)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"2f29ac55dd0294e7601358df181fe6d01953e4f2","unresolved":true,"context_lines":[{"line_number":4,"context_line":"Commit:     Slawek Kaplonski \u003cskaplons@redhat.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2021-12-20 16:52:08 +0100"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Update secure RBAC policies accrodingly to the new guidelines"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"According to discussions during the PTG and to the updated community"},{"line_number":10,"context_line":"goal which is in [1] we need to modify new default RBAC rules to reflect"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"7227d2c5_ee2b4ed2","line":7,"range":{"start_line":7,"start_character":28,"end_line":7,"end_character":39},"updated":"2022-01-05 18:53:24.000000000","message":"\"accordingly\"","commit_id":"a115ed25475d485c699132ed7afd3d34a56260b5"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"322eb3a8d3d3b22070e29f12f37159199017c0e0","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     Slawek Kaplonski \u003cskaplons@redhat.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2021-12-20 16:52:08 +0100"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Update secure RBAC policies accrodingly to the new guidelines"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"According to discussions during the PTG and to the updated community"},{"line_number":10,"context_line":"goal which is in [1] we need to modify new default RBAC rules to reflect"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"74deb97a_c7c50d70","line":7,"range":{"start_line":7,"start_character":28,"end_line":7,"end_character":39},"in_reply_to":"7227d2c5_ee2b4ed2","updated":"2022-01-10 15:15:44.000000000","message":"Done","commit_id":"a115ed25475d485c699132ed7afd3d34a56260b5"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"b60a34798ec52a8c597e5cd2f81ddaacd5f7702e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"fb2d901a_92c09324","updated":"2021-12-10 10:28:11.000000000","message":"-1 just for visibility","commit_id":"6fc0398970849b89856199073d0b07bc260020ad"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"2f29ac55dd0294e7601358df181fe6d01953e4f2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"2b2ef304_65bdc1fa","updated":"2022-01-05 18:53:24.000000000","message":"nit :)","commit_id":"a115ed25475d485c699132ed7afd3d34a56260b5"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"d79ceea3cc9b465541fc6a93366feddb7130d262","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"03054d54_eaa0679b","updated":"2022-01-25 13:51:20.000000000","message":"Good patch, thanks a lot for working on this","commit_id":"2d099c43960407890182863b8f2c1ae397007c00"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"9484ea172f5dd28cde1fbffd564aa6c596727654","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"07fedc23_9b5446c8","updated":"2022-01-20 07:19:25.000000000","message":"recheck - network interface not found in snat namespace issue","commit_id":"2d099c43960407890182863b8f2c1ae397007c00"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d407ceeb8fed06b75411f8fd44f7307d73481dce","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"4b4ed1fc_c95e1b4f","updated":"2022-01-25 15:10:28.000000000","message":"sorry for joining late review, I have 1 comment on removing the \u0027system_scope:all\u0027\u0027 special string from SYSTEM_* roles whihch can be done in next patch or so (or discussion) but this change lgtm.","commit_id":"2d099c43960407890182863b8f2c1ae397007c00"}],"neutron/conf/policies/qos.py":[{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"b60a34798ec52a8c597e5cd2f81ddaacd5f7702e","unresolved":true,"context_lines":[{"line_number":96,"context_line":""},{"line_number":97,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":98,"context_line":"        name\u003d\u0027get_rule_type\u0027,"},{"line_number":99,"context_line":"        check_str\u003dbase.SYSTEM_READER,"},{"line_number":100,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":101,"context_line":"        description\u003d\u0027Get available QoS rule types\u0027,"},{"line_number":102,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":2,"id":"03d67039_c223cc7c","line":99,"range":{"start_line":99,"start_character":23,"end_line":99,"end_character":36},"updated":"2021-12-10 10:28:11.000000000","message":"Why not project reader?","commit_id":"6fc0398970849b89856199073d0b07bc260020ad"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"152976e1d66ecefd36f8f15424d35b10d77ad4de","unresolved":true,"context_lines":[{"line_number":96,"context_line":""},{"line_number":97,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":98,"context_line":"        