)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":32586,"name":"Elvira García Ruiz","display_name":"Elvira","email":"egarciar@redhat.com","username":"elvira"},"change_message_id":"69edda04ac376f8ef77701c0daad389c2844d54d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"98645902_d02d55ef","updated":"2022-11-22 09:05:17.000000000","message":"I added some ideas. Thanks for the patch!","commit_id":"67135be082b45120bd729dee7a0ede7ad32fe648"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"d2ee48bcf5c99c83c94945a6ed42d4b9eaa6a0e9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"4d288b88_37163111","updated":"2022-11-22 09:29:29.000000000","message":"Looks OK, just one simple nit","commit_id":"67135be082b45120bd729dee7a0ede7ad32fe648"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c341afe349ee8daed52af66b555fff31d1b43ada","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"5e8fdf7c_9915357f","updated":"2022-11-22 04:25:27.000000000","message":"Thanks, tempest test are passing on https://review.opendev.org/c/openstack/tempest/+/614484\n\n","commit_id":"67135be082b45120bd729dee7a0ede7ad32fe648"},{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software Technology"},"change_message_id":"60e38002322cc59b7f418ad95fc9fd5f0b829f37","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"1c44d6dc_b42864f4","updated":"2022-11-23 08:06:30.000000000","message":"recheck\nwith https://review.opendev.org/c/openstack/neutron/+/865295 the trunk migration test is skipped temporary","commit_id":"67135be082b45120bd729dee7a0ede7ad32fe648"},{"author":{"_account_id":32586,"name":"Elvira García Ruiz","display_name":"Elvira","email":"egarciar@redhat.com","username":"elvira"},"change_message_id":"11064a2fe21357af565fc0c58f72453cdc9c24cd","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"0de3f377_8af89413","updated":"2022-11-22 09:12:12.000000000","message":"recheck failed unrelated tempest test: test_live_migration_with_trunk. I think this is the Launchpad related https://bugs.launchpad.net/neutron/+bug/1940425","commit_id":"67135be082b45120bd729dee7a0ede7ad32fe648"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"04368f04e0bc1ad547156c8ce624f3b4a6d09b0e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"b3beba8a_1d58f679","updated":"2022-11-22 04:25:52.000000000","message":"recheck live migration unrelated failure","commit_id":"67135be082b45120bd729dee7a0ede7ad32fe648"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"d2ee48bcf5c99c83c94945a6ed42d4b9eaa6a0e9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"6289c8fe_1a5958b6","in_reply_to":"b3beba8a_1d58f679","updated":"2022-11-22 09:29:29.000000000","message":"This is being addressed now. Please do not recheck because of this issue.","commit_id":"67135be082b45120bd729dee7a0ede7ad32fe648"},{"author":{"_account_id":13861,"name":"yatin","email":"ykarel@redhat.com","username":"yatinkarel"},"change_message_id":"88f2ef97039f0b04cc9559e7a6a9431f29e06804","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"29417527_fc77bcb4","updated":"2022-11-24 08:54:44.000000000","message":"just 1 cleanup inline","commit_id":"e6f88698624dc9354d3ca89658918bf2f98b84bb"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"8f7256f46f69bd908892c7bfbc9a844de744e32e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"5911877e_361f2fb7","updated":"2022-11-23 16:55:41.000000000","message":"lgtm,\nit seems trunk live migration tests are failing in neutron-ovs-tempest-dvr-ha-multinode-full job too, should we skip those in that job too?","commit_id":"e6f88698624dc9354d3ca89658918bf2f98b84bb"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"0ff7189409e72c5ff9414ea21f493e0c9204456d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"34e67b52_8dc0965b","updated":"2022-11-24 08:14:24.000000000","message":"recheck - coredumpctl: command not found during node provisioning","commit_id":"e6f88698624dc9354d3ca89658918bf2f98b84bb"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a49c705e99d8cb5e4f31bb1fd1c5ece4525881e4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"d1b0ecdd_3725c40f","updated":"2022-11-23 20:04:29.000000000","message":"recheck