)]}'
{"releasenotes/notes/new-secure-rbac-defaults-in-wallaby-13c0583afdfcfcc7.yaml":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"5c446c5799e5852513d3c442e84c6bc33fbf71e8","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"prelude: \u003e"},{"line_number":3,"context_line":"    The default check strings of all manila API RBAC policies have been"},{"line_number":4,"context_line":"    updated to support default user personas from the OpenStack Identity"},{"line_number":5,"context_line":"    Service (Keystone). This includes support for project scoped member,"},{"line_number":6,"context_line":"    reader, administrator user roles as well as system scoped member,"},{"line_number":7,"context_line":"    reader and administrator roles. A manila \"admin\" persona is eventually"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"8cdaf661_df062f3c","line":4,"range":{"start_line":4,"start_character":23,"end_line":4,"end_character":45},"updated":"2021-03-26 12:41:58.000000000","message":"nit: default roles and system-scope from ...\n\nI like to be verbose in explaining that a persona is a role and scope combination, and that the secure RBAC work required adopting new scopes and applying roles consistently from keystone.","commit_id":"f1de32c53398c0163e5185abaf572e67f40b6ca4"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c1517e6b79b229897d72a02aa1a04ecf622834bc","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"prelude: \u003e"},{"line_number":3,"context_line":"    The default check strings of all manila API RBAC policies have been"},{"line_number":4,"context_line":"    updated to support default user personas from the OpenStack Identity"},{"line_number":5,"context_line":"    Service (Keystone). This includes support for project scoped member,"},{"line_number":6,"context_line":"    reader, administrator user roles as well as system scoped member,"},{"line_number":7,"context_line":"    reader and administrator roles. A manila \"admin\" persona is eventually"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"bb14413d_089db554","line":4,"range":{"start_line":4,"start_character":23,"end_line":4,"end_character":45},"in_reply_to":"8cdaf661_df062f3c","updated":"2021-03-26 14:16:54.000000000","message":"makes sense, Done","commit_id":"f1de32c53398c0163e5185abaf572e67f40b6ca4"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"5c446c5799e5852513d3c442e84c6bc33fbf71e8","unresolved":true,"context_lines":[{"line_number":2,"context_line":"prelude: \u003e"},{"line_number":3,"context_line":"    The default check strings of all manila API RBAC policies have been"},{"line_number":4,"context_line":"    updated to support default user personas from the OpenStack Identity"},{"line_number":5,"context_line":"    Service (Keystone). This includes support for project scoped member,"},{"line_number":6,"context_line":"    reader, administrator user roles as well as system scoped member,"},{"line_number":7,"context_line":"    reader and administrator roles. A manila \"admin\" persona is eventually"},{"line_number":8,"context_line":"    expected to transition to the system scoped \"admin\" persona and some"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"21857ba4_b94064c3","line":5,"range":{"start_line":5,"start_character":50,"end_line":5,"end_character":71},"updated":"2021-03-26 12:41:58.000000000","message":"nit:\n\nI recommend that we keep the term scope out of the persona itself since it\u0027s implied already (e.g., project member, system admin, project reader as opposed to project-scoped member, system-scoped admin, etc.)\n\nDefault roles and tokens provided by keystone are first-class constructs, but personas aren\u0027t. We\u0027re just using the term to classify a set of common use cases applied to role and scope permutations.","commit_id":"f1de32c53398c0163e5185abaf572e67f40b6ca4"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c1517e6b79b229897d72a02aa1a04ecf622834bc","unresolved":false,"context_lines":[{"line_number":2,"context_line":"prelude: \u003e"},{"line_number":3,"context_line":"    The default check strings of all manila API RBAC policies have been"},{"line_number":4,"context_line":"    updated to support default user personas from the OpenStack Identity"},{"line_number":5,"context_line":"    Service (Keystone). This includes support for project scoped member,"},{"line_number":6,"context_line":"    reader, administrator user roles as well as system scoped member,"},{"line_number":7,"context_line":"    reader and administrator roles. A manila \"admin\" persona is eventually"},{"line_number":8,"context_line":"    expected to transition to the system scoped \"admin\" persona and some"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"e99a02f8_ac1be2f4","line":5,"range":{"start_line":5,"start_character":50,"end_line":5,"end_character":71},"in_reply_to":"21857ba4_b94064c3","updated":"2021-03-26 14:16:54.000000000","message":"sounds better - Done","commit_id":"f1de32c53398c0163e5185abaf572e67f40b6ca4"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"5c446c5799e5852513d3c442e84c6bc33fbf71e8","unresolved":true,"context_lines":[{"line_number":9,"context_line":"    isolated project administrator privileges (like force-deleting a"},{"line_number":10,"context_line":"    resource, resyncing a share replica or resetting state of a resource) are"},{"line_number":11,"context_line":"    retained to an admin user operating within the scope of a project. Do"},{"line_number":12,"context_line":"    read further impact in the ``upgrade`` section of these notes."},{"line_number":13,"context_line":"upgrade:"},{"line_number":14,"context_line":"  - |"},{"line_number":15,"context_line":"    During the Wallaby release, API RBAC policies have new defaults, however,"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"228e0a6f_844d4305","line":12,"updated":"2021-03-26 12:41:58.000000000","message":"++\n\nThanks for putting this in the release note. Some might read this note (or even other notes for this work across OpenStack projects) as a lot of work and churn, but it\u0027s actually freeing up space to push more API functionality to end users safely. Calling that out in an example is excellent.","commit_id":"f1de32c53398c0163e5185abaf572e67f40b6ca4"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"5c446c5799e5852513d3c442e84c6bc33fbf71e8","unresolved":true,"context_lines":[{"line_number":16,"context_line":"    all old behavior is preserved as is, and the new defaults are not enabled."