name\u003d\u0027get_rule_type\u0027,"},{"line_number":99,"context_line":"        check_str\u003dbase.SYSTEM_READER,"},{"line_number":100,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":101,"context_line":"        description\u003d\u0027Get available QoS rule types\u0027,"},{"line_number":102,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":2,"id":"03649476_8ad4f529","line":99,"range":{"start_line":99,"start_character":23,"end_line":99,"end_character":36},"in_reply_to":"03d67039_c223cc7c","updated":"2021-12-16 11:16:50.000000000","message":"I think it was agreed long time ago when that API was introduced that it should be \"ADMIN ONLY\" (then we didn\u0027t had scopes at all) because it is displaying things like backend drivers which are used in the cloud, so some infra related things.\nI think that now it is safe to show it to system users but I don\u0027t think it should be available for project users - they shouldn\u0027t need it at all.","commit_id":"6fc0398970849b89856199073d0b07bc260020ad"},{"author":{"_account_id":5948,"name":"Oleg Bondarev","email":"obondarev@mirantis.com","username":"obondarev"},"change_message_id":"8fda616660aa4f54ac667a5332e0b4a0876a1a7c","unresolved":true,"context_lines":[{"line_number":96,"context_line":""},{"line_number":97,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":98,"context_line":"        name\u003d\u0027get_rule_type\u0027,"},{"line_number":99,"context_line":"        check_str\u003dbase.SYSTEM_READER,"},{"line_number":100,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":101,"context_line":"        description\u003d\u0027Get available QoS rule types\u0027,"},{"line_number":102,"context_line":"        operations\u003d["},{"line_number":103,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":6,"id":"a7eb6f30_5a0645d6","line":100,"range":{"start_line":99,"start_character":8,"end_line":100,"end_character":31},"updated":"2022-01-12 08:13:26.000000000","message":"Should PROJECT_ADMIN be able to get this info as well? Seems a candidate for an exception (as mentioned in the commit message) - and actually I see it as an exception in the test","commit_id":"f7930f56178ff51a28e751a8304a4e32ad0818ca"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"ca12e9ad534d727fcecafed6345eeeffb111c992","unresolved":false,"context_lines":[{"line_number":96,"context_line":""},{"line_number":97,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":98,"context_line":"        name\u003d\u0027get_rule_type\u0027,"},{"line_number":99,"context_line":"        check_str\u003dbase.SYSTEM_READER,"},{"line_number":100,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":101,"context_line":"        description\u003d\u0027Get available QoS rule types\u0027,"},{"line_number":102,"context_line":"        operations\u003d["},{"line_number":103,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":6,"id":"5a6ce658_60b96280","line":100,"range":{"start_line":99,"start_character":8,"end_line":100,"end_character":31},"in_reply_to":"a7eb6f30_5a0645d6","updated":"2022-01-19 08:05:45.000000000","message":"Done","commit_id":"f7930f56178ff51a28e751a8304a4e32ad0818ca"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d407ceeb8fed06b75411f8fd44f7307d73481dce","unresolved":true,"context_lines":[{"line_number":99,"context_line":"        # NOTE: we are using role:admin instead of PROJECT_ADMIN here because"},{"line_number":100,"context_line":"        # rule_type resource don\u0027t belongs to any project so using"},{"line_number":101,"context_line":"        # PROJECT_ADMIN as check string would cause enforcement error"},{"line_number":102,"context_line":"        check_str\u003dbase.policy_or("},{"line_number":103,"context_line":"            \"role:admin\","},{"line_number":104,"context_line":"            base.SYSTEM_READER),"},{"line_number":105,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":106,"context_line":"        description\u003d\u0027Get available QoS rule types\u0027,"},{"line_number":107,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":8,"id":"f0077a2d_612185bf","line":104,"range":{"start_line":102,"start_character":0,"end_line":104,"end_character":32},"updated":"2022-01-25 15:10:28.000000000","message":"we can just make it role:admin and scope as both system and project. like doing in nova https://review.opendev.org/c/openstack/nova/+/819390/7/nova/policies/aggregates.py\n\nalso I think you should remove the \u0027system_scope:all\u0027 hardcoded