trunk live migration tests are skipped in dvr job also","commit_id":"e6f88698624dc9354d3ca89658918bf2f98b84bb"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3dcd67051ac23b8639d0da0fed64ae82981447cd","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"8f87640d_5dfd6fdd","in_reply_to":"5911877e_361f2fb7","updated":"2022-11-23 17:00:29.000000000","message":"slawek already have patch up https://review.opendev.org/c/openstack/neutron/+/865424","commit_id":"e6f88698624dc9354d3ca89658918bf2f98b84bb"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dad72abaed6f0d85a5bc90ede9b524c0762f3f1b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"7312e0cd_847a3587","updated":"2023-02-16 21:56:23.000000000","message":"@Slawek, we need to backport this to applicable stable branches ","commit_id":"6d8ada0ac93beed05b45adb9582c3ef23bef49d2"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"62110365326cefc5eae97a1f7008d9a75983aea4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"484a12bb_0ed66a36","updated":"2022-11-24 16:08:40.000000000","message":"recheck - unrelated fullstack DSCP test failure","commit_id":"6d8ada0ac93beed05b45adb9582c3ef23bef49d2"}],"neutron/conf/policies/address_group.py":[{"author":{"_account_id":32586,"name":"Elvira García Ruiz","display_name":"Elvira","email":"egarciar@redhat.com","username":"elvira"},"change_message_id":"69edda04ac376f8ef77701c0daad389c2844d54d","unresolved":true,"context_lines":[{"line_number":32,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":33,"context_line":"        name\u003d\u0027get_address_group\u0027,"},{"line_number":34,"context_line":"        check_str\u003dbase.policy_or("},{"line_number":35,"context_line":"            base.ADMIN,"},{"line_number":36,"context_line":"            base.PROJECT_READER,"},{"line_number":37,"context_line":"            \u0027rule:shared_address_groups\u0027),"},{"line_number":38,"context_line":"        description\u003d\u0027Get an address group\u0027,"},{"line_number":39,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":2,"id":"044807b8_d71af143","line":36,"range":{"start_line":35,"start_character":0,"end_line":36,"end_character":32},"updated":"2022-11-22 09:05:17.000000000","message":"Not very needed, but we could still use base.ADMIN_OR_PROJECT_READER here, right?","commit_id":"67135be082b45120bd729dee7a0ede7ad32fe648"},{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software Technology"},"change_message_id":"7b700d41b97721d5e0094e13d55f4a1ac1e809af","unresolved":true,"context_lines":[{"line_number":32,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":33,"context_line":"        name\u003d\u0027get_address_group\u0027,"},{"line_number":34,"context_line":"        check_str\u003dbase.policy_or("},{"line_number":35,"context_line":"            base.ADMIN,"},{"line_number":36,"context_line":"            base.PROJECT_READER,"},{"line_number":37,"context_line":"            \u0027rule:shared_address_groups\u0027),"},{"line_number":38,"context_line":"        description\u003d\u0027Get an address group\u0027,"},{"line_number":39,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":2,"id":"6b83f6da_cd7d0302","line":36,"range":{"start_line":35,"start_character":0,"end_line":36,"end_character":32},"in_reply_to":"044807b8_d71af143","updated":"2022-11-22 09:16:32.000000000","message":"yeah as I see ADMIN_OR_PROJECT_MEMBER should be used here alse","commit_id":"67135be082b45120bd729dee7a0ede7ad32fe648"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"62d6907a6c44fb3907bec75c94f722890e53f3a1","unresolved":false,"context_lines":[{"line_number":32,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":33,"context_line":"        name\u003d\u0027get_address_group\u0027,"},{"line_number":34,"context_line":"        check_str\u003dbase.policy_or("},{"line_number":35,"context_line":"            base.ADMIN,"},{"line_number":36,"context_line":"            base.PROJECT_READER,"},{"line_number":37,"context_line":"            \u0027rule:shared_address_groups\u0027),"},{"line_number":38,"context_line":"        description\u003d\u0027Get an address