content_type":"text/x-python","patch_set":18,"id":"d8f780b3_93050534","line":141,"range":{"start_line":141,"start_character":3,"end_line":141,"end_character":5},"updated":"2023-03-09 18:34:46.000000000","message":"policy.RuleDefault(\n        name\u003d\u0027project_member_deny_cluster_user\u0027,\n        check_str\u003d(\n            f\"({RULE_PROJECT_MEMBER} and {RULE_DENY_CLUSTER_USER})\"\n        ),\n        deprecated_rule\u003ddeny_cluster_user_deprecates[base.BAY % \u0027create\u0027]\n    ),\n    \n    \n    \n    same for other rules","commit_id":"05a32415124deda2fc2392f845ea3df0c968b936"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"8278cb6d6eb3b86aa5b76537fdccc521b00413b9","unresolved":false,"context_lines":[{"line_number":138,"context_line":"        check_str\u003d("},{"line_number":139,"context_line":"            f\"({RULE_PROJECT_MEMBER} and {RULE_DENY_CLUSTER_USER})\""},{"line_number":140,"context_line":"        )"},{"line_number":141,"context_line":"    ),"},{"line_number":142,"context_line":"    policy.RuleDefault("},{"line_number":143,"context_line":"        name\u003d\u0027admin_or_project_member_deny_cluster_user\u0027,"},{"line_number":144,"context_line":"        check_str\u003d("}],"source_content_type":"text/x-python","patch_set":18,"id":"ca9b4ee0_5dfc1242","line":141,"range":{"start_line":141,"start_character":3,"end_line":141,"end_character":5},"in_reply_to":"16dc2538_7a8ae439","updated":"2023-03-14 22:31:22.000000000","message":"Done","commit_id":"05a32415124deda2fc2392f845ea3df0c968b936"},{"author":{"_account_id":12404,"name":"Rico 
Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"ab8ecaa90b4c39cf5e65192e72c6675a35d4c855","unresolved":false,"context_lines":[{"line_number":138,"context_line":"        check_str\u003d("},{"line_number":139,"context_line":"            f\"({RULE_PROJECT_MEMBER} and {RULE_DENY_CLUSTER_USER})\""},{"line_number":140,"context_line":"        )"},{"line_number":141,"context_line":"    ),"},{"line_number":142,"context_line":"    policy.RuleDefault("},{"line_number":143,"context_line":"        name\u003d\u0027admin_or_project_member_deny_cluster_user\u0027,"},{"line_number":144,"context_line":"        check_str\u003d("}],"source_content_type":"text/x-python","patch_set":18,"id":"e6a1d78c_f4ff2fe6","line":141,"range":{"start_line":141,"start_character":3,"end_line":141,"end_character":5},"in_reply_to":"16dc2538_7a8ae439","updated":"2023-03-14 08:18:46.000000000","message":"Done","commit_id":"05a32415124deda2fc2392f845ea3df0c968b936"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"44c2e466253f64bba0db4dd40c835874a6e48c62","unresolved":true,"context_lines":[{"line_number":138,"context_line":"        check_str\u003d("},{"line_number":139,"context_line":"            f\"({RULE_PROJECT_MEMBER} and {RULE_DENY_CLUSTER_USER})\""},{"line_number":140,"context_line":"        )"},{"line_number":141,"context_line":"    ),"},{"line_number":142,"context_line":"    policy.RuleDefault("},{"line_number":143,"context_line":"        name\u003d\u0027admin_or_project_member_deny_cluster_user\u0027,"},{"line_number":144,"context_line":"        check_str\u003d("}],"source_content_type":"text/x-python","patch_set":18,"id":"16dc2538_7a8ae439","line":141,"range":{"start_line":141,"start_character":3,"end_line":141,"end_character":5},"in_reply_to":"aaa256bf_50563101","updated":"2023-03-10 22:41:18.000000000","message":"thanks and please ignore above 
reply:)","commit_id":"05a32415124deda2fc2392f845ea3df0c968b936"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"680c79ae4d272a29027214658ed01547b49fbc29","unresolved":true,"context_lines":[{"line_number":138,"context_line":"        check_str\u003d("},{"line_number":139,"context_line":"            f\"({RULE_PROJECT_MEMBER} and {RULE_DENY_CLUSTER_USER})\""},{"line_number":140,"context_line":"        )"},{"line_number":141,"context_line":"    ),"},{"line_number":142,"context_line":"    policy.RuleDefault("},{"line_number":143,"context_line":"        name\u003d\u0027admin_or_project_member_deny_cluster_user\u0027,"},{"line_number":144,"context_line":"        check_str\u003d("}],"source_content_type":"text/x-python","patch_set":18,"id":"aaa256bf_50563101","line":141,"range":{"start_line":141,"start_character":3,"end_line":141,"end_character":5},"in_reply_to":"d8f780b3_93050534","updated":"2023-03-10 22:39:11.000000000","message":"Hey what I\u0027m not sure is there are multiple rules deprecated with same condition like bay:create here\n\nfor example,\ndeprecated_rule\u003dbase.deny_cluster_user_deprecates[base.BAY % \u0027create\u0027]\ndeprecated_rule\u003dbase.deny_cluster_user_deprecates[base.BAY % \u0027delete\u0027]\nand \ndeprecated_rule\u003dbase.deny_cluster_user_deprecates[base.BAY % \u0027detail\u0027]\n\nWhat will the rule be defined here?\nI can\u0027t find the place to have multiple deprecated_rule in one RuleDefault. 
did I miss something here?\n\nor you suggest something like this?\n\npolicy.RuleDefault(\n        name\u003d\u0027project_member_deny_cluster_user\u0027,\n        check_str\u003d(\n            f\"({RULE_PROJECT_MEMBER} and {RULE_DENY_CLUSTER_USER})\"\n        ),\n        deprecated_rule\u003ddeny_cluster_user_deprecates[base.BAY % \u0027create\u0027]\n    ),\npolicy.RuleDefault(\n        name\u003d\u0027project_member_deny_cluster_user\u0027,\n        check_str\u003d(\n            f\"({RULE_PROJECT_MEMBER} and {RULE_DENY_CLUSTER_USER})\"\n        ),\n        deprecated_rule\u003ddeny_cluster_user_deprecates[base.BAY % \u0027delete\u0027]\n    ),\npolicy.RuleDefault(\n        name\u003d\u0027project_member_deny_cluster_user\u0027,\n        check_str\u003d(\n            f\"({RULE_PROJECT_MEMBER} and {RULE_DENY_CLUSTER_USER})\"\n        ),\n        deprecated_rule\u003ddeny_cluster_user_deprecates[base.BAY % \u0027detail\u0027]\n    ),","commit_id":"05a32415124deda2fc2392f845ea3df0c968b936"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"93328d76360849ed0edf7809146284284e171e57","unresolved":true,"context_lines":[{"line_number":138,"context_line":"        check_str\u003d("},{"line_number":139,"context_line":"            f\"({RULE_PROJECT_MEMBER} and {RULE_DENY_CLUSTER_USER})\""},{"line_number":140,"context_line":"        )"},{"line_number":141,"context_line":"    ),"},{"line_number":142,"context_line":"    policy.RuleDefault("},{"line_number":143,"context_line":"        name\u003d\u0027admin_or_project_member_deny_cluster_user\u0027,"},{"line_number":144,"context_line":"        check_str\u003d("}],"source_content_type":"text/x-python","patch_set":18,"id":"c73b1e29_a90e605e","line":141,"range":{"start_line":141,"start_character":3,"end_line":141,"end_character":5},"in_reply_to":"d8f780b3_93050534","updated":"2023-03-10 