string from SYSTEM_READER ?https://github.com/openstack/neutron/blob/master/neutron/conf/policies/base.py#L55\n\nThat was/is the things which made our policy with new defaults with enforce_scope\u003dFalse (default) not working on defaults vs scope.","commit_id":"2d099c43960407890182863b8f2c1ae397007c00"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"666f92b3158f7392c6fd0eb491fb21eeef857c11","unresolved":true,"context_lines":[{"line_number":99,"context_line":"        # NOTE: we are using role:admin instead of PROJECT_ADMIN here because"},{"line_number":100,"context_line":"        # rule_type resource don\u0027t belongs to any project so using"},{"line_number":101,"context_line":"        # PROJECT_ADMIN as check string would cause enforcement error"},{"line_number":102,"context_line":"        check_str\u003dbase.policy_or("},{"line_number":103,"context_line":"            \"role:admin\","},{"line_number":104,"context_line":"            base.SYSTEM_READER),"},{"line_number":105,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":106,"context_line":"        description\u003d\u0027Get available QoS rule types\u0027,"},{"line_number":107,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":8,"id":"551249b7_1e08b074","line":104,"range":{"start_line":102,"start_character":0,"end_line":104,"end_character":32},"in_reply_to":"a37a8643_e684abb7","updated":"2022-01-26 17:08:18.000000000","message":"That is the goal here to remove the current hardcoded \u0027system_scope:all\u0027 string from check_str. I am in progress for doing it for nova (changing the usage first, and then I will update the base class ). The idea here is that when we enforce scope by default and users want more time to switch to new policy/scope, they can disable the scope and their admin token (project one) can keep working. If we have \u0027system_scope:all\u0027 string in system check_str then it will not be possible (this is the problem we are solving in new direction.). In this approach, there was a disadvantage for making SYSTEM_READER that way (remove \u0027system_scope:all\u0027 from SYSTEM_READER rule), if we do that then if scope is disabled then project reader can also access those system level APIs. To solve that we agreed not to use the SYSTEM_READER or SYSTEM_MEMBER in this phase1 and do it in phase3[1]. We need to convert all the SYSTEM_READER to SYSTEM_ADMIN(with no \u0027system_scope:all\u0027 string in check_str) so that we do not allow project reader to able to access the system level API.\n\n[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-3","commit_id":"2d099c43960407890182863b8f2c1ae397007c00"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"19d373209910cef8650e129f638e175e7d505637","unresolved":true,"context_lines":[{"line_number":99,"context_line":"        # NOTE: we are using role:admin instead of PROJECT_ADMIN here because"},{"line_number":100,"context_line":"        # rule_type resource don\u0027t belongs to any project so using"},{"line_number":101,"context_line":"        # PROJECT_ADMIN as check string would cause enforcement error"},{"line_number":102,"context_line":"        check_str\u003dbase.policy_or("},{"line_number":103,"context_line":"            \"role:admin\","},{"line_number":104,"context_line":"            base.SYSTEM_READER),"},{"line_number":105,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027],"},{"line_number":106,"context_line":"        description\u003d\u0027Get available QoS rule types\u0027,"},{"line_number":107,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":8,"id":"a37a8643_e684abb7","line":104,"range":{"start_line":102,"start_character":0,"end_line":104,"end_character":32},"in_reply_to":"f0077a2d_612185bf","updated":"2022-01-26 14:13:22.000000000","message":"I\u0027m not sure I understand first part of Your comment. Why we should make it\"role:admin\" only? It should be available for admin users and SYSTEM_READER/MEMBER too.\nAlso it has already scope_types both project and system.