)]}'
{"specs/pike/approved/additional-default-policy-roles.rst":[{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"9c6b744719121a89f155c7a75dd79335a531ace2","unresolved":false,"context_lines":[{"line_number":150,"context_line":"* POST /servers"},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"  * compute:write"},{"line_number":153,"context_line":"  * scope check: {\"project_id\": \"server.project_id\" }"},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"* GET /servers"},{"line_number":156,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"fa31d9ce_cbf565ed","line":153,"range":{"start_line":153,"start_character":4,"end_line":153,"end_character":53},"updated":"2017-02-15 03:08:44.000000000","message":"\"server.project_id\" isn\u0027t a string, it is the uuid of server\u0027s project_id, right?\n\nIf yes, this means you will check the scope after servers created?","commit_id":"f86ee8281d1ad284ccf770ba188b22d48a5ffebe"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"fdddb6100683b31cd932cd0405ea1af71e4b492a","unresolved":false,"context_lines":[{"line_number":150,"context_line":"* POST /servers"},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"  * compute:write"},{"line_number":153,"context_line":"  * scope check: {\"project_id\": \"server.project_id\" }"},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"* GET /servers"},{"line_number":156,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"fa31d9ce_c511be53","line":153,"range":{"start_line":153,"start_character":4,"end_line":153,"end_character":53},"in_reply_to":"fa31d9ce_cbf565ed","updated":"2017-02-15 12:51:01.000000000","message":"yeah, I am being fast and loose here, I should fix that 
up.","commit_id":"f86ee8281d1ad284ccf770ba188b22d48a5ffebe"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"9c6b744719121a89f155c7a75dd79335a531ace2","unresolved":false,"context_lines":[{"line_number":155,"context_line":"* GET /servers"},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"  * compute:read"},{"line_number":158,"context_line":"  * scope check: {\"project_id\": \"server.project_id\" }"},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"* GET /servers?all_tenants\u003dTrue"},{"line_number":161,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"fa31d9ce_6b855958","line":158,"range":{"start_line":158,"start_character":4,"end_line":158,"end_character":53},"updated":"2017-02-15 03:08:44.000000000","message":"If I pass the rule \u0027compute:context_is_global\u0027, then I can see all the servers from this API without all_tenants\u003dTrue?","commit_id":"f86ee8281d1ad284ccf770ba188b22d48a5ffebe"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"60e31a8762354f5bb570d10e24bb4e98f00c1fc9","unresolved":false,"context_lines":[{"line_number":155,"context_line":"* GET /servers"},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"  * compute:read"},{"line_number":158,"context_line":"  * scope check: {\"project_id\": \"server.project_id\" }"},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"* GET /servers?all_tenants\u003dTrue"},{"line_number":161,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"fa31d9ce_8caa23d1","line":158,"range":{"start_line":158,"start_character":4,"end_line":158,"end_character":53},"in_reply_to":"fa31d9ce_05711644","updated":"2017-02-17 16:45:06.000000000","message":"yeah, which is the current default API 
behaviour.","commit_id":"f86ee8281d1ad284ccf770ba188b22d48a5ffebe"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"51a105727e203d9fa2c8c4c877b91765efe81386","unresolved":false,"context_lines":[{"line_number":155,"context_line":"* GET /servers"},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"  * compute:read"},{"line_number":158,"context_line":"  * scope check: {\"project_id\": \"server.project_id\" }"},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"* GET /servers?all_tenants\u003dTrue"},{"line_number":161,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"fa31d9ce_05711644","line":158,"range":{"start_line":158,"start_character":4,"end_line":158,"end_character":53},"in_reply_to":"fa31d9ce_457a2e89","updated":"2017-02-15 13:00:57.000000000","message":"ah, I see now, thanks. all_tenants\u003dFalse means I want my own servers even I have global token.","commit_id":"f86ee8281d1ad284ccf770ba188b22d48a5ffebe"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"fdddb6100683b31cd932cd0405ea1af71e4b492a","unresolved":false,"context_lines":[{"line_number":155,"context_line":"* GET /servers"},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"  * compute:read"},{"line_number":158,"context_line":"  * scope check: {\"project_id\": \"server.project_id\" }"},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"* GET /servers?all_tenants\u003dTrue"},{"line_number":161,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"fa31d9ce_457a2e89","line":158,"range":{"start_line":158,"start_character":4,"end_line":158,"end_character":53},"in_reply_to":"fa31d9ce_6b855958","updated":"2017-02-15 12:51:01.000000000","message":"No.\n\nIf all_tenants\u003dFalse, you are explicitly listing only servers in your 
context.\n\nWhen you say all_tenants\u003dTrue, you are requesting to list all the servers you have access to. If you have a global token, that now means everyone. If you don\u0027t have a global token, you end up with the same list you started with.\n\nThere is no change to the REST API here, it\u0027s just the existing checks done in a slightly different way really.","commit_id":"f86ee8281d1ad284ccf770ba188b22d48a5ffebe"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d6e100258f33c2939c373bd7babc78a05a026a8c","unresolved":false,"context_lines":[{"line_number":108,"context_line":"optionally that access is global. For this spec we are not looking at creating"},{"line_number":109,"context_line":"a distinction between constructive vs destructive actions in the API"},{"line_number":110,"context_line":"(e.g. a user that is allowed to create but not delete)."},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"Proposed change"},{"line_number":113,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":114,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"fa31d9ce_073af098","line":111,"updated":"2017-02-15 16:50:16.000000000","message":"I need to put something about a limitation here.\n\nIf you can\u0027t be both SO and PA, because of how this is implemented, you only get one of the roles in each project. 
But you just re-authenticate into the appropriate project to get the appropriate access.","commit_id":"887812e5e3592ff67a382f887d497ea55c61b0fa"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"875fdd742177eb1f70fb5f3302e14abeaf4cc44a","unresolved":false,"context_lines":[{"line_number":25,"context_line":""},{"line_number":26,"context_line":"* defaults are now in code"},{"line_number":27,"context_line":"* less rules after policy moved (almost exclusively) into v2.1 API code base"},{"line_number":28,"context_line":"* all rules are well documented (see pike spec)"},{"line_number":29,"context_line":"* ``is_global_token`` to allow access across all tenants (see pike spec)"},{"line_number":30,"context_line":"* improved functional testing of all policy and scope checks (see above spec)"},{"line_number":31,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"da36d5c6_88538638","line":28,"range":{"start_line":28,"start_character":33,"end_line":28,"end_character":46},"updated":"2017-02-23 19:24:27.000000000","message":"provide a link","commit_id":"40a49594c707867eff61a547933a4da2528a3145"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"875fdd742177eb1f70fb5f3302e14abeaf4cc44a","unresolved":false,"context_lines":[{"line_number":112,"context_line":"Proposed change"},{"line_number":113,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"We first discuss some oslo.polcy changes that are need as we evolve the"},{"line_number":116,"context_line":"default policy rules."},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"We then talk about how we can slowly evolve the existing rules into 
the"}],"source_content_type":"text/x-rst","patch_set":9,"id":"da36d5c6_a3006d02","line":115,"range":{"start_line":115,"start_character":50,"end_line":115,"end_character":54},"updated":"2017-02-23 19:24:27.000000000","message":"needed","commit_id":"40a49594c707867eff61a547933a4da2528a3145"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"875fdd742177eb1f70fb5f3302e14abeaf4cc44a","unresolved":false,"context_lines":[{"line_number":126,"context_line":"* token scope: global or not"},{"line_number":127,"context_line":"* user_role: admin, member or observer"},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"So we will probably need the following policy rules:::"},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"    # NOTE role:admin is here only to allow a smooth upgrade"},{"line_number":132,"context_line":"    # (oslo.polcy will deal with this and log warnings if needed)"}],"source_content_type":"text/x-rst","patch_set":9,"id":"da36d5c6_c32c819b","line":129,"range":{"start_line":129,"start_character":51,"end_line":129,"end_character":54},"updated":"2017-02-23 19:24:27.000000000","message":"::","commit_id":"40a49594c707867eff61a547933a4da2528a3145"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"875fdd742177eb1f70fb5f3302e14abeaf4cc44a","unresolved":false,"context_lines":[{"line_number":172,"context_line":""},{"line_number":173,"context_line":"* POST /servers"},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"  * rule:compute:write"},{"line_number":176,"context_line":"  * scope check: {\"project_id\": \"server.project_id\" }"},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"* GET 
/servers"}],"source_content_type":"text/x-rst","patch_set":9,"id":"da36d5c6_233c7dc7","line":175,"range":{"start_line":175,"start_character":17,"end_line":175,"end_character":22},"updated":"2017-02-23 19:24:27.000000000","message":"This is redundant with POST.","commit_id":"40a49594c707867eff61a547933a4da2528a3145"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"875fdd742177eb1f70fb5f3302e14abeaf4cc44a","unresolved":false,"context_lines":[{"line_number":177,"context_line":""},{"line_number":178,"context_line":"* GET /servers"},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"  * rule:compute:read"},{"line_number":181,"context_line":"  * scope check: {\"project_id\": \"server.project_id\" }"},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"* GET /servers?all_tenants\u003dTrue"}],"source_content_type":"text/x-rst","patch_set":9,"id":"da36d5c6_433971d6","line":180,"range":{"start_line":180,"start_character":17,"end_line":180,"end_character":21},"updated":"2017-02-23 19:24:27.000000000","message":"This is redundant with GET.","commit_id":"40a49594c707867eff61a547933a4da2528a3145"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"875fdd742177eb1f70fb5f3302e14abeaf4cc44a","unresolved":false,"context_lines":[{"line_number":187,"context_line":""},{"line_number":188,"context_line":"* PUT /servers/\u003cid\u003e"},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"  * rule:compute:write"},{"line_number":191,"context_line":"  * scope check: {\"project_id\": \"server.project_id\" }"},{"line_number":192,"context_line":""},{"line_number":193,"context_line":"* DELETE 
/servers/\u003cid\u003e"}],"source_content_type":"text/x-rst","patch_set":9,"id":"da36d5c6_c353a115","line":190,"range":{"start_line":190,"start_character":17,"end_line":190,"end_character":22},"updated":"2017-02-23 19:24:27.000000000","message":"redundant with PUT, etc etc","commit_id":"40a49594c707867eff61a547933a4da2528a3145"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"875fdd742177eb1f70fb5f3302e14abeaf4cc44a","unresolved":false,"context_lines":[{"line_number":217,"context_line":""},{"line_number":218,"context_line":"* POST /os-server-external-events"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"  * rule:compute:admin or rule:compute:neutron"},{"line_number":221,"context_line":"  * scope check: {\"project_id\": \"server.project_id\" }"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"We will need to improve the policy functional tests to cover all the extra"}],"source_content_type":"text/x-rst","patch_set":9,"id":"da36d5c6_c37ac187","line":220,"range":{"start_line":220,"start_character":39,"end_line":220,"end_character":46},"updated":"2017-02-23 19:24:27.000000000","message":"What does this mean? The service user? 
Will it be called \u0027neutron\u0027?\n\nSo like we could have one for cinder to do os-assisted-volume-snapshots?","commit_id":"40a49594c707867eff61a547933a4da2528a3145"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ea71672c21cf81b8b0ca519b9cd4ed6307b03ea4","unresolved":false,"context_lines":[{"line_number":217,"context_line":""},{"line_number":218,"context_line":"* POST /os-server-external-events"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"  * rule:compute:admin or rule:compute:neutron"},{"line_number":221,"context_line":"  * scope check: {\"project_id\": \"server.project_id\" }"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"We will need to improve the policy functional tests to cover all the extra"}],"source_content_type":"text/x-rst","patch_set":9,"id":"da36d5c6_dd499032","line":220,"range":{"start_line":220,"start_character":39,"end_line":220,"end_character":46},"in_reply_to":"da36d5c6_c37ac187","updated":"2017-02-25 03:26:14.000000000","message":"Yes, see ln152 and ln153","commit_id":"40a49594c707867eff61a547933a4da2528a3145"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"aefbc282b78ab5a02ec4b2642aa1ad5fcb7469d6","unresolved":false,"context_lines":[{"line_number":288,"context_line":"Having a better understanding of policy rules can only help better audit the"},{"line_number":289,"context_line":"correctness of Nova\u0027s RBAC controls for each particular deployment scenario."},{"line_number":290,"context_line":""},{"line_number":291,"context_line":"The only slight risk that is introduced is that all authenticated users can"},{"line_number":292,"context_line":"create DB load, even if policy says they don\u0027t have access. 
This is because"},{"line_number":293,"context_line":"in many actions we need to fetch the object being manipulated to check its"},{"line_number":294,"context_line":"associated project_id with the project_id in the user\u0027s token."},{"line_number":295,"context_line":""},{"line_number":296,"context_line":"Notifications impact"},{"line_number":297,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"da36d5c6_2398fdbf","line":294,"range":{"start_line":291,"start_character":0,"end_line":294,"end_character":62},"updated":"2017-02-23 19:26:03.000000000","message":"Doesn\u0027t this go in the perf impact section?","commit_id":"40a49594c707867eff61a547933a4da2528a3145"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ea71672c21cf81b8b0ca519b9cd4ed6307b03ea4","unresolved":false,"context_lines":[{"line_number":288,"context_line":"Having a better understanding of policy rules can only help better audit the"},{"line_number":289,"context_line":"correctness of Nova\u0027s RBAC controls for each particular deployment scenario."},{"line_number":290,"context_line":""},{"line_number":291,"context_line":"The only slight risk that is introduced is that all authenticated users can"},{"line_number":292,"context_line":"create DB load, even if policy says they don\u0027t have access. 
This is because"},{"line_number":293,"context_line":"in many actions we need to fetch the object being manipulated to check its"},{"line_number":294,"context_line":"associated project_id with the project_id in the user\u0027s token."},{"line_number":295,"context_line":""},{"line_number":296,"context_line":"Notifications impact"},{"line_number":297,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"da36d5c6_1d5088d3","line":294,"range":{"start_line":291,"start_character":0,"end_line":294,"end_character":62},"in_reply_to":"da36d5c6_2398fdbf","updated":"2017-02-25 03:26:14.000000000","message":"Hmm, maybe. I should mention it. It should have zero long term impact.","commit_id":"40a49594c707867eff61a547933a4da2528a3145"},{"author":{"_account_id":4257,"name":"Zane Bitter","email":"zbitter@redhat.com","username":"zaneb"},"change_message_id":"63a45b83d2142946d9462ca2d668ee3af2d07fe7","unresolved":false,"context_lines":[{"line_number":56,"context_line":"Here we will talk about the different roles we want to support using the"},{"line_number":57,"context_line":"default policy file:"},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"* No Access"},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"  * By default, users should have no access to Nova, unless granted"},{"line_number":62,"context_line":"  * e.g. 