group\u0027,"},{"line_number":39,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":2,"id":"d66ebde4_46a55cae","line":36,"range":{"start_line":35,"start_character":0,"end_line":36,"end_character":32},"in_reply_to":"2608fc13_9fc1f5aa","updated":"2022-11-23 08:24:53.000000000","message":"Done","commit_id":"67135be082b45120bd729dee7a0ede7ad32fe648"},{"author":{"_account_id":16688,"name":"Rodolfo Alonso","email":"ralonsoh@redhat.com","username":"rodolfo-alonso-hernandez"},"change_message_id":"d2ee48bcf5c99c83c94945a6ed42d4b9eaa6a0e9","unresolved":true,"context_lines":[{"line_number":32,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":33,"context_line":"        name\u003d\u0027get_address_group\u0027,"},{"line_number":34,"context_line":"        check_str\u003dbase.policy_or("},{"line_number":35,"context_line":"            base.ADMIN,"},{"line_number":36,"context_line":"            base.PROJECT_READER,"},{"line_number":37,"context_line":"            \u0027rule:shared_address_groups\u0027),"},{"line_number":38,"context_line":"        description\u003d\u0027Get an address group\u0027,"},{"line_number":39,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":2,"id":"2608fc13_9fc1f5aa","line":36,"range":{"start_line":35,"start_character":0,"end_line":36,"end_character":32},"in_reply_to":"6b83f6da_cd7d0302","updated":"2022-11-22 09:29:29.000000000","message":"+1","commit_id":"67135be082b45120bd729dee7a0ede7ad32fe648"},{"author":{"_account_id":32586,"name":"Elvira García Ruiz","display_name":"Elvira","email":"egarciar@redhat.com","username":"elvira"},"change_message_id":"69edda04ac376f8ef77701c0daad389c2844d54d","unresolved":true,"context_lines":[{"line_number":34,"context_line":"        check_str\u003dbase.policy_or("},{"line_number":35,"context_line":"            base.ADMIN,"},{"line_number":36,"context_line":"            base.PROJECT_READER,"},{"line_number":37,"context_line":"            \u0027rule:shared_address_groups\u0027),"},{"line_number":38,"context_line":"        description\u003d\u0027Get an address group\u0027,"},{"line_number":39,"context_line":"        operations\u003d["},{"line_number":40,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"5a6d8cf0_6ff16d14","line":37,"range":{"start_line":37,"start_character":0,"end_line":37,"end_character":7},"updated":"2022-11-22 09:05:17.000000000","message":"This might be a good commit to change this rule to a constant in base.py for consistency (although I\u0027m conscious it\u0027s not directly affected by the patch).","commit_id":"67135be082b45120bd729dee7a0ede7ad32fe648"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"62d6907a6c44fb3907bec75c94f722890e53f3a1","unresolved":false,"context_lines":[{"line_number":34,"context_line":"        check_str\u003dbase.policy_or("},{"line_number":35,"context_line":"            base.ADMIN,"},{"line_number":36,"context_line":"            base.PROJECT_READER,"},{"line_number":37,"context_line":"            \u0027rule:shared_address_groups\u0027),"},{"line_number":38,"context_line":"        description\u003d\u0027Get an address group\u0027,"},{"line_number":39,"context_line":"        operations\u003d["},{"line_number":40,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"aaac8777_ac5c5164","line":37,"range":{"start_line":37,"start_character":0,"end_line":37,"end_character":7},"in_reply_to":"5a6d8cf0_6ff16d14","updated":"2022-11-23 08:24:53.000000000","message":"I\u0027m not sure we need to do that. Please look at other files also, rules which are only used for one resource are created in the related file.","commit_id":"67135be082b45120bd729dee7a0ede7ad32fe648"}],"neutron/conf/policies/base.py":[{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software Technology"},"change_message_id":"a985dd4c78dfa1bae742ec88a2fd295f29dc47b6","unresolved":true,"context_lines":[{"line_number":49,"context_line":"PROJECT_READER \u003d \u0027role:reader and project_id:%(project_id)s\u0027"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"# The following are common composite check strings that are useful for"},{"line_number":52,"context_line":"# protecting APIs designed to operate with multiple scopes (e.g.,"},{"line_number":53,"context_line":"# an administrator should be able to delete any router in the deployment, a"},{"line_number":54,"context_line":"# project member should only be able to delete routers in their project)."