\n\nRegarding second part of comment I can change it but it seems that it should be changed across all projects as everywhere it is defined in same way. Is that correct?","commit_id":"2d099c43960407890182863b8f2c1ae397007c00"}],"neutron/conf/policies/service_type.py":[{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"b60a34798ec52a8c597e5cd2f81ddaacd5f7702e","unresolved":true,"context_lines":[{"line_number":22,"context_line":"rules \u003d ["},{"line_number":23,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":24,"context_line":"        name\u003d\u0027get_service_provider\u0027,"},{"line_number":25,"context_line":"        check_str\u003d\u0027role:reader\u0027,"},{"line_number":26,"context_line":"        description\u003d\u0027Get service providers\u0027,"},{"line_number":27,"context_line":"        operations\u003d["},{"line_number":28,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"93e31997_08998769","line":25,"range":{"start_line":25,"start_character":24,"end_line":25,"end_character":30},"updated":"2021-12-10 10:28:11.000000000","message":"Is this correct?","commit_id":"6fc0398970849b89856199073d0b07bc260020ad"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"64e5a4b4e66f94c9ef114c089683b9e7f53b8120","unresolved":false,"context_lines":[{"line_number":22,"context_line":"rules \u003d ["},{"line_number":23,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":24,"context_line":"        name\u003d\u0027get_service_provider\u0027,"},{"line_number":25,"context_line":"        check_str\u003d\u0027role:reader\u0027,"},{"line_number":26,"context_line":"        description\u003d\u0027Get service providers\u0027,"},{"line_number":27,"context_line":"        operations\u003d["},{"line_number":28,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"493b9c32_28754833","line":25,"range":{"start_line":25,"start_character":24,"end_line":25,"end_character":30},"in_reply_to":"07a5f455_d443cca3","updated":"2021-12-20 16:43:35.000000000","message":"Ok, now I know why it\u0027s like that.\nSYSTEM_OR_PROJECT_READER check string also checks project_id of the resource and service_provider don\u0027t have it. That\u0027s why we can\u0027t use that constant here and need to use custom check string to check only role.","commit_id":"6fc0398970849b89856199073d0b07bc260020ad"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"152976e1d66ecefd36f8f15424d35b10d77ad4de","unresolved":false,"context_lines":[{"line_number":22,"context_line":"rules \u003d ["},{"line_number":23,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":24,"context_line":"        name\u003d\u0027get_service_provider\u0027,"},{"line_number":25,"context_line":"        check_str\u003d\u0027role:reader\u0027,"},{"line_number":26,"context_line":"        description\u003d\u0027Get service providers\u0027,"},{"line_number":27,"context_line":"        operations\u003d["},{"line_number":28,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"07a5f455_d443cca3","line":25,"range":{"start_line":25,"start_character":24,"end_line":25,"end_character":30},"in_reply_to":"93e31997_08998769","updated":"2021-12-16 11:16:50.000000000","message":"Changed","commit_id":"6fc0398970849b89856199073d0b07bc260020ad"},{"author":{"_account_id":5948,"name":"Oleg Bondarev","email":"obondarev@mirantis.com","username":"obondarev"},"change_message_id":"8fda616660aa4f54ac667a5332e0b4a0876a1a7c","unresolved":true,"context_lines":[{"line_number":22,"context_line":"rules \u003d ["},{"line_number":23,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":24,"context_line":"        name\u003d\u0027get_service_provider\u0027,"},{"line_number":25,"context_line":"        check_str\u003d\"role:reader\","},{"line_number":26,"context_line":"        description\u003d\u0027Get service providers\u0027,"},{"line_number":27,"context_line":"        operations\u003d["},{"line_number":28,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":6,"id":"347d64e6_0d4174b2","line":25,"range":{"start_line":25,"start_character":18,"end_line":25,"end_character":31},"updated":"2022-01-12 08:13:26.000000000","message":"why?","commit_id":"f7930f56178ff51a28e751a8304a4e32ad0818ca"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"ca12e9ad534d727fcecafed6345eeeffb111c992","unresolved":true,"context_lines":[{"line_number":22,"context_line":"rules \u003d ["},{"line_number":23,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":24,"context_line":"        name\u003d\u0027get_service_provider\u0027,"},{"line_number":25,"context_line":"        check_str\u003d\"role:reader\","},{"line_number":26,"context_line":"        description\u003d\u0027Get service providers\u0027,"},{"line_number":27,"context_line":"        operations\u003d["},{"line_number":28,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":6,"id":"f7ed3c33_e85907d6","line":25,"range":{"start_line":25,"start_character":18,"end_line":25,"end_character":31},"in_reply_to":"347d64e6_0d4174b2","updated":"2022-01-19 08:05:45.000000000","message":"IIUC the question is about \"why not PROJECT_READER or SYSTEM_READER?\", right?