You may want a user that only has access to Swift\u0027s API"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a1ff146_9020839d","line":59,"updated":"2017-03-15 19:21:48.000000000","message":"+1000 :)","commit_id":"5ccff2e24173c57378676189c6d3ef37fc0b0566"},{"author":{"_account_id":4257,"name":"Zane Bitter","email":"zbitter@redhat.com","username":"zaneb"},"change_message_id":"63a45b83d2142946d9462ca2d668ee3af2d07fe7","unresolved":false,"context_lines":[{"line_number":59,"context_line":"* No Access"},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"  * By default, users should have no access to Nova, unless granted"},{"line_number":62,"context_line":"  * e.g. You may want a user that only has access to Swift\u0027s API"},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"* Project observer (PO)"},{"line_number":65,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a1ff146_30534fe3","line":62,"updated":"2017-03-15 19:21:48.000000000","message":"This may not be the most enlightening example. Assuming that all projects eventually adopt the same ideas then giving a user a project observer role so they can access the Swift API would also give them access to the Nova API (and avoiding this would involve a massive proliferation of swift_project_observer, nova_project_observer, \u0026c. 
roles, all of which would generally need to be granted to users).\n\nThe real reason for doing it like this is that there are likely some specialised roles like \"can trigger autoscaling\" that we want to be able to grant to an account without giving them any access to everything else in the project.","commit_id":"5ccff2e24173c57378676189c6d3ef37fc0b0566"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"9e0152e23c1efad91d4d8b6a3b75e56f7562b6a9","unresolved":false,"context_lines":[{"line_number":59,"context_line":"* No Access"},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"  * By default, users should have no access to Nova, unless granted"},{"line_number":62,"context_line":"  * e.g. You may want a user that only has access to Swift\u0027s API"},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"* Project observer (PO)"},{"line_number":65,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a1ff146_f941860c","line":62,"in_reply_to":"3a1ff146_30534fe3","updated":"2017-03-16 10:52:28.000000000","message":"Yeah, I much prefer your example, I will use it.\n\nI am relying on keystone\u0027s implied roles feature, so we can have all the project specific roles, but not make that a total PITA:\nhttp://specs.openstack.org/openstack/keystone-specs/specs/keystone/mitaka/implied-roles.html\n\nI should add that detail in the spec.","commit_id":"5ccff2e24173c57378676189c6d3ef37fc0b0566"},{"author":{"_account_id":4257,"name":"Zane Bitter","email":"zbitter@redhat.com","username":"zaneb"},"change_message_id":"ef0f0f32d2c34f9d230efabb14f50f422d927ed1","unresolved":false,"context_lines":[{"line_number":59,"context_line":"* No Access"},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"  * By default, users should have no access to Nova, unless granted"},{"line_number":62,"context_line":"  * e.g. 
You may want a user that only has access to Swift\u0027s API"},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"* Project observer (PO)"},{"line_number":65,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"1a1ced50_78a7a54f","line":62,"in_reply_to":"3a1ff146_f941860c","updated":"2017-03-16 19:07:14.000000000","message":"Ah, I wasn\u0027t aware of the implied roles thing. That sounds quite manageable then.","commit_id":"5ccff2e24173c57378676189c6d3ef37fc0b0566"},{"author":{"_account_id":4257,"name":"Zane Bitter","email":"zbitter@redhat.com","username":"zaneb"},"change_message_id":"63a45b83d2142946d9462ca2d668ee3af2d07fe7","unresolved":false,"context_lines":[{"line_number":113,"context_line":"Proposed change"},{"line_number":114,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"We first discuss some oslo.polcy changes that are needed as we evolve the"},{"line_number":117,"context_line":"default policy rules."},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"We then talk about how we can slowly evolve the existing rules into the"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a1ff146_106d7398","line":116,"updated":"2017-03-15 19:21:48.000000000","message":"s/polcy/policy/","commit_id":"5ccff2e24173c57378676189c6d3ef37fc0b0566"},{"author":{"_account_id":4257,"name":"Zane Bitter","email":"zbitter@redhat.com","username":"zaneb"},"change_message_id":"63a45b83d2142946d9462ca2d668ee3af2d07fe7","unresolved":false,"context_lines":[{"line_number":142,"context_line":"    \"compute:observer\": \"role:compute_observer\""},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"    # NOTE context_is_observer is only here due to upgrade issues,"},{"line_number":145,"context_line":"    # because the nova_user was not previously 
required"},{"line_number":146,"context_line":"    \"compute:member\":"},{"line_number":147,"context_line":"        \"role:compute_member or not rule:compute:context_is_observer\""},{"line_number":148,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a1ff146_32a35051","line":145,"updated":"2017-03-15 19:21:48.000000000","message":"s/nova_user/compute_member/ ?","commit_id":"5ccff2e24173c57378676189c6d3ef37fc0b0566"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"9e0152e23c1efad91d4d8b6a3b75e56f7562b6a9","unresolved":false,"context_lines":[{"line_number":142,"context_line":"    \"compute:observer\": \"role:compute_observer\""},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"    # NOTE context_is_observer is only here due to upgrade issues,"},{"line_number":145,"context_line":"    # because the nova_user was not previously required"},{"line_number":146,"context_line":"    \"compute:member\":"},{"line_number":147,"context_line":"        \"role:compute_member or not rule:compute:context_is_observer\""},{"line_number":148,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a1ff146_995172db","line":145,"in_reply_to":"3a1ff146_32a35051","updated":"2017-03-16 10:52:28.000000000","message":"oops, yes.","commit_id":"5ccff2e24173c57378676189c6d3ef37fc0b0566"},{"author":{"_account_id":4257,"name":"Zane Bitter","email":"zbitter@redhat.com","username":"zaneb"},"change_message_id":"63a45b83d2142946d9462ca2d668ee3af2d07fe7","unresolved":false,"context_lines":[{"line_number":144,"context_line":"    # NOTE context_is_observer is only here due to upgrade issues,"},{"line_number":145,"context_line":"    # because the nova_user was not previously required"},{"line_number":146,"context_line":"    \"compute:member\":"},{"line_number":147,"context_line":"        \"role:compute_member or not 
rule:compute:context_is_observer\""},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"    # NOTE rule:is_admin is here only to allow a smooth upgrade"},{"line_number":150,"context_line":"    \"compute:admin\": \"role:compute_admin or rule:is_admin\""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a1ff146_727308e8","line":147,"updated":"2017-03-15 19:21:48.000000000","message":"This actually does make it look like you plan to have separate *_member roles for each service? That feels like a lot to manage for operators... every user will have to be given a role for every service they need to access, and every time a service is added to the cloud they\u0027ll need to decide which existing users should have access and grant them the role.","commit_id":"5ccff2e24173c57378676189c6d3ef37fc0b0566"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"9e0152e23c1efad91d4d8b6a3b75e56f7562b6a9","unresolved":false,"context_lines":[{"line_number":144,"context_line":"    # NOTE context_is_observer is only here due to upgrade issues,"},{"line_number":145,"context_line":"    # because the nova_user was not previously required"},{"line_number":146,"context_line":"    \"compute:member\":"},{"line_number":147,"context_line":"        \"role:compute_member or not rule:compute:context_is_observer\""},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"    # NOTE rule:is_admin is here only to allow a smooth upgrade"},{"line_number":150,"context_line":"    \"compute:admin\": \"role:compute_admin or rule:is_admin\""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a1ff146_f958a6fc","line":147,"in_reply_to":"3a1ff146_727308e8","updated":"2017-03-16 10:52:28.000000000","message":"I hope implied roles smooth over that.","commit_id":"5ccff2e24173c57378676189c6d3ef37fc0b0566"},{"author":{"_account_id":782,"name":"John 
Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"9e0152e23c1efad91d4d8b6a3b75e56f7562b6a9","unresolved":false,"context_lines":[{"line_number":161,"context_line":"        \"rule:compute:context_is_observer or rule:compute:context_is_user"},{"line_number":162,"context_line":"         or rule:compute:context_is_admin\""},{"line_number":163,"context_line":"    # NOTE we are keeping admin_or_owner here to help with upgrades"},{"line_number":164,"context_line":"    \"compute:write\":"},{"line_number":165,"context_line":"        \"rule:compute:context_is_user or rule:compute:context_is_admin"},{"line_number":166,"context_line":"         or rule:admin_or_owner\""},{"line_number":167,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"ba2be162_3fe6cdb4","line":164,"updated":"2017-03-16 10:52:28.000000000","message":"Ironic already did this with is_member, is_observer and is_admin:\nhttps://github.com/openstack/ironic/blob/8db68fef4e97b2ed6552b80215ab03093f18e615/ironic/common/policy.py\n\nGiven that we might want to consider using observer rather than \"read\".\n\nWe should also note that the previous spec that deals with scope outside of the policy file makes multi-tenant and single-tenant services projects look the same now.","commit_id":"5ccff2e24173c57378676189c6d3ef37fc0b0566"},{"author":{"_account_id":4257,"name":"Zane Bitter","email":"zbitter@redhat.com","username":"zaneb"},"change_message_id":"63a45b83d2142946d9462ca2d668ee3af2d07fe7","unresolved":false,"context_lines":[{"line_number":251,"context_line":"Alternatives"},{"line_number":252,"context_line":"------------"},{"line_number":253,"context_line":""},{"line_number":254,"context_line":"Rather than read / write / admin we could go for observer / member / admin."},{"line_number":255,"context_line":""},{"line_number":256,"context_line":"One big limitation of the proposed approach is that you can\u0027t have a 
single"},{"line_number":257,"context_line":"token that is both global read and local write. Within a given project its"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a1ff146_d2883c25","line":254,"updated":"2017-03-15 19:21:48.000000000","message":"I guess this alternative was chosen?\n\nThe \u0027member\u0027 role had a specific meaning in Keystone at one point in time. Could this possibly cause confusion?","commit_id":"5ccff2e24173c57378676189c6d3ef37fc0b0566"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"9e0152e23c1efad91d4d8b6a3b75e56f7562b6a9","unresolved":false,"context_lines":[{"line_number":251,"context_line":"Alternatives"},{"line_number":252,"context_line":"------------"},{"line_number":253,"context_line":""},{"line_number":254,"context_line":"Rather than read / write / admin we could go for observer / member / admin."},{"line_number":255,"context_line":""},{"line_number":256,"context_line":"One big limitation of the proposed approach is that you can\u0027t have a single"},{"line_number":257,"context_line":"token that is both global read and local write. Within a given project its"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3a1ff146_f926e666","line":254,"in_reply_to":"3a1ff146_d2883c25","updated":"2017-03-16 10:52:28.000000000","message":"Possibly, I think it was only convention in keystone, but I should double check that. 
In keystone once you have *any* role in some project, you can authenticate to that project; if you don\u0027t have a role assignment in that project, your user is assumed not to be associated with that project in any way.\n\nI need to pick one or the other I guess :) Preferences welcome, I am currently thinking about copying ironic.","commit_id":"5ccff2e24173c57378676189c6d3ef37fc0b0566"},{"author":{"_account_id":6062,"name":"jichenjc","email":"jichenjc@cn.ibm.com","username":"jichenjc"},"change_message_id":"b4be5a3ab9bd85c44010f3d6d03fc9f0cdf9dedd","unresolved":false,"context_lines":[{"line_number":339,"context_line":"Other deployer impact"},{"line_number":340,"context_line":"---------------------"},{"line_number":341,"context_line":""},{"line_number":342,"context_line":"Deployers that have modified the complete policy file, may find they"},{"line_number":343,"context_line":"need significant rework to use the new proposed policy file."},{"line_number":344,"context_line":""},{"line_number":345,"context_line":"Developer impact"},{"line_number":346,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":12,"id":"1a1ced50_c7e4220f","line":343,"range":{"start_line":342,"start_character":0,"end_line":343,"end_character":60},"updated":"2017-03-17 11:27:26.000000000","message":"is it possible to provide a tool as a follow up or at least some guide line doc about the migration? 
\n\nsome vendor ship openstack solution and the admin might have less knowledge to \u0027professional\u0027 openstack admin, then a tool or doc will smooth/help the way for migrate from old openstack release to new one","commit_id":"218d1342f8f19dda54a6be00dc308aecf950e1f0"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"1870926acf80594a913a3a4522662d13cc5ae9eb","unresolved":false,"context_lines":[{"line_number":339,"context_line":"Other deployer impact"},{"line_number":340,"context_line":"---------------------"},{"line_number":341,"context_line":""},{"line_number":342,"context_line":"Deployers that have modified the complete policy file, may find they"},{"line_number":343,"context_line":"need significant rework to use the new proposed policy file."},{"line_number":344,"context_line":""},{"line_number":345,"context_line":"Developer impact"},{"line_number":346,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":12,"id":"1a1ced50_a65b9f53","line":343,"range":{"start_line":342,"start_character":0,"end_line":343,"end_character":60},"in_reply_to":"1a1ced50_c7e4220f","updated":"2017-03-17 16:08:09.000000000","message":"The plan here is backwards compatibility for folks on the previous defaults, with log warning where there is more work to do.\n\nIf there are specific tools we need, totally. 
