)]}'
{"specs/rocky/approved/granular-api-policy.rst":[{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"153a83105b381937e1977776485fc169a2941a44","unresolved":false,"context_lines":[{"line_number":223,"context_line":""},{"line_number":224,"context_line":"There can be two cases of how current polices are being used-"},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"#. Provider does not override these policy and reply on their default values"},{"line_number":227,"context_line":"#. Provides has override those policy in policy.json"},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"To make the proposed changes with backward compatible with both cases, we will:"}],"source_content_type":"text/x-rst","patch_set":4,"id":"df7087c5_c67b9a78","line":226,"range":{"start_line":226,"start_character":47,"end_line":226,"end_character":52},"updated":"2018-03-13 13:33:29.000000000","message":"nit: rely","commit_id":"cb7137993073a369748a5d25ca5edf989ce2ec87"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"153a83105b381937e1977776485fc169a2941a44","unresolved":false,"context_lines":[{"line_number":224,"context_line":"There can be two cases of how current polices are being used-"},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"#. Provider does not override these policy and reply on their default values"},{"line_number":227,"context_line":"#. 
Provides has override those policy in policy.json"},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"To make the proposed changes with backward compatible with both cases, we will:"},{"line_number":230,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"df7087c5_468f8a74","line":227,"range":{"start_line":227,"start_character":16,"end_line":227,"end_character":24},"updated":"2018-03-13 13:33:29.000000000","message":"nit: overriden","commit_id":"cb7137993073a369748a5d25ca5edf989ce2ec87"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"153a83105b381937e1977776485fc169a2941a44","unresolved":false,"context_lines":[{"line_number":226,"context_line":"#. Provider does not override these policy and reply on their default values"},{"line_number":227,"context_line":"#. Provides has override those policy in policy.json"},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"To make the proposed changes with backward compatible with both cases, we will:"},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"* Default value of the new policy rule must be same as default value of"},{"line_number":232,"context_line":"  existing policy."}],"source_content_type":"text/x-rst","patch_set":4,"id":"df7087c5_06d43247","line":229,"range":{"start_line":229,"start_character":29,"end_line":229,"end_character":33},"updated":"2018-03-13 13:33:29.000000000","message":"nit: \u0027with\u0027 is not needed here","commit_id":"cb7137993073a369748a5d25ca5edf989ce2ec87"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"153a83105b381937e1977776485fc169a2941a44","unresolved":false,"context_lines":[{"line_number":228,"context_line":""},{"line_number":229,"context_line":"To make the proposed changes with backward compatible with both 
cases, we will:"},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"* Default value of the new policy rule must be same as default value of"},{"line_number":232,"context_line":"  existing policy."},{"line_number":233,"context_line":"* New policy enforcement should be same as old policy. For example if old"},{"line_number":234,"context_line":"  policy rule is soft enforced (not raising the exception if access denied)"},{"line_number":235,"context_line":"  then, new policy also must be softly enforced."}],"source_content_type":"text/x-rst","patch_set":4,"id":"df7087c5_66688e86","line":232,"range":{"start_line":231,"start_character":39,"end_line":232,"end_character":18},"updated":"2018-03-13 13:33:29.000000000","message":"nit:must be the same as the default value of the existing policy","commit_id":"cb7137993073a369748a5d25ca5edf989ce2ec87"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"153a83105b381937e1977776485fc169a2941a44","unresolved":false,"context_lines":[{"line_number":233,"context_line":"* New policy enforcement should be same as old policy. For example if old"},{"line_number":234,"context_line":"  policy rule is soft enforced (not raising the exception if access denied)"},{"line_number":235,"context_line":"  then, new policy also must be softly enforced."},{"line_number":236,"context_line":"* Deprecate the old policy rule with clear warning to provider to use the"},{"line_number":237,"context_line":"  new policy if they have overridden those policy. 
And no change in their"},{"line_number":238,"context_line":"  enforcement on API side till deprecation cycle is over."},{"line_number":239,"context_line":"* If old policy is overridden then, enforce old policy only not new policy"}],"source_content_type":"text/x-rst","patch_set":4,"id":"df7087c5_86236256","line":236,"range":{"start_line":236,"start_character":50,"end_line":236,"end_character":62},"updated":"2018-03-13 13:33:29.000000000","message":"nit:to suggest","commit_id":"cb7137993073a369748a5d25ca5edf989ce2ec87"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"153a83105b381937e1977776485fc169a2941a44","unresolved":false,"context_lines":[{"line_number":253,"context_line":"---------------"},{"line_number":254,"context_line":""},{"line_number":255,"context_line":"New policies introduce to control the below APIs operation. Cloud Provider"},{"line_number":256,"context_line":"needs to switch to new policies. 
Backward compatibility is maintain"},{"line_number":257,"context_line":"w.r.t old policy rules with deprecation warning."},{"line_number":258,"context_line":""},{"line_number":259,"context_line":"* Above mentioned policies will be deprecated for removal."}],"source_content_type":"text/x-rst","patch_set":4,"id":"df7087c5_a6e5460b","line":256,"range":{"start_line":256,"start_character":59,"end_line":256,"end_character":67},"updated":"2018-03-13 13:33:29.000000000","message":"nit:maintained","commit_id":"cb7137993073a369748a5d25ca5edf989ce2ec87"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"153a83105b381937e1977776485fc169a2941a44","unresolved":false,"context_lines":[{"line_number":323,"context_line":""},{"line_number":324,"context_line":"* Introduced new policy for mentioned APIs."},{"line_number":325,"context_line":"* Deprecate the old policies in Rocky cycle."},{"line_number":326,"context_line":"* Remove the deprecated policies in future."},{"line_number":327,"context_line":""},{"line_number":328,"context_line":"Dependencies"},{"line_number":329,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":4,"id":"df7087c5_a6cea67f","line":326,"range":{"start_line":326,"start_character":33,"end_line":326,"end_character":42},"updated":"2018-03-13 13:33:29.000000000","message":"nit: in the future","commit_id":"cb7137993073a369748a5d25ca5edf989ce2ec87"},{"author":{"_account_id":11564,"name":"Chris Dent","email":"cdent@anticdent.org","username":"chdent"},"change_message_id":"cadd452b0a83c225921acce940cb702f2dc56402","unresolved":false,"context_lines":[{"line_number":22,"context_line":"Auditor should not."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Now question is that whether nova policy allow to achieve the above 
requirement"},{"line_number":25,"context_line":"completely. Yes, it does but at some extend not completely. It is not"},{"line_number":26,"context_line":"completely because not all API operation have their own separate policy."},{"line_number":27,"context_line":"Which means different access permission to each APIs operation is not"},{"line_number":28,"context_line":"completely possible."}],"source_content_type":"text/x-rst","patch_set":5,"id":"bf659307_0cdb3c1b","line":25,"range":{"start_line":25,"start_character":37,"end_line":25,"end_character":43},"updated":"2018-03-27 12:27:21.000000000","message":"extent","commit_id":"ab5488ad4a31e081e06c75cf503268dc412ea5d4"},{"author":{"_account_id":11564,"name":"Chris Dent","email":"cdent@anticdent.org","username":"chdent"},"change_message_id":"cadd452b0a83c225921acce940cb702f2dc56402","unresolved":false,"context_lines":[{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Now question is that whether nova policy allow to achieve the above requirement"},{"line_number":25,"context_line":"completely. Yes, it does but at some extend not completely. 
It is not"},{"line_number":26,"context_line":"completely because not all API operation have their own separate policy."},{"line_number":27,"context_line":"Which means different access permission to each APIs operation is not"},{"line_number":28,"context_line":"completely possible."},{"line_number":29,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"bf659307_cc06a487","line":26,"range":{"start_line":26,"start_character":0,"end_line":26,"end_character":10},"updated":"2018-03-27 12:27:21.000000000","message":"complete","commit_id":"ab5488ad4a31e081e06c75cf503268dc412ea5d4"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":11,"context_line":"https://blueprints.launchpad.net/nova/+spec/granular-api-policy"},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"API policy can be used for multiple ways to secure and control the API access."},{"line_number":14,"context_line":"For example, controlling the API access among Super-Admin, Admin, Owner,"},{"line_number":15,"context_line":"non-admin users, Reader, Auditor and many more other different type of users."},{"line_number":16,"context_line":"Control and access permission in policies depends on each user role and"},{"line_number":17,"context_line":"responsibility."}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_a42035b3","line":14,"updated":"2018-06-29 15:23:58.000000000","message":"What is super-admin? 
How does it differ from admin?","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":12,"context_line":""},{"line_number":13,"context_line":"API policy can be used for multiple ways to secure and control the API access."},{"line_number":14,"context_line":"For example, controlling the API access among Super-Admin, Admin, Owner,"},{"line_number":15,"context_line":"non-admin users, Reader, Auditor and many more other different type of users."},{"line_number":16,"context_line":"Control and access permission in policies depends on each user role and"},{"line_number":17,"context_line":"responsibility."},{"line_number":18,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_242d05ae","line":15,"range":{"start_line":15,"start_character":71,"end_line":15,"end_character":76},"updated":"2018-06-29 15:23:58.000000000","message":"roles","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":13,"context_line":"API policy can be used for multiple ways to secure and control the API access."},{"line_number":14,"context_line":"For example, controlling the API access among Super-Admin, Admin, Owner,"},{"line_number":15,"context_line":"non-admin users, Reader, Auditor and many more other different type of users."},{"line_number":16,"context_line":"Control and access permission in policies depends on each user role and"},{"line_number":17,"context_line":"responsibility."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Admin would have access for 
almost all APIs and have permission to their"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_842739c8","line":16,"updated":"2018-06-29 15:23:58.000000000","message":"Should add reference to Keystone\u0027s default roles spec to give background on Reader/Auditor role terminology: https://review.openstack.org/#/c/566377/ and https://review.openstack.org/#/c/570990/\n\nKeystone decided on \u0027reader\u0027 instead of \u0027auditor\u0027 so should probably s/auditor/reader/g","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":17,"context_line":"responsibility."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Admin would have access for almost all APIs and have permission to their"},{"line_number":20,"context_line":"policy rule but non-admin would not and so does Reader and Auditor."},{"line_number":21,"context_line":"Owner of resource can delete, modify their own resources but Reader and"},{"line_number":22,"context_line":"Auditor should not."},{"line_number":23,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_9f3c64c1","line":20,"updated":"2018-06-29 15:23:58.000000000","message":"How is non-admin defined here? 
member role?","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":19,"context_line":"Admin would have access for almost all APIs and have permission to their"},{"line_number":20,"context_line":"policy rule but non-admin would not and so does Reader and Auditor."},{"line_number":21,"context_line":"Owner of resource can delete, modify their own resources but Reader and"},{"line_number":22,"context_line":"Auditor should not."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Now question is that whether nova policy allow to achieve the above requirement"},{"line_number":25,"context_line":"completely. Yes, it does but at some extent not completely. It is not"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_df6bbcb6","line":22,"updated":"2018-06-29 15:23:58.000000000","message":"Should only mention reader role given above.","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Now question is that whether nova policy allow to achieve the above requirement"},{"line_number":25,"context_line":"completely. Yes, it does but at some extent not completely. 
It is not"},{"line_number":26,"context_line":"complete because not all API operation have their own separate policy."},{"line_number":27,"context_line":"Which means different access permission to each APIs operation is not"},{"line_number":28,"context_line":"completely possible."},{"line_number":29,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_7f8aa864","line":26,"updated":"2018-06-29 15:23:58.000000000","message":"First two sentences can be clearer:\n\nNow the question is whether Nova policy should strive to achieve the above requirements as well. Currently, it does to some extent but not completely.","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Now question is that whether nova policy allow to achieve the above requirement"},{"line_number":25,"context_line":"completely. Yes, it does but at some extent not completely. 
It is not"},{"line_number":26,"context_line":"complete because not all API operation have their own separate policy."},{"line_number":27,"context_line":"Which means different access permission to each APIs operation is not"},{"line_number":28,"context_line":"completely possible."},{"line_number":29,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_dfee5c20","line":26,"range":{"start_line":26,"start_character":29,"end_line":26,"end_character":38},"updated":"2018-06-29 15:23:58.000000000","message":"operations","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":24,"context_line":"Now question is that whether nova policy allow to achieve the above requirement"},{"line_number":25,"context_line":"completely. Yes, it does but at some extent not completely. 
