)]}'
{"neutron/conf/policies/base.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"24c93a2f5648bf91b8958142941b8b71cc774132","unresolved":true,"context_lines":[{"line_number":33,"context_line":"                                              RULE_ADVSVC)"},{"line_number":34,"context_line":"RULE_ADMIN_OR_PARENT_OWNER \u003d \u0027rule:admin_or_ext_parent_owner\u0027"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"# New roles required by the Secure Default Policies"},{"line_number":37,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":38,"context_line":"SYSTEM_MEMBER \u003d \u0027role:member and system_scope:all\u0027"},{"line_number":39,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"}],"source_content_type":"text/x-python","patch_set":1,"id":"b008e661_6c822e62","line":36,"range":{"start_line":36,"start_character":6,"end_line":36,"end_character":11},"updated":"2020-11-30 18:56:00.000000000","message":"I\u0027ve typically been referring to these as common personas, where a persona is a combination of a scope and a default role.\n\nLines 37 - 42 are personas and lines 43 - 46 are composite check strings and make it easy to reuse multiple personas for a given set of APIs or resources.\n\nI sometimes try and accompany constants like with comments that describe the ideal use-case for each persona, but that\u0027s obviously up to the maintainers of each service [0].\n\n[0] https://review.opendev.org/c/openstack/cinder/+/763195/2/cinder/policies/base.py","commit_id":"f5241c947af81e2666e8a3a83d979f2fd65ab1d1"},{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"0fe154d38da51a41450de141568f64c9a9728970","unresolved":false,"context_lines":[{"line_number":33,"context_line":"                                              RULE_ADVSVC)"},{"line_number":34,"context_line":"RULE_ADMIN_OR_PARENT_OWNER \u003d \u0027rule:admin_or_ext_parent_owner\u0027"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"# New roles required by the Secure Default Policies"},{"line_number":37,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":38,"context_line":"SYSTEM_MEMBER \u003d \u0027role:member and system_scope:all\u0027"},{"line_number":39,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"}],"source_content_type":"text/x-python","patch_set":1,"id":"bd15bad2_54385c63","line":36,"range":{"start_line":36,"start_character":6,"end_line":36,"end_character":11},"in_reply_to":"4a2ea046_309eec3f","updated":"2020-12-01 13:58:11.000000000","message":"Descriptions added in patch set 2 looks nice.","commit_id":"f5241c947af81e2666e8a3a83d979f2fd65ab1d1"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"1c92548d7ecf9f434c9af85ee7a2d276014d6f99","unresolved":true,"context_lines":[{"line_number":33,"context_line":"                                              RULE_ADVSVC)"},{"line_number":34,"context_line":"RULE_ADMIN_OR_PARENT_OWNER \u003d \u0027rule:admin_or_ext_parent_owner\u0027"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"# New roles required by the Secure Default Policies"},{"line_number":37,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":38,"context_line":"SYSTEM_MEMBER \u003d \u0027role:member and system_scope:all\u0027"},{"line_number":39,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"}],"source_content_type":"text/x-python","patch_set":1,"id":"bdec55b2_0ea2729a","line":36,"range":{"start_line":36,"start_character":6,"end_line":36,"end_character":11},"in_reply_to":"b008e661_6c822e62","updated":"2020-12-01 13:04:06.000000000","message":"Not a bad idea","commit_id":"f5241c947af81e2666e8a3a83d979f2fd65ab1d1"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"e85ee51d2514f9a2fa2abaaab284fe916f859bd3","unresolved":false,"context_lines":[{"line_number":33,"context_line":"                                              RULE_ADVSVC)"},{"line_number":34,"context_line":"RULE_ADMIN_OR_PARENT_OWNER \u003d \u0027rule:admin_or_ext_parent_owner\u0027"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"# New roles required by the Secure Default