I am just not sure what that would be right now.","commit_id":"218d1342f8f19dda54a6be00dc308aecf950e1f0"},{"author":{"_account_id":18337,"name":"Sujitha","email":"sujitha.neti@intel.com","username":"Sujitha"},"change_message_id":"b6d2f7ecf9af7ada865a3e9e33eaffae2a474be2","unresolved":false,"context_lines":[{"line_number":93,"context_line":""},{"line_number":94,"context_line":"  * they have read and write access to all resources in Nova"},{"line_number":95,"context_line":"  * that includes access to all admin functions like live-migrate"},{"line_number":96,"context_line":"  * this is equivalent to the current \"admin\" role"},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"* Cinder Service role:"},{"line_number":99,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"ffe62b97_dabea9d3","line":96,"updated":"2017-03-29 22:15:19.000000000","message":"So this is global admin.","commit_id":"4efbb6e2716d5da46d13c865dc27b9db23917554"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"628127b395739e5dc23b2efde5f0d10e8c2374a9","unresolved":false,"context_lines":[{"line_number":93,"context_line":""},{"line_number":94,"context_line":"  * they have read and write access to all resources in Nova"},{"line_number":95,"context_line":"  * that includes access to all admin functions like live-migrate"},{"line_number":96,"context_line":"  * this is equivalent to the current \"admin\" role"},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"* Cinder Service role:"},{"line_number":99,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"dfeb2761_aaeb25da","line":96,"in_reply_to":"ffe62b97_dabea9d3","updated":"2017-04-03 09:42:33.000000000","message":"yeah, I should be explicit, this use case is when you get the admin role in the special keystone admin 
project.","commit_id":"4efbb6e2716d5da46d13c865dc27b9db23917554"},{"author":{"_account_id":18337,"name":"Sujitha","email":"sujitha.neti@intel.com","username":"Sujitha"},"change_message_id":"b6d2f7ecf9af7ada865a3e9e33eaffae2a474be2","unresolved":false,"context_lines":[{"line_number":145,"context_line":"    # (oslo.polcy will deal with this and log warnings if needed)"},{"line_number":146,"context_line":"    \"compute:context_is_global\":"},{"line_number":147,"context_line":"        \"role:compute_global or role:admin or"},{"line_number":148,"context_line":"         role:compute_cinder or role:compute_neutron\""},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"    #"},{"line_number":151,"context_line":"    # Define the users"}],"source_content_type":"text/x-rst","patch_set":14,"id":"ffe62b97_7719e8d4","line":148,"range":{"start_line":148,"start_character":9,"end_line":148,"end_character":52},"updated":"2017-03-29 22:15:19.000000000","message":"Cinder and Neutron service roles are added here because currently external events and swap volume needs global admin?","commit_id":"4efbb6e2716d5da46d13c865dc27b9db23917554"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"628127b395739e5dc23b2efde5f0d10e8c2374a9","unresolved":false,"context_lines":[{"line_number":145,"context_line":"    # (oslo.polcy will deal with this and log warnings if needed)"},{"line_number":146,"context_line":"    \"compute:context_is_global\":"},{"line_number":147,"context_line":"        \"role:compute_global or role:admin or"},{"line_number":148,"context_line":"         role:compute_cinder or role:compute_neutron\""},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"    #"},{"line_number":151,"context_line":"    # Define the 
users"}],"source_content_type":"text/x-rst","patch_set":14,"id":"dfeb2761_2ab955e8","line":148,"range":{"start_line":148,"start_character":9,"end_line":148,"end_character":52},"in_reply_to":"ffe62b97_7719e8d4","updated":"2017-04-03 09:42:33.000000000","message":"Honestly, this is probably wrong. I want to give cinder and neutron roles global access, without the need for being in the special keystone admin project. I need to describe that better.","commit_id":"4efbb6e2716d5da46d13c865dc27b9db23917554"},{"author":{"_account_id":18337,"name":"Sujitha","email":"sujitha.neti@intel.com","username":"Sujitha"},"change_message_id":"b6d2f7ecf9af7ada865a3e9e33eaffae2a474be2","unresolved":false,"context_lines":[{"line_number":170,"context_line":"    #"},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"    \"compute:read\":"},{"line_number":173,"context_line":"        \"rule:compute:context_is_observer or rule:compute:context_is_user"},{"line_number":174,"context_line":"         or rule:compute:context_is_admin\""},{"line_number":175,"context_line":"    # NOTE we are keeping admin_or_owner here to help with upgrades"},{"line_number":176,"context_line":"    \"compute:write\":"}],"source_content_type":"text/x-rst","patch_set":14,"id":"ffe62b97_b5309657","line":173,"range":{"start_line":173,"start_character":58,"end_line":173,"end_character":73},"updated":"2017-03-29 22:15:19.000000000","message":"Should we write this as context_is_member?","commit_id":"4efbb6e2716d5da46d13c865dc27b9db23917554"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"628127b395739e5dc23b2efde5f0d10e8c2374a9","unresolved":false,"context_lines":[{"line_number":170,"context_line":"    #"},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"    \"compute:read\":"},{"line_number":173,"context_line":"        \"rule:compute:context_is_observer or 
rule:compute:context_is_user"},{"line_number":174,"context_line":"         or rule:compute:context_is_admin\""},{"line_number":175,"context_line":"    # NOTE we are keeping admin_or_owner here to help with upgrades"},{"line_number":176,"context_line":"    \"compute:write\":"}],"source_content_type":"text/x-rst","patch_set":14,"id":"dfeb2761_4ab259e8","line":173,"range":{"start_line":173,"start_character":58,"end_line":173,"end_character":73},"in_reply_to":"ffe62b97_b5309657","updated":"2017-04-03 09:42:33.000000000","message":"actually, these rules are a bit messed up, I need to look at these again, and probably do it step by step.","commit_id":"4efbb6e2716d5da46d13c865dc27b9db23917554"},{"author":{"_account_id":18337,"name":"Sujitha","email":"sujitha.neti@intel.com","username":"Sujitha"},"change_message_id":"b6d2f7ecf9af7ada865a3e9e33eaffae2a474be2","unresolved":false,"context_lines":[{"line_number":174,"context_line":"         or rule:compute:context_is_admin\""},{"line_number":175,"context_line":"    # NOTE we are keeping admin_or_owner here to help with upgrades"},{"line_number":176,"context_line":"    \"compute:write\":"},{"line_number":177,"context_line":"        \"rule:compute:context_is_user or rule:compute:context_is_admin"},{"line_number":178,"context_line":"         or rule:admin_or_owner\""},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"Adding new roles into policy default"}],"source_content_type":"text/x-rst","patch_set":14,"id":"ffe62b97_755d6e77","line":177,"range":{"start_line":177,"start_character":22,"end_line":177,"end_character":37},"updated":"2017-03-29 22:15:19.000000000","message":"same here","commit_id":"4efbb6e2716d5da46d13c865dc27b9db23917554"},{"author":{"_account_id":18337,"name":"Sujitha","email":"sujitha.neti@intel.com","username":"Sujitha"},"change_message_id":"b6d2f7ecf9af7ada865a3e9e33eaffae2a474be2","unresolved":false,"context_lines":[{"line_number":235,"context_line":"  * scope check: {\"project_id\": 
\"server.project_id\" }"},{"line_number":236,"context_line":""},{"line_number":237,"context_line":"We will need to improve the policy functional tests to cover all the extra"},{"line_number":238,"context_line":"roles we are adding here, to ensure every API call has behaving as required."},{"line_number":239,"context_line":""},{"line_number":240,"context_line":"While it would be nice to consider making the policy names better match the"},{"line_number":241,"context_line":"concepts the operator is thinking about when configuring the policy, it is"}],"source_content_type":"text/x-rst","patch_set":14,"id":"ffe62b97_17797cc6","line":238,"range":{"start_line":238,"start_character":51,"end_line":238,"end_character":54},"updated":"2017-03-29 22:15:19.000000000","message":"nit: s/has/is","commit_id":"4efbb6e2716d5da46d13c865dc27b9db23917554"}],"specs/pike/approved/policy-cleanup-pike.rst":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4748f05083ad5750dfe42d5d51439ccdeedf62fe","unresolved":false,"context_lines":[{"line_number":21,"context_line":"Deployers find it hard to modify our RBAC controls through the policy.yaml."},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"In Newton, all policy rules are now defined in code. This lets us now move"},{"line_number":24,"context_line":"to evolve the policy file into a more useful position."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"One reason why deployers want to modify policy is because the default RBAC"},{"line_number":27,"context_line":"rules we ship with are extremely primitive. 
If we have richer rules, people"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a461143_01c0eedf","line":24,"updated":"2017-02-01 19:57:40.000000000","message":"Documentation around this would make a great community goal.","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"01c095d20bbd3347a76c16ea1a44a34799002661","unresolved":false,"context_lines":[{"line_number":21,"context_line":"Deployers find it hard to modify our RBAC controls through the policy.yaml."},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"In Newton, all policy rules are now defined in code. This lets us now move"},{"line_number":24,"context_line":"to evolve the policy file into a more useful position."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"One reason why deployers want to modify policy is because the default RBAC"},{"line_number":27,"context_line":"rules we ship with are extremely primitive. If we have richer rules, people"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a461143_edbade09","line":24,"in_reply_to":"3a461143_01c0eedf","updated":"2017-02-02 11:29:49.000000000","message":"Good point. I should do that thing. I wasn\u0027t sure how much acceptance that was getting yet.","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4748f05083ad5750dfe42d5d51439ccdeedf62fe","unresolved":false,"context_lines":[{"line_number":24,"context_line":"to evolve the policy file into a more useful position."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"One reason why deployers want to modify policy is because the default RBAC"},{"line_number":27,"context_line":"rules we ship with are extremely primitive. 
If we have richer rules, people"},{"line_number":28,"context_line":"will only need to tweak the policy config so the role names match the default"},{"line_number":29,"context_line":"roles, rather than having to hand role a totally custom policy file."},{"line_number":30,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a461143_e1612213","line":27,"updated":"2017-02-01 19:57:40.000000000","message":"Making them unusable when modeling real-world organizations in deployments.","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"01c095d20bbd3347a76c16ea1a44a34799002661","unresolved":false,"context_lines":[{"line_number":24,"context_line":"to evolve the policy file into a more useful position."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"One reason why deployers want to modify policy is because the default RBAC"},{"line_number":27,"context_line":"rules we ship with are extremely primitive. 
If we have richer rules, people"},{"line_number":28,"context_line":"will only need to tweak the policy config so the role names match the default"},{"line_number":29,"context_line":"roles, rather than having to hand role a totally custom policy file."},{"line_number":30,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a461143_8d715a7a","line":27,"in_reply_to":"3a461143_e1612213","updated":"2017-02-02 11:29:49.000000000","message":"Thats a good way of putting it, I should take that.","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":5441,"name":"Andrew Laski","email":"andrew@lascii.com","username":"alaski"},"change_message_id":"d18670ec61a6449b1c72669fccb15d6716ebdbeb","unresolved":false,"context_lines":[{"line_number":34,"context_line":"* unit tests work against a fake policy file, rather than the in code default"},{"line_number":35,"context_line":"* there is a default target where it makes most policy rules a noop"},{"line_number":36,"context_line":"* there are no docs for any of the rules"},{"line_number":37,"context_line":"* we need to be able to deprecate and rename rules like we do configuration"},{"line_number":38,"context_line":"* policy is sometimes too flexible and leads to a lack of interop,"},{"line_number":39,"context_line":"  while API discoverability will help, there are other things we can do      "},{"line_number":40,"context_line":"* Policy checks for project membership are hardcoded in the DB layer"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a461143_c1ba660a","line":37,"updated":"2017-02-01 19:21:58.000000000","message":"This belongs in an oslo.policy spec. 
I might leave it out of discussion here.","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"01c095d20bbd3347a76c16ea1a44a34799002661","unresolved":false,"context_lines":[{"line_number":34,"context_line":"* unit tests work against a fake policy file, rather than the in code default"},{"line_number":35,"context_line":"* there is a default target where it makes most policy rules a noop"},{"line_number":36,"context_line":"* there are no docs for any of the rules"},{"line_number":37,"context_line":"* we need to be able to deprecate and rename rules like we do configuration"},{"line_number":38,"context_line":"* policy is sometimes too flexible and leads to a lack of interop,"},{"line_number":39,"context_line":"  while API discoverability will help, there are other things we can do      "},{"line_number":40,"context_line":"* Policy checks for project membership are hardcoded in the DB layer"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a461143_6dceeeb5","line":37,"in_reply_to":"3a461143_c1ba660a","updated":"2017-02-02 11:29:49.000000000","message":"/me nods. 
I need to separate those out, assuming they are happy to merge those features.","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4748f05083ad5750dfe42d5d51439ccdeedf62fe","unresolved":false,"context_lines":[{"line_number":56,"context_line":"* Operator member (OM): has all the access of Operator observer,"},{"line_number":57,"context_line":"  but also can do operations like live-migration, and migration."},{"line_number":58,"context_line":"  But they are not able to do destructuive things like delete a server."},{"line_number":59,"context_line":"* Nova Admin (NA): this is someone who is able to do everything in the "},{"line_number":60,"context_line":"  Nova system, although its generally not possible to create things in"},{"line_number":61,"context_line":"  another project."},{"line_number":62,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a461143_04039c0e","line":59,"updated":"2017-02-01 19:57:40.000000000","message":"Is this the role we would give to the nova service user? I assume the nova service user would be able to get away with even a subset of the permissions given to NA. 
It would be nice to have those operations documented in a specific role and only grant the service user exactly what it needs and nothing more.","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"01c095d20bbd3347a76c16ea1a44a34799002661","unresolved":false,"context_lines":[{"line_number":56,"context_line":"* Operator member (OM): has all the access of Operator observer,"},{"line_number":57,"context_line":"  but also can do operations like live-migration, and migration."},{"line_number":58,"context_line":"  But they are not able to do destructuive things like delete a server."},{"line_number":59,"context_line":"* Nova Admin (NA): this is someone who is able to do everything in the "},{"line_number":60,"context_line":"  Nova system, although its generally not possible to create things in"},{"line_number":61,"context_line":"  another project."},{"line_number":62,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a461143_0db9eaec","line":59,"in_reply_to":"3a461143_04039c0e","updated":"2017-02-02 11:29:49.000000000","message":"Dam it, the Nova service user is another one. 
Actually I believe there is one for Cinder and one for Neutron.","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4748f05083ad5750dfe42d5d51439ccdeedf62fe","unresolved":false,"context_lines":[{"line_number":60,"context_line":"  Nova system, although its generally not possible to create things in"},{"line_number":61,"context_line":"  another project."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"TODO - what is the keystone model for these?"},{"line_number":64,"context_line":""},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"TODO - common deployment patterns"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a461143_24dc1846","line":63,"updated":"2017-02-01 19:57:40.000000000","message":"Using the same model from above, but applying it to keystone resources (if that\u0027s what you mean):\n\n  * Project observer (PO): Has the ability to authenticate and validate\n    for a token scoped to the project. Has the ability to change their \n    password and other self service user operations.\n  * Project member (PM): Same as above, but not much more only because\n    most things within the identity service are admin-like things, which more\n    than likely require an operator (at least at the domain level).\n  * Domain observer (DO): Has the ability to list users, projects, and roles\n    within a specific domain, strictly read-only access to domain-level\n    attributes.\n  * Domain member (DM): Has the ability to create users, groups,\n    projects, and roles within the domain. Has the ability to assign\n    users to projects or place users in groups but only within a specific\n    domain.\n  * Operator observer (OO): Has the ability to list services, endpoints,\n    regions. 
Cannot make any changes to the service catalog.\n  * Operator member (OM): Has all the access of the Operator observer\n    and the ability to create and modify entities of the service catalog.\n  * Keystone Admin (KA): Has the ability to do everything within the\n    identity system.","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"01c095d20bbd3347a76c16ea1a44a34799002661","unresolved":false,"context_lines":[{"line_number":60,"context_line":"  Nova system, although its generally not possible to create things in"},{"line_number":61,"context_line":"  another project."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"TODO - what is the keystone model for these?"},{"line_number":64,"context_line":""},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"TODO - common deployment patterns"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a461143_2d8ce634","line":63,"in_reply_to":"3a461143_24dc1846","updated":"2017-02-02 11:29:49.000000000","message":"Let\u0027s call that a service admin, then we get the same abbreviations.","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f992d1623739db34f6f71e0f3b234091f6281fba","unresolved":false,"context_lines":[{"line_number":60,"context_line":"  Nova system, although its generally not possible to create things in"},{"line_number":61,"context_line":"  another project."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"TODO - what is the keystone model for these?"},{"line_number":64,"context_line":""},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"TODO - common deployment 
patterns"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a461143_ab0997df","line":63,"in_reply_to":"3a461143_2d8ce634","updated":"2017-02-02 15:10:29.000000000","message":"Do we want to have the same role name for both the keystone and nova roles? If we have service admin that allows the ability for specific keystone admin things and nova admin things, and I assign it to the nova service user, they will have the ability to do keystone service user operations. Do we want that? Does that violate the principle of least privilege?","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"e2603e6360e202edfb662e283c8234caa4105e04","unresolved":false,"context_lines":[{"line_number":60,"context_line":"  Nova system, although its generally not possible to create things in"},{"line_number":61,"context_line":"  another project."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"TODO - what is the keystone model for these?"},{"line_number":64,"context_line":""},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"TODO - common deployment patterns"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1a430d35_d865e5e1","line":63,"in_reply_to":"3a461143_ab0997df","updated":"2017-02-03 18:05:01.000000000","message":"I was really meaning get the same terms/names/definitions if we can.\n\nThe role names totally have to be per service, and different for each service. 
For all the reasons you state.","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":5441,"name":"Andrew Laski","email":"andrew@lascii.com","username":"alaski"},"change_message_id":"d18670ec61a6449b1c72669fccb15d6716ebdbeb","unresolved":false,"context_lines":[{"line_number":81,"context_line":"for \"any authenticated user\"."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"So we should stop the policy check having an optional target, every call"},{"line_number":84,"context_line":"should explicitly specify a target."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"At the same time, we should revisit the unit tests. They haven\u0027t spotted"},{"line_number":87,"context_line":"this massive problem, and as such we should look at some new unit tests"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a461143_81ca1e6d","line":84,"updated":"2017-02-01 19:21:58.000000000","message":"+1. Before this spec is approved there should be a quick audit to ensure that this makes sense for all policy checks. I seem to recall that there was one or two for which it didn\u0027t make sense to pass a target, however my memory is fuzzy on it.\n\nOne other thing to consider is that it can be meaningful to distinguish between \"this policy check fails regardless of target\" and \"this policy check fails for this target\". 