It is not"},{"line_number":26,"context_line":"complete because not all API operation have their own separate policy."},{"line_number":27,"context_line":"Which means different access permission to each APIs operation is not"},{"line_number":28,"context_line":"completely possible."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"This spec is to address the above issue and to make API policy more granular"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_5fe24c32","line":27,"updated":"2018-06-29 15:23:58.000000000","message":"permissions for each API operation","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":34,"context_line":"Problem description"},{"line_number":35,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"There are some policy which are used for multiple APIs which means single"},{"line_number":38,"context_line":"policy rule control multiple APIs access."},{"line_number":39,"context_line":"For example, \u0027os_compute_api:os-agents\u0027 policy is enforced for POST, PUT,"},{"line_number":40,"context_line":"GET and DELETE ‘/os-agents’ APIs. 
If Cloud provider want to control the"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_ffcc78bc","line":37,"range":{"start_line":37,"start_character":15,"end_line":37,"end_character":21},"updated":"2018-06-29 15:23:58.000000000","message":"policies","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":35,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"There are some policy which are used for multiple APIs which means single"},{"line_number":38,"context_line":"policy rule control multiple APIs access."},{"line_number":39,"context_line":"For example, \u0027os_compute_api:os-agents\u0027 policy is enforced for POST, PUT,"},{"line_number":40,"context_line":"GET and DELETE ‘/os-agents’ APIs. 
If Cloud provider want to control the"},{"line_number":41,"context_line":"policy permissions of POST, PUT, GET and DELETE APIs separatly for different"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_bfbe00fe","line":38,"range":{"start_line":38,"start_character":12,"end_line":38,"end_character":19},"updated":"2018-06-29 15:23:58.000000000","message":"can control access to multiple APIs","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":44,"context_line":"Take the example of Auditor case, Cloud Provider want to give access of"},{"line_number":45,"context_line":"GET APIs only to Auditor role and not POST or DELETE. As same policy control"},{"line_number":46,"context_line":"POST, PUT, GET and DELETE APIs, it is not possible to restrict Auditor not to"},{"line_number":47,"context_line":"make call to POST, PUT or DELETE APIs."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"Use Cases"},{"line_number":50,"context_line":"---------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_5f500cd6","line":47,"updated":"2018-06-29 15:23:58.000000000","message":"++","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":49,"context_line":"Use Cases"},{"line_number":50,"context_line":"---------"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"* As a cloud provider, I want separate the policy permissions control for the"},{"line_number":53,"context_line":"  read and write APIs. 
I do not want to make cloud APIs access security weak"},{"line_number":54,"context_line":"  and give access of POST, DELETE APIs also to Reader or Auditor user role."},{"line_number":55,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_bf6cc09d","line":52,"range":{"start_line":52,"start_character":23,"end_line":52,"end_character":42},"updated":"2018-06-29 15:23:58.000000000","message":"I would like to separate the","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":50,"context_line":"---------"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"* As a cloud provider, I want separate the policy permissions control for the"},{"line_number":53,"context_line":"  read and write APIs. I do not want to make cloud APIs access security weak"},{"line_number":54,"context_line":"  and give access of POST, DELETE APIs also to Reader or Auditor user role."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_df0adccf","line":53,"range":{"start_line":53,"start_character":2,"end_line":53,"end_character":16},"updated":"2018-06-29 15:23:58.000000000","message":"read, write, update and delete\n\nWhy not include update and delete?","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":51,"context_line":""},{"line_number":52,"context_line":"* As a cloud provider, I want separate the policy permissions control for 
the"},{"line_number":53,"context_line":"  read and write APIs. I do not want to make cloud APIs access security weak"},{"line_number":54,"context_line":"  and give access of POST, DELETE APIs also to Reader or Auditor user role."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"Proposed change"},{"line_number":57,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_5ffeccaf","line":54,"range":{"start_line":54,"start_character":47,"end_line":54,"end_character":64},"updated":"2018-06-29 15:23:58.000000000","message":"Again, should consolidate the role name here by picking \u0027reader\u0027.","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":56,"context_line":"Proposed change"},{"line_number":57,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"This spec propose to make API policy more granular by:"},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"* Each API operation should have their own policy."},{"line_number":62,"context_line":"* Not any single policy should be used to control more than one API Operation."}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_7ffb88bd","line":59,"range":{"start_line":59,"start_character":10,"end_line":59,"end_character":17},"updated":"2018-06-29 15:23:58.000000000","message":"proposes","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe 
Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":58,"context_line":""},{"line_number":59,"context_line":"This spec propose to make API policy more granular by:"},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"* Each API operation should have their own policy."},{"line_number":62,"context_line":"* Not any single policy should be used to control more than one API Operation."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"Each API operation means each possible API url"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_1f2a942e","line":61,"range":{"start_line":61,"start_character":33,"end_line":61,"end_character":38},"updated":"2018-06-29 15:23:58.000000000","message":"its","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":59,"context_line":"This spec propose to make API policy more granular by:"},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"* Each API operation should have their own policy."},{"line_number":62,"context_line":"* Not any single policy should be used to control more than one API Operation."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"Each API operation means each possible API url"},{"line_number":65,"context_line":" (ROUTE_LIST in nova/api/openstack/compute/routes.py)"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_ff28f833","line":62,"range":{"start_line":62,"start_character":2,"end_line":62,"end_character":9},"updated":"2018-06-29 
15:23:58.000000000","message":"No","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":65,"context_line":" (ROUTE_LIST in nova/api/openstack/compute/routes.py)"},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"Below are the Policies list which are being used for multiple APIs control and"},{"line_number":68,"context_line":"this spec propose to make them separate for each API operation:"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"* \u0027os_compute_api:os-agents\u0027:"},{"line_number":71,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_bf1a8015","line":68,"range":{"start_line":68,"start_character":10,"end_line":68,"end_character":17},"updated":"2018-06-29 15:23:58.000000000","message":"proposes","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":70,"context_line":"* \u0027os_compute_api:os-agents\u0027:"},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"  * File: nova/policies/agents.py"},{"line_number":73,"context_line":"  * APIs Operation it control:"},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"    * POST /os-agents,"},{"line_number":76,"context_line":"    * PUT /os-agents,"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_7f14e8e9","line":73,"updated":"2018-06-29 15:23:58.000000000","message":"s/APIs Operation/API 
Operations/g","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"0bad8a09eec48658fa0ab2cc71fdbb905dfa83f8","unresolved":false,"context_lines":[{"line_number":85,"context_line":"    * GET \u0027/servers/{server_id}/os-interface\u0027"},{"line_number":86,"context_line":"    * GET \u0027/servers/{server_id}/os-interface/{port_id}\u0027"},{"line_number":87,"context_line":"    * POST \u0027/servers/{server_id}/os-interface\u0027,"},{"line_number":88,"context_line":"    * DELETE \u0027/servers/{server_id}/os-interface/{port_id}\u0027"},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"* \u0027os_compute_api:os-cells\u0027:"},{"line_number":91,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"bf659307_9b48365c","line":88,"updated":"2018-04-04 10:04:36.000000000","message":"You know, I think we should look more at introducing the Admin vs Read vs Write roles into the mix here. 
That and the global role thing.\n\nIt seems that would be a better reason to add these new granular policies, we can set some really nice defaults at the same time?","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e5e79faa664731130a0b3f3f97f143c13ed7905f","unresolved":false,"context_lines":[{"line_number":85,"context_line":"    * GET \u0027/servers/{server_id}/os-interface\u0027"},{"line_number":86,"context_line":"    * GET \u0027/servers/{server_id}/os-interface/{port_id}\u0027"},{"line_number":87,"context_line":"    * POST \u0027/servers/{server_id}/os-interface\u0027,"},{"line_number":88,"context_line":"    * DELETE \u0027/servers/{server_id}/os-interface/{port_id}\u0027"},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"* \u0027os_compute_api:os-cells\u0027:"},{"line_number":91,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_206ebfff","line":88,"in_reply_to":"bf659307_9b48365c","updated":"2018-05-31 03:02:00.000000000","message":"agree on this idea which actually help operator to have better default and developer also to avoid changing policy twice.","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":216,"context_line":"* \u0027os_compute_api:os-tenant-networks\u0027"},{"line_number":217,"context_line":"* \u0027os_compute_api:os-volumes\u0027"},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"Other point to consider is we should not break cloud either overridden the"},{"line_number":220,"context_line":"above policies in policy.json file or use their default values. 
Proposal is"},{"line_number":221,"context_line":"to deprecate the above mentioned policies and make new policy in such a way"},{"line_number":222,"context_line":"that we do not break any existing cloud."},{"line_number":223,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_ffab1885","line":220,"range":{"start_line":219,"start_character":0,"end_line":220,"end_character":62},"updated":"2018-06-29 15:23:58.000000000","message":"This sentence is unclear to me.\n\nDo you mean: We should not break the custom policy overrides set up by cloud operators without first deprecating those policies and their default values in policy in code?","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":223,"context_line":""},{"line_number":224,"context_line":"There can be two cases of how current polices are being used-"},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"#. Provider does not override these policy and rely on their default values"},{"line_number":227,"context_line":"#. 
Provides has overriden those policy in policy.json"},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"To make the proposed changes backward compatible with both cases, we will:"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_3f8bd01e","line":226,"range":{"start_line":226,"start_character":47,"end_line":226,"end_character":51},"updated":"2018-06-29 15:23:58.000000000","message":"relies","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"bf17d4e92b82feb1e6760e959123e0d743bec1cc","unresolved":false,"context_lines":[{"line_number":224,"context_line":"There can be two cases of how current polices are being used-"},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"#. Provider does not override these policy and rely on their default values"},{"line_number":227,"context_line":"#. 
Provides has overriden those policy in policy.json"},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"To make the proposed changes backward compatible with both cases, we will:"},{"line_number":230,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_9f79c431","line":227,"range":{"start_line":227,"start_character":3,"end_line":227,"end_character":11},"updated":"2018-06-29 15:23:58.000000000","message":"Provider has overridden those policies","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":17896,"name":"Rick Bartra","email":"rickbartra@microsoft.com","username":"rb560u"},"change_message_id":"4c1fce9987aeb021569993ec0d0d9fe4a002591e","unresolved":false,"context_lines":[{"line_number":228,"context_line":""},{"line_number":229,"context_line":"To make the proposed changes backward compatible with both cases, we will:"},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"* Default value of the new policy rule must be the same as the default"},{"line_number":232,"context_line":"  value of the existing policy."},{"line_number":233,"context_line":"* New policy enforcement should be same as old policy. 