Policies"},{"line_number":37,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":38,"context_line":"SYSTEM_MEMBER \u003d \u0027role:member and system_scope:all\u0027"},{"line_number":39,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"}],"source_content_type":"text/x-python","patch_set":1,"id":"4a2ea046_309eec3f","line":36,"range":{"start_line":36,"start_character":6,"end_line":36,"end_character":11},"in_reply_to":"bdec55b2_0ea2729a","updated":"2020-12-01 13:11:15.000000000","message":"I added similar comments as in the linked cinder\u0027s patch as I think that\u0027s much more descriptive and better explaining things.","commit_id":"f5241c947af81e2666e8a3a83d979f2fd65ab1d1"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"503813064844f389accf79943d688e8dda39e274","unresolved":true,"context_lines":[{"line_number":40,"context_line":"PROJECT_ADMIN \u003d \u0027role:admin and project_id:%(project_id)s\u0027"},{"line_number":41,"context_line":"PROJECT_MEMBER \u003d \u0027role:member and project_id:%(project_id)s\u0027"},{"line_number":42,"context_line":"PROJECT_READER \u003d \u0027role:reader and project_id:%(project_id)s\u0027"},{"line_number":43,"context_line":"SYSTEM_ADMIN_OR_PROJECT_MEMBER \u003d ("},{"line_number":44,"context_line":"    \u0027(\u0027 + SYSTEM_ADMIN + \u0027) or (\u0027 + PROJECT_MEMBER + \u0027)\u0027)"},{"line_number":45,"context_line":"SYSTEM_OR_PROJECT_READER \u003d ("},{"line_number":46,"context_line":"    \u0027(\u0027 + SYSTEM_READER + \u0027) or (\u0027 + PROJECT_READER + \u0027)\u0027)"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":1,"id":"4f12b866_fd751ec6","line":46,"range":{"start_line":43,"start_character":0,"end_line":46,"end_character":58},"updated":"2020-11-30 14:11:56.000000000","message":"Why do we need those those roles?","commit_id":"f5241c947af81e2666e8a3a83d979f2fd65ab1d1"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"2cf54d4b4c89647f135f31eae2378a34683c3d47","unresolved":true,"context_lines":[{"line_number":40,"context_line":"PROJECT_ADMIN \u003d \u0027role:admin and project_id:%(project_id)s\u0027"},{"line_number":41,"context_line":"PROJECT_MEMBER \u003d \u0027role:member and project_id:%(project_id)s\u0027"},{"line_number":42,"context_line":"PROJECT_READER \u003d \u0027role:reader and project_id:%(project_id)s\u0027"},{"line_number":43,"context_line":"SYSTEM_ADMIN_OR_PROJECT_MEMBER \u003d ("},{"line_number":44,"context_line":"    \u0027(\u0027 + SYSTEM_ADMIN + \u0027) or (\u0027 + PROJECT_MEMBER + \u0027)\u0027)"},{"line_number":45,"context_line":"SYSTEM_OR_PROJECT_READER \u003d ("},{"line_number":46,"context_line":"    \u0027(\u0027 + SYSTEM_READER + \u0027) or (\u0027 + PROJECT_READER + \u0027)\u0027)"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":1,"id":"1e081d88_cdaf8969","line":46,"range":{"start_line":43,"start_character":0,"end_line":46,"end_character":58},"in_reply_to":"44ea6d15_315b5e8f","updated":"2020-11-30 14:48:08.000000000","message":"Right, the roles are admin, member and reader. Thanks for the example of where do we need that.\n\nMaybe Slawek can change L36 (roles-\u003erules).","commit_id":"f5241c947af81e2666e8a3a83d979f2fd65ab1d1"},{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"226b6754f70cafed64015c79995c32c268ef61ba","unresolved":true,"context_lines":[{"line_number":40,"context_line":"PROJECT_ADMIN \u003d \u0027role:admin and project_id:%(project_id)s\u0027"},{"line_number":41,"context_line":"PROJECT_MEMBER \u003d \u0027role:member and project_id:%(project_id)s\u0027"},{"line_number":42,"context_line":"PROJECT_READER \u003d \u0027role:reader and project_id:%(project_id)s\u0027"},{"line_number":43,"context_line":"SYSTEM_ADMIN_OR_PROJECT_MEMBER \u003d ("},{"line_number":44,"context_line":"    \u0027(\u0027 + SYSTEM_ADMIN + \u0027) or (\u0027 + PROJECT_MEMBER + \u0027)\u0027)"},{"line_number":45,"context_line":"SYSTEM_OR_PROJECT_READER \u003d ("},{"line_number":46,"context_line":"    \u0027(\u0027 + SYSTEM_READER + \u0027) or (\u0027 + PROJECT_READER + \u0027)\u0027)"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":1,"id":"44ea6d15_315b5e8f","line":46,"range":{"start_line":43,"start_character":0,"end_line":46,"end_character":58},"in_reply_to":"4f12b866_fd751ec6","updated":"2020-11-30 14:38:34.000000000","message":"These are not \"roles\". They are \"rules\" used by other rules.