How that\u0027s done is an implementation detail but it might be useful to allow for non-targetted policy checks to make this distinction.","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"01c095d20bbd3347a76c16ea1a44a34799002661","unresolved":false,"context_lines":[{"line_number":81,"context_line":"for \"any authenticated user\"."},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"So we should stop the policy check having an optional target, every call"},{"line_number":84,"context_line":"should explicitly specify a target."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"At the same time, we should revisit the unit tests. They haven\u0027t spotted"},{"line_number":87,"context_line":"this massive problem, and as such we should look at some new unit tests"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a461143_0d81ea4d","line":84,"in_reply_to":"3a461143_81ca1e6d","updated":"2017-02-02 11:29:49.000000000","message":"I was actually thinking about going for a target of {} for those ones. But very good point.","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":5441,"name":"Andrew Laski","email":"andrew@lascii.com","username":"alaski"},"change_message_id":"d18670ec61a6449b1c72669fccb15d6716ebdbeb","unresolved":false,"context_lines":[{"line_number":84,"context_line":"should explicitly specify a target."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"At the same time, we should revisit the unit tests. They haven\u0027t spotted"},{"line_number":87,"context_line":"this massive problem, and as such we should look at some new unit tests"},{"line_number":88,"context_line":"for the policy checks, that test the default policy rule. 
In some cases"},{"line_number":89,"context_line":"where we added the ability to specify \"user_id\" based policy rules, we"},{"line_number":90,"context_line":"should ensure those work by overriding the policy file."}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a461143_c1726649","line":87,"updated":"2017-02-01 19:21:58.000000000","message":"It\u0027s somewhat intentional that they don\u0027t address this problem. Changing policy rules to take a target is an API breaking change that needs to take versioning into account, or a decision needs to be made that policy controls supercede strict backwards compatibility.","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"e2603e6360e202edfb662e283c8234caa4105e04","unresolved":false,"context_lines":[{"line_number":84,"context_line":"should explicitly specify a target."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"At the same time, we should revisit the unit tests. They haven\u0027t spotted"},{"line_number":87,"context_line":"this massive problem, and as such we should look at some new unit tests"},{"line_number":88,"context_line":"for the policy checks, that test the default policy rule. In some cases"},{"line_number":89,"context_line":"where we added the ability to specify \"user_id\" based policy rules, we"},{"line_number":90,"context_line":"should ensure those work by overriding the policy file."}],"source_content_type":"text/x-rst","patch_set":1,"id":"1a430d35_f890e197","line":87,"in_reply_to":"3a461143_abd7d721","updated":"2017-02-03 18:05:01.000000000","message":"The follow has my funky plan of how we change all this with zero impact. 
Its a little nuts.","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"01c095d20bbd3347a76c16ea1a44a34799002661","unresolved":false,"context_lines":[{"line_number":84,"context_line":"should explicitly specify a target."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"At the same time, we should revisit the unit tests. They haven\u0027t spotted"},{"line_number":87,"context_line":"this massive problem, and as such we should look at some new unit tests"},{"line_number":88,"context_line":"for the policy checks, that test the default policy rule. In some cases"},{"line_number":89,"context_line":"where we added the ability to specify \"user_id\" based policy rules, we"},{"line_number":90,"context_line":"should ensure those work by overriding the policy file."}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a461143_cde60244","line":87,"in_reply_to":"3a461143_c1726649","updated":"2017-02-02 11:29:49.000000000","message":"Honestly, it doesn\u0027t seem to change the behaviour at all, in the majority of cases, we would just be replacing the DB checks.\n\nAgreed if you have non-default policy, it opens a different can of worms.","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f992d1623739db34f6f71e0f3b234091f6281fba","unresolved":false,"context_lines":[{"line_number":84,"context_line":"should explicitly specify a target."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"At the same time, we should revisit the unit tests. They haven\u0027t spotted"},{"line_number":87,"context_line":"this massive problem, and as such we should look at some new unit tests"},{"line_number":88,"context_line":"for the policy checks, that test the default policy rule. 
In some cases"},{"line_number":89,"context_line":"where we added the ability to specify \"user_id\" based policy rules, we"},{"line_number":90,"context_line":"should ensure those work by overriding the policy file."}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a461143_abd7d721","line":87,"in_reply_to":"3a461143_cde60244","updated":"2017-02-02 15:10:29.000000000","message":"That\u0027s a good point - I never thought of that. This would be an interesting discussion and something we\u0027d need to document the outcome of before other projects start adopting/implementing these default roles.","commit_id":"d7d0c713505b9ecf3cfc064af8835bc277daefc3"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"746010ae2bc59f0b5fc324a23d95900524f22106","unresolved":false,"context_lines":[{"line_number":24,"context_line":"the policy file into a more useful position, without breaking our upgrades"},{"line_number":25,"context_line":"rules of release N configuration working unmodified with release N+1."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"In an ideal work, deployers should only need to configure which rule names"},{"line_number":28,"context_line":"are used in their environment. However our default policy file is very flat,"},{"line_number":29,"context_line":"only supporting admin and owner. This forces many users to attempt to rewrite"},{"line_number":30,"context_line":"the whole policy file. This is hard, and few have succeeded. 
It is hoped we"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a461143_0b546b52","line":27,"updated":"2017-02-02 16:05:26.000000000","message":"world*?","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"99fd1c3411e15c26c6ae1393b55de20e15fe056d","unresolved":false,"context_lines":[{"line_number":24,"context_line":"the policy file into a more useful position, without breaking our upgrades"},{"line_number":25,"context_line":"rules of release N configuration working unmodified with release N+1."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"In an ideal work, deployers should only need to configure which rule names"},{"line_number":28,"context_line":"are used in their environment. However our default policy file is very flat,"},{"line_number":29,"context_line":"only supporting admin and owner. This forces many users to attempt to rewrite"},{"line_number":30,"context_line":"the whole policy file. This is hard, and few have succeeded. 
It is hoped we"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_98f8bde7","line":27,"in_reply_to":"3a461143_0b546b52","updated":"2017-02-03 18:06:28.000000000","message":"+1","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":31,"context_line":"can make the default policy file richer, so less deployers will need to do"},{"line_number":32,"context_line":"a full customization of the policy file, and we can better cover 80% of cases."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"In a similar vain, we should provide a little more indirection in the policy"},{"line_number":35,"context_line":"file, so its easier to change the access to multiple API endpoint in one rule."},{"line_number":36,"context_line":"For example, we should make it easy to allow users to have access to both"},{"line_number":37,"context_line":"user and operator instance actions. 
Operators should not be forced to check"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_4ba7b3bc","line":34,"range":{"start_line":34,"start_character":13,"end_line":34,"end_character":17},"updated":"2017-02-08 22:08:21.000000000","message":"vein*","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":34,"context_line":"In a similar vain, we should provide a little more indirection in the policy"},{"line_number":35,"context_line":"file, so its easier to change the access to multiple API endpoint in one rule."},{"line_number":36,"context_line":"For example, we should make it easy to allow users to have access to both"},{"line_number":37,"context_line":"user and operator instance actions. Operators should not be forced to check"},{"line_number":38,"context_line":"on every upgrade to see if a new action has been added that they need to"},{"line_number":39,"context_line":"configure."},{"line_number":40,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_4b95f330","line":37,"range":{"start_line":37,"start_character":1,"end_line":37,"end_character":34},"updated":"2017-02-08 22:08:21.000000000","message":"what are \"user and operator instance actions\"?","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":34,"context_line":"In a similar vain, we should provide a little more indirection in the policy"},{"line_number":35,"context_line":"file, so its easier to change the access to multiple API endpoint in one rule."},{"line_number":36,"context_line":"For example, we should make it 
easy to allow users to have access to both"},{"line_number":37,"context_line":"user and operator instance actions. Operators should not be forced to check"},{"line_number":38,"context_line":"on every upgrade to see if a new action has been added that they need to"},{"line_number":39,"context_line":"configure."},{"line_number":40,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_f440aca7","line":37,"range":{"start_line":37,"start_character":1,"end_line":37,"end_character":34},"in_reply_to":"1a430d35_4b95f330","updated":"2017-02-13 10:55:28.000000000","message":"I am talking about boot vs live-migration.\n\nThe instance actions that are admin only today, largely.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":45,"context_line":"consider interoperability when deciding how granular to make our policy rules."},{"line_number":46,"context_line":"For example, it is likely that each instance action should have its own policy"},{"line_number":47,"context_line":"rule. While some actions have pairs, often only one of the pairs is a"},{"line_number":48,"context_line":"destructive action. But when you consider the read APIs for instances, it"},{"line_number":49,"context_line":"would be better if we have a single set of rules that covers listing, detailed"},{"line_number":50,"context_line":"listing, and fetching the details of a specific instance. 
It would be strange"},{"line_number":51,"context_line":"if you found an API where you had access to only one of these operations, so"},{"line_number":52,"context_line":"we should restrict the policy rules so we don\u0027t increase interoperability"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_faa4a34b","line":49,"range":{"start_line":48,"start_character":71,"end_line":49,"end_character":68},"updated":"2017-02-08 22:08:21.000000000","message":"I think that will work in nova if (and only if) you fix the issue of scope checks being done in policy in some places. E.g. os_compute_api:os-simple-tenant-usage:list (admin only) vs. os_compute_api:os-simple-tenant-usage:show (admin or owner). More explanation on this in a later comment...","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":45,"context_line":"consider interoperability when deciding how granular to make our policy rules."},{"line_number":46,"context_line":"For example, it is likely that each instance action should have its own policy"},{"line_number":47,"context_line":"rule. While some actions have pairs, often only one of the pairs is a"},{"line_number":48,"context_line":"destructive action. But when you consider the read APIs for instances, it"},{"line_number":49,"context_line":"would be better if we have a single set of rules that covers listing, detailed"},{"line_number":50,"context_line":"listing, and fetching the details of a specific instance. 
It would be strange"},{"line_number":51,"context_line":"if you found an API where you had access to only one of these operations, so"},{"line_number":52,"context_line":"we should restrict the policy rules so we don\u0027t increase interoperability"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_7413dcb8","line":49,"range":{"start_line":48,"start_character":71,"end_line":49,"end_character":68},"in_reply_to":"1a430d35_faa4a34b","updated":"2017-02-13 10:55:28.000000000","message":"Agreed that needs fixing.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"746010ae2bc59f0b5fc324a23d95900524f22106","unresolved":false,"context_lines":[{"line_number":49,"context_line":"would be better if we have a single set of rules that covers listing, detailed"},{"line_number":50,"context_line":"listing, and fetching the details of a specific instance. It would be strange"},{"line_number":51,"context_line":"if you found an API where you had access to only one of these operations, so"},{"line_number":52,"context_line":"we should restrict the policy rules so we don\u0027t increase interoperability"},{"line_number":53,"context_line":"problems."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"Currently the policy rules are undocumented. To make things worse, the names"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3a461143_d6ebe6ae","line":52,"updated":"2017-02-02 16:05:26.000000000","message":"This sounds like we want each \"level\" of policy (i.e. project, domain, operator, etc..) to have two separate roles. 
The \"member\" role being a super set of functionality from the \"observer\" role?","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"99fd1c3411e15c26c6ae1393b55de20e15fe056d","unresolved":false,"context_lines":[{"line_number":49,"context_line":"would be better if we have a single set of rules that covers listing, detailed"},{"line_number":50,"context_line":"listing, and fetching the details of a specific instance. It would be strange"},{"line_number":51,"context_line":"if you found an API where you had access to only one of these operations, so"},{"line_number":52,"context_line":"we should restrict the policy rules so we don\u0027t increase interoperability"},{"line_number":53,"context_line":"problems."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"Currently the policy rules are undocumented. To make things worse, the names"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_58d57541","line":52,"in_reply_to":"3a461143_d6ebe6ae","updated":"2017-02-03 18:06:28.000000000","message":"Yeah, although I am not sure its quite so simple once you go past member and observer.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":61,"context_line":"some cases create usability issues):"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"* unit tests work against a fake policy file, rather than the in code default"},{"line_number":64,"context_line":"* there is a default target where it makes most policy rules a noop"},{"line_number":65,"context_line":"* Policy checks for project membership are hardcoded in the DB layer"},{"line_number":66,"context_line":"* we 
need to have a clear pattern to be able to deprecate and rename rules,"},{"line_number":67,"context_line":"  and more generally evolve the polcy rules."}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_8ea44408","line":64,"range":{"start_line":64,"start_character":2,"end_line":64,"end_character":67},"updated":"2017-02-08 22:08:21.000000000","message":"can you explain this better? I didn\u0027t follow.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":61,"context_line":"some cases create usability issues):"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"* unit tests work against a fake policy file, rather than the in code default"},{"line_number":64,"context_line":"* there is a default target where it makes most policy rules a noop"},{"line_number":65,"context_line":"* Policy checks for project membership are hardcoded in the DB layer"},{"line_number":66,"context_line":"* we need to have a clear pattern to be able to deprecate and rename rules,"},{"line_number":67,"context_line":"  and more generally evolve the polcy rules."}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_d48728d5","line":64,"range":{"start_line":64,"start_character":2,"end_line":64,"end_character":67},"in_reply_to":"1a430d35_8ea44408","updated":"2017-02-13 10:55:28.000000000","message":"This is the DB level policy hard coding problem you mention, just described another way.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":62,"context_line":""},{"line_number":63,"context_line":"* unit 
tests work against a fake policy file, rather than the in code default"},{"line_number":64,"context_line":"* there is a default target where it makes most policy rules a noop"},{"line_number":65,"context_line":"* Policy checks for project membership are hardcoded in the DB layer"},{"line_number":66,"context_line":"* we need to have a clear pattern to be able to deprecate and rename rules,"},{"line_number":67,"context_line":"  and more generally evolve the polcy rules."},{"line_number":68,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_6ec0f850","line":65,"range":{"start_line":65,"start_character":2,"end_line":65,"end_character":68},"updated":"2017-02-08 22:08:21.000000000","message":"checks for project membership should be hardcoded, because that\u0027s not something you should be allowed to override with policy (first, there\u0027s no reason to allow it, and second, if you make people check this in policy you will find that it is not done properly somewhere and boom: security problem), but they shouldn\u0027t be in the DB layer or in general be using policy (exception is when/where you want to have an all_tenants policy check to control visibility outside your project). So then the admin_or_owner rule goes away. 
Please clarify so we can make sure everyone\u0027s on the same page.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":62,"context_line":""},{"line_number":63,"context_line":"* unit tests work against a fake policy file, rather than the in code default"},{"line_number":64,"context_line":"* there is a default target where it makes most policy rules a noop"},{"line_number":65,"context_line":"* Policy checks for project membership are hardcoded in the DB layer"},{"line_number":66,"context_line":"* we need to have a clear pattern to be able to deprecate and rename rules,"},{"line_number":67,"context_line":"  and more generally evolve the polcy rules."},{"line_number":68,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_54e258a0","line":65,"range":{"start_line":65,"start_character":2,"end_line":65,"end_character":68},"in_reply_to":"1a430d35_6ec0f850","updated":"2017-02-13 10:55:28.000000000","message":"Its not quite that simple.\n\nI am really talking about how do you give several people \"admin\" access, its more like global access.\n\nToday you have to make them pass the is_admin check, otherwise they don\u0027t get access.\n\nAgreed with making it hard to screw that up. We just need to find a good way of doing that. 
