)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"416b91bd19c49b033d1427290e4cd22f437e46c9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"40e4c7bd_9a9e5658","updated":"2022-03-25 09:49:58.000000000","message":"recheck","commit_id":"7d6f1e142a1989e830d1dee4246c0188ed501c91"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"9897780cde0b9be138e0034ba418182181599c10","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"87505c66_27166f2c","updated":"2022-03-22 14:55:37.000000000","message":"recheck - grenade error, not related to the patch","commit_id":"7d6f1e142a1989e830d1dee4246c0188ed501c91"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"b2aca8ff82c4fdd64e4e288691198f96293a5b34","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"7e4c4781_4ec314b9","updated":"2022-03-25 09:27:47.000000000","message":"recheck - network interface not found in namespace error in functional tests","commit_id":"7d6f1e142a1989e830d1dee4246c0188ed501c91"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"384a63942a43517e560fae3cb06fccd3af652478","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"61642dc9_c13cfc2d","updated":"2022-03-24 22:02:39.000000000","message":"recheck - unrelated functional job failure (test inprogress)","commit_id":"7d6f1e142a1989e830d1dee4246c0188ed501c91"},{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software 
Technology"},"change_message_id":"ec3e8d8f3f129da29e673ac1c2d7e18d9a06e0cc","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"6d5c7533_6132e71c","updated":"2022-04-11 11:42:13.000000000","message":"Looks ok","commit_id":"51d1899bacb1e5d625f201380035db634da2e27c"},{"author":{"_account_id":13861,"name":"yatin","email":"ykarel@redhat.com","username":"yatinkarel"},"change_message_id":"77ae2cd27be701533cff09e6da0f56fe149fa91a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"d067fc1c_29a06769","updated":"2022-04-18 05:00:34.000000000","message":"recheck","commit_id":"51d1899bacb1e5d625f201380035db634da2e27c"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"7a9b73cdd83e63d50ddc66dac2714982290f8f01","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"d68cf647_d08bd358","updated":"2022-04-04 13:44:18.000000000","message":"recheck - failure switching router to \"primary\"","commit_id":"51d1899bacb1e5d625f201380035db634da2e27c"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"3c1ccad373a71cf46dc6a226dd3eba84cdcd92af","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"fc8f7d42_771a8aee","updated":"2022-04-13 05:58:31.000000000","message":"recheck - router not transitioned to \"primary\"","commit_id":"51d1899bacb1e5d625f201380035db634da2e27c"},{"author":{"_account_id":13861,"name":"yatin","email":"ykarel@redhat.com","username":"yatinkarel"},"change_message_id":"7e5423d7138191bd37f0338c776d95a34276c117","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"e958a994_273faf14","updated":"2022-04-19 03:32:23.000000000","message":"recheck bind(): Address already in use 
g-api","commit_id":"51d1899bacb1e5d625f201380035db634da2e27c"}],"neutron/pecan_wsgi/hooks/policy_enforcement.py":[{"author":{"_account_id":5948,"name":"Oleg Bondarev","email":"obondarev@mirantis.com","username":"obondarev"},"change_message_id":"b6ebf32e3e21a5a071ab56dc0cc4d7948058c35c","unresolved":true,"context_lines":[{"line_number":41,"context_line":""},{"line_number":42,"context_line":"def _project_have_access_to_item(context, action, item, collection):"},{"line_number":43,"context_line":"    try:"},{"line_number":44,"context_line":"        return not policy.check("},{"line_number":45,"context_line":"            context, action, item, pluralized\u003dcollection)"},{"line_number":46,"context_line":"    except oslo_policy.InvalidScope:"},{"line_number":47,"context_line":"        LOG.debug(\"Invalid scope for action: %s, item: %s\", action, item)"}],"source_content_type":"text/x-python","patch_set":1,"id":"d579e5e8_43534fb7","line":44,"range":{"start_line":44,"start_character":15,"end_line":44,"end_character":18},"updated":"2022-02-01 07:29:01.000000000","message":"doesn\u0027t \"not\" here mean the project has _no_ access to the item?\nOne more thought: maybe we should add this handling to policy.check()?","commit_id":"1a6e5c342b9aba78ed66ef638535da1091aed479"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"232b25598814afc2c29562b9de217eef937f6f63","unresolved":false,"context_lines":[{"line_number":41,"context_line":""},{"line_number":42,"context_line":"def _project_have_access_to_item(context, action, item, collection):"},{"line_number":43,"context_line":"    try:"},{"line_number":44,"context_line":"        return not policy.check("},{"line_number":45,"context_line":"            context, action, item, pluralized\u003dcollection)"},{"line_number":46,"context_line":"    except oslo_policy.InvalidScope:"},{"line_number":47,"context_line":"        LOG.debug(\"Invalid scope for action: %s, 