For example if old"},{"line_number":234,"context_line":"  policy rule is soft enforced (not raising the exception if access denied)"},{"line_number":235,"context_line":"  then, new policy also must be softly enforced."}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_1d94db8b","line":232,"range":{"start_line":231,"start_character":2,"end_line":232,"end_character":31},"updated":"2018-06-29 16:45:34.000000000","message":"does this mean we can\u0027t add the granularity with good default roles as the new policy rule must be the same as the default value of the existing policy?","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e5e79faa664731130a0b3f3f97f143c13ed7905f","unresolved":false,"context_lines":[{"line_number":325,"context_line":"* Deprecate the old policies in Rocky cycle."},{"line_number":326,"context_line":"* Remove the deprecated policies in the future."},{"line_number":327,"context_line":""},{"line_number":328,"context_line":"Dependencies"},{"line_number":329,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":330,"context_line":""},{"line_number":331,"context_line":"None"},{"line_number":332,"context_line":""},{"line_number":333,"context_line":"Testing"},{"line_number":334,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_404e5b97","line":331,"range":{"start_line":328,"start_character":0,"end_line":331,"end_character":4},"updated":"2018-05-31 03:02:00.000000000","message":"We need to wait for default roles spec first to change in nova policy. 
so i need to add below spec as dependencies - https://review.openstack.org/#/c/245629/8","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"502c22f83c6759678cdbf298ceb8899da3cba1e3","unresolved":false,"context_lines":[{"line_number":325,"context_line":"* Deprecate the old policies in Rocky cycle."},{"line_number":326,"context_line":"* Remove the deprecated policies in the future."},{"line_number":327,"context_line":""},{"line_number":328,"context_line":"Dependencies"},{"line_number":329,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":330,"context_line":""},{"line_number":331,"context_line":"None"},{"line_number":332,"context_line":""},{"line_number":333,"context_line":"Testing"},{"line_number":334,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5f7c97a3_9b006604","line":331,"range":{"start_line":328,"start_character":0,"end_line":331,"end_character":4},"in_reply_to":"5f7c97a3_404e5b97","updated":"2018-05-31 05:00:41.000000000","message":"this one  -https://review.openstack.org/#/c/523973/","commit_id":"f7fd3225541092bc3c47eee6b1da7aadd793b5dd"}],"specs/stein/approved/policy-default-refresh.rst":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9595ccda56d69ba5dcc1a0e0e9f20ccec4575cf2","unresolved":false,"context_lines":[{"line_number":35,"context_line":"Use Cases"},{"line_number":36,"context_line":"---------"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"* Understand the current defaults across Keystone, Nova, Cinder, Neutron, etc."},{"line_number":39,"context_line":"* Ideally never need to change the defaults"},{"line_number":40,"context_line":"* Operators with existing 
custom policy can easily move to new policy"},{"line_number":41,"context_line":"  structure"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_99caa26b","line":38,"updated":"2018-09-20 13:19:40.000000000","message":"By defaults here do you mean default roles that you can rely on in keystone or default policies?","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d8c6b7aab1d16f738b93c16ae3480123f8f9333e","unresolved":false,"context_lines":[{"line_number":35,"context_line":"Use Cases"},{"line_number":36,"context_line":"---------"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"* Understand the current defaults across Keystone, Nova, Cinder, Neutron, etc."},{"line_number":39,"context_line":"* Ideally never need to change the defaults"},{"line_number":40,"context_line":"* Operators with existing custom policy can easily move to new policy"},{"line_number":41,"context_line":"  structure"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_f120744b","line":38,"in_reply_to":"3f79a3b5_99caa26b","updated":"2018-09-21 13:22:37.000000000","message":"I was really meaning, the default policy across all services.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9595ccda56d69ba5dcc1a0e0e9f20ccec4575cf2","unresolved":false,"context_lines":[{"line_number":38,"context_line":"* Understand the current defaults across Keystone, Nova, Cinder, Neutron, etc."},{"line_number":39,"context_line":"* Ideally never need to change the defaults"},{"line_number":40,"context_line":"* Operators with existing custom policy can easily move to new policy"},{"line_number":41,"context_line":"  structure"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Proposed 
change"},{"line_number":44,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_198d3230","line":41,"updated":"2018-09-20 13:19:40.000000000","message":"I was thinking about the upgrade path here, and I think Matt\u0027s upgrade checker work could make this even easier for operators. I\u0027m just not sure if adding checks for all changing policies would be considered too verbose.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d8c6b7aab1d16f738b93c16ae3480123f8f9333e","unresolved":false,"context_lines":[{"line_number":38,"context_line":"* Understand the current defaults across Keystone, Nova, Cinder, Neutron, etc."},{"line_number":39,"context_line":"* Ideally never need to change the defaults"},{"line_number":40,"context_line":"* Operators with existing custom policy can easily move to new policy"},{"line_number":41,"context_line":"  structure"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Proposed change"},{"line_number":44,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_b1c43c61","line":41,"in_reply_to":"3f79a3b5_198d3230","updated":"2018-09-21 13:22:37.000000000","message":"Not sure yet, I wondered about a tool that can re-write given the deprecated names, etc.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9f4d56bc1f0829bb4acae7daac603eee6a989a6f","unresolved":false,"context_lines":[{"line_number":38,"context_line":"* Understand the current defaults across Keystone, Nova, Cinder, Neutron, 
etc."},{"line_number":39,"context_line":"* Ideally never need to change the defaults"},{"line_number":40,"context_line":"* Operators with existing custom policy can easily move to new policy"},{"line_number":41,"context_line":"  structure"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"Proposed change"},{"line_number":44,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":7,"id":"5fc1f717_9344a075","line":41,"in_reply_to":"3f79a3b5_b1c43c61","updated":"2019-03-18 02:16:17.000000000","message":"+1. I think the upgrade-checker tool can be useful here. at least we can publish about the changed policies from overridden one.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9595ccda56d69ba5dcc1a0e0e9f20ccec4575cf2","unresolved":false,"context_lines":[{"line_number":49,"context_line":"Firstly, we must check the context object has a scope that matches or exceeds"},{"line_number":50,"context_line":"the scope required for the given API operation. 
Examples include:"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"* Is the context of system_scope, so is able to list all hosts in the system"},{"line_number":53,"context_line":"* Does context.user_id match keypair.user_id or is the context system_scope"},{"line_number":54,"context_line":"* Does context.project_id match server.project_id or is the context"},{"line_number":55,"context_line":"  system_scope"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_d997ba38","line":52,"range":{"start_line":52,"start_character":2,"end_line":52,"end_character":76},"updated":"2018-09-20 13:19:40.000000000","message":"Feel free to link to what we have in our specifications repository, in the event folks want some more information:\n\nhttp://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d8c6b7aab1d16f738b93c16ae3480123f8f9333e","unresolved":false,"context_lines":[{"line_number":49,"context_line":"Firstly, we must check the context object has a scope that matches or exceeds"},{"line_number":50,"context_line":"the scope required for the given API operation. 
Examples include:"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"* Is the context of system_scope, so is able to list all hosts in the system"},{"line_number":53,"context_line":"* Does context.user_id match keypair.user_id or is the context system_scope"},{"line_number":54,"context_line":"* Does context.project_id match server.project_id or is the context"},{"line_number":55,"context_line":"  system_scope"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_51a9288c","line":52,"range":{"start_line":52,"start_character":2,"end_line":52,"end_character":76},"in_reply_to":"3f79a3b5_d997ba38","updated":"2018-09-21 13:22:37.000000000","message":"ah, perfect.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9595ccda56d69ba5dcc1a0e0e9f20ccec4575cf2","unresolved":false,"context_lines":[{"line_number":50,"context_line":"the scope required for the given API operation. 
Examples include:"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"* Is the context of system_scope, so is able to list all hosts in the system"},{"line_number":53,"context_line":"* Does context.user_id match keypair.user_id or is the context system_scope"},{"line_number":54,"context_line":"* Does context.project_id match server.project_id or is the context"},{"line_number":55,"context_line":"  system_scope"},{"line_number":56,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_f9b716d7","line":53,"updated":"2018-09-20 13:19:40.000000000","message":"I have a feeling these policies are going to be super similar to the ones we\u0027re writing for credentials in keystone [0].\n\n[0] https://review.openstack.org/#/c/594547/","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9f4d56bc1f0829bb4acae7daac603eee6a989a6f","unresolved":false,"context_lines":[{"line_number":50,"context_line":"the scope required for the given API operation. 
Examples include:"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"* Is the context of system_scope, so is able to list all hosts in the system"},{"line_number":53,"context_line":"* Does context.user_id match keypair.user_id or is the context system_scope"},{"line_number":54,"context_line":"* Does context.project_id match server.project_id or is the context"},{"line_number":55,"context_line":"  system_scope"},{"line_number":56,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"5fc1f717_13067021","line":53,"in_reply_to":"3f79a3b5_b1999c7a","updated":"2019-03-18 02:16:17.000000000","message":"yeah, currently we always send the user_id as a target for keypair which we can modify to accommodate the context.system_scope similar to keystone credential APIs","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d8c6b7aab1d16f738b93c16ae3480123f8f9333e","unresolved":false,"context_lines":[{"line_number":50,"context_line":"the scope required for the given API operation. 
Examples include:"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"* Is the context of system_scope, so is able to list all hosts in the system"},{"line_number":53,"context_line":"* Does context.user_id match keypair.user_id or is the context system_scope"},{"line_number":54,"context_line":"* Does context.project_id match server.project_id or is the context"},{"line_number":55,"context_line":"  system_scope"},{"line_number":56,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_b1999c7a","line":53,"in_reply_to":"3f79a3b5_f9b716d7","updated":"2018-09-21 13:22:37.000000000","message":"heh, yeah, they totally are.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9595ccda56d69ba5dcc1a0e0e9f20ccec4575cf2","unresolved":false,"context_lines":[{"line_number":52,"context_line":"* Is the context of system_scope, so is able to list all hosts in the system"},{"line_number":53,"context_line":"* Does context.user_id match keypair.user_id or is the context system_scope"},{"line_number":54,"context_line":"* Does context.project_id match server.project_id or is the context"},{"line_number":55,"context_line":"  system_scope"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Note: the Nova use of user_id and project_id are orthogonal, when checking the"},{"line_number":58,"context_line":"user_id we have no concept of project, and when checking project_id we care"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_39d6eef3","line":55,"updated":"2018-09-20 13:19:40.000000000","message":"Do we want to allow this for things like creating servers? 
I can see where this would be useful for operators cleaning up orphaned resources after a project has been deleted, but I\u0027m wondering if it makes sense to always require this to be done with a projects-scoped token for other operations.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d8c6b7aab1d16f738b93c16ae3480123f8f9333e","unresolved":false,"context_lines":[{"line_number":52,"context_line":"* Is the context of system_scope, so is able to list all hosts in the system"},{"line_number":53,"context_line":"* Does context.user_id match keypair.user_id or is the context system_scope"},{"line_number":54,"context_line":"* Does context.project_id match server.project_id or is the context"},{"line_number":55,"context_line":"  system_scope"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Note: the Nova use of user_id and project_id are orthogonal, when checking the"},{"line_number":58,"context_line":"user_id we have no concept of project, and when checking project_id we care"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_b1d51ce8","line":55,"in_reply_to":"3f79a3b5_39d6eef3","updated":"2018-09-21 13:22:37.000000000","message":"So in my head I always assume global scope could do anything but you raise a good point here...\n\nAt the moment you can\u0027t specify a project_id during create, so we can of restrict create.\n\nEverything else we let the admin do anything, which is largely assumed now, for things like help desks folks, etc.\n\nI think we exclude create (given its not possible), but everything else we allow global, largely because we always have allowed that. 
Can come back and revisit that later, if needed.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9f4d56bc1f0829bb4acae7daac603eee6a989a6f","unresolved":false,"context_lines":[{"line_number":52,"context_line":"* Is the context of system_scope, so is able to list all hosts in the system"},{"line_number":53,"context_line":"* Does context.user_id match keypair.user_id or is the context system_scope"},{"line_number":54,"context_line":"* Does context.project_id match server.project_id or is the context"},{"line_number":55,"context_line":"  system_scope"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Note: the Nova use of user_id and project_id are orthogonal, when checking the"},{"line_number":58,"context_line":"user_id we have no concept of project, and when checking project_id we care"}],"source_content_type":"text/x-rst","patch_set":7,"id":"5fc1f717_ee2df794","line":55,"in_reply_to":"3f79a3b5_b1d51ce8","updated":"2019-03-18 02:16:17.000000000","message":"true, I think it makes sense for anything other than \u0027create\u0027. 
Like delete, update has to be system scoped so that these operations can be performed for scenario like project is deleted or for some orphan projects etc.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e52f1f9dcdff02fa22f2744025afb3b108d10954","unresolved":false,"context_lines":[{"line_number":52,"context_line":"* Is the context of system_scope, so is able to list all hosts in the system"},{"line_number":53,"context_line":"* Does context.user_id match keypair.user_id or is the context system_scope"},{"line_number":54,"context_line":"* Does context.project_id match server.project_id or is the context"},{"line_number":55,"context_line":"  system_scope"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Note: the Nova use of user_id and project_id are orthogonal, when checking the"},{"line_number":58,"context_line":"user_id we have no concept of project, and when checking project_id we care"}],"source_content_type":"text/x-rst","patch_set":7,"id":"5fc1f717_152386c0","line":55,"in_reply_to":"5fc1f717_ee2df794","updated":"2019-03-19 19:36:39.000000000","message":"Yeah - I think that has become more apparent in the project clean up community goal discussion, too.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9595ccda56d69ba5dcc1a0e0e9f20ccec4575cf2","unresolved":false,"context_lines":[{"line_number":59,"context_line":"little about the user_id."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"In hard coding this check, we remove the ability to loosen the scope via"},{"line_number":62,"context_line":"policy, which helps with interoperability. 