},{"line_number":55,"context_line":"ADMIN_OR_PROJECT_MEMBER \u003d ("},{"line_number":56,"context_line":"    \u0027(\u0027 + ADMIN + \u0027) or (\u0027 + PROJECT_MEMBER + \u0027)\u0027)"}],"source_content_type":"text/x-python","patch_set":4,"id":"ecfe00c8_6b0e721a","line":53,"range":{"start_line":52,"start_character":0,"end_line":53,"end_character":75},"updated":"2022-11-24 10:02:10.000000000","message":"+1, thanks for updating the doc also","commit_id":"6d8ada0ac93beed05b45adb9582c3ef23bef49d2"}],"neutron/conf/policies/floatingip_port_forwarding.py":[{"author":{"_account_id":32586,"name":"Elvira García Ruiz","display_name":"Elvira","email":"egarciar@redhat.com","username":"elvira"},"change_message_id":"69edda04ac376f8ef77701c0daad389c2844d54d","unresolved":true,"context_lines":[{"line_number":30,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":31,"context_line":"        name\u003d\u0027create_floatingip_port_forwarding\u0027,"},{"line_number":32,"context_line":"        check_str\u003dbase.policy_or("},{"line_number":33,"context_line":"            base.ADMIN,"},{"line_number":34,"context_line":"            base.PROJECT_MEMBER,"},{"line_number":35,"context_line":"            base.RULE_PARENT_OWNER),"},{"line_number":36,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":37,"context_line":"        description\u003d\u0027Create a floating IP port forwarding\u0027,"}],"source_content_type":"text/x-python","patch_set":2,"id":"b2054c5b_31a43111","line":34,"range":{"start_line":33,"start_character":11,"end_line":34,"end_character":32},"updated":"2022-11-22 09:05:17.000000000","message":"You could use base.ADMIN_OR_PROJECT_MEMBER here too (Although I know you need policy_or anyway to add the rule, but since you already have it defined why not use it)","commit_id":"67135be082b45120bd729dee7a0ede7ad32fe648"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"62d6907a6c44fb3907bec75c94f722890e53f3a1","unresolved":false,"context_lines":[{"line_number":30,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":31,"context_line":"        name\u003d\u0027create_floatingip_port_forwarding\u0027,"},{"line_number":32,"context_line":"        check_str\u003dbase.policy_or("},{"line_number":33,"context_line":"            base.ADMIN,"},{"line_number":34,"context_line":"            base.PROJECT_MEMBER,"},{"line_number":35,"context_line":"            base.RULE_PARENT_OWNER),"},{"line_number":36,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":37,"context_line":"        description\u003d\u0027Create a floating IP port forwarding\u0027,"}],"source_content_type":"text/x-python","patch_set":2,"id":"856b6a2f_d882a6dc","line":34,"range":{"start_line":33,"start_character":11,"end_line":34,"end_character":32},"in_reply_to":"b2054c5b_31a43111","updated":"2022-11-23 08:24:53.000000000","message":"Done","commit_id":"67135be082b45120bd729dee7a0ede7ad32fe648"},{"author":{"_account_id":32586,"name":"Elvira García Ruiz","display_name":"Elvira","email":"egarciar@redhat.com","username":"elvira"},"change_message_id":"69edda04ac376f8ef77701c0daad389c2844d54d","unresolved":true,"context_lines":[{"line_number":50,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":51,"context_line":"        name\u003d\u0027get_floatingip_port_forwarding\u0027,"},{"line_number":52,"context_line":"        check_str\u003dbase.policy_or("},{"line_number":53,"context_line":"            base.ADMIN,"},{"line_number":54,"context_line":"            base.PROJECT_READER,"},{"line_number":55,"context_line":"            base.RULE_PARENT_OWNER),"},{"line_number":56,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":57,"context_line":"        description\u003d\u0027Get a floating IP port forwarding\u0027,"}],"source_content_type":"text/x-python","patch_set":2,"id":"7d1dd819_430d3fac","line":54,"range":{"start_line":53,"start_character":12,"end_line":54,"end_character":32},"updated":"2022-11-22 09:05:17.000000000","message":"Same