)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"660ef3f8e1110356f1ff0c61470b98edc78867ee","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"8166c0f5_2c6f67ac","updated":"2025-08-21 09:04:48.000000000","message":"Do we have any tests in tempest-plugin for credential API?","commit_id":"2a997272cf750189208ddacffff60c09b25757ba"},{"author":{"_account_id":38227,"name":"Matthew Northcott","display_name":"Matthew Northcott","email":"matthewnorthcott@catalystcloud.nz","username":"northcottmt"},"change_message_id":"e14b1b9b9d9cba7f8594f8890bcdd113aff9bd94","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"90f2aa5b_75e543d9","in_reply_to":"8166c0f5_2c6f67ac","updated":"2025-08-28 01:37:53.000000000","message":"Not yet, but looking into it.","commit_id":"2a997272cf750189208ddacffff60c09b25757ba"}],"magnum/api/controllers/v1/credential.py":[{"author":{"_account_id":14394,"name":"Dale Smith","email":"dale@catalystcloud.nz","username":"dalees"},"change_message_id":"b505f180ba424b717144a6f115716805f1799d71","unresolved":true,"context_lines":[{"line_number":58,"context_line":"                       action\u003d\u0027credential:rotate\u0027)"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"        cluster \u003d api_utils.get_resource(\u0027Cluster\u0027, cluster_ident)"},{"line_number":61,"context_line":"        # Perform rotate operation synchronously as there aren\u0027t any slow Helm"},{"line_number":62,"context_line":"        # apply/upgrade operations to do"},{"line_number":63,"context_line":"        pecan.request.rpcapi.credential_rotate(cluster)"},{"line_number":64,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"c8fd4dd5_16949816","line":61,"updated":"2025-08-27 05:06:00.000000000","message":"add \"Note(mnorthcott):\" prefix to the comment.\n\nAlso, remove \"Helm\" reference as this is Magnum Core, not a driver. Perhaps \"this is expected to be implemented as a lightweight secret update operation\".","commit_id":"2a997272cf750189208ddacffff60c09b25757ba"},{"author":{"_account_id":38227,"name":"Matthew Northcott","display_name":"Matthew Northcott","email":"matthewnorthcott@catalystcloud.nz","username":"northcottmt"},"change_message_id":"e14b1b9b9d9cba7f8594f8890bcdd113aff9bd94","unresolved":false,"context_lines":[{"line_number":58,"context_line":"                       action\u003d\u0027credential:rotate\u0027)"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"        cluster \u003d api_utils.get_resource(\u0027Cluster\u0027, cluster_ident)"},{"line_number":61,"context_line":"        # Perform rotate operation synchronously as there aren\u0027t any slow Helm"},{"line_number":62,"context_line":"        # apply/upgrade operations to do"},{"line_number":63,"context_line":"        pecan.request.rpcapi.credential_rotate(cluster)"},{"line_number":64,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"51690169_0f48fe08","line":61,"in_reply_to":"157e987a_00f711b7","updated":"2025-08-28 01:37:53.000000000","message":"Done","commit_id":"2a997272cf750189208ddacffff60c09b25757ba"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"bda0047ac35b058784f05f6954861664adf2a631","unresolved":true,"context_lines":[{"line_number":58,"context_line":"                       action\u003d\u0027credential:rotate\u0027)"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"        cluster \u003d api_utils.get_resource(\u0027Cluster\u0027, cluster_ident)"},{"line_number":61,"context_line":"        # Perform rotate operation synchronously as there aren\u0027t any slow Helm"},{"line_number":62,"context_line":"        # apply/upgrade operations to do"},{"line_number":63,"context_line":"        pecan.request.rpcapi.credential_rotate(cluster)"},{"line_number":64,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"157e987a_00f711b7","line":61,"in_reply_to":"c8fd4dd5_16949816","updated":"2025-08-27 05:14:26.000000000","message":"uppercase NOTE please e.g. \"# NOTE(mnorthcott): [content]\"","commit_id":"2a997272cf750189208ddacffff60c09b25757ba"}],"magnum/common/policies/credential.py":[{"author":{"_account_id":14394,"name":"Dale Smith","email":"dale@catalystcloud.nz","username":"dalees"},"change_message_id":"2ad5861e581eb7412aaac0ae4e24ea2559a8babd","unresolved":true,"context_lines":[{"line_number":18,"context_line":"rules \u003d ["},{"line_number":19,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":20,"context_line":"        name\u003d\u0027credential:rotate\u0027,"},{"line_number":21,"context_line":"        check_str\u003dbase.RULE_ADMIN_OR_PROJECT_MEMBER,"},{"line_number":22,"context_line":"        scope_types\u003d[\"project\"],"},{"line_number":23,"context_line":"        description\u003d\u0027Rotate the credential of a cluster.