)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"2c4481ac520d3edaea81cb2a83fda7e2b86371f0","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"service-to-service communication should send the user"},{"line_number":10,"context_line":"token as well the service token. user token and service"},{"line_number":11,"context_line":"token should be wrapped in keystoneauth\u0027s ServiceTokenAuthWrapper."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"As part of RBAC phase-2 (service role), for service-to-service"},{"line_number":14,"context_line":"communication, service should use the service token to check the"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"23a24560_fd45c646","line":11,"updated":"2025-08-22 14:43:58.000000000","message":"this is not required\n\napi that require the service role require it on the user token.\n\nhaving the service role on the servie token does nto allow you to call a service only api.","commit_id":"8b7f36bc29253883a5233bbc3e2247395831f2df"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0dabdd9e4f678f10de5b7bcb28b5d174c43da8b8","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"service-to-service communication should send the user"},{"line_number":10,"context_line":"token as well the service token. user token and service"},{"line_number":11,"context_line":"token should be wrapped in keystoneauth\u0027s ServiceTokenAuthWrapper."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"As part of RBAC phase-2 (service role), for service-to-service"},{"line_number":14,"context_line":"communication, service should use the service token to check the"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"95a4fa70_c76d7e1c","line":11,"in_reply_to":"23a24560_fd45c646","updated":"2025-08-22 18:17:21.000000000","message":"is it? \n\nI think very long back when service-to-service communication was improved, the service calls were meant to send the service token along with the user token - https://specs.openstack.org/openstack/nova-specs/specs/ocata/implemented/use-service-tokens.html\n\nThough the main purpose of that BP was for the long-running task, and if the user token expires. At least that is what was tried to have consistent service communication(even though that was not implemented in all services, but it was done in most of them:\nNova to neutron: https://github.com/openstack/nova/blob/2e666e768a7130c4502ca808a180eacb7c2d03f2/nova/network/neutron.py#L235\nNove to cinder: https://github.com/openstack/nova/blob/2e666e768a7130c4502ca808a180eacb7c2d03f2/nova/volume/cinder.py#L100\nNova to glance: https://github.com/openstack/nova/blob/2e666e768a7130c4502ca808a180eacb7c2d03f2/nova/image/glance.py#L66\nCinder to nova: https://github.com/openstack/cinder/blob/39a2705719c715584dc810c13cf749735355c693/cinder/compute/nova.py#L113\ncinder to glance: https://github.com/openstack/cinder/blob/39a2705719c715584dc810c13cf749735355c693/cinder/image/glance.py#L134\n That is why I am using the same model for service API call checks also. To know if the call is from service or not, we need to check the embedded service token data and not if the user has a service role or not.\n\nThink of one use case where a user calls serviceA, having only a user token (no service role in that), and then ServiceA needs to call ServiceB by embedding the service token. In that case, checking the service token is the only way to know/use if the call is from the service. The same service token is used by Service B (via Keystone middleware) if the user token expires, and we can use it for service role RBAC enforcement. It\u0027s been a long time, but if you remember, that is what we discussed in the call (you, Dan and I) about service role checks. \n\nThis is how I am doing the service API default, which checks service_roles (this is the roles assigned to the service token and not the user token).\n\n    \"service_api\" \u003d \"service_roles:%(service_roles)s\"\n   \nIf we want to cover the case where the user token can also have a service role and should be considered as a service call, then we can modify the policy rule to cover both cases. But I would like to ask why we want to consider that case.\n\nBut for the long term, I would like to have service communication in a single consistent way by sending the service token along with the user token (user token can be external if API is called from outside or internally generated if call is internal, for example, neutron sending event to nova).\n\n    \"service_api\" \u003d \"service_roles:%(service_roles)s or roles:service\"","commit_id":"8b7f36bc29253883a5233bbc3e2247395831f2df"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"243d14b313d7d26b54dd1864857cde5a1e59f5e9","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"service-to-service communication should send the user"},{"line_number":10,"context_line":"token as well the service token. user token and service"},{"line_number":11,"context_line":"token should be wrapped in keystoneauth\u0027s ServiceTokenAuthWrapper."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"As part of RBAC phase-2 (service role), for service-to-service"},{"line_number":14,"context_line":"communication, service should use the service token to check the"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"a9492254_05a9116d","line":11,"in_reply_to":"4fcfd478_6607bfce","updated":"2025-08-23 19:55:32.000000000","message":"the service user and token has nothign to do with the SRBAC goal.