Note we currently allow users to"},{"line_number":63,"context_line":"reduce the scope on certain API calls, until we have hierarchical quotas:"},{"line_number":64,"context_line":"https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html"},{"line_number":65,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_79f9c67d","line":62,"range":{"start_line":62,"start_character":8,"end_line":62,"end_character":41},"updated":"2018-09-20 13:19:40.000000000","message":"+1","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9f4d56bc1f0829bb4acae7daac603eee6a989a6f","unresolved":false,"context_lines":[{"line_number":77,"context_line":""},{"line_number":78,"context_line":"The member role maps to the current default level of privilege."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"The admin role maps to the current admin role. Note this means live-migration"},{"line_number":81,"context_line":"is project scoped and admin. Although if you specify a host, you would need"},{"line_number":82,"context_line":"to have system scope to use that parameter."},{"line_number":83,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"5fc1f717_ce4fdb68","line":80,"range":{"start_line":80,"start_character":0,"end_line":80,"end_character":45},"updated":"2019-03-18 02:16:17.000000000","message":"you mean current admin operation which really needs to be admin. 
We do have the admin role as the default for many reader- or member-level API operations, due to the lack of granularity in policies.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9595ccda56d69ba5dcc1a0e0e9f20ccec4575cf2","unresolved":false,"context_lines":[{"line_number":79,"context_line":""},{"line_number":80,"context_line":"The admin role maps to the current admin role. Note this means live-migration"},{"line_number":81,"context_line":"is project scoped and admin. Although if you specify a host, you would need"},{"line_number":82,"context_line":"to have system scope to use that parameter."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Note this means each API call will have its own policy rule, which is not"},{"line_number":85,"context_line":"currently the case today. This is required so each resource has the correct"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_3944aeb7","line":82,"updated":"2018-09-20 13:19:40.000000000","message":"Nice example","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9595ccda56d69ba5dcc1a0e0e9f20ccec4575cf2","unresolved":false,"context_lines":[{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Note this means each API call will have its own policy rule, which is not"},{"line_number":85,"context_line":"currently the case today. 
This is required so each resource has the correct"},{"line_number":86,"context_line":"reader, member, admin split."},{"line_number":87,"context_line":""},{"line_number":88,"context_line":"Upgrade after Scope and Role chagnes"},{"line_number":89,"context_line":"------------------------------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_191772a5","line":86,"updated":"2018-09-20 13:19:40.000000000","message":"Sounds like entire APIs are protected with a single policy?","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d8c6b7aab1d16f738b93c16ae3480123f8f9333e","unresolved":false,"context_lines":[{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Note this means each API call will have its own policy rule, which is not"},{"line_number":85,"context_line":"currently the case today. This is required so each resource has the correct"},{"line_number":86,"context_line":"reader, member, admin split."},{"line_number":87,"context_line":""},{"line_number":88,"context_line":"Upgrade after Scope and Role chagnes"},{"line_number":89,"context_line":"------------------------------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_d13e9824","line":86,"in_reply_to":"3f79a3b5_191772a5","updated":"2018-09-21 13:22:37.000000000","message":"It was whole API extensions, historically speaking.\n\nMostly it was because there was no read-only role considered, and we had no way of evolving the broken policy till recently.\n\nYeah, I propose we fix that, mostly because we will need it for the read-only role.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9f4d56bc1f0829bb4acae7daac603eee6a989a6f","unresolved":false,"context_lines":[{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Note this means each API call will have its own policy rule, which is not"},{"line_number":85,"context_line":"currently the case today. This is required so each resource has the correct"},{"line_number":86,"context_line":"reader, member, admin split."},{"line_number":87,"context_line":""},{"line_number":88,"context_line":"Upgrade after Scope and Role chagnes"},{"line_number":89,"context_line":"------------------------------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"5fc1f717_8e5553fc","line":86,"in_reply_to":"3f79a3b5_d13e9824","updated":"2019-03-18 02:16:17.000000000","message":"yeah, we do have many such cases with reason John mentioned.  other rst file in this spec propose the fix.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9595ccda56d69ba5dcc1a0e0e9f20ccec4575cf2","unresolved":false,"context_lines":[{"line_number":90,"context_line":""},{"line_number":91,"context_line":"For one cycle, we need existing user permissions to work alongside the new"},{"line_number":92,"context_line":"set of roles, so operators can migrate their users to the new roles. 
Note"},{"line_number":93,"context_line":"this means:"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"* Remove any project or user checks from the policy file defaults, as this"},{"line_number":96,"context_line":"  is now done in code, without breaking user-id-based-policy-enforcement"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_d95a5a80","line":93,"updated":"2018-09-20 13:19:40.000000000","message":"This might be less painful if you\u0027re using oslo.policy\u0027s deprecation tooling, which ORs the deprecated check_str and the new check_str. This allows for compatibility while logging an error for operators to clean things up.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9f4d56bc1f0829bb4acae7daac603eee6a989a6f","unresolved":false,"context_lines":[{"line_number":90,"context_line":""},{"line_number":91,"context_line":"For one cycle, we need existing user permissions to work alongside the new"},{"line_number":92,"context_line":"set of roles, so operators can migrate their users to the new roles. Note"},{"line_number":93,"context_line":"this means:"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"* Remove any project or user checks from the policy file defaults, as this"},{"line_number":96,"context_line":"  is now done in code, without breaking user-id-based-policy-enforcement"}],"source_content_type":"text/x-rst","patch_set":7,"id":"5fc1f717_ee7bb788","line":93,"in_reply_to":"3f79a3b5_b11c3cc2","updated":"2019-03-18 02:16:17.000000000","message":"+1. Though I am always less satisfy with one cycle policy :) operator can upgrade with skip-level upgrade (if they have any downstream solution for skip level upgrade) so we do not know which release to which release they upgrade. 
\n\nI always feel 1 year is at least needed to support deprecated things.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d8c6b7aab1d16f738b93c16ae3480123f8f9333e","unresolved":false,"context_lines":[{"line_number":90,"context_line":""},{"line_number":91,"context_line":"For one cycle, we need existing user permissions to work alongside the new"},{"line_number":92,"context_line":"set of roles, so operators can migrate their users to the new roles. Note"},{"line_number":93,"context_line":"this means:"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"* Remove any project or user checks from the policy file defaults, as this"},{"line_number":96,"context_line":"  is now done in code, without breaking user-id-based-policy-enforcement"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_b11c3cc2","line":93,"in_reply_to":"3f79a3b5_d95a5a80","updated":"2018-09-21 13:22:37.000000000","message":"Yeah, that is what I was thinking we would use. I should be explicit about that.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"e52f1f9dcdff02fa22f2744025afb3b108d10954","unresolved":false,"context_lines":[{"line_number":90,"context_line":""},{"line_number":91,"context_line":"For one cycle, we need existing user permissions to work alongside the new"},{"line_number":92,"context_line":"set of roles, so operators can migrate their users to the new roles. 
Note"},{"line_number":93,"context_line":"this means:"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"* Remove any project or user checks from the policy file defaults, as this"},{"line_number":96,"context_line":"  is now done in code, without breaking user-id-based-policy-enforcement"}],"source_content_type":"text/x-rst","patch_set":7,"id":"5fc1f717_55126e64","line":93,"in_reply_to":"5fc1f717_ee7bb788","updated":"2019-03-19 19:36:39.000000000","message":"That is a good point.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9595ccda56d69ba5dcc1a0e0e9f20ccec4575cf2","unresolved":false,"context_lines":[{"line_number":102,"context_line":"Naming"},{"line_number":103,"context_line":"------"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"Ideally we standardise on names across all the projects, once agreement is"},{"line_number":106,"context_line":"reached we can say what it is."},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"Something a bit like the following policy names:"},{"line_number":109,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_99ace235","line":106,"range":{"start_line":105,"start_character":0,"end_line":106,"end_character":30},"updated":"2018-09-20 13:19:40.000000000","message":"Currently trying to do that on the ML [0], in case you need to reference it or need it for book keeping.\n\n[0] http://lists.openstack.org/pipermail/openstack-dev/2018-September/134597.html","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":782,"name":"John 
Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d8c6b7aab1d16f738b93c16ae3480123f8f9333e","unresolved":false,"context_lines":[{"line_number":102,"context_line":"Naming"},{"line_number":103,"context_line":"------"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"Ideally we standardise on names across all the projects, once agreement is"},{"line_number":106,"context_line":"reached we can say what it is."},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"Something a bit like the following policy names:"},{"line_number":109,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_317eece2","line":106,"range":{"start_line":105,"start_character":0,"end_line":106,"end_character":30},"in_reply_to":"3f79a3b5_99ace235","updated":"2018-09-21 13:22:37.000000000","message":"Yeah, I should add that link.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9595ccda56d69ba5dcc1a0e0e9f20ccec4575cf2","unresolved":false,"context_lines":[{"line_number":110,"context_line":"* compute:servers:action:create_image:POST"},{"line_number":111,"context_line":"* compute:servers:POST"},{"line_number":112,"context_line":"* compute:servers:GET"},{"line_number":113,"context_line":"* compute:servers:server_id:GET"},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"To match the following APIs:"},{"line_number":116,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_997142e1","line":113,"updated":"2018-09-20 13:19:40.000000000","message":"I had a note on the specifics of the HTTP method names in a follow up thread [0].\n\n[0] http://lists.openstack.org/pipermail/openstack-dev/2018-September/134860.html","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9595ccda56d69ba5dcc1a0e0e9f20ccec4575cf2","unresolved":false,"context_lines":[{"line_number":123,"context_line":"-------"},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"The current unit tests are generally quite bad at testing policy, this should"},{"line_number":126,"context_line":"be addressed before making any of the above changes."},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"Alternatives"},{"line_number":129,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_5925eabd","line":126,"updated":"2018-09-20 13:19:40.000000000","message":"++ I completely agree\n\nI sat down with cinder during the PTG last week while they were talking about some policy changes they made late last release that caused regression with RBAC.\n\nIdeally, it would be great to have unit test coverage that exercised the policy enforcement using oslo.policy and optionally oslo.context when testing the API. This would have caught those issues in the gate, instead of after the change landed.\n\nThe tough part that I don\u0027t think a lot of services want to deal with is figuring out how to model a keystone token in an oslo_context.context.RequestContext object. Ultimately, then they don\u0027t have to make all this an integration test that requires keystone or keystonemiddleware.\n\nI\u0027m working with the cinder team to write a few tests that they can use as templates for testing policy with their API. 
If this is helpful [0], I can try and do the same for nova or I can propose a patch to oslo.policy that describes the test pattern (or both?).\n\n[0] https://review.openstack.org/#/c/602489/","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d8c6b7aab1d16f738b93c16ae3480123f8f9333e","unresolved":false,"context_lines":[{"line_number":123,"context_line":"-------"},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"The current unit tests are generally quite bad at testing policy, this should"},{"line_number":126,"context_line":"be addressed before making any of the above changes."},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"Alternatives"},{"line_number":129,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_31682cf2","line":126,"in_reply_to":"3f79a3b5_5925eabd","updated":"2018-09-21 13:22:37.000000000","message":"We already have some tests, but they do some strange-ish things.\n\nI did try some functional tests here:\nhttps://review.openstack.org/#/c/435484/1/nova/tests/unit/api/openstack/compute/test_serversV21.py\n\nIt is probably worth a look again at the unit tests, they might be fixable. 