item: %s\", action, item)"}],"source_content_type":"text/x-python","patch_set":1,"id":"9ca92fca_1f7658ec","line":44,"range":{"start_line":44,"start_character":15,"end_line":44,"end_character":18},"in_reply_to":"d579e5e8_43534fb7","updated":"2022-03-17 19:17:54.000000000","message":"this is now done differently and should be better.","commit_id":"1a6e5c342b9aba78ed66ef638535da1091aed479"},{"author":{"_account_id":5948,"name":"Oleg Bondarev","email":"obondarev@mirantis.com","username":"obondarev"},"change_message_id":"b6ebf32e3e21a5a071ab56dc0cc4d7948058c35c","unresolved":true,"context_lines":[{"line_number":150,"context_line":"                    # to avoid giving away information."},{"line_number":151,"context_line":"                    controller \u003d utils.get_controller(state)"},{"line_number":152,"context_line":"                    s_action \u003d controller.plugin_handlers[controller.SHOW]"},{"line_number":153,"context_line":"                    if _project_have_access_to_item("},{"line_number":154,"context_line":"                            neutron_context, s_action, item, collection):"},{"line_number":155,"context_line":"                        ctxt.reraise \u003d False"},{"line_number":156,"context_line":"                msg \u003d _(\u0027The resource could not be found.\u0027)"}],"source_content_type":"text/x-python","patch_set":1,"id":"f817cef3_2bb5c148","line":153,"range":{"start_line":153,"start_character":20,"end_line":153,"end_character":52},"updated":"2022-02-01 07:29:01.000000000","message":"logically here should be: if project has _no_ access to the item - don\u0027t reraise, but raise 404 at #157","commit_id":"1a6e5c342b9aba78ed66ef638535da1091aed479"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"232b25598814afc2c29562b9de217eef937f6f63","unresolved":false,"context_lines":[{"line_number":150,"context_line":"                    # to avoid giving away 
information."},{"line_number":151,"context_line":"                    controller \u003d utils.get_controller(state)"},{"line_number":152,"context_line":"                    s_action \u003d controller.plugin_handlers[controller.SHOW]"},{"line_number":153,"context_line":"                    if _project_have_access_to_item("},{"line_number":154,"context_line":"                            neutron_context, s_action, item, collection):"},{"line_number":155,"context_line":"                        ctxt.reraise \u003d False"},{"line_number":156,"context_line":"                msg \u003d _(\u0027The resource could not be found.\u0027)"}],"source_content_type":"text/x-python","patch_set":1,"id":"41cc3f46_8d1fff23","line":153,"range":{"start_line":153,"start_character":20,"end_line":153,"end_character":52},"in_reply_to":"a70b68d7_84624da1","updated":"2022-03-17 19:17:54.000000000","message":"ditto","commit_id":"1a6e5c342b9aba78ed66ef638535da1091aed479"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"f699241335470702180387f67a292ad4ce473577","unresolved":true,"context_lines":[{"line_number":150,"context_line":"                    # to avoid giving away information."},{"line_number":151,"context_line":"                    controller \u003d utils.get_controller(state)"},{"line_number":152,"context_line":"                    s_action \u003d controller.plugin_handlers[controller.SHOW]"},{"line_number":153,"context_line":"                    if _project_have_access_to_item("},{"line_number":154,"context_line":"                            neutron_context, s_action, item, collection):"},{"line_number":155,"context_line":"                        ctxt.reraise \u003d False"},{"line_number":156,"context_line":"                msg \u003d _(\u0027The resource could not be 