I need to put my thinking cap on.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":66,"context_line":"* we need to have a clear pattern to be able to deprecate and rename rules,"},{"line_number":67,"context_line":"  and more generally evolve the polcy rules."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"In this spec we are not considering hierarchical tenancy. Nor do we address"},{"line_number":70,"context_line":"Nova\u0027s lack of support for keystone\u0027s \"Domain\" concept. We are also not"},{"line_number":71,"context_line":"looking at the efforts around a capability discoverability API that will"},{"line_number":72,"context_line":"aid interoperability in the face of deployments with different policy set."}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_ee930859","line":69,"range":{"start_line":69,"start_character":36,"end_line":69,"end_character":56},"updated":"2017-02-08 22:08:21.000000000","message":"usually called hierarchical multitenancy","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":77,"context_line":"Here we will talk about the roles we want to create inside our default policy"},{"line_number":78,"context_line":"file:"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"* Project observer (PO): monitoring applications may want to get a list of all"},{"line_number":81,"context_line":"  the servers in a project, this observer role should allow that kind of thing"},{"line_number":82,"context_line":"* Project member (PM): this is the 
current default, they have full CRUD access"},{"line_number":83,"context_line":"  to the servers resource, and access to all user facing operations."}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_84a42508","line":80,"range":{"start_line":80,"start_character":2,"end_line":80,"end_character":18},"updated":"2017-02-08 22:08:21.000000000","message":"\"project observer\" and \"operator observer\" are really the same role. The only difference in your definition is the scope, and that is something that should come from the role assignment, not from the role itself. There should be a single observer role, then you can either assign someone that role on any single project (equivalent of project observer) or assign it globally (equivalent of operator observer). Today, the way you give a global assignment is by giving them the assignment on a special project called the admin project (I would like to see them take projects completely out of that by creating a true global scope, but that doesn\u0027t really matter here... 
it would just be a different way to do the same thing).","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":77,"context_line":"Here we will talk about the roles we want to create inside our default policy"},{"line_number":78,"context_line":"file:"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"* Project observer (PO): monitoring applications may want to get a list of all"},{"line_number":81,"context_line":"  the servers in a project, this observer role should allow that kind of thing"},{"line_number":82,"context_line":"* Project member (PM): this is the current default, they have full CRUD access"},{"line_number":83,"context_line":"  to the servers resource, and access to all user facing operations."}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_d4ec8891","line":80,"range":{"start_line":80,"start_character":2,"end_line":80,"end_character":18},"in_reply_to":"1a430d35_84a42508","updated":"2017-02-13 10:55:28.000000000","message":"Keystone doesn\u0027t work like that right now, as I understand it.\n\nThis works within the current long established model. 
That might be the wrong approach.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"d81fae956dcd93cc5e4d71cb17ae33d8a648d4a4","unresolved":false,"context_lines":[{"line_number":79,"context_line":""},{"line_number":80,"context_line":"* Project observer (PO): monitoring applications may want to get a list of all"},{"line_number":81,"context_line":"  the servers in a project, this observer role should allow that kind of thing"},{"line_number":82,"context_line":"* Project member (PM): this is the current default, they have full CRUD access"},{"line_number":83,"context_line":"  to the servers resource, and access to all user facing operations."},{"line_number":84,"context_line":"* Operator observer (OO): this is someone who can look at the servers in any"},{"line_number":85,"context_line":"  project and list any users keypairs, but they can\u0027t make changes."},{"line_number":86,"context_line":"* Operator member (OM): has all the access of Operator observer,"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_381680f1","line":83,"range":{"start_line":82,"start_character":2,"end_line":83,"end_character":68},"updated":"2017-02-07 12:00:01.000000000","message":"If I want to create a role which is similar to PM, but it didn\u0027t have permission on few destructive action for the instance. So I have to just follow the PM to set the rule, there is no way to Inherit the permission from PM directly. 
But I guess that is the case for hierarchical tenancy?","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ffb1c8b452313ded8faeb2e7aa9e88be8392d71e","unresolved":false,"context_lines":[{"line_number":79,"context_line":""},{"line_number":80,"context_line":"* Project observer (PO): monitoring applications may want to get a list of all"},{"line_number":81,"context_line":"  the servers in a project, this observer role should allow that kind of thing"},{"line_number":82,"context_line":"* Project member (PM): this is the current default, they have full CRUD access"},{"line_number":83,"context_line":"  to the servers resource, and access to all user facing operations."},{"line_number":84,"context_line":"* Operator observer (OO): this is someone who can look at the servers in any"},{"line_number":85,"context_line":"  project and list any users keypairs, but they can\u0027t make changes."},{"line_number":86,"context_line":"* Operator member (OM): has all the access of Operator observer,"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_fc406336","line":83,"range":{"start_line":82,"start_character":2,"end_line":83,"end_character":68},"in_reply_to":"1a430d35_381680f1","updated":"2017-02-07 14:35:31.000000000","message":"Sorry, not sure I understand what you mean there.\n\nWe could create a project creator or something like that, that is like PM, but isn\u0027t allowed to do any destructive actions. 
Thats actually a role that keeps coming up that I have missed off here.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"342d6b13f62d4fd160fc9dd11e6bdf408fa92456","unresolved":false,"context_lines":[{"line_number":79,"context_line":""},{"line_number":80,"context_line":"* Project observer (PO): monitoring applications may want to get a list of all"},{"line_number":81,"context_line":"  the servers in a project, this observer role should allow that kind of thing"},{"line_number":82,"context_line":"* Project member (PM): this is the current default, they have full CRUD access"},{"line_number":83,"context_line":"  to the servers resource, and access to all user facing operations."},{"line_number":84,"context_line":"* Operator observer (OO): this is someone who can look at the servers in any"},{"line_number":85,"context_line":"  project and list any users keypairs, but they can\u0027t make changes."},{"line_number":86,"context_line":"* Operator member (OM): has all the access of Operator observer,"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_b4b1d4e3","line":83,"range":{"start_line":82,"start_character":2,"end_line":83,"end_character":68},"in_reply_to":"1a430d35_d6235a54","updated":"2017-02-13 10:24:36.000000000","message":"Sorry, I am still not quite getting the problem you describe. We should probably write out that use case.\n\nThe hierarchical bits I describe later on, I think help your use case. 
Because you can probably just edit the equivalent of admin or owner, so you can get similar permissions to the current set of rules, and maybe you have to edit one or two extra rules to customise things.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"757f33664146a54ea3666c9e02bf6183a109f6ed","unresolved":false,"context_lines":[{"line_number":79,"context_line":""},{"line_number":80,"context_line":"* Project observer (PO): monitoring applications may want to get a list of all"},{"line_number":81,"context_line":"  the servers in a project, this observer role should allow that kind of thing"},{"line_number":82,"context_line":"* Project member (PM): this is the current default, they have full CRUD access"},{"line_number":83,"context_line":"  to the servers resource, and access to all user facing operations."},{"line_number":84,"context_line":"* Operator observer (OO): this is someone who can look at the servers in any"},{"line_number":85,"context_line":"  project and list any users keypairs, but they can\u0027t make changes."},{"line_number":86,"context_line":"* Operator member (OM): has all the access of Operator observer,"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_d6235a54","line":83,"range":{"start_line":82,"start_character":2,"end_line":83,"end_character":68},"in_reply_to":"1a430d35_fc406336","updated":"2017-02-09 08:54:14.000000000","message":"Sorry for I didn\u0027t describe clearly.\n\nI mean the deployer wants to define a new role. So the deployer needs to edit the policy config file and go through all the policy rules. Even the deployer knows that the new role is very close to a existed role, there still is no way to re-use the policy configuration of existed role.\n\nI\u0027m kind of feeling Sean talk about same thing in the yesterday meeting. 
I need to re-read the meeting log....","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":82,"context_line":"* Project member (PM): this is the current default, they have full CRUD access"},{"line_number":83,"context_line":"  to the servers resource, and access to all user facing operations."},{"line_number":84,"context_line":"* Operator observer (OO): this is someone who can look at the servers in any"},{"line_number":85,"context_line":"  project and list any users keypairs, but they can\u0027t make changes."},{"line_number":86,"context_line":"* Operator member (OM): has all the access of Operator observer,"},{"line_number":87,"context_line":"  but also can do operations like live-migration, and migration."},{"line_number":88,"context_line":"  But they are not able to do destructuive things like delete a server."}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_0403d5b8","line":85,"range":{"start_line":85,"start_character":14,"end_line":85,"end_character":37},"updated":"2017-02-08 22:08:21.000000000","message":"when it comes to listing keypairs, it\u0027s fine for someone to be able to see someone else\u0027s keypairs in general, but we need to ensure that they can\u0027t see the private keys (for the case where OpenStack was used to generate the keypair, rather than just uploading the public key)","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":82,"context_line":"* Project member (PM): this is the current default, they have full CRUD access"},{"line_number":83,"context_line":"  to the servers 
resource, and access to all user facing operations."},{"line_number":84,"context_line":"* Operator observer (OO): this is someone who can look at the servers in any"},{"line_number":85,"context_line":"  project and list any users keypairs, but they can\u0027t make changes."},{"line_number":86,"context_line":"* Operator member (OM): has all the access of Operator observer,"},{"line_number":87,"context_line":"  but also can do operations like live-migration, and migration."},{"line_number":88,"context_line":"  But they are not able to do destructuive things like delete a server."}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_542c18ab","line":85,"range":{"start_line":85,"start_character":14,"end_line":85,"end_character":37},"in_reply_to":"1a430d35_0403d5b8","updated":"2017-02-13 10:55:28.000000000","message":"So no one can see the private keys. We don\u0027t store them, they are downloaded to the user that created the key.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":83,"context_line":"  to the servers resource, and access to all user facing operations."},{"line_number":84,"context_line":"* Operator observer (OO): this is someone who can look at the servers in any"},{"line_number":85,"context_line":"  project and list any users keypairs, but they can\u0027t make changes."},{"line_number":86,"context_line":"* Operator member (OM): has all the access of Operator observer,"},{"line_number":87,"context_line":"  but also can do operations like live-migration, and migration."},{"line_number":88,"context_line":"  But they are not able to do destructuive things like delete a server."},{"line_number":89,"context_line":"* Nova Service Admin (SA): this is someone who is able to do everything in 
the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_e46b291c","line":86,"range":{"start_line":86,"start_character":2,"end_line":86,"end_character":17},"updated":"2017-02-08 22:08:21.000000000","message":"to avoid confusion, you need to call this something else without \"member\" in the name since it is fundamentally different from the current member role that does allow deleting a server. I suggest simply calling it \"operator\", since we shouldn\u0027t need an \"operator observer\" role per my previous comment.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":83,"context_line":"  to the servers resource, and access to all user facing operations."},{"line_number":84,"context_line":"* Operator observer (OO): this is someone who can look at the servers in any"},{"line_number":85,"context_line":"  project and list any users keypairs, but they can\u0027t make changes."},{"line_number":86,"context_line":"* Operator member (OM): has all the access of Operator observer,"},{"line_number":87,"context_line":"  but also can do operations like live-migration, and migration."},{"line_number":88,"context_line":"  But they are not able to do destructuive things like delete a server."},{"line_number":89,"context_line":"* Nova Service Admin (SA): this is someone who is able to do everything in the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_d7248ab0","line":86,"range":{"start_line":86,"start_character":2,"end_line":86,"end_character":17},"in_reply_to":"1a430d35_e46b291c","updated":"2017-02-13 10:55:28.000000000","message":"It does appear common to give your L1 Support global read only access to the whole system.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew 
Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":85,"context_line":"  project and list any users keypairs, but they can\u0027t make changes."},{"line_number":86,"context_line":"* Operator member (OM): has all the access of Operator observer,"},{"line_number":87,"context_line":"  but also can do operations like live-migration, and migration."},{"line_number":88,"context_line":"  But they are not able to do destructuive things like delete a server."},{"line_number":89,"context_line":"* Nova Service Admin (SA): this is someone who is able to do everything in the"},{"line_number":90,"context_line":"  Nova service, although its generally not possible to create things in"},{"line_number":91,"context_line":"  another project."}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_04c83573","line":88,"range":{"start_line":88,"start_character":30,"end_line":88,"end_character":42},"updated":"2017-02-08 22:08:21.000000000","message":"destructive*","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"d81fae956dcd93cc5e4d71cb17ae33d8a648d4a4","unresolved":false,"context_lines":[{"line_number":81,"context_line":"  the servers in a project, this observer role should allow that kind of thing"},{"line_number":82,"context_line":"* Project member (PM): this is the current default, they have full CRUD access"},{"line_number":83,"context_line":"  to the servers resource, and access to all user facing operations."},{"line_number":84,"context_line":"* Operator observer (OO): this is someone who can look at the servers in any"},{"line_number":85,"context_line":"  project and list any users keypairs, but they can\u0027t make changes."},{"line_number":86,"context_line":"* Operator member (OM): has all the access of Operator 
observer,"},{"line_number":87,"context_line":"  but also can do operations like live-migration, and migration."},{"line_number":88,"context_line":"  But they are not able to do destructuive things like delete a server."},{"line_number":89,"context_line":"* Nova Service Admin (SA): this is someone who is able to do everything in the"},{"line_number":90,"context_line":"  Nova service, although its generally not possible to create things in"},{"line_number":91,"context_line":"  another project."}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_98f13404","line":88,"range":{"start_line":84,"start_character":2,"end_line":88,"end_character":71},"updated":"2017-02-07 12:00:01.000000000","message":"whether OO and OM can read or operate on aggregate and service stuff?","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ffb1c8b452313ded8faeb2e7aa9e88be8392d71e","unresolved":false,"context_lines":[{"line_number":81,"context_line":"  the servers in a project, this observer role should allow that kind of thing"},{"line_number":82,"context_line":"* Project member (PM): this is the current default, they have full CRUD access"},{"line_number":83,"context_line":"  to the servers resource, and access to all user facing operations."},{"line_number":84,"context_line":"* Operator observer (OO): this is someone who can look at the servers in any"},{"line_number":85,"context_line":"  project and list any users keypairs, but they can\u0027t make changes."},{"line_number":86,"context_line":"* Operator member (OM): has all the access of Operator observer,"},{"line_number":87,"context_line":"  but also can do operations like live-migration, and migration."},{"line_number":88,"context_line":"  But they are not able to do destructuive things like delete a server."},{"line_number":89,"context_line":"* Nova Service Admin (SA): this is someone who 
is able to do everything in the"},{"line_number":90,"context_line":"  Nova service, although its generally not possible to create things in"},{"line_number":91,"context_line":"  another project."}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_7c7b938c","line":88,"range":{"start_line":84,"start_character":2,"end_line":88,"end_character":71},"in_reply_to":"1a430d35_98f13404","updated":"2017-02-07 14:35:31.000000000","message":"Yes, they can read all host and aggregate info, in my head anyways. I should add that in here, somehow.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":86,"context_line":"* Operator member (OM): has all the access of Operator observer,"},{"line_number":87,"context_line":"  but also can do operations like live-migration, and migration."},{"line_number":88,"context_line":"  But they are not able to do destructuive things like delete a server."},{"line_number":89,"context_line":"* Nova Service Admin (SA): this is someone who is able to do everything in the"},{"line_number":90,"context_line":"  Nova service, although its generally not possible to create things in"},{"line_number":91,"context_line":"  another project."},{"line_number":92,"context_line":"* Service User for Cinder: there are Nova APIs cinder needs to be able to"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_87a42708","line":89,"range":{"start_line":89,"start_character":2,"end_line":89,"end_character":20},"updated":"2017-02-08 22:08:21.000000000","message":"I read this to be something that you\u0027d give to end users who you want to be compute admins but not, for example, block storage admins. If so, call it Compute Admin. \"Nova\" is just a codename and \"Service\" implies that it\u0027s for service users. 