18:13:21.000000000","message":"instead of adding just create rule we can add generic rule here as deprecated, like below:\n\nDEPRECATED_DENY_CLUSTER_USER \u003d policy.DeprecatedRule(\n    name\u003dRULE_DENY_CLUSTER_USER,\n    check_str\u003d\u0027not domain_id:%(trustee_domain_id)s\u0027,\n    deprecated_reason\u003dDEPRECATED_REASON,\n    deprecated_since\u003dDEPRECATED_SINCE \n)\n\nand base new rule can have\n\n    policy.RuleDefault(\n        name\u003d\u0027project_member_deny_cluster_user\u0027,\n        check_str\u003d(\n            f\"({RULE_PROJECT_MEMBER} and {RULE_DENY_CLUSTER_USER})\"\n        ),\n        deprecated_rule\u003dDEPRECATED_DENY_CLUSTER_USER\n    ),","commit_id":"05a32415124deda2fc2392f845ea3df0c968b936"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d637ff753a64c9d6850f6699aa6a9eab74654770","unresolved":true,"context_lines":[{"line_number":185,"context_line":"            deprecates[name % action] \u003d policy.DeprecatedRule("},{"line_number":186,"context_line":"                name\u003dname % action, check_str\u003drule,"},{"line_number":187,"context_line":"                deprecated_reason\u003dDEPRECATED_REASON,"},{"line_number":188,"context_line":"                deprecated_since\u003d\u0027OpenStack 2023.1(Magnum 16.0.0)\u0027"},{"line_number":189,"context_line":"            )"},{"line_number":190,"context_line":"    return deprecates"},{"line_number":191,"context_line":""}],"source_content_type":"text/x-python","patch_set":18,"id":"94ba9492_33e80c64","line":188,"range":{"start_line":188,"start_character":33,"end_line":188,"end_character":66},"updated":"2023-03-09 18:34:46.000000000","message":"I think you want to use DEPRECATED_SINCE  here but it is just a nit","commit_id":"05a32415124deda2fc2392f845ea3df0c968b936"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"8278cb6d6eb3b86aa5b76537fdccc521b00413b9","unresolved":false,"context_lines":[{"line_number":185,"context_line":"            deprecates[name % action] \u003d policy.DeprecatedRule("},{"line_number":186,"context_line":"                name\u003dname % action, check_str\u003drule,"},{"line_number":187,"context_line":"                deprecated_reason\u003dDEPRECATED_REASON,"},{"line_number":188,"context_line":"                deprecated_since\u003d\u0027OpenStack 2023.1(Magnum 16.0.0)\u0027"},{"line_number":189,"context_line":"            )"},{"line_number":190,"context_line":"    return deprecates"},{"line_number":191,"context_line":""}],"source_content_type":"text/x-python","patch_set":18,"id":"a2ba010f_c982d5ed","line":188,"range":{"start_line":188,"start_character":33,"end_line":188,"end_character":66},"in_reply_to":"94ba9492_33e80c64","updated":"2023-03-14 22:31:22.000000000","message":"Done","commit_id":"05a32415124deda2fc2392f845ea3df0c968b936"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"ab8ecaa90b4c39cf5e65192e72c6675a35d4c855","unresolved":false,"context_lines":[{"line_number":185,"context_line":"            deprecates[name % action] \u003d policy.DeprecatedRule("},{"line_number":186,"context_line":"                name\u003dname % action, check_str\u003drule,"},{"line_number":187,"context_line":"                deprecated_reason\u003dDEPRECATED_REASON,"},{"line_number":188,"context_line":"                deprecated_since\u003d\u0027OpenStack 2023.1(Magnum 16.0.0)\u0027"},{"line_number":189,"context_line":"            )"},{"line_number":190,"context_line":"    return 
deprecates"},{"line_number":191,"context_line":""}],"source_content_type":"text/x-python","patch_set":18,"id":"c88cbcbc_615b06ba","line":188,"range":{"start_line":188,"start_character":33,"end_line":188,"end_character":66},"in_reply_to":"94ba9492_33e80c64","updated":"2023-03-14 08:18:46.000000000","message":"Done","commit_id":"05a32415124deda2fc2392f845ea3df0c968b936"},{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"3545179abe837f086e52f7a87fee7a7debf6fc28","unresolved":true,"context_lines":[{"line_number":14,"context_line":"from oslo_policy import policy"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"ROLE_ADMIN \u003d \u0027rule:context_is_admin\u0027"},{"line_number":18,"context_line":"RULE_ADMIN_OR_OWNER \u003d \u0027rule:admin_or_owner\u0027"},{"line_number":19,"context_line":"RULE_ADMIN_API \u003d \u0027rule:admin_api\u0027"},{"line_number":20,"context_line":"RULE_ADMIN_OR_USER \u003d \u0027rule:admin_or_user\u0027"}],"source_content_type":"text/x-python","patch_set":20,"id":"7e53759a_5cda9e8f","line":17,"range":{"start_line":17,"start_character":0,"end_line":17,"end_character":10},"updated":"2023-05-23 14:13:33.000000000","message":"my reading of this is that it is not useful and adds complexity. do you think we can get rid of it instead? 
and just use the string further down.","commit_id":"28172e91965956b114c62d6642f4ae0436b30e81"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"56226e444d16ad4cc8fb4567fcea583882f256a6","unresolved":false,"context_lines":[{"line_number":14,"context_line":"from oslo_policy import policy"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"ROLE_ADMIN \u003d \u0027rule:context_is_admin\u0027"},{"line_number":18,"context_line":"RULE_ADMIN_OR_OWNER \u003d \u0027rule:admin_or_owner\u0027"},{"line_number":19,"context_line":"RULE_ADMIN_API \u003d \u0027rule:admin_api\u0027"},{"line_number":20,"context_line":"RULE_ADMIN_OR_USER \u003d \u0027rule:admin_or_user\u0027"}],"source_content_type":"text/x-python","patch_set":20,"id":"15ed0cc8_341e9273","line":17,"range":{"start_line":17,"start_character":0,"end_line":17,"end_character":10},"in_reply_to":"7e53759a_5cda9e8f","updated":"2023-05-31 18:16:46.000000000","message":"sure","commit_id":"28172e91965956b114c62d6642f4ae0436b30e81"},{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"3545179abe837f086e52f7a87fee7a7debf6fc28","unresolved":true,"context_lines":[{"line_number":100,"context_line":"    ),"},{"line_number":101,"context_line":"    policy.RuleDefault("},{"line_number":102,"context_line":"        name\u003d\u0027admin_api\u0027,"},{"line_number":103,"context_line":"        check_str\u003df\"{ROLE_ADMIN}\""},{"line_number":104,"context_line":"    ),"},{"line_number":105,"context_line":"    policy.RuleDefault("},{"line_number":106,"context_line":"        name\u003d\u0027admin_or_user\u0027,"}],"source_content_type":"text/x-python","patch_set":20,"id":"3e740be4_cc6ad2cc","line":103,"range":{"start_line":103,"start_character":18,"end_line":103,"end_character":33},"updated":"2023-05-23 14:13:33.000000000","message":"possible to 
directly use \"rule:context_is_admin\" here?","commit_id":"28172e91965956b114c62d6642f4ae0436b30e81"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"56226e444d16ad4cc8fb4567fcea583882f256a6","unresolved":false,"context_lines":[{"line_number":100,"context_line":"    ),"},{"line_number":101,"context_line":"    policy.RuleDefault("},{"line_number":102,"context_line":"        name\u003d\u0027admin_api\u0027,"},{"line_number":103,"context_line":"        check_str\u003df\"{ROLE_ADMIN}\""},{"line_number":104,"context_line":"    ),"},{"line_number":105,"context_line":"    policy.RuleDefault("},{"line_number":106,"context_line":"        name\u003d\u0027admin_or_user\u0027,"}],"source_content_type":"text/x-python","patch_set":20,"id":"c73f7781_0572f279","line":103,"range":{"start_line":103,"start_character":18,"end_line":103,"end_character":33},"in_reply_to":"3e740be4_cc6ad2cc","updated":"2023-05-31 18:16:46.000000000","message":"Done","commit_id":"28172e91965956b114c62d6642f4ae0436b30e81"},{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"3545179abe837f086e52f7a87fee7a7debf6fc28","unresolved":true,"context_lines":[{"line_number":139,"context_line":"    policy.RuleDefault("},{"line_number":140,"context_line":"        name\u003d\u0027admin_or_project_member_user\u0027,"},{"line_number":141,"context_line":"        check_str\u003d("},{"line_number":142,"context_line":"            f\"({RULE_ADMIN_API}) or ({RULE_PROJECT_MEMBER} and \""},{"line_number":143,"context_line":"            f\"{RULE_USER})\""},{"line_number":144,"context_line":"        )"},{"line_number":145,"context_line":"    ),"},{"line_number":146,"context_line":"    
policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":20,"id":"146b38cb_9ad6a105","line":143,"range":{"start_line":142,"start_character":36,"end_line":143,"end_character":26},"updated":"2023-05-23 14:13:33.000000000","message":"I think when we use fstrings like this, we should enclose each variable with ()?\n\nThis prevents unintended leakage if a change was made in the referred rule. e.g. changing from\n\n`RULE_PROJECT_MEMBER \u003d \u0027rule:project_member\u0027`\n\nto\n\n`RULE_PROJECT_MEMBER \u003d \u0027rule:project_member or rule:new_rule\u0027`\n \nwill result in this being evaluated from\n\n`\u0027rule:project_member and rule:is_user\u0027`\n\nto\n\n`\u0027rule:project_member or rule:new_rule and rule:is_user\u0027`\n\nwhich, as `and` takes precedence, will be different from intended\n \n`\u0027(rule:project_member or rule:new_rule) and rule:is_user\u0027`\n\nI see that you have done it for some, but not all, I wonder why?","commit_id":"28172e91965956b114c62d6642f4ae0436b30e81"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"56226e444d16ad4cc8fb4567fcea583882f256a6","unresolved":false,"context_lines":[{"line_number":139,"context_line":"    policy.RuleDefault("},{"line_number":140,"context_line":"        name\u003d\u0027admin_or_project_member_user\u0027,"},{"line_number":141,"context_line":"        check_str\u003d("},{"line_number":142,"context_line":"            f\"({RULE_ADMIN_API}) or ({RULE_PROJECT_MEMBER} and \""},{"line_number":143,"context_line":"            f\"{RULE_USER})\""},{"line_number":144,"context_line":"        )"},{"line_number":145,"context_line":"    ),"},{"line_number":146,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":20,"id":"21e3f4e2_d3128e0c","line":143,"range":{"start_line":142,"start_character":36,"end_line":143,"end_character":26},"in_reply_to":"146b38cb_9ad6a105","updated":"2023-05-31 
18:16:46.000000000","message":"Done","commit_id":"28172e91965956b114c62d6642f4ae0436b30e81"},{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"3545179abe837f086e52f7a87fee7a7debf6fc28","unresolved":true,"context_lines":[{"line_number":32,"context_line":""},{"line_number":33,"context_line":"RULE_USER_OR_CLUSTER_USER \u003d ("},{"line_number":34,"context_line":"    \u0027rule:user_or_cluster_user\u0027)"},{"line_number":35,"context_line":"RULE_ADMIN_OR_USER_OR_CLUSTER_USER \u003d ("},{"line_number":36,"context_line":"    \u0027rule:admin_or_user_or_cluster_user\u0027)"},{"line_number":37,"context_line":"RULE_ADMIN_OR_PROJECT_READER \u003d ("},{"line_number":38,"context_line":"    \u0027rule:admin_or_project_reader\u0027)"},{"line_number":39,"context_line":"RULE_ADMIN_OR_PROJECT_MEMBER \u003d ("}],"source_content_type":"text/x-python","patch_set":21,"id":"81de5d57_0a5347cc","line":36,"range":{"start_line":35,"start_character":0,"end_line":36,"end_character":41},"updated":"2023-05-23 14:13:33.000000000","message":"if this is only used in `DEPRECATED_RULE_ADMIN_OR_USER_OR_CLUSTER_USER` we should move it down to that section.\n\nalternatively keep here if this is going to be used in other files (see comment in cluster.py)","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"56226e444d16ad4cc8fb4567fcea583882f256a6","unresolved":false,"context_lines":[{"line_number":32,"context_line":""},{"line_number":33,"context_line":"RULE_USER_OR_CLUSTER_USER \u003d ("},{"line_number":34,"context_line":"    \u0027rule:user_or_cluster_user\u0027)"},{"line_number":35,"context_line":"RULE_ADMIN_OR_USER_OR_CLUSTER_USER \u003d ("},{"line_number":36,"context_line":"    \u0027rule:admin_or_user_or_cluster_user\u0027)"},{"line_number":37,"context_line":"RULE_ADMIN_OR_PROJECT_READER \u003d 
("},{"line_number":38,"context_line":"    \u0027rule:admin_or_project_reader\u0027)"},{"line_number":39,"context_line":"RULE_ADMIN_OR_PROJECT_MEMBER \u003d ("}],"source_content_type":"text/x-python","patch_set":21,"id":"06101c1a_b8a03fdd","line":36,"range":{"start_line":35,"start_character":0,"end_line":36,"end_character":41},"in_reply_to":"81de5d57_0a5347cc","updated":"2023-05-31 18:16:46.000000000","message":"Done","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"3545179abe837f086e52f7a87fee7a7debf6fc28","unresolved":true,"context_lines":[{"line_number":40,"context_line":"    \u0027rule:admin_or_project_member\u0027)"},{"line_number":41,"context_line":"RULE_ADMIN_OR_PROJECT_MEMBER_USER \u003d ("},{"line_number":42,"context_line":"    \u0027rule:admin_or_project_member_user\u0027)"},{"line_number":43,"context_line":"RULE_ADMIN_OR_PROJECT_MEMBER_CLUSTER_USER \u003d ("},{"line_number":44,"context_line":"    \u0027rule:admin_or_project_member_cluster_user\u0027)"},{"line_number":45,"context_line":"RULE_ADMIN_OR_PROJECT_MEMBER_USER_OR_CLUSTER_USER \u003d ("},{"line_number":46,"context_line":"    \u0027rule:admin_or_project_member_user_or_cluster_user\u0027)"},{"line_number":47,"context_line":"RULE_PROJECT_MEMBER_DENY_CLUSTER_USER \u003d ("}],"source_content_type":"text/x-python","patch_set":21,"id":"885daf18_5bd728a9","line":44,"range":{"start_line":43,"start_character":0,"end_line":44,"end_character":48},"updated":"2023-05-23 14:13:33.000000000","message":"is this used anywhere?","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"56226e444d16ad4cc8fb4567fcea583882f256a6","unresolved":false,"context_lines":[{"line_number":40,"context_line":"    
\u0027rule:admin_or_project_member\u0027)"},{"line_number":41,"context_line":"RULE_ADMIN_OR_PROJECT_MEMBER_USER \u003d ("},{"line_number":42,"context_line":"    \u0027rule:admin_or_project_member_user\u0027)"},{"line_number":43,"context_line":"RULE_ADMIN_OR_PROJECT_MEMBER_CLUSTER_USER \u003d ("},{"line_number":44,"context_line":"    \u0027rule:admin_or_project_member_cluster_user\u0027)"},{"line_number":45,"context_line":"RULE_ADMIN_OR_PROJECT_MEMBER_USER_OR_CLUSTER_USER \u003d ("},{"line_number":46,"context_line":"    \u0027rule:admin_or_project_member_user_or_cluster_user\u0027)"},{"line_number":47,"context_line":"RULE_PROJECT_MEMBER_DENY_CLUSTER_USER \u003d ("}],"source_content_type":"text/x-python","patch_set":21,"id":"e3c1f770_de44af4e","line":44,"range":{"start_line":43,"start_character":0,"end_line":44,"end_character":48},"in_reply_to":"885daf18_5bd728a9","updated":"2023-05-31 18:16:46.000000000","message":"probably removed as bay was dropped.","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"3545179abe837f086e52f7a87fee7a7debf6fc28","unresolved":true,"context_lines":[{"line_number":60,"context_line":"# The following cycle."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"DEPRECATED_REASON \u003d \"\"\""},{"line_number":63,"context_line":"The Magnum service now enables policies (RBAC) new defaults and scope by"},{"line_number":64,"context_line":"default. 
And seperate project reader APIs and project member APIs."},{"line_number":65,"context_line":"\"\"\""},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"DEPRECATED_SINCE \u003d \u0027OpenStack 2023.1(Magnum 16.0.0)\u0027"}],"source_content_type":"text/x-python","patch_set":21,"id":"9dc1e81c_dc9e083e","line":64,"range":{"start_line":63,"start_character":0,"end_line":64,"end_character":66},"updated":"2023-05-23 14:13:33.000000000","message":"Looking at how oslo.policy logs warnings from this string [1], I think we should make this shorter for operators\u0027 sanity. I recommend:\n\n \"The Magnum API now enforces scoped tokens and default reader and member roles.\"\n\n[1] https://opendev.org/openstack/oslo.policy/src/branch/master/oslo_policy/policy.py#L746-L759","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"56226e444d16ad4cc8fb4567fcea583882f256a6","unresolved":false,"context_lines":[{"line_number":60,"context_line":"# The following cycle."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"DEPRECATED_REASON \u003d \"\"\""},{"line_number":63,"context_line":"The Magnum service now enables policies (RBAC) new defaults and scope by"},{"line_number":64,"context_line":"default. 