here with base.ADMIN_OR_PROJECT_READER. Also applicable in other parts of this and other files (Not going to comment in each one of them so as to not spam too much and because it won\u0027t change the final outcome)","commit_id":"67135be082b45120bd729dee7a0ede7ad32fe648"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"62d6907a6c44fb3907bec75c94f722890e53f3a1","unresolved":false,"context_lines":[{"line_number":50,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":51,"context_line":"        name\u003d\u0027get_floatingip_port_forwarding\u0027,"},{"line_number":52,"context_line":"        check_str\u003dbase.policy_or("},{"line_number":53,"context_line":"            base.ADMIN,"},{"line_number":54,"context_line":"            base.PROJECT_READER,"},{"line_number":55,"context_line":"            base.RULE_PARENT_OWNER),"},{"line_number":56,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":57,"context_line":"        description\u003d\u0027Get a floating IP port forwarding\u0027,"}],"source_content_type":"text/x-python","patch_set":2,"id":"3aa0c378_ec663787","line":54,"range":{"start_line":53,"start_character":12,"end_line":54,"end_character":32},"in_reply_to":"7d1dd819_430d3fac","updated":"2022-11-23 08:24:53.000000000","message":"Done","commit_id":"67135be082b45120bd729dee7a0ede7ad32fe648"},{"author":{"_account_id":13861,"name":"yatin","email":"ykarel@redhat.com","username":"yatinkarel"},"change_message_id":"88f2ef97039f0b04cc9559e7a6a9431f29e06804","unresolved":true,"context_lines":[{"line_number":73,"context_line":"        name\u003d\u0027update_floatingip_port_forwarding\u0027,"},{"line_number":74,"context_line":"        check_str\u003dbase.policy_or("},{"line_number":75,"context_line":"            base.ADMIN_OR_PROJECT_MEMBER,"},{"line_number":76,"context_line":"            base.PROJECT_MEMBER,"},{"line_number":77,"context_line":"            base.RULE_PARENT_OWNER),"},{"line_number":78,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":79,"context_line":"        description\u003d\u0027Update a floating IP port forwarding\u0027,"}],"source_content_type":"text/x-python","patch_set":3,"id":"65efce8b_0e8e5377","line":76,"range":{"start_line":76,"start_character":12,"end_line":76,"end_character":32},"updated":"2022-11-24 08:54:44.000000000","message":"base.PROJECT_MEMBER duplicate now?","commit_id":"e6f88698624dc9354d3ca89658918bf2f98b84bb"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"5521b64236ea4965f3b09b4f1367a8b90f3ddc78","unresolved":false,"context_lines":[{"line_number":73,"context_line":"        name\u003d\u0027update_floatingip_port_forwarding\u0027,"},{"line_number":74,"context_line":"        check_str\u003dbase.policy_or("},{"line_number":75,"context_line":"            base.ADMIN_OR_PROJECT_MEMBER,"},{"line_number":76,"context_line":"            base.PROJECT_MEMBER,"},{"line_number":77,"context_line":"            base.RULE_PARENT_OWNER),"},{"line_number":78,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":79,"context_line":"        description\u003d\u0027Update a floating IP port forwarding\u0027,"}],"source_content_type":"text/x-python","patch_set":3,"id":"c9b7e404_89c691de","line":76,"range":{"start_line":76,"start_character":12,"end_line":76,"end_character":32},"in_reply_to":"65efce8b_0e8e5377","updated":"2022-11-24 09:17:32.000000000","message":"Done","commit_id":"e6f88698624dc9354d3ca89658918bf2f98b84bb"}],"neutron/policy.py":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b560a3d29bf09a52d1084e88adb27f4683dd4257","unresolved":true,"context_lines":[{"line_number":470,"context_line":""},{"line_number":471,"context_line":"    :return: Returns True if access is permitted else False."