found.\u0027)"}],"source_content_type":"text/x-python","patch_set":1,"id":"a70b68d7_84624da1","line":153,"range":{"start_line":153,"start_character":20,"end_line":153,"end_character":52},"in_reply_to":"f817cef3_2bb5c148","updated":"2022-02-01 12:57:54.000000000","message":"I think I see the logic here: if the policy check L44 returns False, that means the scope is valid but we don\u0027t have permissions. If L44 raises InvalidScope, then we should continue with the exception.\n\nBut I have another question here: policy.enforce can return InvalidScope, which is not caught by L146. I must be missing something here...","commit_id":"1a6e5c342b9aba78ed66ef638535da1091aed479"},{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software Technology"},"change_message_id":"9b802ca752cc8a18301e14bacb6e5d63b9fc3d19","unresolved":true,"context_lines":[{"line_number":208,"context_line":"            # This exception must be explicitly caught as the exception"},{"line_number":209,"context_line":"            # translation hook won\u0027t be called if an error occurs in the"},{"line_number":210,"context_line":"            # \u0027after\u0027 handler."},{"line_number":211,"context_line":"            # If this is \"list\" request, lets return strictly message that it"},{"line_number":212,"context_line":"            # is forbidden in that scope, otherwise lets do it like for"},{"line_number":213,"context_line":"            # PolicyNotAuthorized exception so, instead of raising an"},{"line_number":214,"context_line":"            # HTTPNotFound exception, we have to set the status_code here to"}],"source_content_type":"text/x-python","patch_set":1,"id":"4964cc19_b052e6ef","line":211,"range":{"start_line":211,"start_character":53,"end_line":211,"end_character":61},"updated":"2022-01-31 13:01:43.000000000","message":"nit: 
strict","commit_id":"1a6e5c342b9aba78ed66ef638535da1091aed479"},{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software Technology"},"change_message_id":"9b802ca752cc8a18301e14bacb6e5d63b9fc3d19","unresolved":true,"context_lines":[{"line_number":216,"context_line":"            if is_single:"},{"line_number":217,"context_line":"                state.response.status_code \u003d 404"},{"line_number":218,"context_line":"            else:"},{"line_number":219,"context_line":"                state.response.status_code \u003d 403"},{"line_number":220,"context_line":"            return"},{"line_number":221,"context_line":""},{"line_number":222,"context_line":"        if is_single:"}],"source_content_type":"text/x-python","patch_set":1,"id":"29c19688_37b672a5","line":219,"range":{"start_line":219,"start_character":45,"end_line":219,"end_character":48},"updated":"2022-01-31 13:01:43.000000000","message":"Is it a common Openstack API response, I mean to translate InvalidScope to http 403 in case of raised during listing?","commit_id":"1a6e5c342b9aba78ed66ef638535da1091aed479"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"bf78fc0f23c42547f60b77838d0feb1ce0907d1b","unresolved":true,"context_lines":[{"line_number":216,"context_line":"            if is_single:"},{"line_number":217,"context_line":"                state.response.status_code \u003d 404"},{"line_number":218,"context_line":"            else:"},{"line_number":219,"context_line":"                state.response.status_code \u003d 403"},{"line_number":220,"context_line":"            return"},{"line_number":221,"context_line":""},{"line_number":222,"context_line":"        if 
is_single:"}],"source_content_type":"text/x-python","patch_set":1,"id":"250a7b93_4878d684","line":219,"range":{"start_line":219,"start_character":45,"end_line":219,"end_character":48},"in_reply_to":"29c19688_37b672a5","updated":"2022-04-05 15:11:48.000000000","message":"I\u0027m not sure if it\u0027s common OpenStack API thing. Let\u0027s ask gmann what he thinks about it 😊","commit_id":"1a6e5c342b9aba78ed66ef638535da1091aed479"}],"neutron/policy.py":[{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"e9d3392c0f77f19691eb07afade603df49ef5a1d","unresolved":true,"context_lines":[{"line_number":525,"context_line":"    rule, target, context \u003d _prepare_check(context, action, target, pluralized)"},{"line_number":526,"context_line":"    try:"},{"line_number":527,"context_line":"        result \u003d _ENFORCER.enforce(rule, target, context, action\u003daction,"},{"line_number":528,"context_line":"                                   do_raise\u003dTrue)"},{"line_number":529,"context_line":"    except (policy.PolicyNotAuthorized, policy.InvalidScope):"},{"line_number":530,"context_line":"        with excutils.save_and_reraise_exception():"},{"line_number":531,"context_line":"            log_rule_list(rule)"}],"source_content_type":"text/x-python","patch_set":3,"id":"a236c861_073410f2","line":528,"range":{"start_line":528,"start_character":35,"end_line":528,"end_character":43},"updated":"2022-03-25 09:39:02.000000000","message":"According to the description and [1], this problem is only present when do_raise\u003dFalse. 