And seperate project reader APIs and project member APIs."},{"line_number":65,"context_line":"\"\"\""},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"DEPRECATED_SINCE \u003d \u0027OpenStack 2023.1(Magnum 16.0.0)\u0027"}],"source_content_type":"text/x-python","patch_set":21,"id":"2215e6d5_45b44de8","line":64,"range":{"start_line":63,"start_character":0,"end_line":64,"end_character":66},"in_reply_to":"9dc1e81c_dc9e083e","updated":"2023-05-31 18:16:46.000000000","message":"Done","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"3545179abe837f086e52f7a87fee7a7debf6fc28","unresolved":true,"context_lines":[{"line_number":63,"context_line":"The Magnum service now enables policies (RBAC) new defaults and scope by"},{"line_number":64,"context_line":"default. And seperate project reader APIs and project member APIs."},{"line_number":65,"context_line":"\"\"\""},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"DEPRECATED_SINCE \u003d \u0027OpenStack 2023.1(Magnum 16.0.0)\u0027"},{"line_number":68,"context_line":""},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"DEPRECATED_DENY_CLUSTER_USER \u003d policy.DeprecatedRule("}],"source_content_type":"text/x-python","patch_set":21,"id":"b1adf78f_f721fd07","line":67,"range":{"start_line":66,"start_character":0,"end_line":67,"end_character":52},"updated":"2023-05-23 14:13:33.000000000","message":"sorry, will need an update","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"56226e444d16ad4cc8fb4567fcea583882f256a6","unresolved":false,"context_lines":[{"line_number":63,"context_line":"The Magnum service now enables policies (RBAC) new defaults and scope by"},{"line_number":64,"context_line":"default. 
And seperate project reader APIs and project member APIs."},{"line_number":65,"context_line":"\"\"\""},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"DEPRECATED_SINCE \u003d \u0027OpenStack 2023.1(Magnum 16.0.0)\u0027"},{"line_number":68,"context_line":""},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"DEPRECATED_DENY_CLUSTER_USER \u003d policy.DeprecatedRule("}],"source_content_type":"text/x-python","patch_set":21,"id":"4bef191b_64533d96","line":67,"range":{"start_line":66,"start_character":0,"end_line":67,"end_character":52},"in_reply_to":"b1adf78f_f721fd07","updated":"2023-05-31 18:16:46.000000000","message":"Done","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"3545179abe837f086e52f7a87fee7a7debf6fc28","unresolved":true,"context_lines":[{"line_number":158,"context_line":"    policy.RuleDefault("},{"line_number":159,"context_line":"        name\u003d\u0027admin_or_project_member_cluster_user\u0027,"},{"line_number":160,"context_line":"        check_str\u003d("},{"line_number":161,"context_line":"            f\"({RULE_ADMIN_API}) or ({RULE_PROJECT_MEMBER} \""},{"line_number":162,"context_line":"            f\"and {RULE_CLUSTER_USER})\""},{"line_number":163,"context_line":"        )"},{"line_number":164,"context_line":"    ),"}],"source_content_type":"text/x-python","patch_set":21,"id":"e72a853b_69c755f7","line":161,"range":{"start_line":161,"start_character":14,"end_line":161,"end_character":32},"updated":"2023-05-23 14:13:33.000000000","message":"I\u0027m also not certain what is the best practice around ()?\n\n- if we say RULE_XYZ will always be only 1 rule, we don\u0027t need to enclose with ()? e.g.\n RULE_XYZ\u003d\u0027rule:xyz\u0027\n\n- if that is not a thing then all RULE_XYZ fstrings should ideally be enclosed with ()?\n\nMaybe you can advise? 
I do not understand why some have brackets and some don\u0027t.","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"56226e444d16ad4cc8fb4567fcea583882f256a6","unresolved":false,"context_lines":[{"line_number":158,"context_line":"    policy.RuleDefault("},{"line_number":159,"context_line":"        name\u003d\u0027admin_or_project_member_cluster_user\u0027,"},{"line_number":160,"context_line":"        check_str\u003d("},{"line_number":161,"context_line":"            f\"({RULE_ADMIN_API}) or ({RULE_PROJECT_MEMBER} \""},{"line_number":162,"context_line":"            f\"and {RULE_CLUSTER_USER})\""},{"line_number":163,"context_line":"        )"},{"line_number":164,"context_line":"    ),"}],"source_content_type":"text/x-python","patch_set":21,"id":"66d91f25_545bfb06","line":161,"range":{"start_line":161,"start_character":14,"end_line":161,"end_character":32},"in_reply_to":"e72a853b_69c755f7","updated":"2023-05-31 18:16:46.000000000","message":"let\u0027s enclose them all with ().","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"}],"magnum/common/policies/bay.py":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e180a8c8589940890f64c6a968ca98546e5d5503","unresolved":true,"context_lines":[{"line_number":21,"context_line":"rules \u003d ["},{"line_number":22,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":23,"context_line":"        name\u003dBAY % \u0027create\u0027,"},{"line_number":24,"context_line":"        check_str\u003dbase.PROJECT_MEMBER_DENY_CLUSTER_USER,"},{"line_number":25,"context_line":"        scope_types\u003d[\"project\"],"},{"line_number":26,"context_line":"        description\u003d\u0027Create a new bay.\u0027,"},{"line_number":27,"context_line":"        
operations\u003d["},{"line_number":28,"context_line":"            {"},{"line_number":29,"context_line":"                \u0027path\u0027: \u0027/v1/bays\u0027,"},{"line_number":30,"context_line":"                \u0027method\u0027: \u0027POST\u0027"},{"line_number":31,"context_line":"            }"},{"line_number":32,"context_line":"        ],"},{"line_number":33,"context_line":"        deprecated_rule\u003dpolicy.DeprecatedRule("},{"line_number":34,"context_line":"            name\u003dBAY % \u0027create\u0027, check_str\u003dbase.RULE_DENY_CLUSTER_USER,"},{"line_number":35,"context_line":"            deprecated_reason\u003dbase.DEPRECATED_REASON,"},{"line_number":36,"context_line":"            deprecated_since\u003dversionutils.deprecated.ZED"},{"line_number":37,"context_line":"        )"},{"line_number":38,"context_line":"    ),"},{"line_number":39,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":40,"context_line":"        name\u003dBAY % \u0027delete\u0027,"}],"source_content_type":"text/x-python","patch_set":12,"id":"30785b2a_5825103e","line":37,"range":{"start_line":24,"start_character":0,"end_line":37,"end_character":9},"updated":"2023-03-07 19:25:14.000000000","message":"another benefit of defining PROJECT_MEMBER_DENY_CLUSTER_USER as a rule (I commented in base file change). 