Currently they do some funky things:\nhttps://github.com/openstack/nova/blob/235d03ca95aa656957ac13e29ebb3b7515cdba8a/nova/tests/unit/api/openstack/compute/test_serversV21.py#L987","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9f4d56bc1f0829bb4acae7daac603eee6a989a6f","unresolved":false,"context_lines":[{"line_number":129,"context_line":"------------"},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"We could do only one or two of the above three steps, but seems more efficient"},{"line_number":132,"context_line":"to fix this as we go."},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"Data model impact"},{"line_number":135,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"5fc1f717_2e5d3f14","line":132,"range":{"start_line":132,"start_character":20,"end_line":132,"end_character":21},"updated":"2019-03-18 02:16:17.000000000","message":"to avoid upgrade break multiple times, I agree with doing all these 3 changes together which is nothing but the proposal in this spec.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9595ccda56d69ba5dcc1a0e0e9f20ccec4575cf2","unresolved":false,"context_lines":[{"line_number":139,"context_line":"REST API impact"},{"line_number":140,"context_line":"---------------"},{"line_number":141,"context_line":""},{"line_number":142,"context_line":"Existing users should be unaffected by these changes."},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"Operators should be able to create new users with more restrictive permissions"},{"line_number":145,"context_line":"in the near 
future."}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_d420df9c","line":142,"updated":"2018-09-20 13:19:40.000000000","message":"I guess this depends on if the RBAC used by the deployer is going to be broken by how opinionated we are about specific behaviors upstream?","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d8c6b7aab1d16f738b93c16ae3480123f8f9333e","unresolved":false,"context_lines":[{"line_number":139,"context_line":"REST API impact"},{"line_number":140,"context_line":"---------------"},{"line_number":141,"context_line":""},{"line_number":142,"context_line":"Existing users should be unaffected by these changes."},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"Operators should be able to create new users with more restrictive permissions"},{"line_number":145,"context_line":"in the near future."}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f79a3b5_b102fc0a","line":142,"in_reply_to":"3f79a3b5_d420df9c","updated":"2018-09-21 13:22:37.000000000","message":"In Nova we have largely broken them already, because of this beauty:\nhttps://github.com/openstack/nova/blob/235d03ca95aa656957ac13e29ebb3b7515cdba8a/nova/context.py#L255\n\nI should make a note about that here. 
Once we can remove those above few lines, and keep Nova working, we know sorted the scope checks!\n\nSo if we keep our upgrade promises as described above (old config keeps working the same across at least one upgrade cycle) we should be OK.","commit_id":"baec6c562543a70964a25bc3ecb62ce74fb07a85"}],"specs/train/approved/policy-default-refresh.rst":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"12c17529e9b8d522c316d14b5f1d4aa504b2a27a","unresolved":false,"context_lines":[{"line_number":365,"context_line":"----------"},{"line_number":366,"context_line":""},{"line_number":367,"context_line":"* Make policy rules granular"},{"line_number":368,"context_line":"* Add scope type"},{"line_number":369,"context_line":"* Add default roles"},{"line_number":370,"context_line":"* Follow naming standardization in above steps."},{"line_number":371,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"5fc1f717_2bb71edb","line":368,"updated":"2019-03-21 03:40:27.000000000","message":"Should granular and scope type be part of the same spec? This is pretty huge scope of the work and I\u0027d think it better to separate the two into their own specs. To me, it seems like making policy for each API more granular doesn\u0027t have anything/much to do with scope types. 
Am I wrong?","commit_id":"f82a7f8d1f284afd25c0d71ed693301f5c8612c9"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f684efcac91491429410186543572ad816cde061","unresolved":false,"context_lines":[{"line_number":365,"context_line":"----------"},{"line_number":366,"context_line":""},{"line_number":367,"context_line":"* Make policy rules granular"},{"line_number":368,"context_line":"* Add scope type"},{"line_number":369,"context_line":"* Add default roles"},{"line_number":370,"context_line":"* Follow naming standardization in above steps."},{"line_number":371,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"5fc1f717_420d9b3c","line":368,"in_reply_to":"5fc1f717_2bb71edb","updated":"2019-03-21 19:11:46.000000000","message":"It can be done separately from granular and default roles. \n\nWith doing scope_type separately, I can think of the only benefit with distinguishing the scope of admin role between project and system scope. Because we do not have other default roles in policy like reader, member, admin. \n\nGranular policies are needed to define the default roles. We cannot define the proper roles of reader, member, admin without granular policies. \n\nIdea of doing all together can avoid:\n1. synchronization and patch conflict issue\n2. doing it all together per policies so that we do not break upgrade mutliple times. \n\nFor example, this can be steps for implementing it\n1. add granularity in the policy X\n2. add scope_type\n3. add proper default Roles with new check_str based on old roles and scope which should maintain the backward compatibility. 
\n\nLet me push the PoC patch today and then we can see how we can do all these 3 updates in a more synchronized way.","commit_id":"f82a7f8d1f284afd25c0d71ed693301f5c8612c9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"4150822e0d675fd09aa2de2bff3d625b4d2d339a","unresolved":false,"context_lines":[{"line_number":365,"context_line":"----------"},{"line_number":366,"context_line":""},{"line_number":367,"context_line":"* Make policy rules granular"},{"line_number":368,"context_line":"* Add scope type"},{"line_number":369,"context_line":"* Add default roles"},{"line_number":370,"context_line":"* Follow naming standardization in above steps."},{"line_number":371,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"5fc1f717_e2e03efb","line":368,"in_reply_to":"5fc1f717_420d9b3c","updated":"2019-03-22 03:10:06.000000000","message":"Yeah, I think it would be easier to organize and reason about the efforts if we split them into separate specs. Easier organization means smaller patches, easier reviews, more chance of getting good progress this cycle.\n\nIf default roles depend on granular policies, why don\u0027t we have a spec for default roles, a spec for granular policies, and a spec for scope types? I think it would aid in review of both spec and code to have each piece logically separated.\n\nYou are saying we would have to do all three changes in one patch per API to avoid breaking upgrade multiple times? I guess I thought that all of the changes would be additive and not breaking backward compat. 
Apologies if I\u0027m missing something here.","commit_id":"f82a7f8d1f284afd25c0d71ed693301f5c8612c9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"72052925473b93fb540705f031c45fba18ebaa63","unresolved":false,"context_lines":[{"line_number":365,"context_line":"----------"},{"line_number":366,"context_line":""},{"line_number":367,"context_line":"* Make policy rules granular"},{"line_number":368,"context_line":"* Add scope type"},{"line_number":369,"context_line":"* Add default roles"},{"line_number":370,"context_line":"* Follow naming standardization in above steps."},{"line_number":371,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"5fc1f717_105c1349","line":368,"in_reply_to":"5fc1f717_d6e8c8df","updated":"2019-03-29 02:13:03.000000000","message":"Thanks for doing that. I think we will face difficulty in receiving spec review and approval if we don\u0027t split up the spec into logical parts: granular, scope type, default role and explain each piece and show example of each in spec separately and make them depend on each other appropriately. All of it together is hard to digest, IMHO. 
Feel free to get other opinions, this is just my opinion.","commit_id":"f82a7f8d1f284afd25c0d71ed693301f5c8612c9"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"29ab862ae17f8443235bfd377db2f49f73d49b62","unresolved":false,"context_lines":[{"line_number":365,"context_line":"----------"},{"line_number":366,"context_line":""},{"line_number":367,"context_line":"* Make policy rules granular"},{"line_number":368,"context_line":"* Add scope type"},{"line_number":369,"context_line":"* Add default roles"},{"line_number":370,"context_line":"* Follow naming standardization in above steps."},{"line_number":371,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"5fc1f717_d6e8c8df","line":368,"in_reply_to":"5fc1f717_e2e03efb","updated":"2019-03-28 21:45:23.000000000","message":"That is good point about having the small patches which are easy to review and avoid regression.\n\nI have added the PoC example for each update and we can do those as a separate patch in series of related dependency. \nHow I feel the dependency of patches can be:\n\nPatch#1 - API granular and new naming: https://review.openstack.org/#/c/645427\n\nPatch#2 - Add the scope_type for the granular policy rules where we will know each separated policy rules. https://review.openstack.org/#/c/645452/\n\nPatch#3 - Now we have the scope_type added for each policy rule which will help to consider the best default roles. We can judge that we are not leaving any security issue with new default roles.: https://review.openstack.org/#/c/648480/\n  - This 3rd patch will also add the releasenotes listing all the above modification.\n\nThis way we can check how the final version of policy rule will look like. 
\n\nWe can do in separate spec also but doing it with single spec and single series of patches will give us the benefit of visualizing the final version together and finishing the all updates within single cycle.","commit_id":"f82a7f8d1f284afd25c0d71ed693301f5c8612c9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"12c17529e9b8d522c316d14b5f1d4aa504b2a27a","unresolved":false,"context_lines":[{"line_number":378,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":379,"context_line":""},{"line_number":380,"context_line":"The current unit tests are generally quite bad at testing policy, this should"},{"line_number":381,"context_line":"be addressed before making any of the above changes."},{"line_number":382,"context_line":""},{"line_number":383,"context_line":"Add or modifiy the Tempest tests for scope and default roles."},{"line_number":384,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"5fc1f717_8ba89277","line":381,"updated":"2019-03-21 03:40:27.000000000","message":"I think it\u0027s going to be a major undertaking to add policy-protection test coverage for the entire API, so I\u0027d be thinking to mention it much more prominently as Work Item #1, before anything else can be done.","commit_id":"f82a7f8d1f284afd25c0d71ed693301f5c8612c9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"4150822e0d675fd09aa2de2bff3d625b4d2d339a","unresolved":false,"context_lines":[{"line_number":378,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":379,"context_line":""},{"line_number":380,"context_line":"The current unit tests are generally quite bad at testing policy, this should"},{"line_number":381,"context_line":"be addressed before making any of the above 
changes."},{"line_number":382,"context_line":""},{"line_number":383,"context_line":"Add or modifiy the Tempest tests for scope and default roles."},{"line_number":384,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"5fc1f717_e28efe30","line":381,"in_reply_to":"5fc1f717_1d45b643","updated":"2019-03-22 03:10:06.000000000","message":"OK, I can draft a specless BP and request approval at a nova meeting.\n\nOK, I\u0027m not familiar with patrole. How do we use it in nova? The API protection testing Lance showed me is like this, from this doc [1]:\n\nhttps://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/protection/v3?id\u003d77e50e49c5af37780b8b4cfe8721ba28e8a58183\n\n[1] https://docs.openstack.org/keystone/latest/contributor/services.html#ruthless-testing","commit_id":"f82a7f8d1f284afd25c0d71ed693301f5c8612c9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"96a3f70eb9d09d0521416b5108134da5ef48cba7","unresolved":false,"context_lines":[{"line_number":378,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":379,"context_line":""},{"line_number":380,"context_line":"The current unit tests are generally quite bad at testing policy, this should"},{"line_number":381,"context_line":"be addressed before making any of the above changes."},{"line_number":382,"context_line":""},{"line_number":383,"context_line":"Add or modifiy the Tempest tests for scope and default roles."},{"line_number":384,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"5fc1f717_cbff7a32","line":381,"in_reply_to":"5fc1f717_8ba89277","updated":"2019-03-21 04:03:10.000000000","message":"Another thought: I\u0027ve been thinking about whether we could have the policy-protection test coverage as a specless blueprint upon which the policy change specs depend. 
We need it as a first step before we make any major changes to policy, but adding it is not only beneficial for making policy changes. It\u0027s test coverage we ideally should have had in the first place, a long time ago. Thinking along these lines, I do wonder if it could be its own specless blueprint effort.","commit_id":"f82a7f8d1f284afd25c0d71ed693301f5c8612c9"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f684efcac91491429410186543572ad816cde061","unresolved":false,"context_lines":[{"line_number":378,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":379,"context_line":""},{"line_number":380,"context_line":"The current unit tests are generally quite bad at testing policy, this should"},{"line_number":381,"context_line":"be addressed before making any of the above changes."},{"line_number":382,"context_line":""},{"line_number":383,"context_line":"Add or modifiy the Tempest tests for scope and default roles."},{"line_number":384,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"5fc1f717_1d45b643","line":381,"in_reply_to":"5fc1f717_cbff7a32","updated":"2019-03-21 19:11:46.000000000","message":"+1 on specless BP for policy testing. this has been long time pending item to test.\n\nAlso I am thinking about current patrole testing[1] can give us the benefit of verification if we break any policy in backward compatible way. 