\nIf that\u0027s the question, the answer is, because PROJECT reader has got \"project_id:%(project_id)s\" in the check string and service_provider resource don\u0027t have project attribute. That would cause error while enforcing this policy so because of that there is only \"role:reader\" in the check string here.","commit_id":"f7930f56178ff51a28e751a8304a4e32ad0818ca"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"76666219f9b14e0eb5ce27f602c0fc72bc84bf00","unresolved":true,"context_lines":[{"line_number":22,"context_line":"rules \u003d ["},{"line_number":23,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":24,"context_line":"        name\u003d\u0027get_service_provider\u0027,"},{"line_number":25,"context_line":"        check_str\u003d\"role:reader\","},{"line_number":26,"context_line":"        description\u003d\u0027Get service providers\u0027,"},{"line_number":27,"context_line":"        operations\u003d["},{"line_number":28,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":6,"id":"2dcc43c3_a96e70e8","line":25,"range":{"start_line":25,"start_character":18,"end_line":25,"end_character":31},"in_reply_to":"61391e20_4afb619a","updated":"2022-01-19 12:02:17.000000000","message":"Haha, ok, sorry for that. It was probably by mistake as in one of the previous patches I was trying to use some constant from the base module, it failed for reasons which I described above so I changed it back by using double quotes. It\u0027s changed back now.","commit_id":"f7930f56178ff51a28e751a8304a4e32ad0818ca"},{"author":{"_account_id":5948,"name":"Oleg Bondarev","email":"obondarev@mirantis.com","username":"obondarev"},"change_message_id":"388eaae2c52eea32aed0ed2a49a36c6833a5736a","unresolved":true,"context_lines":[{"line_number":22,"context_line":"rules \u003d ["},{"line_number":23,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":24,"context_line":"        name\u003d\u0027get_service_provider\u0027,"},{"line_number":25,"context_line":"        check_str\u003d\"role:reader\","},{"line_number":26,"context_line":"        description\u003d\u0027Get service providers\u0027,"},{"line_number":27,"context_line":"        operations\u003d["},{"line_number":28,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":6,"id":"61391e20_4afb619a","line":25,"range":{"start_line":25,"start_character":18,"end_line":25,"end_character":31},"in_reply_to":"f7ed3c33_e85907d6","updated":"2022-01-19 11:32:52.000000000","message":"Actually I didn\u0027t get why singe quotes were changed to double :) - if I see it correctly that was the only change in this file in PS6","commit_id":"f7930f56178ff51a28e751a8304a4e32ad0818ca"}],"neutron/tests/unit/conf/policies/test_auto_allocated_topology.py":[{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"b60a34798ec52a8c597e5cd2f81ddaacd5f7702e","unresolved":true,"context_lines":[{"line_number":37,"context_line":"        self.context \u003d self.system_admin_ctx"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"    def test_get_topology(self):"},{"line_number":40,"context_line":"        self.assertRaises("},{"line_number":41,"context_line":"            base_policy.PolicyNotAuthorized,"},{"line_number":42,"context_line":"            policy.enforce,"},{"line_number":43,"context_line":"            self.context, GET_POLICY, self.target"}],"source_content_type":"text/x-python","patch_set":2,"id":"ba7ea994_5031c860","line":40,"range":{"start_line":40,"start_character":13,"end_line":40,"end_character":25},"updated":"2021-12-10 10:28:11.000000000","message":"Ok, is this change related to [1][2]?\n\n[1]https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html\n[2]https://paste.opendev.org/show/811598/","commit_id":"6fc0398970849b89856199073d0b07bc260020ad"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"152976e1d66ecefd36f8f15424d35b10d77ad4de","unresolved":true,"context_lines":[{"line_number":37,"context_line":"        self.context \u003d self.system_admin_ctx"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"    def test_get_topology(self):"},{"line_number":40,"context_line":"        self.assertRaises("},{"line_number":41,"context_line":"            base_policy.PolicyNotAuthorized,"},{"line_number":42,"context_line":"            policy.enforce,"},{"line_number":43,"context_line":"            self.context, GET_POLICY, self.target"}],"source_content_type":"text/x-python","patch_set":2,"id":"542fae3f_ab1961ea","line":40,"range":{"start_line":40,"start_character":13,"end_line":40,"end_character":25},"in_reply_to":"ba7ea994_5031c860","updated":"2021-12-16 11:16:50.000000000","message":"generally yes - according to that document, system scope tokens shouldn\u0027t be able to get use project related API.","commit_id":"6fc0398970849b89856199073d0b07bc260020ad"}]}