},{"line_number":472,"context_line":"    \"\"\""},{"line_number":473,"context_line":"    # If we already know the context has admin rights do not perform an"},{"line_number":474,"context_line":"    # additional check and authorize the operation"},{"line_number":475,"context_line":"    if context.is_admin:"},{"line_number":476,"context_line":"        return True"},{"line_number":477,"context_line":"    if might_not_exist and not (_ENFORCER.rules and action in _ENFORCER.rules):"},{"line_number":478,"context_line":"        return True"}],"source_content_type":"text/x-python","patch_set":1,"id":"7ab2481b_2497723f","line":475,"range":{"start_line":473,"start_character":0,"end_line":475,"end_character":24},"updated":"2022-11-19 20:50:06.000000000","message":"if I understand correctly, this means you are allowing every policy to admin irrespective of their actual policy rule (either default is only project member or operator has overridden policy rule to be only project member)?\n\nIf so then this does not seem good, we should always check policy rule permission and return accordingly. If we need to make admin or say legacy admin to be same as before then we should add ADMIN_OR_* in policy rule default. That is how nova did\n- https://github.com/openstack/nova/blob/596772d5224e8329f558435205f942c9c776f08b/nova/policies/base.py#L43-L44\n\nI think you did for some rule in this - https://review.opendev.org/c/openstack/neutron/+/853799\n\nBut not in all the rules where admin (legacy admin) was allowed, for example:\nget_security_group should be PROJECT_READER_OR_ADMIN \n\nhttps://github.com/openstack/neutron/blob/a76b20dbc7f9b3d8701501f4d11adc287db8ec9f/neutron/conf/policies/security_group.py#L66","commit_id":"87adbc9d64ebce533a8d16164ddf92d468f5f0e4"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4b026a1cd929ea1251f79bade3a0b21be1e21f96","unresolved":true,"context_lines":[{"line_number":470,"context_line":""},{"line_number":471,"context_line":"    :return: Returns True if access is permitted else False."},{"line_number":472,"context_line":"    \"\"\""},{"line_number":473,"context_line":"    # If we already know the context has admin rights do not perform an"},{"line_number":474,"context_line":"    # additional check and authorize the operation"},{"line_number":475,"context_line":"    if context.is_admin:"},{"line_number":476,"context_line":"        return True"},{"line_number":477,"context_line":"    if might_not_exist and not (_ENFORCER.rules and action in _ENFORCER.rules):"},{"line_number":478,"context_line":"        return True"}],"source_content_type":"text/x-python","patch_set":1,"id":"b613ad89_a6db50a8","line":475,"range":{"start_line":473,"start_character":0,"end_line":475,"end_character":24},"in_reply_to":"7ab2481b_2497723f","updated":"2022-11-19 20:59:33.000000000","message":"IMO, we should add ADMIN_* in policy rule default and remove this check so that if operator overriding policy rule to be not allowing to admin then they should be able to do that.\n\nBut just a question (same to the first comment), before the new RBAC (say before wallaby) due to context.is_admin check operators were not able to dis-allow admin for policy in any way so non complained about it? (may be no one care about admin allowed for everything?) - https://github.com/openstack/neutron/blob/stable/victoria/neutron/policy.py#L436","commit_id":"87adbc9d64ebce533a8d16164ddf92d468f5f0e4"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"3f0aa51c835e7ec097c0bb18c716100d3034a36e","unresolved":false,"context_lines":[{"line_number":470,"context_line":""},{"line_number":471,"context_line":"    :return: Returns True if access is permitted else False."},{"line_number":472,"context_line":"    \"\"\""},{"line_number":473,"context_line":"    # If we already know the context has admin rights do not perform an"},{"line_number":474,"context_line":"    # additional check and authorize the operation"},{"line_number":475,"context_line":"    if context.is_admin:"},{"line_number":476,"context_line":"        return True"},{"line_number":477,"context_line":"    if might_not_exist and not (_ENFORCER.rules and action in _ENFORCER.rules):"},{"line_number":478,"context_line":"        return True"}],"source_content_type":"text/x-python","patch_set":1,"id":"c8b8bb59_a041e7fb","line":475,"range":{"start_line":473,"start_character":0,"end_line":475,"end_character":24},"in_reply_to":"b613ad89_a6db50a8","updated":"2022-11-21 14:44:57.000000000","message":"Yeah, that\u0027s what I really thought and I just did it :)","commit_id":"87adbc9d64ebce533a8d16164ddf92d468f5f0e4"}]}