we can add deprecated rule in base PROJECT_MEMBER_DENY_CLUSTER_USER rule only and we do not need to add that in every policy rule here in this file.\n\nsame for other files/rules too.","commit_id":"68475d4221bc6c7b3cbbda7580b74f415c69f85c"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"f28304b053623d6b936e1f1942bc98958c2b06bb","unresolved":false,"context_lines":[{"line_number":21,"context_line":"rules \u003d ["},{"line_number":22,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":23,"context_line":"        name\u003dBAY % \u0027create\u0027,"},{"line_number":24,"context_line":"        check_str\u003dbase.PROJECT_MEMBER_DENY_CLUSTER_USER,"},{"line_number":25,"context_line":"        scope_types\u003d[\"project\"],"},{"line_number":26,"context_line":"        description\u003d\u0027Create a new bay.\u0027,"},{"line_number":27,"context_line":"        operations\u003d["},{"line_number":28,"context_line":"            {"},{"line_number":29,"context_line":"                \u0027path\u0027: \u0027/v1/bays\u0027,"},{"line_number":30,"context_line":"                \u0027method\u0027: \u0027POST\u0027"},{"line_number":31,"context_line":"            }"},{"line_number":32,"context_line":"        ],"},{"line_number":33,"context_line":"        deprecated_rule\u003dpolicy.DeprecatedRule("},{"line_number":34,"context_line":"            name\u003dBAY % \u0027create\u0027, check_str\u003dbase.RULE_DENY_CLUSTER_USER,"},{"line_number":35,"context_line":"            deprecated_reason\u003dbase.DEPRECATED_REASON,"},{"line_number":36,"context_line":"            deprecated_since\u003dversionutils.deprecated.ZED"},{"line_number":37,"context_line":"        )"},{"line_number":38,"context_line":"    ),"},{"line_number":39,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":40,"context_line":"        name\u003dBAY % 
\u0027delete\u0027,"}],"source_content_type":"text/x-python","patch_set":12,"id":"fa39c7c8_d1c04b1e","line":37,"range":{"start_line":24,"start_character":0,"end_line":37,"end_character":9},"in_reply_to":"30785b2a_5825103e","updated":"2023-03-08 09:12:58.000000000","message":"Done","commit_id":"68475d4221bc6c7b3cbbda7580b74f415c69f85c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"edc0b28887c9377c40bb708d440b42fe37b49f48","unresolved":true,"context_lines":[{"line_number":33,"context_line":"        deprecated_rule\u003dpolicy.DeprecatedRule("},{"line_number":34,"context_line":"            name\u003dBAY % \u0027create\u0027, check_str\u003dbase.RULE_DENY_CLUSTER_USER,"},{"line_number":35,"context_line":"            deprecated_reason\u003dbase.DEPRECATED_REASON,"},{"line_number":36,"context_line":"            deprecated_since\u003dversionutils.deprecated.ZED"},{"line_number":37,"context_line":"        )"},{"line_number":38,"context_line":"    ),"},{"line_number":39,"context_line":"    policy.DocumentedRuleDefault("}],"source_content_type":"text/x-python","patch_set":16,"id":"f3dd17a6_b9c4b360","line":36,"range":{"start_line":36,"start_character":29,"end_line":36,"end_character":56},"updated":"2023-03-08 21:58:29.000000000","message":"As zed is already released, we can mark here \u0027OpenStack 2023.1 (Magnum 16.0.0)\u0027","commit_id":"0e296843c5998cab17ea15f5d8e28cb882c9bcee"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"730a29ea81026c1ef8dc47dedb5da0905e209bd0","unresolved":false,"context_lines":[{"line_number":33,"context_line":"        deprecated_rule\u003dpolicy.DeprecatedRule("},{"line_number":34,"context_line":"            name\u003dBAY % \u0027create\u0027, check_str\u003dbase.RULE_DENY_CLUSTER_USER,"},{"line_number":35,"context_line":"            
deprecated_reason\u003dbase.DEPRECATED_REASON,"},{"line_number":36,"context_line":"            deprecated_since\u003dversionutils.deprecated.ZED"},{"line_number":37,"context_line":"        )"},{"line_number":38,"context_line":"    ),"},{"line_number":39,"context_line":"    policy.DocumentedRuleDefault("}],"source_content_type":"text/x-python","patch_set":16,"id":"f1b407e7_cc0875c5","line":36,"range":{"start_line":36,"start_character":29,"end_line":36,"end_character":56},"in_reply_to":"f3dd17a6_b9c4b360","updated":"2023-03-09 09:01:19.000000000","message":"Done","commit_id":"0e296843c5998cab17ea15f5d8e28cb882c9bcee"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"edc0b28887c9377c40bb708d440b42fe37b49f48","unresolved":true,"context_lines":[{"line_number":30,"context_line":"                \u0027method\u0027: \u0027POST\u0027"},{"line_number":31,"context_line":"            }"},{"line_number":32,"context_line":"        ],"},{"line_number":33,"context_line":"        deprecated_rule\u003dpolicy.DeprecatedRule("},{"line_number":34,"context_line":"            name\u003dBAY % \u0027create\u0027, check_str\u003dbase.RULE_DENY_CLUSTER_USER,"},{"line_number":35,"context_line":"            deprecated_reason\u003dbase.DEPRECATED_REASON,"},{"line_number":36,"context_line":"            deprecated_since\u003dversionutils.deprecated.ZED"},{"line_number":37,"context_line":"        )"},{"line_number":38,"context_line":"    ),"},{"line_number":39,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":40,"context_line":"        name\u003dBAY % \u0027delete\u0027,"}],"source_content_type":"text/x-python","patch_set":16,"id":"cdd4d530_04633cf1","line":37,"range":{"start_line":33,"start_character":0,"end_line":37,"end_character":9},"updated":"2023-03-08 21:58:29.000000000","message":"We can add this deprecated rule in base rule RULE_PROJECT_MEMBER_DENY_CLUSTER_USER 
itself so that you do not need to add this deprecated rule repeatedly for all rule.","commit_id":"0e296843c5998cab17ea15f5d8e28cb882c9bcee"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"730a29ea81026c1ef8dc47dedb5da0905e209bd0","unresolved":false,"context_lines":[{"line_number":30,"context_line":"                \u0027method\u0027: \u0027POST\u0027"},{"line_number":31,"context_line":"            }"},{"line_number":32,"context_line":"        ],"},{"line_number":33,"context_line":"        deprecated_rule\u003dpolicy.DeprecatedRule("},{"line_number":34,"context_line":"            name\u003dBAY % \u0027create\u0027, check_str\u003dbase.RULE_DENY_CLUSTER_USER,"},{"line_number":35,"context_line":"            deprecated_reason\u003dbase.DEPRECATED_REASON,"},{"line_number":36,"context_line":"            deprecated_since\u003dversionutils.deprecated.ZED"},{"line_number":37,"context_line":"        )"},{"line_number":38,"context_line":"    ),"},{"line_number":39,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":40,"context_line":"        name\u003dBAY % \u0027delete\u0027,"}],"source_content_type":"text/x-python","patch_set":16,"id":"74620765_dfc2df17","line":37,"range":{"start_line":33,"start_character":0,"end_line":37,"end_character":9},"in_reply_to":"cdd4d530_04633cf1","updated":"2023-03-09 09:01:19.000000000","message":"Done","commit_id":"0e296843c5998cab17ea15f5d8e28cb882c9bcee"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d637ff753a64c9d6850f6699aa6a9eab74654770","unresolved":true,"context_lines":[{"line_number":16,"context_line":"from magnum.common.policies import base"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"rules \u003d ["},{"line_number":19,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":20,"context_line":" 
       name\u003dbase.BAY % \u0027create\u0027,"},{"line_number":21,"context_line":"        check_str\u003dbase.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,"},{"line_number":22,"context_line":"        scope_types\u003d[\"project\"],"},{"line_number":23,"context_line":"        description\u003d\u0027Create a new bay.\u0027,"},{"line_number":24,"context_line":"        operations\u003d["},{"line_number":25,"context_line":"            {"},{"line_number":26,"context_line":"                \u0027path\u0027: \u0027/v1/bays\u0027,"},{"line_number":27,"context_line":"                \u0027method\u0027: \u0027POST\u0027"},{"line_number":28,"context_line":"            }"},{"line_number":29,"context_line":"        ],"},{"line_number":30,"context_line":"        deprecated_rule\u003dbase.deny_cluster_user_deprecates[base.BAY % \u0027create\u0027]"},{"line_number":31,"context_line":"    ),"},{"line_number":32,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":33,"context_line":"        name\u003dbase.BAY % \u0027delete\u0027,"},{"line_number":34,"context_line":"        check_str\u003dbase.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,"}],"source_content_type":"text/x-python","patch_set":18,"id":"a6eb9ac2_e3e7aff9","line":31,"range":{"start_line":19,"start_character":0,"end_line":31,"end_character":6},"updated":"2023-03-09 18:34:46.000000000","message":"Sorry If my earlier comment was not clear. I mean to say to add the deprecated rule in base rule itself and not here. 