\n\nFor example, SYSTEM_ADMIN_OR_PROJECT_MEMBER is used to allow resource owner and system admin to update or delete a resource owned by a project, for example. I think it is reasonable to define these rules.","commit_id":"f5241c947af81e2666e8a3a83d979f2fd65ab1d1"},{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software Technology"},"change_message_id":"32b307f5cbaee44c635e9c2f11c4229bff3b599d","unresolved":true,"context_lines":[{"line_number":32,"context_line":"RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC \u003d policy_or(RULE_ADMIN_OR_NET_OWNER,"},{"line_number":33,"context_line":"                                              RULE_ADVSVC)"},{"line_number":34,"context_line":"RULE_ADMIN_OR_PARENT_OWNER \u003d \u0027rule:admin_or_ext_parent_owner\u0027"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"# Generic policy check string for system administrators. These are the people"},{"line_number":37,"context_line":"# who need the highest level of authorization to operate the deployment."},{"line_number":38,"context_line":"# They\u0027re allowed to create, read, update, or delete any system-specific"}],"source_content_type":"text/x-python","patch_set":2,"id":"150acfe9_b22274c8","line":35,"updated":"2020-12-02 13:18:07.000000000","message":"very good summary of these roles.\nI suppose these should be documented somewhere (i.e. : https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/base.py )","commit_id":"17b46e8525533ca453bb32c31e158aa6a485c4e6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"3a8fc8a52d7369b71dc5628872499183b0a2c23f","unresolved":true,"context_lines":[{"line_number":32,"context_line":"RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC \u003d policy_or(RULE_ADMIN_OR_NET_OWNER,"},{"line_number":33,"context_line":"                                              RULE_ADVSVC)"},{"line_number":34,"context_line":"RULE_ADMIN_OR_PARENT_OWNER \u003d \u0027rule:admin_or_ext_parent_owner\u0027"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"# Generic policy check string for system administrators. These are the people"},{"line_number":37,"context_line":"# who need the highest level of authorization to operate the deployment."},{"line_number":38,"context_line":"# They\u0027re allowed to create, read, update, or delete any system-specific"}],"source_content_type":"text/x-python","patch_set":2,"id":"7e7a967d_01b1313f","line":35,"in_reply_to":"150acfe9_b22274c8","updated":"2020-12-03 19:04:44.000000000","message":"We do provide a primer and descriptions in keystone\u0027s documentation.\n\nhttps://docs.openstack.org/keystone/latest/admin/service-api-protection.html","commit_id":"17b46e8525533ca453bb32c31e158aa6a485c4e6"},{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software Technology"},"change_message_id":"32b307f5cbaee44c635e9c2f11c4229bff3b599d","unresolved":true,"context_lines":[{"line_number":42,"context_line":""},{"line_number":43,"context_line":"# Generic policy check string for system users who don\u0027t require all the"},{"line_number":44,"context_line":"# authorization that system administrators typically have. This persona, or"},{"line_number":45,"context_line":"# check string, typically isn\u0027t used by default, but it\u0027s existence it useful"},{"line_number":46,"context_line":"# in the event a deployment wants to offload some administrative action from"},{"line_number":47,"context_line":"# system administrator to system members"},{"line_number":48,"context_line":"SYSTEM_MEMBER \u003d \u0027role:member and system_scope:all\u0027"}],"source_content_type":"text/x-python","patch_set":2,"id":"82f58e5c_90196dc3","line":45,"range":{"start_line":45,"start_character":68,"end_line":45,"end_character":70},"updated":"2020-12-02 13:18:07.000000000","message":"nit: is","commit_id":"17b46e8525533ca453bb32c31e158aa6a485c4e6"}]}