\n\nit was intoduced to allow Service A to say to service B that when the user token was recvied by service A that it was still valid, so that if it expires during long runing operation like live migration if nova calls neutron with that token then neutron shoudl treat it as still valid.\n\nThe service token shoudl not be consdierd for any other usecase.\n\nwhat that means is that for the SRBAC goal when calling a service api the user_token created by the service from config should have the `service` role.\n\neffectivly for most project this just means for example the nova user should have both admin and service role and in the future we can remove the admin role once all service supprot using the service role for service to service comuntication.\n\ncalls with to service apis will not actully use a uesr token form an end user.\nit will constuct a new user token form the config using the \"admin clinet\" we have today all the diffence is that the policy checks on the target service will assert that the user token has the service role not the admin one.\n\nfor upgrade this means all that operator need to do is add the service  role to the exsitn neutron user in this case and nova will acppet it for the external events api.\n\nim not saying that its not a good idea to implemnt https://specs.openstack.org/openstack/nova-specs/specs/ocata/implemented/use-service-tokens.html in neutron for long running operations.\n\nit definitely should if they have not already\n\nbut that is not related to the rbac goal.\n\ni would consider it a policy violation fi the roles on the service token were used to deterim if a call to a service only api is allowed.","commit_id":"8b7f36bc29253883a5233bbc3e2247395831f2df"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"42014115beaad44dbb6394fac352f42ce3c96ad9","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"service-to-service communication should send the user"},{"line_number":10,"context_line":"token as well the service token. user token and service"},{"line_number":11,"context_line":"token should be wrapped in keystoneauth\u0027s ServiceTokenAuthWrapper."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"As part of RBAC phase-2 (service role), for service-to-service"},{"line_number":14,"context_line":"communication, service should use the service token to check the"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"4fcfd478_6607bfce","line":11,"in_reply_to":"95a4fa70_c76d7e1c","updated":"2025-08-23 01:03:47.000000000","message":"seeing the failure in some of the jobs[1] where the new service_user are not configured in neutron.conf, i realized that it can break the existing deployment also who are not configured to the this new config option. I changed the implementation to continue return the user token in case no service_user is configured and that way it will not impact existing users.\n\n- https://review.opendev.org/c/openstack/neutron/+/958142/comment/77a6b544_774d7bfb/\n\nFor that I need to make nova default to below, so that both existing and new way both can work. I think that will solve the @smooney@redhat.com concern.\n\n    \"service_api\" \u003d \"service_roles:%(service_roles)s or roles:service\"\n\nBut end goal is to have service_user configured always so that we can have a consistent way for service-to-service communication.\n\n[1] https://zuul.opendev.org/t/openstack/build/fe60bc0729eb4fcf9b9798fc47f88fc9/log/controller/logs/screen-neutron-api.txt#745","commit_id":"8b7f36bc29253883a5233bbc3e2247395831f2df"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"217b4976ad87f0509a2c63b533645d909e0a21b4","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"service-to-service communication should send the user"},{"line_number":10,"context_line":"token as well the service token. user token and service"},{"line_number":11,"context_line":"token should be wrapped in keystoneauth\u0027s ServiceTokenAuthWrapper."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"As part of RBAC phase-2 (service role), for service-to-service"},{"line_number":14,"context_line":"communication, service should use the service token to check the"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"f3952a7b_715178b3","line":11,"in_reply_to":"a9492254_05a9116d","updated":"2025-08-25 00:10:46.000000000","message":"Thanks for correcting here, I got your point now (replied in nova change - https://review.opendev.org/c/openstack/nova/+/957578/comment/a097d558_fee01375/).\n\nWe do not need this change for the RBAC, I will abandon this and later if needed we can implement service token usage (for user token expiry case).","commit_id":"8b7f36bc29253883a5233bbc3e2247395831f2df"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"2c4481ac520d3edaea81cb2a83fda7e2b86371f0","unresolved":true,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":"As part of RBAC phase-2 (service role), for service-to-service"},{"line_number":14,"context_line":"communication, service should use the service token to check the"},{"line_number":15,"context_line":"policy permission and user token for actual operation. This way,"},{"line_number":16,"context_line":"service will get to know if request is from other service."