From base rule it will be applicable to all the specific rule here.\n\nbase rule example comment in https://review.opendev.org/c/openstack/magnum/+/874945/16..18/magnum/common/policies/base.py#141\n\nin this file we can change only check_str:\n\n    policy.DocumentedRuleDefault(\n        name\u003dbase.BAY % \u0027create\u0027,\n        check_str\u003dbase.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,\n        scope_types\u003d[\"project\"],\n        description\u003d\u0027Create a new bay.\u0027,\n        operations\u003d[\n            {\n                \u0027path\u0027: \u0027/v1/bays\u0027,\n                \u0027method\u0027: \u0027POST\u0027\n            }\n        ]\n    ),\n    \n    same for other rules also. This will help to remove the deprecated rules from a single place in the future.","commit_id":"05a32415124deda2fc2392f845ea3df0c968b936"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"ab8ecaa90b4c39cf5e65192e72c6675a35d4c855","unresolved":false,"context_lines":[{"line_number":16,"context_line":"from magnum.common.policies import base"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"rules \u003d ["},{"line_number":19,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":20,"context_line":"        name\u003dbase.BAY % \u0027create\u0027,"},{"line_number":21,"context_line":"        check_str\u003dbase.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,"},{"line_number":22,"context_line":"        scope_types\u003d[\"project\"],"},{"line_number":23,"context_line":"        description\u003d\u0027Create a new bay.\u0027,"},{"line_number":24,"context_line":"        operations\u003d["},{"line_number":25,"context_line":"            {"},{"line_number":26,"context_line":"                \u0027path\u0027: \u0027/v1/bays\u0027,"},{"line_number":27,"context_line":"                \u0027method\u0027: \u0027POST\u0027"},{"line_number":28,"context_line":"            
}"},{"line_number":29,"context_line":"        ],"},{"line_number":30,"context_line":"        deprecated_rule\u003dbase.deny_cluster_user_deprecates[base.BAY % \u0027create\u0027]"},{"line_number":31,"context_line":"    ),"},{"line_number":32,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":33,"context_line":"        name\u003dbase.BAY % \u0027delete\u0027,"},{"line_number":34,"context_line":"        check_str\u003dbase.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,"}],"source_content_type":"text/x-python","patch_set":18,"id":"0120bf4f_872cd10e","line":31,"range":{"start_line":19,"start_character":0,"end_line":31,"end_character":6},"in_reply_to":"a6eb9ac2_e3e7aff9","updated":"2023-03-14 08:18:46.000000000","message":"Done","commit_id":"05a32415124deda2fc2392f845ea3df0c968b936"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"8278cb6d6eb3b86aa5b76537fdccc521b00413b9","unresolved":false,"context_lines":[{"line_number":16,"context_line":"from magnum.common.policies import base"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"rules \u003d ["},{"line_number":19,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":20,"context_line":"        name\u003dbase.BAY % \u0027create\u0027,"},{"line_number":21,"context_line":"        check_str\u003dbase.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,"},{"line_number":22,"context_line":"        scope_types\u003d[\"project\"],"},{"line_number":23,"context_line":"        description\u003d\u0027Create a new bay.\u0027,"},{"line_number":24,"context_line":"        operations\u003d["},{"line_number":25,"context_line":"            {"},{"line_number":26,"context_line":"                \u0027path\u0027: \u0027/v1/bays\u0027,"},{"line_number":27,"context_line":"                \u0027method\u0027: \u0027POST\u0027"},{"line_number":28,"context_line":"            
}"},{"line_number":29,"context_line":"        ],"},{"line_number":30,"context_line":"        deprecated_rule\u003dbase.deny_cluster_user_deprecates[base.BAY % \u0027create\u0027]"},{"line_number":31,"context_line":"    ),"},{"line_number":32,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":33,"context_line":"        name\u003dbase.BAY % \u0027delete\u0027,"},{"line_number":34,"context_line":"        check_str\u003dbase.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,"}],"source_content_type":"text/x-python","patch_set":18,"id":"924f9b83_f462227a","line":31,"range":{"start_line":19,"start_character":0,"end_line":31,"end_character":6},"in_reply_to":"a6eb9ac2_e3e7aff9","updated":"2023-03-14 22:31:22.000000000","message":"done","commit_id":"05a32415124deda2fc2392f845ea3df0c968b936"}],"magnum/common/policies/certificate.py":[{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"3545179abe837f086e52f7a87fee7a7debf6fc28","unresolved":true,"context_lines":[{"line_number":44,"context_line":"    ),"},{"line_number":45,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":46,"context_line":"        name\u003dCERTIFICATE % \u0027rotate_ca\u0027,"},{"line_number":47,"context_line":"        check_str\u003dbase.RULE_ADMIN_OR_PROJECT_MEMBER,"},{"line_number":48,"context_line":"        scope_types\u003d[\"project\"],"},{"line_number":49,"context_line":"        description\u003d\u0027Rotate the CA certificate on the given cluster.\u0027,"},{"line_number":50,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":21,"id":"42086b98_aeaa1a4f","line":47,"range":{"start_line":47,"start_character":23,"end_line":47,"end_character":51},"updated":"2023-05-23 14:13:33.000000000","message":"This is weird, compared to the rest of the rules - a project member can rotate the ca, which is a more privileged method, but not get the certificate?\n\nI traced this to Change 
Ief28bef3a79f212acf4166e443a96e5419fbb757 but I\u0027m still not sure why this was implemented this way.\n\nAnyway, I don\u0027t think this is a problem with this review, but maybe something to flag for Magnum Core to take a look. Nothing needs to change here.","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"526100afced4ad95ef76fd307c9c53200e9607f2","unresolved":true,"context_lines":[{"line_number":44,"context_line":"    ),"},{"line_number":45,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":46,"context_line":"        name\u003dCERTIFICATE % \u0027rotate_ca\u0027,"},{"line_number":47,"context_line":"        check_str\u003dbase.RULE_ADMIN_OR_PROJECT_MEMBER,"},{"line_number":48,"context_line":"        scope_types\u003d[\"project\"],"},{"line_number":49,"context_line":"        description\u003d\u0027Rotate the CA certificate on the given cluster.\u0027,"},{"line_number":50,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":21,"id":"0efc2634_64127b1c","line":47,"range":{"start_line":47,"start_character":23,"end_line":47,"end_character":51},"in_reply_to":"42086b98_aeaa1a4f","updated":"2023-08-29 12:24:39.000000000","message":"should we raise a bug in LP?","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"}],"magnum/common/policies/cluster.py":[{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"3545179abe837f086e52f7a87fee7a7debf6fc28","unresolved":true,"context_lines":[{"line_number":20,"context_line":"rules \u003d ["},{"line_number":21,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":22,"context_line":"        name\u003dCLUSTER % \u0027create\u0027,"},{"line_number":23,"context_line":"        
check_str\u003dbase.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER,"},{"line_number":24,"context_line":"        scope_types\u003d[\"project\"],"},{"line_number":25,"context_line":"        description\u003d\u0027Create a new cluster.\u0027,"},{"line_number":26,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":21,"id":"a4b69752_e20a1a7c","line":23,"range":{"start_line":23,"start_character":0,"end_line":23,"end_character":61},"updated":"2023-05-23 14:13:33.000000000","message":"NOTE TO SELF: We may have to revisit this to see if the deny is still necessary","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"3545179abe837f086e52f7a87fee7a7debf6fc28","unresolved":true,"context_lines":[{"line_number":137,"context_line":"    ),"},{"line_number":138,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":139,"context_line":"        name\u003dCLUSTER % \u0027update_health_status\u0027,"},{"line_number":140,"context_line":"        check_str\u003dbase.RULE_ADMIN_OR_PROJECT_MEMBER_USER_OR_CLUSTER_USER,"},{"line_number":141,"context_line":"        scope_types\u003d[\"project\"],"},{"line_number":142,"context_line":"        description\u003d\u0027Update the health status of an existing cluster.\u0027,"},{"line_number":143,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":21,"id":"9d4ec096_4f77d9d2","line":140,"range":{"start_line":140,"start_character":23,"end_line":140,"end_character":72},"updated":"2023-05-23 14:13:33.000000000","message":"should this be `RULE_ADMIN_OR_USER_OR_CLUSTER_USER`?","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":12404,"name":"Rico 
Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"56226e444d16ad4cc8fb4567fcea583882f256a6","unresolved":false,"context_lines":[{"line_number":137,"context_line":"    ),"},{"line_number":138,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":139,"context_line":"        name\u003dCLUSTER % \u0027update_health_status\u0027,"},{"line_number":140,"context_line":"        check_str\u003dbase.RULE_ADMIN_OR_PROJECT_MEMBER_USER_OR_CLUSTER_USER,"},{"line_number":141,"context_line":"        scope_types\u003d[\"project\"],"},{"line_number":142,"context_line":"        description\u003d\u0027Update the health status of an existing cluster.\u0027,"},{"line_number":143,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":21,"id":"7612aa79_64ccd7c1","line":140,"range":{"start_line":140,"start_character":23,"end_line":140,"end_character":72},"in_reply_to":"9d4ec096_4f77d9d2","updated":"2023-05-31 18:16:46.000000000","message":"I propose adding enforce project member rule for both user or cluster user","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"}],"magnum/common/policy.py":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e180a8c8589940890f64c6a968ca98546e5d5503","unresolved":true,"context_lines":[{"line_number":34,"context_line":"# \u0027policy_file\u0027, \u0027enforce_scope\u0027, and \u0027enforce_new_defaults\u0027 once"},{"line_number":35,"context_line":"# oslo_policy change their default value to what is overridden here."},{"line_number":36,"context_line":"DEFAULT_POLICY_FILE \u003d \u0027policy.yaml\u0027"},{"line_number":37,"context_line":"opts.set_defaults("},{"line_number":38,"context_line":"    CONF,"},{"line_number":39,"context_line":"    DEFAULT_POLICY_FILE,"},{"line_number":40,"context_line":"    enforce_scope\u003dTrue,"},{"line_number":41,"context_line":"    