\u0027,"},{"line_number":24,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":2,"id":"cecff209_3958f8df","line":21,"updated":"2025-08-27 04:17:39.000000000","message":"What are the implications of `admin` being allowed to perform this action for a cluster in a project they aren\u0027t a member of?","commit_id":"2a997272cf750189208ddacffff60c09b25757ba"},{"author":{"_account_id":38227,"name":"Matthew Northcott","display_name":"Matthew Northcott","email":"matthewnorthcott@catalystcloud.nz","username":"northcottmt"},"change_message_id":"e14b1b9b9d9cba7f8594f8890bcdd113aff9bd94","unresolved":false,"context_lines":[{"line_number":18,"context_line":"rules \u003d ["},{"line_number":19,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":20,"context_line":"        name\u003d\u0027credential:rotate\u0027,"},{"line_number":21,"context_line":"        check_str\u003dbase.RULE_ADMIN_OR_PROJECT_MEMBER,"},{"line_number":22,"context_line":"        scope_types\u003d[\"project\"],"},{"line_number":23,"context_line":"        description\u003d\u0027Rotate the credential of a cluster.\u0027,"},{"line_number":24,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":2,"id":"41aa3fe1_dc3a694c","line":21,"in_reply_to":"945e0e8c_5d14bc09","updated":"2025-08-28 01:37:53.000000000","message":"Thanks, glad someone caught this oversight. I agree with the restriction and reasoning.","commit_id":"2a997272cf750189208ddacffff60c09b25757ba"},{"author":{"_account_id":14394,"name":"Dale Smith","email":"dale@catalystcloud.nz","username":"dalees"},"change_message_id":"c5bf6bc40097bf4936d7a663824349cab3978fe1","unresolved":true,"context_lines":[{"line_number":18,"context_line":"rules \u003d ["},{"line_number":19,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":20,"context_line":"        name\u003d\u0027credential:rotate\u0027,"},{"line_number":21,"context_line":"        check_str\u003dbase.RULE_ADMIN_OR_PROJECT_MEMBER,"},{"line_number":22,"context_line":"        scope_types\u003d[\"project\"],"},{"line_number":23,"context_line":"        description\u003d\u0027Rotate the credential of a cluster.\u0027,"},{"line_number":24,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":2,"id":"945e0e8c_5d14bc09","line":21,"in_reply_to":"cc3122b9_0e30395a","updated":"2025-08-28 00:39:02.000000000","message":"Trying with an `admin` role auth\u0027d to another project I got a 404 as the cluster was not found[1].\n\nTrying with an `admin` role on the same project is permitted, but even setting this policy to a more restricted rule such as `base.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER` the `admin` role ends up implying `member` and the policy check passes.\n\nDespite that, I think it would be acceptable if this was changed to  `base.RULE_PROJECT_MEMBER_DENY_CLUSTER_USER` and we accept that an admin user can call this endpoint if they really tried (which is the same as cluster create).\n\nThe implementation driver may restrict the roles used to create the Application Credential, thus removing the `admin` role.\n\n\n[1] Some admin actions such as `list` and `show` cross project boundaries, but many add the project limitation to the db query even with admin. Magnum should make this more consistent but this is well outside the scope of this feature.","commit_id":"2a997272cf750189208ddacffff60c09b25757ba"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"22f1a830bb925d0f08388f0f9f656d9a1e665d9a","unresolved":true,"context_lines":[{"line_number":18,"context_line":"rules \u003d ["},{"line_number":19,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":20,"context_line":"        name\u003d\u0027credential:rotate\u0027,"},{"line_number":21,"context_line":"        check_str\u003dbase.RULE_ADMIN_OR_PROJECT_MEMBER,"},{"line_number":22,"context_line":"        scope_types\u003d[\"project\"],"},{"line_number":23,"context_line":"        description\u003d\u0027Rotate the credential of a cluster.\u0027,"},{"line_number":24,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":2,"id":"cc3122b9_0e30395a","line":21,"in_reply_to":"cecff209_3958f8df","updated":"2025-08-27 04:50:04.000000000","message":"Will the credentials be admin owned? If yes - that\u0027s probably not a good idea.","commit_id":"2a997272cf750189208ddacffff60c09b25757ba"}]}