Why do we need this here?\n\n[1]https://bugs.launchpad.net/oslo.policy/+bug/1965315","commit_id":"7d6f1e142a1989e830d1dee4246c0188ed501c91"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"baa0a5c1af369c3a7b6f8c02abac269aae59681f","unresolved":true,"context_lines":[{"line_number":525,"context_line":"    rule, target, context \u003d _prepare_check(context, action, target, pluralized)"},{"line_number":526,"context_line":"    try:"},{"line_number":527,"context_line":"        result \u003d _ENFORCER.enforce(rule, target, context, action\u003daction,"},{"line_number":528,"context_line":"                                   do_raise\u003dTrue)"},{"line_number":529,"context_line":"    except (policy.PolicyNotAuthorized, policy.InvalidScope):"},{"line_number":530,"context_line":"        with excutils.save_and_reraise_exception():"},{"line_number":531,"context_line":"            log_rule_list(rule)"}],"source_content_type":"text/x-python","patch_set":3,"id":"c6235a50_f6dddb24","line":528,"range":{"start_line":528,"start_character":35,"end_line":528,"end_character":43},"in_reply_to":"a236c861_073410f2","updated":"2022-03-25 09:45:00.000000000","message":"this is \"enforce\" function which we want to check policy and raise an exception if that\u0027s the case. Such exception is then logged and returned to the user in API response.\nAbove, in the \"check\" method which just want to check if user have or don\u0027t have access to something. And based on that result return some API response.\nBoth methods are used e.g. 
in https://github.com/openstack/neutron/blob/1473adca5d9fb5832c29694a3a93c5b5e9262b0b/neutron/api/v2/base.py#L584 so it may give You better idea how it works and what\u0027s the difference between them","commit_id":"7d6f1e142a1989e830d1dee4246c0188ed501c91"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"416b91bd19c49b033d1427290e4cd22f437e46c9","unresolved":true,"context_lines":[{"line_number":525,"context_line":"    rule, target, context \u003d _prepare_check(context, action, target, pluralized)"},{"line_number":526,"context_line":"    try:"},{"line_number":527,"context_line":"        result \u003d _ENFORCER.enforce(rule, target, context, action\u003daction,"},{"line_number":528,"context_line":"                                   do_raise\u003dTrue)"},{"line_number":529,"context_line":"    except (policy.PolicyNotAuthorized, policy.InvalidScope):"},{"line_number":530,"context_line":"        with excutils.save_and_reraise_exception():"},{"line_number":531,"context_line":"            log_rule_list(rule)"}],"source_content_type":"text/x-python","patch_set":3,"id":"7303496a_c8111448","line":528,"range":{"start_line":528,"start_character":35,"end_line":528,"end_character":43},"in_reply_to":"c6235a50_f6dddb24","updated":"2022-03-25 09:49:58.000000000","message":"Gotcha. This is related to LP#1959333, not the oslo.policy bug. 