enforce_new_defaults\u003dTrue"},{"line_number":42,"context_line":")"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"# we can get a policy enforcer by this init."},{"line_number":46,"context_line":"# oslo policy support change policy rule dynamically."}],"source_content_type":"text/x-python","patch_set":12,"id":"b27c1161_dbc40355","line":43,"range":{"start_line":37,"start_character":0,"end_line":43,"end_character":0},"updated":"2023-03-07 19:25:14.000000000","message":"I think I have an objection to enabling the new defaults at the same time they are added. This will not give operators time to start adopting the new defaults; instead it will break them right away.\n\nMagnum is changing the defaults in this cycle (this change basically) and enabling them in the same cycle (this change).\n\nMigration path we have done in nova/neutron/glance etc and defined in TC goal also,\n- at release N, projects implement the new defaults; they will be disabled by default \n- at release N+1, projects can enable the new defaults by default BUT keep the old deprecated rules also, so that operators who need time can enable the old defaults.\n- at release N+2, projects can remove the old deprecated rules.\n\nhttps://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#release-timeline","commit_id":"68475d4221bc6c7b3cbbda7580b74f415c69f85c"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"f28304b053623d6b936e1f1942bc98958c2b06bb","unresolved":false,"context_lines":[{"line_number":34,"context_line":"# \u0027policy_file\u0027, \u0027enforce_scope\u0027, and \u0027enforce_new_defaults\u0027 once"},{"line_number":35,"context_line":"# oslo_policy change their default value to what is overridden here."},{"line_number":36,"context_line":"DEFAULT_POLICY_FILE \u003d 
\u0027policy.yaml\u0027"},{"line_number":37,"context_line":"opts.set_defaults("},{"line_number":38,"context_line":"    CONF,"},{"line_number":39,"context_line":"    DEFAULT_POLICY_FILE,"},{"line_number":40,"context_line":"    enforce_scope\u003dTrue,"},{"line_number":41,"context_line":"    enforce_new_defaults\u003dTrue"},{"line_number":42,"context_line":")"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"# we can get a policy enforcer by this init."},{"line_number":46,"context_line":"# oslo policy support change policy rule dynamically."}],"source_content_type":"text/x-python","patch_set":12,"id":"c3e47527_0e619a0d","line":43,"range":{"start_line":37,"start_character":0,"end_line":43,"end_character":0},"in_reply_to":"b27c1161_dbc40355","updated":"2023-03-08 09:12:58.000000000","message":"Done","commit_id":"68475d4221bc6c7b3cbbda7580b74f415c69f85c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"edc0b28887c9377c40bb708d440b42fe37b49f48","unresolved":true,"context_lines":[{"line_number":39,"context_line":"opts.set_defaults("},{"line_number":40,"context_line":"    CONF,"},{"line_number":41,"context_line":"    DEFAULT_POLICY_FILE,"},{"line_number":42,"context_line":"    enforce_scope\u003dFalse,"},{"line_number":43,"context_line":"    enforce_new_defaults\u003dFalse"},{"line_number":44,"context_line":")"},{"line_number":45,"context_line":""},{"line_number":46,"context_line":""}],"source_content_type":"text/x-python","patch_set":16,"id":"814a059a_38da1504","line":43,"range":{"start_line":42,"start_character":0,"end_line":43,"end_character":30},"updated":"2023-03-08 21:58:29.000000000","message":"these are default to false by default in oslo_policy so you do not need to mark them here false. 
We can only override the default value if we want to change that from what it is by default in oslo policy","commit_id":"0e296843c5998cab17ea15f5d8e28cb882c9bcee"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"730a29ea81026c1ef8dc47dedb5da0905e209bd0","unresolved":false,"context_lines":[{"line_number":39,"context_line":"opts.set_defaults("},{"line_number":40,"context_line":"    CONF,"},{"line_number":41,"context_line":"    DEFAULT_POLICY_FILE,"},{"line_number":42,"context_line":"    enforce_scope\u003dFalse,"},{"line_number":43,"context_line":"    enforce_new_defaults\u003dFalse"},{"line_number":44,"context_line":")"},{"line_number":45,"context_line":""},{"line_number":46,"context_line":""}],"source_content_type":"text/x-python","patch_set":16,"id":"32563ec8_498e60e6","line":43,"range":{"start_line":42,"start_character":0,"end_line":43,"end_character":30},"in_reply_to":"814a059a_38da1504","updated":"2023-03-09 09:01:19.000000000","message":"Done","commit_id":"0e296843c5998cab17ea15f5d8e28cb882c9bcee"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"526100afced4ad95ef76fd307c9c53200e9607f2","unresolved":true,"context_lines":[{"line_number":112,"context_line":"        result \u003d enforcer.enforce(rule, target, credentials,"},{"line_number":113,"context_line":"                                  do_raise\u003ddo_raise, exc\u003dexc, *args, **kwargs)"},{"line_number":114,"context_line":"    except policy.InvalidScope as ex:"},{"line_number":115,"context_line":"        LOG.debug(f\"Invalide scope while enforce policy :{str(ex)}\")"},{"line_number":116,"context_line":"        raise exc(action\u003drule)"},{"line_number":117,"context_line":"    return 
result"},{"line_number":118,"context_line":""}],"source_content_type":"text/x-python","patch_set":29,"id":"bb6175af_57c92cae","line":115,"range":{"start_line":115,"start_character":20,"end_line":115,"end_character":28},"updated":"2023-08-29 12:24:39.000000000","message":"nit: Invalid?","commit_id":"429e90900038bd3ef71256347a17c212ee2dd2fa"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"3511e1c3807e61b8254a12be4b477289a24cb1b4","unresolved":false,"context_lines":[{"line_number":112,"context_line":"        result \u003d enforcer.enforce(rule, target, credentials,"},{"line_number":113,"context_line":"                                  do_raise\u003ddo_raise, exc\u003dexc, *args, **kwargs)"},{"line_number":114,"context_line":"    except policy.InvalidScope as ex:"},{"line_number":115,"context_line":"        LOG.debug(f\"Invalide scope while enforce policy :{str(ex)}\")"},{"line_number":116,"context_line":"        raise exc(action\u003drule)"},{"line_number":117,"context_line":"    return result"},{"line_number":118,"context_line":""}],"source_content_type":"text/x-python","patch_set":29,"id":"c4bf293b_dee34613","line":115,"range":{"start_line":115,"start_character":20,"end_line":115,"end_character":28},"in_reply_to":"bb6175af_57c92cae","updated":"2023-08-29 16:36:42.000000000","message":"Done","commit_id":"429e90900038bd3ef71256347a17c212ee2dd2fa"}],"releasenotes/notes/enable-enforce-scope-and-new-defaults-7e6e503f74283071.yaml":[{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"3545179abe837f086e52f7a87fee7a7debf6fc28","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"upgrade:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    The Magnum service allow enables policies (RBAC) new defaults and scope."},{"line_number":5,"context_line":"    The 
Default value of config options ``[oslo_policy] enforce_scope``"},{"line_number":6,"context_line":"    and ``[oslo_policy] oslo_policy.enforce_new_defaults`` are both ``False``."},{"line_number":7,"context_line":"    We will change the default to ``True`` in the following cycle."}],"source_content_type":"text/x-yaml","patch_set":21,"id":"f3c77f64_591b367f","line":4,"range":{"start_line":4,"start_character":23,"end_line":4,"end_character":52},"updated":"2023-05-23 14:13:33.000000000","message":"now allows","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"3545179abe837f086e52f7a87fee7a7debf6fc28","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"upgrade:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    The Magnum service allow enables policies (RBAC) new defaults and scope."},{"line_number":5,"context_line":"    The Default value of config options ``[oslo_policy] enforce_scope``"},{"line_number":6,"context_line":"    and ``[oslo_policy] oslo_policy.enforce_new_defaults`` are both ``False``."},{"line_number":7,"context_line":"    We will change the default to ``True`` in the following cycle."}],"source_content_type":"text/x-yaml","patch_set":21,"id":"fc3a3889_f7074c1b","line":4,"range":{"start_line":4,"start_character":70,"end_line":4,"end_character":75},"updated":"2023-05-23 14:13:33.000000000","message":"scope checks","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"56226e444d16ad4cc8fb4567fcea583882f256a6","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"upgrade:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    The Magnum service allow 
enables policies (RBAC) new defaults and scope."},{"line_number":5,"context_line":"    The Default value of config options ``[oslo_policy] enforce_scope``"},{"line_number":6,"context_line":"    and ``[oslo_policy] oslo_policy.enforce_new_defaults`` are both ``False``."},{"line_number":7,"context_line":"    We will change the default to ``True`` in the following cycle."}],"source_content_type":"text/x-yaml","patch_set":21,"id":"bd357b5a_1ecafaa8","line":4,"range":{"start_line":4,"start_character":23,"end_line":4,"end_character":52},"in_reply_to":"f3c77f64_591b367f","updated":"2023-05-31 18:16:46.000000000","message":"Done","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"56226e444d16ad4cc8fb4567fcea583882f256a6","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"upgrade:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    The Magnum service allow enables policies (RBAC) new defaults and scope."},{"line_number":5,"context_line":"    The Default value of config options ``[oslo_policy] enforce_scope``"},{"line_number":6,"context_line":"    and ``[oslo_policy] oslo_policy.enforce_new_defaults`` are both ``False``."},{"line_number":7,"context_line":"    We will change the default to ``True`` in the following cycle."}],"source_content_type":"text/x-yaml","patch_set":21,"id":"dede2b96_318a14f9","line":4,"range":{"start_line":4,"start_character":70,"end_line":4,"end_character":75},"in_reply_to":"fc3a3889_f7074c1b","updated":"2023-05-31 18:16:46.000000000","message":"Done","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":8064,"name":"Jake 
Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"3545179abe837f086e52f7a87fee7a7debf6fc28","unresolved":true,"context_lines":[{"line_number":2,"context_line":"upgrade:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    The Magnum service allow enables policies (RBAC) new defaults and scope."},{"line_number":5,"context_line":"    The Default value of config options ``[oslo_policy] enforce_scope``"},{"line_number":6,"context_line":"    and ``[oslo_policy] oslo_policy.enforce_new_defaults`` are both ``False``."},{"line_number":7,"context_line":"    We will change the default to ``True`` in the following cycle."},{"line_number":8,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":21,"id":"4d454f0d_25366ee8","line":5,"range":{"start_line":5,"start_character":8,"end_line":5,"end_character":15},"updated":"2023-05-23 14:13:33.000000000","message":"NIT: default\n\nalso NIT: I would prefer you lead with the table you have at the end; it is so much clearer. 