Removed policies has been detected by Patrole in past - https://review.openstack.org/#/c/593454/\n\n[1]https://docs.openstack.org/patrole/latest/","commit_id":"f82a7f8d1f284afd25c0d71ed693301f5c8612c9"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"29ab862ae17f8443235bfd377db2f49f73d49b62","unresolved":false,"context_lines":[{"line_number":378,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":379,"context_line":""},{"line_number":380,"context_line":"The current unit tests are generally quite bad at testing policy, this should"},{"line_number":381,"context_line":"be addressed before making any of the above changes."},{"line_number":382,"context_line":""},{"line_number":383,"context_line":"Add or modifiy the Tempest tests for scope and default roles."},{"line_number":384,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"5fc1f717_16cc1087","line":381,"in_reply_to":"5fc1f717_e28efe30","updated":"2019-03-28 21:45:23.000000000","message":"Thanks.","commit_id":"f82a7f8d1f284afd25c0d71ed693301f5c8612c9"},{"author":{"_account_id":7634,"name":"Takashi Natsume","email":"takanattie@gmail.com","username":"natsumet"},"change_message_id":"c13768adcdfa305dc59de1d439cde641c31e8941","unresolved":false,"context_lines":[{"line_number":480,"context_line":""},{"line_number":481,"context_line":"   * - Release Name"},{"line_number":482,"context_line":"     - Description"},{"line_number":483,"context_line":"   * - Stein"},{"line_number":484,"context_line":"     - Introduced"}],"source_content_type":"text/x-rst","patch_set":10,"id":"5fc1f717_96d6c04e","line":483,"range":{"start_line":483,"start_character":7,"end_line":483,"end_character":12},"updated":"2019-03-28 21:34:46.000000000","message":"Train","commit_id":"308cc5c2a4b9b76cf580f9d36f9af9778513ae5a"},{"author":{"_account_id":8556,"name":"Ghanshyam 
Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c0f02f27986032de64ac3072afb358ca86a5cb4a","unresolved":false,"context_lines":[{"line_number":480,"context_line":""},{"line_number":481,"context_line":"   * - Release Name"},{"line_number":482,"context_line":"     - Description"},{"line_number":483,"context_line":"   * - Stein"},{"line_number":484,"context_line":"     - Introduced"}],"source_content_type":"text/x-rst","patch_set":10,"id":"5fc1f717_962d4dff","line":483,"range":{"start_line":483,"start_character":7,"end_line":483,"end_character":12},"in_reply_to":"5fc1f717_96d6c04e","updated":"2019-04-02 18:59:57.000000000","message":"thanks, done","commit_id":"308cc5c2a4b9b76cf580f9d36f9af9778513ae5a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ac13026064d2272716ac2dc2305a85837c13fea0","unresolved":false,"context_lines":[{"line_number":15,"context_line":""},{"line_number":16,"context_line":"When operators must modify policy, or need to audit the defaults, they are"},{"line_number":17,"context_line":"thinking about API operations what policy to change, so the policy should"},{"line_number":18,"context_line":"always clearly relate to the API node the code."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"Problem description"},{"line_number":21,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_38a0f291","line":18,"range":{"start_line":18,"start_character":33,"end_line":18,"end_character":41},"updated":"2019-04-01 14:01:09.000000000","message":"nit: s/node the// ?","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c0f02f27986032de64ac3072afb358ca86a5cb4a","unresolved":false,"context_lines":[{"line_number":15,"context_line":""},{"line_number":16,"context_line":"When operators must modify policy, or need to audit the defaults, they are"},{"line_number":17,"context_line":"thinking about API operations what policy to change, so the policy should"},{"line_number":18,"context_line":"always clearly relate to the API node the code."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"Problem description"},{"line_number":21,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_3c1d2673","line":18,"range":{"start_line":18,"start_character":33,"end_line":18,"end_character":41},"in_reply_to":"5fc1f717_38a0f291","updated":"2019-04-02 18:59:57.000000000","message":"Done","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ac13026064d2272716ac2dc2305a85837c13fea0","unresolved":false,"context_lines":[{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The current defaults are misleading and hard to understand, such that when"},{"line_number":26,"context_line":"operators attempt to audit or modify the policy defaults, its easy to break"},{"line_number":27,"context_line":"the API."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"The relationship between Nova API policy and those in Cinder, Neutron, etc."},{"line_number":30,"context_line":"is out of scope for this spec. Except to say we currently assume the user"}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_d8ba0ebf","line":27,"updated":"2019-04-01 14:01:09.000000000","message":"... 
or open up security holes in the deployment accidentally.","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c0f02f27986032de64ac3072afb358ca86a5cb4a","unresolved":false,"context_lines":[{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The current defaults are misleading and hard to understand, such that when"},{"line_number":26,"context_line":"operators attempt to audit or modify the policy defaults, its easy to break"},{"line_number":27,"context_line":"the API."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"The relationship between Nova API policy and those in Cinder, Neutron, etc."},{"line_number":30,"context_line":"is out of scope for this spec. Except to say we currently assume the user"}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_1c186a82","line":27,"in_reply_to":"5fc1f717_d8ba0ebf","updated":"2019-04-02 18:59:57.000000000","message":"Done","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ac13026064d2272716ac2dc2305a85837c13fea0","unresolved":false,"context_lines":[{"line_number":67,"context_line":"This scope type can be applied to API policies which need"},{"line_number":68,"context_line":"access permission at system level for example os-hypervisiors,"},{"line_number":69,"context_line":"os-services etc. By adding scope_type as \u0027system\u0027 to API policy"},{"line_number":70,"context_line":"means project-level scoped token cannot access these API."},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"2. 
``project``: policy with \u0027project\u0027 scope means user with"},{"line_number":73,"context_line":"\u0027project-scoped\u0027 token have permission to access."}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_98e9e6b8","line":70,"range":{"start_line":70,"start_character":33,"end_line":70,"end_character":57},"updated":"2019-04-01 14:01:09.000000000","message":"This is only true when enforce_scope\u003dTrue, but it looks like you\u0027re covering that below.","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c0f02f27986032de64ac3072afb358ca86a5cb4a","unresolved":false,"context_lines":[{"line_number":67,"context_line":"This scope type can be applied to API policies which need"},{"line_number":68,"context_line":"access permission at system level for example os-hypervisiors,"},{"line_number":69,"context_line":"os-services etc. By adding scope_type as \u0027system\u0027 to API policy"},{"line_number":70,"context_line":"means project-level scoped token cannot access these API."},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"2. 
``project``: policy with \u0027project\u0027 scope means user with"},{"line_number":73,"context_line":"\u0027project-scoped\u0027 token have permission to access."}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_7c296e99","line":70,"range":{"start_line":70,"start_character":33,"end_line":70,"end_character":57},"in_reply_to":"5fc1f717_98e9e6b8","updated":"2019-04-02 18:59:57.000000000","message":"Done","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ac13026064d2272716ac2dc2305a85837c13fea0","unresolved":false,"context_lines":[{"line_number":79,"context_line":""},{"line_number":80,"context_line":"Each policy rules will be covered with appropriate scope_type, \u0027system\u0027,"},{"line_number":81,"context_line":"\u0027project\u0027 in nova case."},{"line_number":82,"context_line":"For example GET /os-services will be scoped as \u0027system\u0027 so that user"},{"line_number":83,"context_line":"with system scope token will be authorized to access tis API otherwise not."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"POST \u0027/servers/{server_id}/action (lock) will be scoped as"},{"line_number":86,"context_line":"[\u0027system\u0027, \u0027project\u0027] which means system scope token as well as project"}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_98ec8690","line":83,"range":{"start_line":82,"start_character":59,"end_line":83,"end_character":75},"updated":"2019-04-01 14:01:09.000000000","message":"nit: so that only users with system-scoped tokens will be authorized to access this API.","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c0f02f27986032de64ac3072afb358ca86a5cb4a","unresolved":false,"context_lines":[{"line_number":79,"context_line":""},{"line_number":80,"context_line":"Each policy rules will be covered with appropriate scope_type, \u0027system\u0027,"},{"line_number":81,"context_line":"\u0027project\u0027 in nova case."},{"line_number":82,"context_line":"For example GET /os-services will be scoped as \u0027system\u0027 so that user"},{"line_number":83,"context_line":"with system scope token will be authorized to access tis API otherwise not."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"POST \u0027/servers/{server_id}/action (lock) will be scoped as"},{"line_number":86,"context_line":"[\u0027system\u0027, \u0027project\u0027] which means system scope token as well as project"}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_5c2cb2ab","line":83,"range":{"start_line":82,"start_character":59,"end_line":83,"end_character":75},"in_reply_to":"5fc1f717_98ec8690","updated":"2019-04-02 18:59:57.000000000","message":"Done","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ac13026064d2272716ac2dc2305a85837c13fea0","unresolved":false,"context_lines":[{"line_number":88,"context_line":""},{"line_number":89,"context_line":"PoC: https://review.openstack.org/#/c/645452/"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"This feature is disabled by default in oslo.policy which only log warning"},{"line_number":92,"context_line":"if token scope is not matched. 
Feature can be enabled via configuration"},{"line_number":93,"context_line":"option ``nova.conf [oslo_policy] enforce_scope\u003dTrue``."},{"line_number":94,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_d8c0cee3","line":91,"range":{"start_line":91,"start_character":0,"end_line":91,"end_character":12},"updated":"2019-04-01 14:01:09.000000000","message":"I\u0027d elaborate on this a bit more so that it\u0027s clear why this is disabled by default. We need to allow for operators to migrate off of the old policy enforcement system in a somewhat graceful way. The enforce_scope option helps us with that by giving operators a toggle to enforce scope checking when they\u0027re ready and they\u0027ve audited their users and assignments.","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c0f02f27986032de64ac3072afb358ca86a5cb4a","unresolved":false,"context_lines":[{"line_number":88,"context_line":""},{"line_number":89,"context_line":"PoC: https://review.openstack.org/#/c/645452/"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"This feature is disabled by default in oslo.policy which only log warning"},{"line_number":92,"context_line":"if token scope is not matched. 
Feature can be enabled via configuration"},{"line_number":93,"context_line":"option ``nova.conf [oslo_policy] enforce_scope\u003dTrue``."},{"line_number":94,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_bc1fd66e","line":91,"range":{"start_line":91,"start_character":0,"end_line":91,"end_character":12},"in_reply_to":"5fc1f717_d8c0cee3","updated":"2019-04-02 18:59:57.000000000","message":"Done","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ac13026064d2272716ac2dc2305a85837c13fea0","unresolved":false,"context_lines":[{"line_number":130,"context_line":"system_scope:all\u0027 where system_scope:all is special check so that token of"},{"line_number":131,"context_line":"reader role and project scope cannot access this API. Once nova default the"},{"line_number":132,"context_line":"[oslo_policy].enforce_scope to True then, system_scope:all can be removed"},{"line_number":133,"context_line":"from check_str."},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"PoC: https://review.openstack.org/#/c/648480/"},{"line_number":136,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_58085e2c","line":133,"updated":"2019-04-01 14:01:09.000000000","message":"Cool, thanks for clarifying this.","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c0f02f27986032de64ac3072afb358ca86a5cb4a","unresolved":false,"context_lines":[{"line_number":130,"context_line":"system_scope:all\u0027 where system_scope:all is special check so that token of"},{"line_number":131,"context_line":"reader role and project scope cannot access this API. 