},{"line_number":17,"context_line":"    To be able to use systems scoped personas, you will need to enable the"},{"line_number":18,"context_line":"    ``enforce_scope`` configuration option in the ``[oslo_policy]`` section of"},{"line_number":19,"context_line":"    manila.conf. To enforce the new defaults, the configuration option"},{"line_number":20,"context_line":"    ``enforce_new_defaults`` must be enabled from the ``[oslo_policy]``"},{"line_number":21,"context_line":"    section of manila.conf. We do not advise enabling the new defaults in"},{"line_number":22,"context_line":"    production deployments yet. The manila developer community is actively"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"00f022ab_619af0f2","line":19,"updated":"2021-03-26 12:41:58.000000000","message":"I like to include in the upgrade section a snippet that tells operators how they can view the new defaults. This is especially important for deployments who are overriding the default policies today for a specific use case. They\u0027ll want to see if the new defaults allow them to remove the policies they\u0027ve been maintaining in their deployment.\n\nWe can add a section that says operators can use\n\n  oslopolicy-sample-generator --namespace manila\n\nto generate a sample of the new defaults and possibly compare with their current policies.\n\nAlso, we can link to keystone\u0027s default roles and persona documentation [0], keeping the common terminology in a single place.\n\nThis will serve as a primer for people who haven\u0027t heard of the system-scope concept, default roles, or what we\u0027re calling personas. It also gives them tips for finding out who is who in their deployment, which is useful for the necessary prerequisite auditing step of consuming this work.\n\n[0] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html","commit_id":"f1de32c53398c0163e5185abaf572e67f40b6ca4"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"c1517e6b79b229897d72a02aa1a04ecf622834bc","unresolved":false,"context_lines":[{"line_number":16,"context_line":"    all old behavior is preserved as is, and the new defaults are not enabled."},{"line_number":17,"context_line":"    To be able to use systems scoped personas, you will need to enable the"},{"line_number":18,"context_line":"    ``enforce_scope`` configuration option in the ``[oslo_policy]`` section of"},{"line_number":19,"context_line":"    manila.conf. To enforce the new defaults, the configuration option"},{"line_number":20,"context_line":"    ``enforce_new_defaults`` must be enabled from the ``[oslo_policy]``"},{"line_number":21,"context_line":"    section of manila.conf. We do not advise enabling the new defaults in"},{"line_number":22,"context_line":"    production deployments yet. The manila developer community is actively"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"29d41294_11a5835f","line":19,"in_reply_to":"00f022ab_619af0f2","updated":"2021-03-26 14:16:54.000000000","message":"great points, incorporated these..","commit_id":"f1de32c53398c0163e5185abaf572e67f40b6ca4"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"98e258e0292b886f275ba6ee19cda06e1705b194","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"prelude: \u003e"},{"line_number":3,"context_line":"    The default check strings of all manila API RBAC policies have been"},{"line_number":4,"context_line":"    updated to support default roles and system-scope from from the OpenStack"},{"line_number":5,"context_line":"    Identity Service (Keystone). This includes support for project member,"},{"line_number":6,"context_line":"    project reader, project administrator user roles as well as system"},{"line_number":7,"context_line":"    member, system reader and system administrator roles. A manila \"admin\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1b28ac2d_8b70e3a1","line":4,"range":{"start_line":4,"start_character":54,"end_line":4,"end_character":58},"updated":"2021-03-26 15:19:26.000000000","message":"nit: extra from","commit_id":"07b10acc74534d19e4bd24e321717ab9aa2be2d9"},{"author":{"_account_id":9003,"name":"Tom Barron","email":"tpb@dyncloud.net","username":"tbarron"},"change_message_id":"a7a1bbde858ee28a72d1eccc9173306c1b5ce12b","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"prelude: \u003e"},{"line_number":3,"context_line":"    The default check strings of all manila API RBAC policies have been"},{"line_number":4,"context_line":"    updated to support default roles and system-scope from from the OpenStack"},{"line_number":5,"context_line":"    Identity Service (Keystone). This includes support for project member,"},{"line_number":6,"context_line":"    project reader, project administrator user roles as well as system"},{"line_number":7,"context_line":"    member, system reader and system administrator roles. A manila \"admin\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"89129451_e6b03392","line":4,"range":{"start_line":4,"start_character":54,"end_line":4,"end_character":58},"in_reply_to":"130d9036_4fbe5a58","updated":"2021-03-26 15:26:46.000000000","message":"I didn\u0027t notice it, thanks.","commit_id":"07b10acc74534d19e4bd24e321717ab9aa2be2d9"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"6eb32f83cd89c6acca2ae5b9dc4229b1552184ec","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"prelude: \u003e"},{"line_number":3,"context_line":"    The default check strings of all manila API RBAC policies have been"},{"line_number":4,"context_line":"    updated to support default roles and system-scope from from the OpenStack"},{"line_number":5,"context_line":"    Identity Service (Keystone). This includes support for project member,"},{"line_number":6,"context_line":"    project reader, project administrator user roles as well as system"},{"line_number":7,"context_line":"    member, system reader and system administrator roles. A manila \"admin\""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"130d9036_4fbe5a58","line":4,"range":{"start_line":4,"start_character":54,"end_line":4,"end_character":58},"in_reply_to":"1b28ac2d_8b70e3a1","updated":"2021-03-26 15:22:47.000000000","message":"Done.\n\nThanks, this will bother me to not fix, given Zuul\u0027s really quick with turn around for release notes fixes","commit_id":"07b10acc74534d19e4bd24e321717ab9aa2be2d9"}]}