Maybe something like\n\nThese are controlled by the following (default) config options\n\n  [oslo_policy]\n  enforce_new_defaults\u003dFalse\n  enforce_scope\u003dFalse\n\nWe will change the default to ``True`` in the following cycle.\n\nIf you want to enable them then modify the values to ``True``","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"56226e444d16ad4cc8fb4567fcea583882f256a6","unresolved":false,"context_lines":[{"line_number":2,"context_line":"upgrade:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    The Magnum service allow enables policies (RBAC) new defaults and scope."},{"line_number":5,"context_line":"    The Default value of config options ``[oslo_policy] enforce_scope``"},{"line_number":6,"context_line":"    and ``[oslo_policy] oslo_policy.enforce_new_defaults`` are both ``False``."},{"line_number":7,"context_line":"    We will change the default to ``True`` in the following cycle."},{"line_number":8,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":21,"id":"ed9bcbef_7e2707d5","line":5,"range":{"start_line":5,"start_character":8,"end_line":5,"end_character":15},"in_reply_to":"4d454f0d_25366ee8","updated":"2023-05-31 18:16:46.000000000","message":"Done","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"3545179abe837f086e52f7a87fee7a7debf6fc28","unresolved":true,"context_lines":[{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    The Magnum service allow enables policies (RBAC) new defaults and scope."},{"line_number":5,"context_line":"    The Default value of config options ``[oslo_policy] enforce_scope``"},{"line_number":6,"context_line":"    and ``[oslo_policy] oslo_policy.enforce_new_defaults`` are both 
``False``."},{"line_number":7,"context_line":"    We will change the default to ``True`` in the following cycle."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"    If you want to enable them then modify the below config options value in"}],"source_content_type":"text/x-yaml","patch_set":21,"id":"b41309ac_b7ab10bc","line":6,"range":{"start_line":6,"start_character":24,"end_line":6,"end_character":36},"updated":"2023-05-23 14:13:33.000000000","message":"redundant","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"56226e444d16ad4cc8fb4567fcea583882f256a6","unresolved":false,"context_lines":[{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    The Magnum service allow enables policies (RBAC) new defaults and scope."},{"line_number":5,"context_line":"    The Default value of config options ``[oslo_policy] enforce_scope``"},{"line_number":6,"context_line":"    and ``[oslo_policy] oslo_policy.enforce_new_defaults`` are both ``False``."},{"line_number":7,"context_line":"    We will change the default to ``True`` in the following cycle."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"    If you want to enable them then modify the below config options value in"}],"source_content_type":"text/x-yaml","patch_set":21,"id":"0e5d15e3_279208df","line":6,"range":{"start_line":6,"start_character":24,"end_line":6,"end_character":36},"in_reply_to":"b41309ac_b7ab10bc","updated":"2023-05-31 18:16:46.000000000","message":"Done","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":8064,"name":"Jake Yip","email":"jake.yip@ardc.edu.au","username":"jake"},"change_message_id":"3545179abe837f086e52f7a87fee7a7debf6fc28","unresolved":true,"context_lines":[{"line_number":6,"context_line":"    and ``[oslo_policy] oslo_policy.enforce_new_defaults`` are both 
``False``."},{"line_number":7,"context_line":"    We will change the default to ``True`` in the following cycle."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"    If you want to enable them then modify the below config options value in"},{"line_number":10,"context_line":"    ``magnum.conf`` file::"},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"      [oslo_policy]"}],"source_content_type":"text/x-yaml","patch_set":21,"id":"ae74b128_86e23200","line":9,"range":{"start_line":9,"start_character":68,"end_line":9,"end_character":73},"updated":"2023-05-23 14:13:33.000000000","message":"NIT: redundant","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"56226e444d16ad4cc8fb4567fcea583882f256a6","unresolved":false,"context_lines":[{"line_number":6,"context_line":"    and ``[oslo_policy] oslo_policy.enforce_new_defaults`` are both ``False``."},{"line_number":7,"context_line":"    We will change the default to ``True`` in the following cycle."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"    If you want to enable them then modify the below config options value in"},{"line_number":10,"context_line":"    ``magnum.conf`` file::"},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"      [oslo_policy]"}],"source_content_type":"text/x-yaml","patch_set":21,"id":"8f4852e6_27c46b05","line":9,"range":{"start_line":9,"start_character":68,"end_line":9,"end_character":73},"in_reply_to":"ae74b128_86e23200","updated":"2023-05-31 18:16:46.000000000","message":"Done","commit_id":"4bae8265d8d62142de6b52e8a156f6ab3700e9c8"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"526100afced4ad95ef76fd307c9c53200e9607f2","unresolved":true,"context_lines":[{"line_number":9,"context_line":"      
enforce_new_defaults\u003dFalse"},{"line_number":10,"context_line":"      enforce_scope\u003dFalse"},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"    We will change the default to True in the following cycle."},{"line_number":13,"context_line":"    If you want to enable them then modify both values to True."}],"source_content_type":"text/x-yaml","patch_set":29,"id":"0ece4665_356fe585","line":12,"range":{"start_line":12,"start_character":46,"end_line":12,"end_character":55},"updated":"2023-08-29 12:24:39.000000000","message":"2024.1 (Caracal) cycle?","commit_id":"429e90900038bd3ef71256347a17c212ee2dd2fa"},{"author":{"_account_id":12404,"name":"Rico Lin","email":"ricolin@ricolky.com","username":"rico.lin"},"change_message_id":"3511e1c3807e61b8254a12be4b477289a24cb1b4","unresolved":false,"context_lines":[{"line_number":9,"context_line":"      enforce_new_defaults\u003dFalse"},{"line_number":10,"context_line":"      enforce_scope\u003dFalse"},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"    We will change the default to True in the following cycle."},{"line_number":13,"context_line":"    If you want to enable them then modify both values to True."}],"source_content_type":"text/x-yaml","patch_set":29,"id":"e1eaafab_65f81705","line":12,"range":{"start_line":12,"start_character":46,"end_line":12,"end_character":55},"in_reply_to":"0ece4665_356fe585","updated":"2023-08-29 16:36:42.000000000","message":"Done","commit_id":"429e90900038bd3ef71256347a17c212ee2dd2fa"}]}