And note that this will require nova changes to use a service token rather than the user\u0027s token to make calls to cinder, glance, neutron, etc., since this role would not allow them to talk to those other services.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":86,"context_line":"* Operator member (OM): has all the access of Operator observer,"},{"line_number":87,"context_line":"  but also can do operations like live-migration, and migration."},{"line_number":88,"context_line":"  But they are not able to do destructuive things like delete a server."},{"line_number":89,"context_line":"* Nova Service Admin (SA): this is someone who is able to do everything in the"},{"line_number":90,"context_line":"  Nova service, although its generally not possible to create things in"},{"line_number":91,"context_line":"  another project."},{"line_number":92,"context_line":"* Service User for Cinder: there are Nova APIs cinder needs to be able to"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_98a7220a","line":89,"range":{"start_line":89,"start_character":22,"end_line":89,"end_character":24},"updated":"2017-02-08 22:08:21.000000000","message":"you refer to this as \"NA\" throughout the rest of the spec, so better make that change here.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":86,"context_line":"* Operator member (OM): has all the access of Operator observer,"},{"line_number":87,"context_line":"  but also can do operations like live-migration, and migration."},{"line_number":88,"context_line":"  
But they are not able to do destructuive things like delete a server."},{"line_number":89,"context_line":"* Nova Service Admin (SA): this is someone who is able to do everything in the"},{"line_number":90,"context_line":"  Nova service, although its generally not possible to create things in"},{"line_number":91,"context_line":"  another project."},{"line_number":92,"context_line":"* Service User for Cinder: there are Nova APIs cinder needs to be able to"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_97513211","line":89,"range":{"start_line":89,"start_character":22,"end_line":89,"end_character":24},"in_reply_to":"1a430d35_98a7220a","updated":"2017-02-13 10:55:28.000000000","message":"Nova already uses service tokens in a similar way to how you describe. There are a few rough edges around there that means there is more to do there.\n\nIts likely an admin would need to the admin role across many projects, this simply is the first step towards making a true Nova only admin a reality, like you say, will need work.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":87,"context_line":"  but also can do operations like live-migration, and migration."},{"line_number":88,"context_line":"  But they are not able to do destructuive things like delete a server."},{"line_number":89,"context_line":"* Nova Service Admin (SA): this is someone who is able to do everything in the"},{"line_number":90,"context_line":"  Nova service, although its generally not possible to create things in"},{"line_number":91,"context_line":"  another project."},{"line_number":92,"context_line":"* Service User for Cinder: there are Nova APIs cinder needs to be able to"},{"line_number":93,"context_line":"  call, like swap_volume. 
This user only has access to those."},{"line_number":94,"context_line":"  Ideally we should be using a service token with a user token, to call this"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_c48c6ddc","line":91,"range":{"start_line":90,"start_character":16,"end_line":91,"end_character":17},"updated":"2017-02-08 22:08:21.000000000","message":"the ability to read, update, and delete things in other projects but not create in other projects is crazy and confusing. We\u0027re going to have to fix that one way or the other so that there is consistency.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":87,"context_line":"  but also can do operations like live-migration, and migration."},{"line_number":88,"context_line":"  But they are not able to do destructuive things like delete a server."},{"line_number":89,"context_line":"* Nova Service Admin (SA): this is someone who is able to do everything in the"},{"line_number":90,"context_line":"  Nova service, although its generally not possible to create things in"},{"line_number":91,"context_line":"  another project."},{"line_number":92,"context_line":"* Service User for Cinder: there are Nova APIs cinder needs to be able to"},{"line_number":93,"context_line":"  call, like swap_volume. 
This user only has access to those."},{"line_number":94,"context_line":"  Ideally we should be using a service token with a user token, to call this"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_97d77222","line":91,"range":{"start_line":90,"start_character":16,"end_line":91,"end_character":17},"in_reply_to":"1a430d35_c48c6ddc","updated":"2017-02-13 10:55:28.000000000","message":"Thats the current state, it turns out.\n\nImpersonation is required, or explicit access to the given tenant.\n\nI actually quite like the current state.\n\nFWIW, its more an API restriction, there is no way to tell Nova which project you want to create the instance in.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":91,"context_line":"  another project."},{"line_number":92,"context_line":"* Service User for Cinder: there are Nova APIs cinder needs to be able to"},{"line_number":93,"context_line":"  call, like swap_volume. This user only has access to those."},{"line_number":94,"context_line":"  Ideally we should be using a service token with a user token, to call this"},{"line_number":95,"context_line":"  API."},{"line_number":96,"context_line":"* Service User for External Events: there is an external events callback API"},{"line_number":97,"context_line":"  that is used by Neutron to say when a VIF is ready. 
There should be a role"},{"line_number":98,"context_line":"  that only gives you access to that API."}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_47b95fcb","line":95,"range":{"start_line":94,"start_character":72,"end_line":95,"end_character":5},"updated":"2017-02-08 22:08:21.000000000","message":"plural, these APIs","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":93,"context_line":"  call, like swap_volume. This user only has access to those."},{"line_number":94,"context_line":"  Ideally we should be using a service token with a user token, to call this"},{"line_number":95,"context_line":"  API."},{"line_number":96,"context_line":"* Service User for External Events: there is an external events callback API"},{"line_number":97,"context_line":"  that is used by Neutron to say when a VIF is ready. There should be a role"},{"line_number":98,"context_line":"  that only gives you access to that API."},{"line_number":99,"context_line":"  Ideally we should be using a service token with a user token, to call this"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_07f2f799","line":96,"range":{"start_line":96,"start_character":19,"end_line":96,"end_character":34},"updated":"2017-02-08 22:08:21.000000000","message":"I\u0027d make this neutron-specific rather than events API specific. Then if/when neutron needs to be able to call some other API, that can simply be added to this role.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":93,"context_line":"  call, like swap_volume. 
This user only has access to those."},{"line_number":94,"context_line":"  Ideally we should be using a service token with a user token, to call this"},{"line_number":95,"context_line":"  API."},{"line_number":96,"context_line":"* Service User for External Events: there is an external events callback API"},{"line_number":97,"context_line":"  that is used by Neutron to say when a VIF is ready. There should be a role"},{"line_number":98,"context_line":"  that only gives you access to that API."},{"line_number":99,"context_line":"  Ideally we should be using a service token with a user token, to call this"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_d7b80ae8","line":96,"range":{"start_line":96,"start_character":19,"end_line":96,"end_character":34},"in_reply_to":"1a430d35_07f2f799","updated":"2017-02-13 10:55:28.000000000","message":"Yeah, maybe. I was trying to avoid that, but its probably the real use case here.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":99,"context_line":"  Ideally we should be using a service token with a user token, to call this"},{"line_number":100,"context_line":"  API."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"TODO - what is the keystone model for these?"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"TODO - common deployment patterns"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_072037f6","line":102,"range":{"start_line":102,"start_character":0,"end_line":102,"end_character":44},"updated":"2017-02-08 22:08:21.000000000","message":"Scope (project vs. 
beyond-project) should come from the token\u0027s scope, not from the role.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":99,"context_line":"  Ideally we should be using a service token with a user token, to call this"},{"line_number":100,"context_line":"  API."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"TODO - what is the keystone model for these?"},{"line_number":103,"context_line":""},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"TODO - common deployment patterns"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_d79d6a5a","line":102,"range":{"start_line":102,"start_character":0,"end_line":102,"end_character":44},"in_reply_to":"1a430d35_072037f6","updated":"2017-02-13 10:55:28.000000000","message":"I didn\u0027t know that was a thing. 
I should look into what keystone has planned there.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":105,"context_line":"TODO - common deployment patterns"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"* default, can just be PM and NA (or just NA)"},{"line_number":108,"context_line":"* everyone is an admin in their own project (self service cloud)"},{"line_number":109,"context_line":"* complicated / custom"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"TODO - list out common policy changes deployers want to make."}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_e7aecb2c","line":108,"range":{"start_line":108,"start_character":2,"end_line":108,"end_character":64},"updated":"2017-02-08 22:08:21.000000000","message":"that is unworkable today, since the current \"admin\" role implementation lets you read/update/delete in other projects. We desperately need to fix that. 
See https://review.openstack.org/#/c/384148/","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":105,"context_line":"TODO - common deployment patterns"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"* default, can just be PM and NA (or just NA)"},{"line_number":108,"context_line":"* everyone is an admin in their own project (self service cloud)"},{"line_number":109,"context_line":"* complicated / custom"},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"TODO - list out common policy changes deployers want to make."}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_1779c22f","line":108,"range":{"start_line":108,"start_character":2,"end_line":108,"end_character":64},"in_reply_to":"1a430d35_e7aecb2c","updated":"2017-02-13 10:55:28.000000000","message":"Its actually possible to edit policy to make this happen, but its hard work. Not sure how that change is relevant to this actually. I must be missing something.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":118,"context_line":""},{"line_number":119,"context_line":"Currently many operations default to admin_or_owner, but we don\u0027t actually"},{"line_number":120,"context_line":"specify the policy target in the policy check call. 
This means most rules"},{"line_number":121,"context_line":"fall back the default target, which means the policy turns into a check"},{"line_number":122,"context_line":"for \"any authenticated user\"."},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"So we should stop the policy check having an optional target, every call"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_fdac988d","line":121,"range":{"start_line":121,"start_character":14,"end_line":121,"end_character":28},"updated":"2017-02-08 22:08:21.000000000","message":"A large part of the problem here is that there is a default target in the first place. The target is supposed to describe the specific resource being acted on, so it can\u0027t be built from information in the request context, which is what is happening today... the target is supposed to be checked AGAINST the context, so, as you say, the check devolves to an \"any authenticated user\" check. So you\u0027re absolutely right, but I totally thought you were wrong until I dug into the code and really thought about it... can you clarify this in the spec to save others that time?","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":118,"context_line":""},{"line_number":119,"context_line":"Currently many operations default to admin_or_owner, but we don\u0027t actually"},{"line_number":120,"context_line":"specify the policy target in the policy check call. 
This means most rules"},{"line_number":121,"context_line":"fall back the default target, which means the policy turns into a check"},{"line_number":122,"context_line":"for \"any authenticated user\"."},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"So we should stop the policy check having an optional target, every call"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_d7100aab","line":121,"range":{"start_line":121,"start_character":14,"end_line":121,"end_character":28},"in_reply_to":"1a430d35_fdac988d","updated":"2017-02-13 10:55:28.000000000","message":"Yep, the default target needs removing. I could try describe that better in v2 of the spec.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":119,"context_line":"Currently many operations default to admin_or_owner, but we don\u0027t actually"},{"line_number":120,"context_line":"specify the policy target in the policy check call. This means most rules"},{"line_number":121,"context_line":"fall back the default target, which means the policy turns into a check"},{"line_number":122,"context_line":"for \"any authenticated user\"."},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"So we should stop the policy check having an optional target, every call"},{"line_number":125,"context_line":"should explicitly specify a target. The calls without any target should"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_7d0b487d","line":122,"range":{"start_line":122,"start_character":4,"end_line":122,"end_character":28},"updated":"2017-02-08 22:08:21.000000000","message":"This gives me all kinds of heebie jeebies... Isn\u0027t this a security bug? 
Why are we talking about this in a spec and not in a Private Security bug?","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":119,"context_line":"Currently many operations default to admin_or_owner, but we don\u0027t actually"},{"line_number":120,"context_line":"specify the policy target in the policy check call. This means most rules"},{"line_number":121,"context_line":"fall back the default target, which means the policy turns into a check"},{"line_number":122,"context_line":"for \"any authenticated user\"."},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"So we should stop the policy check having an optional target, every call"},{"line_number":125,"context_line":"should explicitly specify a target. The calls without any target should"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_571dfabb","line":122,"range":{"start_line":122,"start_character":4,"end_line":122,"end_character":28},"in_reply_to":"1a430d35_7d0b487d","updated":"2017-02-13 10:55:28.000000000","message":"Yes, but we are safe here due to the hard-coded project checks deeper in the DB layer. This has been widely discussed in public channels at this point. It feels like more attention around that area can only help us at this point.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":125,"context_line":"should explicitly specify a target. 
The calls without any target should"},{"line_number":126,"context_line":"explicitly specify an empty dictionary as the target."},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"At the same time, we should revisit the unit tests. They haven\u0027t spotted"},{"line_number":129,"context_line":"this massive problem, and as such we should look at some new unit tests"},{"line_number":130,"context_line":"for the policy checks, that test the default policy rule. In some cases"},{"line_number":131,"context_line":"where we added the ability to specify \"user_id\" based policy rules, we"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_1de2442f","line":128,"range":{"start_line":128,"start_character":28,"end_line":128,"end_character":50},"updated":"2017-02-08 22:08:21.000000000","message":"there\u0027s a lot of work to be done on UTs, I totally agree. I have a patch up for one issue if you have a chance to look: https://review.openstack.org/#/c/398610","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":125,"context_line":"should explicitly specify a target. The calls without any target should"},{"line_number":126,"context_line":"explicitly specify an empty dictionary as the target."},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"At the same time, we should revisit the unit tests. They haven\u0027t spotted"},{"line_number":129,"context_line":"this massive problem, and as such we should look at some new unit tests"},{"line_number":130,"context_line":"for the policy checks, that test the default policy rule. 
In some cases"},{"line_number":131,"context_line":"where we added the ability to specify \"user_id\" based policy rules, we"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_f7dc2ee6","line":128,"range":{"start_line":128,"start_character":28,"end_line":128,"end_character":50},"in_reply_to":"1a430d35_1de2442f","updated":"2017-02-13 10:55:28.000000000","message":"Honestly, I really want us to agree a plan, its so inconsistent right now, which is terrible.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":131,"context_line":"where we added the ability to specify \"user_id\" based policy rules, we"},{"line_number":132,"context_line":"should ensure those work by overriding the policy file."},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"Note that all of this should be done without affecting the API. This is simply"},{"line_number":135,"context_line":"replacing the existing DB checks with policy layer checks. It is also worth"},{"line_number":136,"context_line":"noting we will need to make extra DB calls to determine the correct target for"},{"line_number":137,"context_line":"each of the API calls. But once we remove the DB hardcoding, we should be back"},{"line_number":138,"context_line":"to the same number of DB calls."}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_9d11d406","line":135,"range":{"start_line":134,"start_character":64,"end_line":135,"end_character":57},"updated":"2017-02-08 22:08:21.000000000","message":"Was this paragraph originally somewhere else? 
It sounds like it had something before it that is now missing.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":131,"context_line":"where we added the ability to specify \"user_id\" based policy rules, we"},{"line_number":132,"context_line":"should ensure those work by overriding the policy file."},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"Note that all of this should be done without affecting the API. This is simply"},{"line_number":135,"context_line":"replacing the existing DB checks with policy layer checks. It is also worth"},{"line_number":136,"context_line":"noting we will need to make extra DB calls to determine the correct target for"},{"line_number":137,"context_line":"each of the API calls. But once we remove the DB hardcoding, we should be back"},{"line_number":138,"context_line":"to the same number of DB calls."}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_b7e9d682","line":135,"range":{"start_line":134,"start_character":64,"end_line":135,"end_character":57},"in_reply_to":"1a430d35_9d11d406","updated":"2017-02-13 10:55:28.000000000","message":"oops.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"d81fae956dcd93cc5e4d71cb17ae33d8a648d4a4","unresolved":false,"context_lines":[{"line_number":134,"context_line":"Note that all of this should be done without affecting the API. This is simply"},{"line_number":135,"context_line":"replacing the existing DB checks with policy layer checks. 