Once nova default the"},{"line_number":132,"context_line":"[oslo_policy].enforce_scope to True then, system_scope:all can be removed"},{"line_number":133,"context_line":"from check_str."},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"PoC: https://review.openstack.org/#/c/648480/"},{"line_number":136,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_fc3d5edd","line":133,"in_reply_to":"5fc1f717_58085e2c","updated":"2019-04-02 18:59:57.000000000","message":"Done","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ac13026064d2272716ac2dc2305a85837c13fea0","unresolved":false,"context_lines":[{"line_number":148,"context_line":"Below are the Policies list which are being used for multiple APIs control and"},{"line_number":149,"context_line":"this spec propose to make them separate for each API operation:"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"* \u0027os_compute_api:os-agents\u0027:"},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"  * File: nova/policies/agents.py"},{"line_number":154,"context_line":"  * APIs Operation it control:"}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_33101550","line":151,"updated":"2019-04-01 14:01:09.000000000","message":"These are going to be renamed?\n\nIf so, I wonder if we should go through the renaming step before we describe this?","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c0f02f27986032de64ac3072afb358ca86a5cb4a","unresolved":false,"context_lines":[{"line_number":148,"context_line":"Below are the Policies list which are being used for multiple APIs control 
and"},{"line_number":149,"context_line":"this spec propose to make them separate for each API operation:"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"* \u0027os_compute_api:os-agents\u0027:"},{"line_number":152,"context_line":""},{"line_number":153,"context_line":"  * File: nova/policies/agents.py"},{"line_number":154,"context_line":"  * APIs Operation it control:"}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_1c770a0b","line":151,"in_reply_to":"5fc1f717_33101550","updated":"2019-04-02 18:59:57.000000000","message":"done. These are current policies list but yes it will be good to mention the renaming things before this","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ac13026064d2272716ac2dc2305a85837c13fea0","unresolved":false,"context_lines":[{"line_number":302,"context_line":"Naming"},{"line_number":303,"context_line":"------"},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"Ideally we standardise on names across all the projects, once agreement is"},{"line_number":306,"context_line":"reached we can say what it is."},{"line_number":307,"context_line":""},{"line_number":308,"context_line":"Naming will follow the standard naming recommendation:"},{"line_number":309,"context_line":"https://docs.openstack.org/oslo.policy/latest/user/usage.html#naming-policies"}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_382232bc","line":306,"range":{"start_line":305,"start_character":0,"end_line":306,"end_character":30},"updated":"2019-04-01 14:01:09.000000000","message":"I think we\u0027ve already done this part?\n\nhttp://lists.openstack.org/pipermail/openstack-dev/2018-September/134597.html","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c0f02f27986032de64ac3072afb358ca86a5cb4a","unresolved":false,"context_lines":[{"line_number":302,"context_line":"Naming"},{"line_number":303,"context_line":"------"},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"Ideally we standardise on names across all the projects, once agreement is"},{"line_number":306,"context_line":"reached we can say what it is."},{"line_number":307,"context_line":""},{"line_number":308,"context_line":"Naming will follow the standard naming recommendation:"},{"line_number":309,"context_line":"https://docs.openstack.org/oslo.policy/latest/user/usage.html#naming-policies"}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_1cee2a8b","line":306,"range":{"start_line":305,"start_character":0,"end_line":306,"end_character":30},"in_reply_to":"5fc1f717_382232bc","updated":"2019-04-02 18:59:57.000000000","message":"yeah. we have standard naming guidelines now.","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ac13026064d2272716ac2dc2305a85837c13fea0","unresolved":false,"context_lines":[{"line_number":441,"context_line":""},{"line_number":442,"context_line":"Work Items"},{"line_number":443,"context_line":"----------"},{"line_number":444,"context_line":""},{"line_number":445,"context_line":"* Make policy rules granular with new naming:"},{"line_number":446,"context_line":"  Example: https://review.openstack.org/#/c/645427/"},{"line_number":447,"context_line":"* Add scope type:"}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_138cf97d","line":444,"updated":"2019-04-01 14:01:09.000000000","message":"Is there going to be an effort to elaborate on the protection testing available in 
nova?\n\nhttps://docs.openstack.org/keystone/latest/contributor/services.html#ruthless-testing","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c0f02f27986032de64ac3072afb358ca86a5cb4a","unresolved":false,"context_lines":[{"line_number":441,"context_line":""},{"line_number":442,"context_line":"Work Items"},{"line_number":443,"context_line":"----------"},{"line_number":444,"context_line":""},{"line_number":445,"context_line":"* Make policy rules granular with new naming:"},{"line_number":446,"context_line":"  Example: https://review.openstack.org/#/c/645427/"},{"line_number":447,"context_line":"* Add scope type:"}],"source_content_type":"text/x-rst","patch_set":15,"id":"5fc1f717_dc38a2ef","line":444,"in_reply_to":"5fc1f717_138cf97d","updated":"2019-04-02 18:59:57.000000000","message":"yeah, we will have spec-less BP for that.","commit_id":"2b72ce3eaca0b5d7890af1f9b00badfb7ead3b8a"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d422da371e3e9a61b69e3ec75e2e45ef79adfcf9","unresolved":false,"context_lines":[{"line_number":20,"context_line":"Problem description"},{"line_number":21,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"The default policy is not good enough for many use cases."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The current defaults are misleading and hard to understand, such that when"},{"line_number":26,"context_line":"operators attempt to audit or modify the policy defaults, its easy to break"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ffb9cba7_d1c32f56","line":23,"updated":"2019-04-30 
17:20:48.000000000","message":"Mel makes great points here, we don\u0027t describe the problem we are fixing here.\n\nMy use cases for this work are:\n\n* want a user in a project with no access to nova (i.e. only has access to swift)\n* want a read_only user in nova\n* want a domain/project admin that can manage quotas on all sub projects\n\nThat later one is harder... but something we want long term. Probably out of scope here.","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"330175b8c80f7c30aefe6b2fe5cf0e5ea5b34d81","unresolved":false,"context_lines":[{"line_number":20,"context_line":"Problem description"},{"line_number":21,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"The default policy is not good enough for many use cases."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The current defaults are misleading and hard to understand, such that when"},{"line_number":26,"context_line":"operators attempt to audit or modify the policy defaults, its easy to break"}],"source_content_type":"text/x-rst","patch_set":16,"id":"dfbec78f_15d95782","line":23,"in_reply_to":"ffb9cba7_31e72baf","updated":"2019-05-03 06:22:42.000000000","message":"Done","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"00380463630cc8e5d7ab83b81aa93526406587aa","unresolved":false,"context_lines":[{"line_number":20,"context_line":"Problem 
description"},{"line_number":21,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"The default policy is not good enough for many use cases."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The current defaults are misleading and hard to understand, such that when"},{"line_number":26,"context_line":"operators attempt to audit or modify the policy defaults, its easy to break"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ffb9cba7_31e72baf","line":23,"in_reply_to":"ffb9cba7_d1c32f56","updated":"2019-04-30 17:22:18.000000000","message":"Actually, lets say domain scoped admin should be able to update any project that is in the given domain. But that is something for a follow on spec, this enables it.","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"d817dea2b914c800bbd242f1b746bc24cc919092","unresolved":false,"context_lines":[{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The current defaults are misleading and hard to understand, such that when"},{"line_number":26,"context_line":"operators attempt to audit or modify the policy defaults, its easy to break"},{"line_number":27,"context_line":"the API or open up security holes in the deployment accidentally."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"The relationship between Nova API policy and those in Cinder, Neutron, etc."},{"line_number":30,"context_line":"is out of scope for this spec. 
Except to say we currently assume the user"}],"source_content_type":"text/x-rst","patch_set":16,"id":"3fce034c_25eddd24","line":27,"updated":"2019-04-16 23:04:59.000000000","message":"Can you give an example of a misleading default that breaks the API or opens security holes when modified by an operator? That would help the reader to understand the problem you are aiming to solve.","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d422da371e3e9a61b69e3ec75e2e45ef79adfcf9","unresolved":false,"context_lines":[{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The current defaults are misleading and hard to understand, such that when"},{"line_number":26,"context_line":"operators attempt to audit or modify the policy defaults, its easy to break"},{"line_number":27,"context_line":"the API or open up security holes in the deployment accidentally."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"The relationship between Nova API policy and those in Cinder, Neutron, etc."},{"line_number":30,"context_line":"is out of scope for this spec. Except to say we currently assume the user"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ffb9cba7_91e377d9","line":27,"in_reply_to":"3fce034c_25eddd24","updated":"2019-04-30 17:20:48.000000000","message":"Current default policy of admin_or_owner means admin or *any\" role in this project. Its missleading, make it hard to add roles in other projects that Nova doesn\u0027t \"understand\". 
Basically we should have a white list approach in the defaults.\n\n+1 to needing these examples here.","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"330175b8c80f7c30aefe6b2fe5cf0e5ea5b34d81","unresolved":false,"context_lines":[{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The current defaults are misleading and hard to understand, such that when"},{"line_number":26,"context_line":"operators attempt to audit or modify the policy defaults, its easy to break"},{"line_number":27,"context_line":"the API or open up security holes in the deployment accidentally."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"The relationship between Nova API policy and those in Cinder, Neutron, etc."},{"line_number":30,"context_line":"is out of scope for this spec. Except to say we currently assume the user"}],"source_content_type":"text/x-rst","patch_set":16,"id":"dfbec78f_55602f33","line":27,"in_reply_to":"ffb9cba7_91e377d9","updated":"2019-05-03 06:22:42.000000000","message":"Done","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"d817dea2b914c800bbd242f1b746bc24cc919092","unresolved":false,"context_lines":[{"line_number":29,"context_line":"The relationship between Nova API policy and those in Cinder, Neutron, etc."},{"line_number":30,"context_line":"is out of scope for this spec. Except to say we currently assume the user"},{"line_number":31,"context_line":"is directly accessing the Nova API, and it is not being accessed on the user\u0027s"},{"line_number":32,"context_line":"behalf via Heat, or similar. 
That problem is for another spec."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"Use Cases"}],"source_content_type":"text/x-rst","patch_set":16,"id":"3fce034c_25d63d51","line":32,"updated":"2019-04-16 23:04:59.000000000","message":"I think this problem statement is missing coverage of the granular policy and scope types aspects of this spec. What problems are granular policy and scope types trying to solve? Are they trying to solve the problem of default policy? If so, how? All of that info should be in the problem statement here.","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"330175b8c80f7c30aefe6b2fe5cf0e5ea5b34d81","unresolved":false,"context_lines":[{"line_number":29,"context_line":"The relationship between Nova API policy and those in Cinder, Neutron, etc."},{"line_number":30,"context_line":"is out of scope for this spec. Except to say we currently assume the user"},{"line_number":31,"context_line":"is directly accessing the Nova API, and it is not being accessed on the user\u0027s"},{"line_number":32,"context_line":"behalf via Heat, or similar. 
That problem is for another spec."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"Use Cases"}],"source_content_type":"text/x-rst","patch_set":16,"id":"dfbec78f_f554c356","line":32,"in_reply_to":"3fce034c_25d63d51","updated":"2019-05-03 06:22:42.000000000","message":"Done","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"d817dea2b914c800bbd242f1b746bc24cc919092","unresolved":false,"context_lines":[{"line_number":37,"context_line":""},{"line_number":38,"context_line":"* Understand the current defaults across Keystone, Nova, Cinder, Neutron, etc."},{"line_number":39,"context_line":"* Ideally never need to change the defaults"},{"line_number":40,"context_line":"* Operators with existing custom policy can easily move to new policy"},{"line_number":41,"context_line":"  structure"},{"line_number":42,"context_line":"* As a cloud provider, I want separate policy permissions control for the"},{"line_number":43,"context_line":"  read and write APIs."},{"line_number":44,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"3fce034c_a5654de3","line":41,"range":{"start_line":40,"start_character":2,"end_line":41,"end_character":11},"updated":"2019-04-16 23:04:59.000000000","message":"What does this mean? 