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Nova is now implementing the phase-2 and defaulting the"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"52e4d14c_ae25bf5e","line":15,"updated":"2025-08-22 14:43:58.000000000","message":"this is not correct.","commit_id":"8b7f36bc29253883a5233bbc3e2247395831f2df"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software Technology"},"change_message_id":"1bdc374baf70c4d08820cfa1cda44708577d5c88","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"c180a752_66f68340","updated":"2025-08-21 12:03:55.000000000","message":"Hi gmann, I have a WIP patch for Nova to change from neutronclient to SDK:\nhttps://review.opendev.org/c/openstack/nova/+/928022\nDo you think I have to test that with this one and your nova patch for service role?","commit_id":"64f8c643b012e91090991cc7f99ec71ced2a8f51"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"46ae893c950593d6d6291a7968af48e853f09cd2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"129e0f58_7ef4d747","updated":"2025-08-21 06:16:38.000000000","message":"WIP until I finish the service-to-service interaction testing.","commit_id":"64f8c643b012e91090991cc7f99ec71ced2a8f51"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d3ae73b9ebdbf8c3ef854bcccea37592b19a7924","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"c9529214_1b7304c2","in_reply_to":"c180a752_66f68340","updated":"2025-08-21 19:27:53.000000000","message":"Hi lajos, nova to neutron communication is all ok and changing from neutronclient to sdk should not require anything else.\n\nThis is for neutron-\u003enova when neutron send the server-external event to nova. Nova is changing the server-external-event API default from admin to service role so this change is needed for that.\n\nThere are other changhes needed in neutron for service APIs and their policy default but that is also separate things from neutronclient-\u003esdk migration.","commit_id":"64f8c643b012e91090991cc7f99ec71ced2a8f51"},{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software Technology"},"change_message_id":"d9bc84a4e4745d60a514485bb298467514ddf07e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"0c1c62a7_56887c5a","in_reply_to":"c9529214_1b7304c2","updated":"2025-08-22 07:29:31.000000000","message":"ack, thanks for checking","commit_id":"64f8c643b012e91090991cc7f99ec71ced2a8f51"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d763eeb38422d72ddd1c45de9c5c75e423f0f910","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"42aea95d_ab932f2f","updated":"2025-08-22 07:28:46.000000000","message":"I need to add some test and release notes for new config but first testing in https://review.opendev.org/c/openstack/nova/+/957578/","commit_id":"8b7f36bc29253883a5233bbc3e2247395831f2df"}],"neutron/common/config.py":[{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"f17d0b1ee8a8b6a4d5e8ef32b62b06b9c906d010","unresolved":true,"context_lines":[{"line_number":61,"context_line":"    # Ensure that the control exchange is set correctly"},{"line_number":62,"context_line":"    oslo_messaging.set_transport_defaults(control_exchange\u003d\u0027neutron\u0027)"},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"    # Register the servie user related config options"},{"line_number":65,"context_line":"    ks_loading.register_auth_conf_options("},{"line_number":66,"context_line":"        cfg.CONF, common_config.SERVICE_USER_GROUP)"},{"line_number":67,"context_line":"    ks_loading.register_session_conf_options("}],"source_content_type":"text/x-python","patch_set":2,"id":"206d017b_7d51437d","line":64,"range":{"start_line":64,"start_character":19,"end_line":64,"end_character":25},"updated":"2025-08-22 14:34:31.000000000","message":"nit: service","commit_id":"8b7f36bc29253883a5233bbc3e2247395831f2df"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0dabdd9e4f678f10de5b7bcb28b5d174c43da8b8","unresolved":false,"context_lines":[{"line_number":61,"context_line":"    # Ensure that the control exchange is set correctly"},{"line_number":62,"context_line":"    oslo_messaging.set_transport_defaults(control_exchange\u003d\u0027neutron\u0027)"},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"    # Register the servie user related config options"},{"line_number":65,"context_line":"    ks_loading.register_auth_conf_options("},{"line_number":66,"context_line":"        cfg.CONF, common_config.SERVICE_USER_GROUP)"},{"line_number":67,"context_line":"    ks_loading.register_session_conf_options("}],"source_content_type":"text/x-python","patch_set":2,"id":"38cf0c01_2f19ebba","line":64,"range":{"start_line":64,"start_character":19,"end_line":64,"end_character":25},"in_reply_to":"206d017b_7d51437d","updated":"2025-08-22 18:17:21.000000000","message":"Done","commit_id":"8b7f36bc29253883a5233bbc3e2247395831f2df"}],"neutron/common/service_auth.py":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e4bf77b5076592d19eb09696bd9170b94255dfea","unresolved":true,"context_lines":[{"line_number":45,"context_line":"                                CONF,"},{"line_number":46,"context_line":"                                group\u003d"},{"line_number":47,"context_line":"                                common.SERVICE_USER_GROUP)"},{"line_number":48,"context_line":"            if _SERVICE_AUTH is