It is also worth"},{"line_number":136,"context_line":"noting we will need to make extra DB calls to determine the correct target for"},{"line_number":137,"context_line":"each of the API calls. But once we remove the DB hardcoding, we should be back"},{"line_number":138,"context_line":"to the same number of DB calls."},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"Remove DB hardcoding"},{"line_number":141,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_950f4487","line":138,"range":{"start_line":137,"start_character":23,"end_line":138,"end_character":31},"updated":"2017-02-07 12:00:01.000000000","message":"Removing the DB layer project checks only removes a filter condition from the SQL, so I didn\u0027t get why it will reduce the number of DB calls.\n\nAnd what about listing resources: will we remove the project checks there too? If we remove that check, the list will return resources from all projects, which sounds bad.\n\nOr, for the list method, the default API behaviour always lists the project-owned resources and only lists resources across projects with a specific parameter. But the rule will still mean \"any authenticated user\" for the list method....","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ffb1c8b452313ded8faeb2e7aa9e88be8392d71e","unresolved":false,"context_lines":[{"line_number":134,"context_line":"Note that all of this should be done without affecting the API. This is simply"},{"line_number":135,"context_line":"replacing the existing DB checks with policy layer checks. It is also worth"},{"line_number":136,"context_line":"noting we will need to make extra DB calls to determine the correct target for"},{"line_number":137,"context_line":"each of the API calls. 
But once we remove the DB hardcoding, we should be back"},{"line_number":138,"context_line":"to the same number of DB calls."},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"Remove DB hardcoding"},{"line_number":141,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_5c6097a5","line":138,"range":{"start_line":137,"start_character":23,"end_line":138,"end_character":31},"in_reply_to":"1a430d35_950f4487","updated":"2017-02-07 14:35:31.000000000","message":"Lots of the checks in the DB layer are actually a separate DB call to look up the instance:\nhttps://github.com/openstack/nova/blob/master/nova/db/sqlalchemy/api.py#L6932\n\nWe don\u0027t remove the check for list instances, that\u0027s different, right? The default list instances implies you filter by tenant_id in the token, unless you have all_tenants. Just like any server you create is created in the tenant_id in the token right now.\n\nWhat will change is we add that filter in the API based on policy, rather than it living in the DB layer.\n\nClearly that all needs expressing better, but honestly the code is easier than explaining that.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"d81fae956dcd93cc5e4d71cb17ae33d8a648d4a4","unresolved":false,"context_lines":[{"line_number":146,"context_line":"* properly tested using the policy defaults in the code"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"We can now consider removing the hard coded project checks from the database"},{"line_number":149,"context_line":"layer, and instead only check the policy at the tip on the API. 
This follows"},{"line_number":150,"context_line":"on from the removal of all the \"requires_admin\" checks from the database."},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"If we don\u0027t do this, users are only really only ever able to restrict using"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_f5ab2873","line":149,"range":{"start_line":149,"start_character":48,"end_line":149,"end_character":51},"updated":"2017-02-07 12:00:01.000000000","message":"top?","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ffb1c8b452313ded8faeb2e7aa9e88be8392d71e","unresolved":false,"context_lines":[{"line_number":146,"context_line":"* properly tested using the policy defaults in the code"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"We can now consider removing the hard coded project checks from the database"},{"line_number":149,"context_line":"layer, and instead only check the policy at the tip on the API. 
This follows"},{"line_number":150,"context_line":"on from the removal of all the \"requires_admin\" checks from the database."},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"If we don\u0027t do this, users are only really only ever able to restrict using"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_7c6553b3","line":149,"range":{"start_line":149,"start_character":48,"end_line":149,"end_character":51},"in_reply_to":"1a430d35_f5ab2873","updated":"2017-02-07 14:35:31.000000000","message":"oops, yes.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":168,"context_line":"* POST /servers"},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"  * This is a \"Create\" operation (scoped in my own project)"},{"line_number":171,"context_line":"  * PO: False, PM: True, OO: False, OM: False, NA: False"},{"line_number":172,"context_line":"  * new rule: compute:servers:create"},{"line_number":173,"context_line":"  * NOTE: its interesting that"},{"line_number":174,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_33bd71d8","line":171,"range":{"start_line":171,"start_character":47,"end_line":171,"end_character":56},"updated":"2017-02-08 22:08:21.000000000","message":"I think this should be true... or I\u0027ve totally misunderstood the role definition. See my earlier comment for how I understood this. If you intend this to be less-than-admin role, a) what is the value proposition for that and b) do you not envision a need for them to create something for someone who\u0027s having trouble, or for themselves to test something out or to get something ready to snapshot into a new image, etc.? 
And why allow delete if you don\u0027t allow create?","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":168,"context_line":"* POST /servers"},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"  * This is a \"Create\" operation (scoped in my own project)"},{"line_number":171,"context_line":"  * PO: False, PM: True, OO: False, OM: False, NA: False"},{"line_number":172,"context_line":"  * new rule: compute:servers:create"},{"line_number":173,"context_line":"  * NOTE: its interesting that"},{"line_number":174,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_f78a6ebe","line":171,"range":{"start_line":171,"start_character":47,"end_line":171,"end_character":56},"in_reply_to":"1a430d35_33bd71d8","updated":"2017-02-13 10:55:28.000000000","message":"This is more about representing the current reality in the policy rules. There is no way to say which tenant you create your instance in, although we could look at fixing that. 
Its probably more needed for hierarchical cases really.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":170,"context_line":"  * This is a \"Create\" operation (scoped in my own project)"},{"line_number":171,"context_line":"  * PO: False, PM: True, OO: False, OM: False, NA: False"},{"line_number":172,"context_line":"  * new rule: compute:servers:create"},{"line_number":173,"context_line":"  * NOTE: its interesting that"},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"* GET /servers"},{"line_number":176,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_d8660aec","line":173,"range":{"start_line":173,"start_character":2,"end_line":173,"end_character":30},"updated":"2017-02-08 22:08:21.000000000","message":"what\u0027s interesting?","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":170,"context_line":"  * This is a \"Create\" operation (scoped in my own project)"},{"line_number":171,"context_line":"  * PO: False, PM: True, OO: False, OM: False, NA: False"},{"line_number":172,"context_line":"  * new rule: compute:servers:create"},{"line_number":173,"context_line":"  * NOTE: its interesting that"},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"* GET /servers"},{"line_number":176,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_97c052e2","line":173,"range":{"start_line":173,"start_character":2,"end_line":173,"end_character":30},"in_reply_to":"1a430d35_d8660aec","updated":"2017-02-13 
10:55:28.000000000","message":"oops, that was the admin thing you pointed out I think.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"d81fae956dcd93cc5e4d71cb17ae33d8a648d4a4","unresolved":false,"context_lines":[{"line_number":176,"context_line":""},{"line_number":177,"context_line":"  * This is a \"Read\" operation, scoped in my own project"},{"line_number":178,"context_line":"  * PO: True, PM: True, OO: True, OM: True, NA: True"},{"line_number":179,"context_line":"  * new rule: compute:servers:read"},{"line_number":180,"context_line":"  * same is used by /server/\u003cid\u003e and /servers/details, etc"},{"line_number":181,"context_line":""},{"line_number":182,"context_line":"* GET /servers?project_id\u003d\u003cnot_my_project\u003e"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_b50e0039","line":179,"range":{"start_line":179,"start_character":4,"end_line":179,"end_character":34},"updated":"2017-02-07 12:00:01.000000000","message":"What should we call for getting single resource?","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ffb1c8b452313ded8faeb2e7aa9e88be8392d71e","unresolved":false,"context_lines":[{"line_number":176,"context_line":""},{"line_number":177,"context_line":"  * This is a \"Read\" operation, scoped in my own project"},{"line_number":178,"context_line":"  * PO: True, PM: True, OO: True, OM: True, NA: True"},{"line_number":179,"context_line":"  * new rule: compute:servers:read"},{"line_number":180,"context_line":"  * same is used by /server/\u003cid\u003e and /servers/details, etc"},{"line_number":181,"context_line":""},{"line_number":182,"context_line":"* GET 
/servers?project_id\u003d\u003cnot_my_project\u003e"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_1c6b6f86","line":179,"range":{"start_line":179,"start_character":4,"end_line":179,"end_character":34},"in_reply_to":"1a430d35_b50e0039","updated":"2017-02-07 14:35:31.000000000","message":"No, I believe we shouldn\u0027t see below.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"d81fae956dcd93cc5e4d71cb17ae33d8a648d4a4","unresolved":false,"context_lines":[{"line_number":183,"context_line":""},{"line_number":184,"context_line":"  * This is a \"Read\" operation, scoped outside my own project"},{"line_number":185,"context_line":"  * PO: False, PM: False, OO: True, OM: True, NA: True"},{"line_number":186,"context_line":"  * new rule: compute:servers:read_all"},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"* PUT /servers/\u003cid\u003e"},{"line_number":189,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_b0436e41","line":186,"range":{"start_line":186,"start_character":14,"end_line":186,"end_character":38},"updated":"2017-02-07 12:00:01.000000000","message":"I feel this is confuse. 
\"read\" sounds like for \"GET /servers/{uuid}\", \"readall\" sounds like for \"GET /servers\"","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":183,"context_line":""},{"line_number":184,"context_line":"  * This is a \"Read\" operation, scoped outside my own project"},{"line_number":185,"context_line":"  * PO: False, PM: False, OO: True, OM: True, NA: True"},{"line_number":186,"context_line":"  * new rule: compute:servers:read_all"},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"* PUT /servers/\u003cid\u003e"},{"line_number":189,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_18b97215","line":186,"range":{"start_line":186,"start_character":14,"end_line":186,"end_character":38},"in_reply_to":"1a430d35_3cff4bab","updated":"2017-02-08 22:08:21.000000000","message":"compute:servers:read:other_projects. Start with \"compute:servers:read\" since that should always be checked first (when you first enter the methods handling GET /servers and GET /servers/{server_id}) and then nova should subsequently make this check when it determines the request is targeting something outside the current project. It says \"other\" instead of \"all\" because it\u0027s not necessarily only used when you ask for all... 
it would also be used when you ask for a specific instance in another project via GET /servers/{server_id}, though in that case you should catch the exception so you can raise NotFound instead of Forbidden.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ffb1c8b452313ded8faeb2e7aa9e88be8392d71e","unresolved":false,"context_lines":[{"line_number":183,"context_line":""},{"line_number":184,"context_line":"  * This is a \"Read\" operation, scoped outside my own project"},{"line_number":185,"context_line":"  * PO: False, PM: False, OO: True, OM: True, NA: True"},{"line_number":186,"context_line":"  * new rule: compute:servers:read_all"},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"* PUT /servers/\u003cid\u003e"},{"line_number":189,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_3cff4bab","line":186,"range":{"start_line":186,"start_character":14,"end_line":186,"end_character":38},"in_reply_to":"1a430d35_b0436e41","updated":"2017-02-07 14:35:31.000000000","message":"yeah, needs a better name. 
compute:servers:access_all_tenants might be better here.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"d81fae956dcd93cc5e4d71cb17ae33d8a648d4a4","unresolved":false,"context_lines":[{"line_number":188,"context_line":"* PUT /servers/\u003cid\u003e"},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"  * This is an \"Update\" operation"},{"line_number":191,"context_line":"  * PO: False, PM: False, OO: False, OM: False, NA: True"},{"line_number":192,"context_line":"  * new rule: compute:servers:update"},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"* DELETE /servers/\u003cid\u003e"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_53840f5d","line":191,"range":{"start_line":191,"start_character":37,"end_line":191,"end_character":39},"updated":"2017-02-07 12:00:01.000000000","message":"OM should be true also? 
The update isn\u0027t a destructive action.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":18337,"name":"Sujitha","email":"sujitha.neti@intel.com","username":"Sujitha"},"change_message_id":"17a7ae41b5c4b23797c0e1958b7ae43c4b69e50a","unresolved":false,"context_lines":[{"line_number":188,"context_line":"* PUT /servers/\u003cid\u003e"},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"  * This is an \"Update\" operation"},{"line_number":191,"context_line":"  * PO: False, PM: False, OO: False, OM: False, NA: True"},{"line_number":192,"context_line":"  * new rule: compute:servers:update"},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"* DELETE /servers/\u003cid\u003e"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_7a301c9f","line":191,"range":{"start_line":191,"start_character":19,"end_line":191,"end_character":24},"updated":"2017-02-06 19:02:52.000000000","message":"PM should be true for this?","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":188,"context_line":"* PUT /servers/\u003cid\u003e"},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"  * This is an \"Update\" operation"},{"line_number":191,"context_line":"  * PO: False, PM: False, OO: False, OM: False, NA: True"},{"line_number":192,"context_line":"  * new rule: compute:servers:update"},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"* DELETE /servers/\u003cid\u003e"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_98eac272","line":191,"range":{"start_line":191,"start_character":37,"end_line":191,"end_character":39},"in_reply_to":"1a430d35_3c72eb49","updated":"2017-02-08 22:08:21.000000000","message":"the confusion here 
backs up my previous comment... OM should not have member in the name, since that will confuse people who will want to equate it with PM.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ffb1c8b452313ded8faeb2e7aa9e88be8392d71e","unresolved":false,"context_lines":[{"line_number":188,"context_line":"* PUT /servers/\u003cid\u003e"},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"  * This is an \"Update\" operation"},{"line_number":191,"context_line":"  * PO: False, PM: False, OO: False, OM: False, NA: True"},{"line_number":192,"context_line":"  * new rule: compute:servers:update"},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"* DELETE /servers/\u003cid\u003e"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_3c72eb49","line":191,"range":{"start_line":191,"start_character":37,"end_line":191,"end_character":39},"in_reply_to":"1a430d35_53840f5d","updated":"2017-02-07 14:35:31.000000000","message":"Oops, yes PM should be true.\n\nOM is different really, they have no need to update names, so I didn\u0027t want to give them that access, regardless of whether we call this destructive or not. Personally as it changes what the API returns without the user modifying something, so I am calling that destructive.\n\nOM I was really putting there for things like moving VMs. 
Now that means they can call things that are destructive, like migrate, but I think that is required given the role of that user.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":237,"context_line":"operators to smoothly upgrade to the new version, and supplies them with"},{"line_number":238,"context_line":"appropriate warnings."},{"line_number":239,"context_line":""},{"line_number":240,"context_line":"These are the main cases to worry about:"},{"line_number":241,"context_line":""},{"line_number":242,"context_line":"* Rename: simplest case, rule1 becomes the new rule42, a user should be able"},{"line_number":243,"context_line":"  to specify the old name of rule1, but it will generate a warning. Should"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_776b64b7","line":240,"range":{"start_line":240,"start_character":0,"end_line":240,"end_character":39},"updated":"2017-02-08 22:08:21.000000000","message":"there will be others... e.g. https://review.openstack.org/#/c/389314/ raised some questions from folks.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":258,"context_line":"When we evolve the policy file, we will need to transition is_admin_or_owner"},{"line_number":259,"context_line":"from requiring the role \"admin\" or just being a member of a project to"},{"line_number":260,"context_line":"requiring the role \"compute_admin\" or being a member of a project and having"},{"line_number":261,"context_line":"the \"compute_member\" role. 