Sorry for mixing both errors.","commit_id":"7d6f1e142a1989e830d1dee4246c0188ed501c91"},{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"755c4b1fa5c846ffa4aa74bdf382295546b208e6","unresolved":true,"context_lines":[{"line_number":527,"context_line":"        result \u003d _ENFORCER.enforce(rule, target, context, action\u003daction,"},{"line_number":528,"context_line":"                                   do_raise\u003dTrue)"},{"line_number":529,"context_line":"    except (policy.PolicyNotAuthorized, policy.InvalidScope):"},{"line_number":530,"context_line":"        with excutils.save_and_reraise_exception():"},{"line_number":531,"context_line":"            log_rule_list(rule)"},{"line_number":532,"context_line":"            LOG.debug(\"Failed policy enforce for \u0027%s\u0027\", action)"},{"line_number":533,"context_line":"    return result"}],"source_content_type":"text/x-python","patch_set":3,"id":"ba24c8b6_59e66d7a","line":530,"range":{"start_line":530,"start_character":13,"end_line":530,"end_character":48},"updated":"2022-03-25 09:59:02.000000000","message":"This means that InvalidScope exception is raised to the API layer, but the API layer handles only PolicyNotAuthorized (for example, [1] and [2]).\nI think we need to handle InvalidScope. (or we can raise PolicyNotAuthorized even when InvalidScope is caught here. 
I am not sure which is better right now though.)\n\n[1] https://github.com/openstack/neutron/blob/1473adca5d9fb5832c29694a3a93c5b5e9262b0b/neutron/api/v2/base.py#L588\n[2] https://github.com/openstack/neutron/blob/1473adca5d9fb5832c29694a3a93c5b5e9262b0b/neutron/pecan_wsgi/hooks/policy_enforcement.py#L137","commit_id":"7d6f1e142a1989e830d1dee4246c0188ed501c91"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"cea21c8761ecf97ee8f56cd3b2aa40b631da1bcc","unresolved":false,"context_lines":[{"line_number":527,"context_line":"        result \u003d _ENFORCER.enforce(rule, target, context, action\u003daction,"},{"line_number":528,"context_line":"                                   do_raise\u003dTrue)"},{"line_number":529,"context_line":"    except (policy.PolicyNotAuthorized, policy.InvalidScope):"},{"line_number":530,"context_line":"        with excutils.save_and_reraise_exception():"},{"line_number":531,"context_line":"            log_rule_list(rule)"},{"line_number":532,"context_line":"            LOG.debug(\"Failed policy enforce for \u0027%s\u0027\", action)"},{"line_number":533,"context_line":"    return result"}],"source_content_type":"text/x-python","patch_set":3,"id":"460945fa_978bcb79","line":530,"range":{"start_line":530,"start_character":13,"end_line":530,"end_character":48},"in_reply_to":"73fc5ef2_6ac23f9d","updated":"2022-03-25 13:53:41.000000000","message":"You\u0027re right. 
I just updated this patch and proposed https://review.opendev.org/c/openstack/neutron-lib/+/835234","commit_id":"7d6f1e142a1989e830d1dee4246c0188ed501c91"},{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"a89ea3ee2140500696bd595364edfecca3e0bb1b","unresolved":true,"context_lines":[{"line_number":527,"context_line":"        result \u003d _ENFORCER.enforce(rule, target, context, action\u003daction,"},{"line_number":528,"context_line":"                                   do_raise\u003dTrue)"},{"line_number":529,"context_line":"    except (policy.PolicyNotAuthorized, policy.InvalidScope):"},{"line_number":530,"context_line":"        with excutils.save_and_reraise_exception():"},{"line_number":531,"context_line":"            log_rule_list(rule)"},{"line_number":532,"context_line":"            LOG.debug(\"Failed policy enforce for \u0027%s\u0027\", action)"},{"line_number":533,"context_line":"    return result"}],"source_content_type":"text/x-python","patch_set":3,"id":"73fc5ef2_6ac23f9d","line":530,"range":{"start_line":530,"start_character":13,"end_line":530,"end_character":48},"in_reply_to":"ba24c8b6_59e66d7a","updated":"2022-03-25 10:14:32.000000000","message":"In addition, PolicyNotAuthorized is sometimes not caught explicitly in the API layer (neutron/api/v2 and pecan_wsgi). For such cases, PolicyNotAuthorized is converted into a general HTTP exception by neutron.api.api_common.convert_exception_to_http_exc(). PolicyNotAuthorized is registered in [1]. If we raise InvalidScope from enforce(), perhaps we need to add an entry to [1].\n\n[1] https://github.com/openstack/neutron-lib/blob/74d3765407de58fcf871f7de48aaed544feedabf/neutron_lib/api/faults.py#L27","commit_id":"7d6f1e142a1989e830d1dee4246c0188ed501c91"}]}