None:"},{"line_number":49,"context_line":"                raise ServiceUserTokenNoAuth()"},{"line_number":50,"context_line":"        return service_token.ServiceTokenAuthWrapper("},{"line_number":51,"context_line":"                   user_auth\u003dauth,"},{"line_number":52,"context_line":"                   service_auth\u003d_SERVICE_AUTH)"}],"source_content_type":"text/x-python","patch_set":2,"id":"77a6b544_774d7bfb","line":49,"range":{"start_line":48,"start_character":0,"end_line":49,"end_character":46},"updated":"2025-08-22 19:40:58.000000000","message":"I think I should not raise the exception here as it will be upgrade impact. Deployment not configured the service_user on neutron.conf will fail here. That is why some of the jobs failing as they do not have service_user configured \n\n- https://zuul.opendev.org/t/openstack/build/fe60bc0729eb4fcf9b9798fc47f88fc9/log/controller/logs/screen-neutron-api.txt#745\n\nI am doing it in devstack setup but that needs to be done everywhere to make it work which is upgrade impact\n- https://review.opendev.org/c/openstack/devstack/+/958143\n\nHere I shuld return user token only and log a warning to configure the service_user.","commit_id":"8b7f36bc29253883a5233bbc3e2247395831f2df"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"42014115beaad44dbb6394fac352f42ce3c96ad9","unresolved":false,"context_lines":[{"line_number":45,"context_line":"                                CONF,"},{"line_number":46,"context_line":"                                group\u003d"},{"line_number":47,"context_line":"                                common.SERVICE_USER_GROUP)"},{"line_number":48,"context_line":"            if _SERVICE_AUTH is None:"},{"line_number":49,"context_line":"                raise ServiceUserTokenNoAuth()"},{"line_number":50,"context_line":"        return service_token.ServiceTokenAuthWrapper("},{"line_number":51,"context_line":"                   user_auth\u003dauth,"},{"line_number":52,"context_line":"                   service_auth\u003d_SERVICE_AUTH)"}],"source_content_type":"text/x-python","patch_set":2,"id":"5c437d83_91738eae","line":49,"range":{"start_line":48,"start_character":0,"end_line":49,"end_character":46},"in_reply_to":"77a6b544_774d7bfb","updated":"2025-08-23 01:03:47.000000000","message":"Done","commit_id":"8b7f36bc29253883a5233bbc3e2247395831f2df"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"42014115beaad44dbb6394fac352f42ce3c96ad9","unresolved":false,"context_lines":[{"line_number":45,"context_line":"                                CONF,"},{"line_number":46,"context_line":"                                group\u003d"},{"line_number":47,"context_line":"                                common.SERVICE_USER_GROUP)"},{"line_number":48,"context_line":"            if _SERVICE_AUTH is None:"},{"line_number":49,"context_line":"                raise ServiceUserTokenNoAuth()"},{"line_number":50,"context_line":"        return service_token.ServiceTokenAuthWrapper("},{"line_number":51,"context_line":"                   user_auth\u003dauth,"},{"line_number":52,"context_line":"                   service_auth\u003d_SERVICE_AUTH)"}],"source_content_type":"text/x-python","patch_set":2,"id":"f200f975_6aae51d9","line":49,"range":{"start_line":48,"start_character":0,"end_line":49,"end_character":46},"in_reply_to":"77a6b544_774d7bfb","updated":"2025-08-23 01:03:47.000000000","message":"Done","commit_id":"8b7f36bc29253883a5233bbc3e2247395831f2df"}],"neutron/conf/common.py":[{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"f17d0b1ee8a8b6a4d5e8ef32b62b06b9c906d010","unresolved":true,"context_lines":[{"line_number":211,"context_line":"Configuration options for service to service authentication using a service"},{"line_number":212,"context_line":"token. These options allow to send a service token along with the"},{"line_number":213,"context_line":"user\u0027s token when contacting external REST APIs."},{"line_number":214,"context_line":"\"\"\""},{"line_number":215,"context_line":")"},{"line_number":216,"context_line":"service_user_opts \u003d ["},{"line_number":217,"context_line":"    cfg.BoolOpt(\u0027send_service_user_token\u0027,"}],"source_content_type":"text/x-python","patch_set":2,"id":"ede3cfc3_7da79b2e","line":214,"updated":"2025-08-22 14:34:31.000000000","message":"Shouldn\u0027t this be in _() like the others so i18n happens?","commit_id":"8b7f36bc29253883a5233bbc3e2247395831f2df"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0dabdd9e4f678f10de5b7bcb28b5d174c43da8b8","unresolved":false,"context_lines":[{"line_number":211,"context_line":"Configuration options for service to service authentication using a service"},{"line_number":212,"context_line":"token. These options allow to send a service token along with the"},{"line_number":213,"context_line":"user\u0027s token when contacting external REST APIs."},{"line_number":214,"context_line":"\"\"\""},{"line_number":215,"context_line":")"},{"line_number":216,"context_line":"service_user_opts \u003d ["},{"line_number":217,"context_line":"    cfg.BoolOpt(\u0027send_service_user_token\u0027,"}],"source_content_type":"text/x-python","patch_set":2,"id":"7a62c38c_e1ef8978","line":214,"in_reply_to":"ede3cfc3_7da79b2e","updated":"2025-08-22 18:17:21.000000000","message":"yeah, done","commit_id":"8b7f36bc29253883a5233bbc3e2247395831f2df"}]}