To ease this transition, we really want to provide"},{"line_number":262,"context_line":"both a default rule, and a \"deprecated default\" rule."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"If you have no override in the policy file, and a context fails the test for"},{"line_number":265,"context_line":"the default rule, oslo.policy should then check if they pass the \"deprecated"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_17a780bd","line":262,"range":{"start_line":261,"start_character":27,"end_line":262,"end_character":53},"updated":"2017-02-08 22:08:21.000000000","message":"I\u0027m not following quite what these are... Note that the current \"default\" rule that oslo.policy defines is no longer used anywhere in nova, since the move to policy-in-code. Each rule that nova checks, being defined in code, never meets the condition that the rule has no definition and thus the default rule is never used. Maybe you\u0027re talking about having these 2 default values for each rule that nova checks? Please clarify.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":258,"context_line":"When we evolve the policy file, we will need to transition is_admin_or_owner"},{"line_number":259,"context_line":"from requiring the role \"admin\" or just being a member of a project to"},{"line_number":260,"context_line":"requiring the role \"compute_admin\" or being a member of a project and having"},{"line_number":261,"context_line":"the \"compute_member\" role. 
To ease this transition, we really want to provide"},{"line_number":262,"context_line":"both a default rule, and a \"deprecated default\" rule."},{"line_number":263,"context_line":""},{"line_number":264,"context_line":"If you have no override in the policy file, and a context fails the test for"},{"line_number":265,"context_line":"the default rule, oslo.policy should then check if they pass the \"deprecated"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_d771eae1","line":262,"range":{"start_line":261,"start_character":27,"end_line":262,"end_character":53},"in_reply_to":"1a430d35_17a780bd","updated":"2017-02-13 10:55:28.000000000","message":"Yeah, the latter, in the code definition, we have two \"defaults\", it needs a better name. Maybe deprecated_fallback_rule or some such.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":263,"context_line":""},{"line_number":264,"context_line":"If you have no override in the policy file, and a context fails the test for"},{"line_number":265,"context_line":"the default rule, oslo.policy should then check if they pass the \"deprecated"},{"line_number":266,"context_line":"default\" rule. If a user fails the default, buy passes the \"deprecated"},{"line_number":267,"context_line":"default\" rule, then a warning message should be logged telling the operator"},{"line_number":268,"context_line":"that they need to assign new rules to their users (or update their policy"},{"line_number":269,"context_line":"file) before they next upgrade. 
We should only log this warning the first time"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_575ae8f2","line":266,"range":{"start_line":266,"start_character":44,"end_line":266,"end_character":47},"updated":"2017-02-08 22:08:21.000000000","message":"but*","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":276,"context_line":"To help with this evolution, we should warn users if they have a policy file"},{"line_number":277,"context_line":"that defines a policy override that exactly matches either the default or the"},{"line_number":278,"context_line":"deprecated default policy rule. Users will find upgrades much smoother if they"},{"line_number":279,"context_line":"only override the rules what intent to change. We could also warn if a"},{"line_number":280,"context_line":"commented out rule no longer matches the default in the code. 
This check need"},{"line_number":281,"context_line":"only work if the comment format matches that generated by the sample policy"},{"line_number":282,"context_line":"file generator."}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_977a9022","line":279,"range":{"start_line":279,"start_character":24,"end_line":279,"end_character":35},"updated":"2017-02-08 22:08:21.000000000","message":"they intend?","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":276,"context_line":"To help with this evolution, we should warn users if they have a policy file"},{"line_number":277,"context_line":"that defines a policy override that exactly matches either the default or the"},{"line_number":278,"context_line":"deprecated default policy rule. Users will find upgrades much smoother if they"},{"line_number":279,"context_line":"only override the rules what intent to change. We could also warn if a"},{"line_number":280,"context_line":"commented out rule no longer matches the default in the code. 
This check need"},{"line_number":281,"context_line":"only work if the comment format matches that generated by the sample policy"},{"line_number":282,"context_line":"file generator."},{"line_number":283,"context_line":""},{"line_number":284,"context_line":"As part of this change, we need to update the sample policy file generation to"},{"line_number":285,"context_line":"default to commenting out all the rules, so the sample file doesn\u0027t generate"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_f7911448","line":282,"range":{"start_line":279,"start_character":47,"end_line":282,"end_character":15},"updated":"2017-02-08 22:08:21.000000000","message":"I think that\u0027s going too far","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":276,"context_line":"To help with this evolution, we should warn users if they have a policy file"},{"line_number":277,"context_line":"that defines a policy override that exactly matches either the default or the"},{"line_number":278,"context_line":"deprecated default policy rule. Users will find upgrades much smoother if they"},{"line_number":279,"context_line":"only override the rules what intent to change. We could also warn if a"},{"line_number":280,"context_line":"commented out rule no longer matches the default in the code. 
This check need"},{"line_number":281,"context_line":"only work if the comment format matches that generated by the sample policy"},{"line_number":282,"context_line":"file generator."},{"line_number":283,"context_line":""},{"line_number":284,"context_line":"As part of this change, we need to update the sample policy file generation to"},{"line_number":285,"context_line":"default to commenting out all the rules, so the sample file doesn\u0027t generate"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_b7455671","line":282,"range":{"start_line":279,"start_character":47,"end_line":282,"end_character":15},"in_reply_to":"1a430d35_f7911448","updated":"2017-02-13 10:55:28.000000000","message":"Turns out we have a tool for that already.\n\nThe intent here is to help folks with upgrades. When we change them, they may not have realized they started over-riding the default.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":293,"context_line":"features, we can look at how to transition from the existing rules to the new"},{"line_number":294,"context_line":"policy rules."},{"line_number":295,"context_line":""},{"line_number":296,"context_line":"We will need to review every existing policy rule, rename or combine the old"},{"line_number":297,"context_line":"rules by using the above deprecation systems. We then update the default rule"},{"line_number":298,"context_line":"to the new role structure, moving the old rule default to the \"deprecated"},{"line_number":299,"context_line":"default\" rule. 
The unit tests we added for the old policy rules should be"},{"line_number":300,"context_line":"retained to ensure we don\u0027t break users that are upgrading."}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_170a208a","line":297,"range":{"start_line":296,"start_character":51,"end_line":297,"end_character":44},"updated":"2017-02-08 22:08:21.000000000","message":"in some cases you will also need to split a check that\u0027s shared across multiple APIs into separate checks, as I\u0027m trying to do in https://review.openstack.org/#/c/389314/ to give a level of control consistent with other APIs.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"d81fae956dcd93cc5e4d71cb17ae33d8a648d4a4","unresolved":false,"context_lines":[{"line_number":303,"context_line":"------------"},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"Keystone have proposed adding rules into keystone middlewere, that understand"},{"line_number":306,"context_line":"the standard REST patterns. This is tricky for Nova because some policy rules"},{"line_number":307,"context_line":"relate to specific body or query string parameters to the API."},{"line_number":308,"context_line":""},{"line_number":309,"context_line":"There has been discussions around dynamic policy, policy that is centrally"},{"line_number":310,"context_line":"configured inside keystone, and can be updated via keystone APIs. This is"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_4e1aa67e","line":307,"range":{"start_line":306,"start_character":52,"end_line":307,"end_character":62},"updated":"2017-02-07 12:00:01.000000000","message":"Emm....is that right thing? Some fields in the API whether showing up is controlled by policy. 
And we said for \u0027all_tenants\u0027 that we should API behaviour is same between different users.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ffb1c8b452313ded8faeb2e7aa9e88be8392d71e","unresolved":false,"context_lines":[{"line_number":303,"context_line":"------------"},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"Keystone have proposed adding rules into keystone middlewere, that understand"},{"line_number":306,"context_line":"the standard REST patterns. This is tricky for Nova because some policy rules"},{"line_number":307,"context_line":"relate to specific body or query string parameters to the API."},{"line_number":308,"context_line":""},{"line_number":309,"context_line":"There has been discussions around dynamic policy, policy that is centrally"},{"line_number":310,"context_line":"configured inside keystone, and can be updated via keystone APIs. This is"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_fcc9435a","line":307,"range":{"start_line":306,"start_character":52,"end_line":307,"end_character":62},"in_reply_to":"1a430d35_4e1aa67e","updated":"2017-02-07 14:35:31.000000000","message":"I really mean about snapshot vs live-migrate, they all use the \"action\" URL. I can be more specific here.\n\nall_tenants will still need a policy check to decide where the context says its allowed to return things from. 
The difference is that we are allowing any user to pass that, and you will not get 403 errors if you try to pass it.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":322,"context_line":""},{"line_number":323,"context_line":"None."},{"line_number":324,"context_line":""},{"line_number":325,"context_line":"Security impact"},{"line_number":326,"context_line":"---------------"},{"line_number":327,"context_line":""},{"line_number":328,"context_line":"Having a better understanding of policy rules can only help better audit the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_1a2c0598","line":325,"range":{"start_line":325,"start_character":0,"end_line":325,"end_character":15},"updated":"2017-02-08 22:08:21.000000000","message":"It should be noted that any time you\u0027re changing policy there is a risk of making a mistake and creating a security issue. However, this effort should help find and fix security issues, like the admin_or_owner issue mentioned above. So on the whole, we should expect to see security improvements here more than be worrying about the risks. 
Just have to be careful.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":322,"context_line":""},{"line_number":323,"context_line":"None."},{"line_number":324,"context_line":""},{"line_number":325,"context_line":"Security impact"},{"line_number":326,"context_line":"---------------"},{"line_number":327,"context_line":""},{"line_number":328,"context_line":"Having a better understanding of policy rules can only help better audit the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_1709c231","line":325,"range":{"start_line":325,"start_character":0,"end_line":325,"end_character":15},"in_reply_to":"1a430d35_1a2c0598","updated":"2017-02-13 10:55:28.000000000","message":"+1","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":328,"context_line":"Having a better understanding of policy rules can only help better audit the"},{"line_number":329,"context_line":"correctness of Nova\u0027s RBAC controls for each particular deployment scenario."},{"line_number":330,"context_line":""},{"line_number":331,"context_line":"The only slight risk that is introduced is that all authenticated users can"},{"line_number":332,"context_line":"create DB load, even if policy says they don\u0027t have access. 
This is because"},{"line_number":333,"context_line":"in many actions we need to fetch the object being manipulated to check its"},{"line_number":334,"context_line":"associated project_id with the project_id in the user\u0027s token."},{"line_number":335,"context_line":""},{"line_number":336,"context_line":"Notifications impact"},{"line_number":337,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_770fe436","line":334,"range":{"start_line":331,"start_character":0,"end_line":334,"end_character":62},"updated":"2017-02-08 22:08:21.000000000","message":"this is easily solved... as commented above, the project check should be done in code, not in policy. When you make that change, the methods handling API requests would first do their policy check, and only thereafter, when policy passes, worry about project.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":328,"context_line":"Having a better understanding of policy rules can only help better audit the"},{"line_number":329,"context_line":"correctness of Nova\u0027s RBAC controls for each particular deployment scenario."},{"line_number":330,"context_line":""},{"line_number":331,"context_line":"The only slight risk that is introduced is that all authenticated users can"},{"line_number":332,"context_line":"create DB load, even if policy says they don\u0027t have access. 
This is because"},{"line_number":333,"context_line":"in many actions we need to fetch the object being manipulated to check its"},{"line_number":334,"context_line":"associated project_id with the project_id in the user\u0027s token."},{"line_number":335,"context_line":""},{"line_number":336,"context_line":"Notifications impact"},{"line_number":337,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_c20a0621","line":334,"range":{"start_line":331,"start_character":0,"end_line":334,"end_character":62},"in_reply_to":"1a430d35_770fe436","updated":"2017-02-13 10:55:28.000000000","message":"Well, this goes back to the token being, in some sense, global.\n\nI need to look into that. I don\u0027t believe we use those properly today.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"d81fae956dcd93cc5e4d71cb17ae33d8a648d4a4","unresolved":false,"context_lines":[{"line_number":362,"context_line":"We will have a new set of rules around how to add policy for new or"},{"line_number":363,"context_line":"updated APIs."},{"line_number":364,"context_line":""},{"line_number":365,"context_line":"Implementation"},{"line_number":366,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":367,"context_line":""},{"line_number":368,"context_line":"Assignee(s)"},{"line_number":369,"context_line":"-----------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_700d86e7","line":366,"range":{"start_line":365,"start_character":0,"end_line":366,"end_character":14},"updated":"2017-02-07 12:00:01.000000000","message":"If we can move the policy check code into the base class or put into a decorator, that will be great.\n\nKeystone puts the check into decorator https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L83\n\nNeutron 
puts the check into base-class https://github.com/openstack/neutron/blob/master/neutron/api/v2/base.py#L317","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"716dfe847876c5cf6d47462667053ce55eba4af8","unresolved":false,"context_lines":[{"line_number":362,"context_line":"We will have a new set of rules around how to add policy for new or"},{"line_number":363,"context_line":"updated APIs."},{"line_number":364,"context_line":""},{"line_number":365,"context_line":"Implementation"},{"line_number":366,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":367,"context_line":""},{"line_number":368,"context_line":"Assignee(s)"},{"line_number":369,"context_line":"-----------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_fa7659a2","line":366,"range":{"start_line":365,"start_character":0,"end_line":366,"end_character":14},"in_reply_to":"1a430d35_1c1fefb7","updated":"2017-02-08 22:08:21.000000000","message":"how did keystone get past that problem? 
And actually I think you\u0027ll have very few of those cases once you no longer check project in policy.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ffb1c8b452313ded8faeb2e7aa9e88be8392d71e","unresolved":false,"context_lines":[{"line_number":362,"context_line":"We will have a new set of rules around how to add policy for new or"},{"line_number":363,"context_line":"updated APIs."},{"line_number":364,"context_line":""},{"line_number":365,"context_line":"Implementation"},{"line_number":366,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":367,"context_line":""},{"line_number":368,"context_line":"Assignee(s)"},{"line_number":369,"context_line":"-----------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1a430d35_1c1fefb7","line":366,"range":{"start_line":365,"start_character":0,"end_line":366,"end_character":14},"in_reply_to":"1a430d35_700d86e7","updated":"2017-02-07 14:35:31.000000000","message":"I quite like the check being explicit.\n\nSadly a decorator will not work because we need to make a DB call to pass the correct target into the policy check (it seems in lots of cases, not just a few edge cases).","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b317ba665afb58548627e8f176ffa19f06445016","unresolved":false,"context_lines":[{"line_number":362,"context_line":"We will have a new set of rules around how to add policy for new or"},{"line_number":363,"context_line":"updated 
APIs."},{"line_number":364,"context_line":""},{"line_number":365,"context_line":"Implementation"},{"line_number":366,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":367,"context_line":""},{"line_number":368,"context_line":"Assignee(s)"},{"line_number":369,"context_line":"-----------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"fa31d9ce_02b17e47","line":366,"range":{"start_line":365,"start_character":0,"end_line":366,"end_character":14},"in_reply_to":"1a430d35_fa7659a2","updated":"2017-02-13 10:55:28.000000000","message":"I don\u0027t believe keystone has looked at solving these issues yet, but I could be wrong.","commit_id":"59e084cbf8bafe0557419c3ca81cff3fe2f596e1"}]}