Many operators with existing custom policy can easily move to policy defaults and get rid of their custom policy once the changes in this spec are implemented?","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"330175b8c80f7c30aefe6b2fe5cf0e5ea5b34d81","unresolved":false,"context_lines":[{"line_number":37,"context_line":""},{"line_number":38,"context_line":"* Understand the current defaults across Keystone, Nova, Cinder, Neutron, etc."},{"line_number":39,"context_line":"* Ideally never need to change the defaults"},{"line_number":40,"context_line":"* Operators with existing custom policy can easily move to new policy"},{"line_number":41,"context_line":"  structure"},{"line_number":42,"context_line":"* As a cloud provider, I want separate policy permissions control for the"},{"line_number":43,"context_line":"  read and write APIs."},{"line_number":44,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"dfbec78f_f587e3b5","line":41,"range":{"start_line":40,"start_character":2,"end_line":41,"end_character":11},"in_reply_to":"3fce034c_a5654de3","updated":"2019-05-03 06:22:42.000000000","message":"yeah, except their special customize cases, new defaults policies should be able to replace their current custom policy file.","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"d817dea2b914c800bbd242f1b746bc24cc919092","unresolved":false,"context_lines":[{"line_number":39,"context_line":"* Ideally never need to change the defaults"},{"line_number":40,"context_line":"* Operators with existing custom policy can easily move to new policy"},{"line_number":41,"context_line":"  structure"},{"line_number":42,"context_line":"* As a cloud 
provider, I want separate policy permissions control for the"},{"line_number":43,"context_line":"  read and write APIs."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Proposed change"},{"line_number":46,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":16,"id":"3fce034c_e57355b0","line":43,"range":{"start_line":42,"start_character":2,"end_line":43,"end_character":22},"updated":"2019-04-16 23:04:59.000000000","message":"I don\u0027t see how this is related to the problem description about providing better policy defaults.","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"330175b8c80f7c30aefe6b2fe5cf0e5ea5b34d81","unresolved":false,"context_lines":[{"line_number":39,"context_line":"* Ideally never need to change the defaults"},{"line_number":40,"context_line":"* Operators with existing custom policy can easily move to new policy"},{"line_number":41,"context_line":"  structure"},{"line_number":42,"context_line":"* As a cloud provider, I want separate policy permissions control for the"},{"line_number":43,"context_line":"  read and write APIs."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"Proposed change"},{"line_number":46,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":16,"id":"dfbec78f_55bcaf68","line":43,"range":{"start_line":42,"start_character":2,"end_line":43,"end_character":22},"in_reply_to":"3fce034c_e57355b0","updated":"2019-05-03 06:22:42.000000000","message":"added the granular policies issue in problem section.","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":4690,"name":"melanie 
witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"d817dea2b914c800bbd242f1b746bc24cc919092","unresolved":false,"context_lines":[{"line_number":46,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"This spec propose the multiple modification in Nova API policies to provide"},{"line_number":49,"context_line":"better RBAC support."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Scope"},{"line_number":52,"context_line":"-----"}],"source_content_type":"text/x-rst","patch_set":16,"id":"3fce034c_a5aa2dcf","line":49,"range":{"start_line":49,"start_character":0,"end_line":49,"end_character":19},"updated":"2019-04-16 23:04:59.000000000","message":"This is really vague and not really related to the problem description section above. Is this spec about \"better RBAC support\" or is it about establishing better policy defaults? 
Given that this spec encompasses policy defaults, granular policy, and policy scope types, I think the spec needs to be either renamed and address all aspects in the problem description, or be separated into one spec per concept.","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d422da371e3e9a61b69e3ec75e2e45ef79adfcf9","unresolved":false,"context_lines":[{"line_number":46,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"This spec propose the multiple modification in Nova API policies to provide"},{"line_number":49,"context_line":"better RBAC support."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Scope"},{"line_number":52,"context_line":"-----"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ffb9cba7_71c84321","line":49,"range":{"start_line":49,"start_character":0,"end_line":49,"end_character":19},"in_reply_to":"3fce034c_a5aa2dcf","updated":"2019-04-30 17:20:48.000000000","message":"I think what we are saying here is:\n\nWe need to review every policy role and make them compliant with a set of reviewing rules.\n\n* Name updated to be API centric\n* Rule default updated to be match keystone\u0027s new default roles and scope definitions.\n\nCurrently Nova roughly has:\n\n* global admin\n* project user\n\nGenerally, the global admin moves to global scoped with \"admin role\". The project user is \"project\" scope and \"member\" role.\n\nIn addition we want to add a \"project\" with \"read\" role, for monitoring tools to use to list instances. 
Also a \"global\" \"read\" role for things like operational tooling to list instances in all projects for reporting, etc.\n\nTo have this read distinction, we need more granular roles for some APIs where there is currently a single policy rule that covers read and member like operations.\n\nMore importantly, we want to get to the point where roles are added in other projects with zero affect on Nova. In addition, we need to help operators that have custom policy get warnings to help them transition to the new names and defaults.\n\nTODO: what would project admin get access to at this point?","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"330175b8c80f7c30aefe6b2fe5cf0e5ea5b34d81","unresolved":false,"context_lines":[{"line_number":46,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"This spec propose the multiple modification in Nova API policies to provide"},{"line_number":49,"context_line":"better RBAC support."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Scope"},{"line_number":52,"context_line":"-----"}],"source_content_type":"text/x-rst","patch_set":16,"id":"dfbec78f_951ea76e","line":49,"range":{"start_line":49,"start_character":0,"end_line":49,"end_character":19},"in_reply_to":"ffb9cba7_71c84321","updated":"2019-05-03 06:22:42.000000000","message":"Done","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"d817dea2b914c800bbd242f1b746bc24cc919092","unresolved":false,"context_lines":[{"line_number":47,"context_line":""},{"line_number":48,"context_line":"This spec propose the multiple 
modification in Nova API policies to provide"},{"line_number":49,"context_line":"better RBAC support."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Scope"},{"line_number":52,"context_line":"-----"},{"line_number":53,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"3fce034c_e544b51d","line":50,"updated":"2019-04-16 23:04:59.000000000","message":"Which part of the following proposed change addresses the changing of default policy? I don\u0027t notice anything about changing any of the existing default values (for example, live migration defaults to admin API as a default). Are you referring to new defaults that would be introduced by granular policies?","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"330175b8c80f7c30aefe6b2fe5cf0e5ea5b34d81","unresolved":false,"context_lines":[{"line_number":47,"context_line":""},{"line_number":48,"context_line":"This spec propose the multiple modification in Nova API policies to provide"},{"line_number":49,"context_line":"better RBAC support."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Scope"},{"line_number":52,"context_line":"-----"},{"line_number":53,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"dfbec78f_55182f80","line":50,"in_reply_to":"3fce034c_e544b51d","updated":"2019-05-03 06:22:42.000000000","message":"yeah, once we add the missing granularity in policies then we define the better roles for them by following the keystone\u0027s default roles.","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"102819e4957ad02bf02bd2e2491101009ffebc38","unresolved":false,"context_lines":[{"line_number":75,"context_line":"This scope 
type can be applied to API policies which need"},{"line_number":76,"context_line":"access permission at project level for example GET /servers."},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"Any policy need permission for both scope \u0027system\u0027 and \u0027project\u0027"},{"line_number":79,"context_line":"can be added with both scope, for example: scope_type[\u0027system\u0027, \u0027project\u0027]"},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"Each policy rules will be covered with appropriate scope_type, \u0027system\u0027,"},{"line_number":82,"context_line":"\u0027project\u0027 in nova case."}],"source_content_type":"text/x-rst","patch_set":16,"id":"ffb9cba7_4ad22102","line":79,"range":{"start_line":78,"start_character":0,"end_line":79,"end_character":74},"updated":"2019-05-01 01:10:22.000000000","message":"In this case, the logic that differentiates the behavior between these different scopes needs to happen in-code, for example:\n\nhttps://opendev.org/openstack/keystone/src/branch/master/keystone/api/groups.py#L87-L92","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"330175b8c80f7c30aefe6b2fe5cf0e5ea5b34d81","unresolved":false,"context_lines":[{"line_number":75,"context_line":"This scope type can be applied to API policies which need"},{"line_number":76,"context_line":"access permission at project level for example GET /servers."},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"Any policy need permission for both scope \u0027system\u0027 and \u0027project\u0027"},{"line_number":79,"context_line":"can be added with both scope, for example: scope_type[\u0027system\u0027, \u0027project\u0027]"},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"Each policy rules will be covered with appropriate 
scope_type, \u0027system\u0027,"},{"line_number":82,"context_line":"\u0027project\u0027 in nova case."}],"source_content_type":"text/x-rst","patch_set":16,"id":"dfbec78f_f50cc343","line":79,"range":{"start_line":78,"start_character":0,"end_line":79,"end_character":74},"in_reply_to":"ffb9cba7_4ad22102","updated":"2019-05-03 06:22:42.000000000","message":"yeah, same for list instances in nova case. I will mention this point.","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"102819e4957ad02bf02bd2e2491101009ffebc38","unresolved":false,"context_lines":[{"line_number":84,"context_line":"with system-scoped tokens will be authorized to access this API."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"POST \u0027/servers/{server_id}/action (lock) will be scoped as"},{"line_number":87,"context_line":"[\u0027system\u0027, \u0027project\u0027] which means system scope token as well as project"},{"line_number":88,"context_line":"scope token can lock the servers."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"PoC: https://review.openstack.org/#/c/645452/"},{"line_number":91,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"ffb9cba7_2ad56de5","line":88,"range":{"start_line":87,"start_character":34,"end_line":88,"end_character":32},"updated":"2019-05-01 01:10:22.000000000","message":"Why does this need to be a system-scoped action? 
A server is owned by a project, so this should be a project-scoped action only.","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"330175b8c80f7c30aefe6b2fe5cf0e5ea5b34d81","unresolved":false,"context_lines":[{"line_number":84,"context_line":"with system-scoped tokens will be authorized to access this API."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"POST \u0027/servers/{server_id}/action (lock) will be scoped as"},{"line_number":87,"context_line":"[\u0027system\u0027, \u0027project\u0027] which means system scope token as well as project"},{"line_number":88,"context_line":"scope token can lock the servers."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"PoC: https://review.openstack.org/#/c/645452/"},{"line_number":91,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"dfbec78f_6b623019","line":88,"range":{"start_line":87,"start_character":34,"end_line":88,"end_character":32},"in_reply_to":"ffb9cba7_2ad56de5","updated":"2019-05-03 06:22:42.000000000","message":"A system-level admin should also be able to lock a server in any project. Under the current policy, admin can already lock any server.\n\nI mean that locking a server can be an operational-level action: 
for example, if a user does not pay the fee, the system admin should be able to lock it for the time being.","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"102819e4957ad02bf02bd2e2491101009ffebc38","unresolved":false,"context_lines":[{"line_number":102,"context_line":"user_id we have no concept of project, and when checking project_id we care"},{"line_number":103,"context_line":"little about the user_id."},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"In hard coding this check, we remove the ability to loosen the scope via"},{"line_number":106,"context_line":"policy, which helps with interoperability. Note we currently allow users to"},{"line_number":107,"context_line":"reduce the scope on certain API calls, until we have hierarchical quotas:"},{"line_number":108,"context_line":"https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ffb9cba7_aa02bd6d","line":105,"range":{"start_line":105,"start_character":15,"end_line":105,"end_character":25},"updated":"2019-05-01 01:10:22.000000000","message":"which check?","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"330175b8c80f7c30aefe6b2fe5cf0e5ea5b34d81","unresolved":false,"context_lines":[{"line_number":102,"context_line":"user_id we have no concept of project, and when checking project_id we care"},{"line_number":103,"context_line":"little about the user_id."},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"In hard coding this check, we remove the ability to loosen the scope via"},{"line_number":106,"context_line":"policy, which helps with interoperability. 
Note we currently allow users to"},{"line_number":107,"context_line":"reduce the scope on certain API calls, until we have hierarchical quotas:"},{"line_number":108,"context_line":"https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html"}],"source_content_type":"text/x-rst","patch_set":16,"id":"dfbec78f_06128b59","line":105,"range":{"start_line":105,"start_character":15,"end_line":105,"end_character":25},"in_reply_to":"ffb9cba7_aa02bd6d","updated":"2019-05-03 06:22:42.000000000","message":"this is for scope check. done","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"102819e4957ad02bf02bd2e2491101009ffebc38","unresolved":false,"context_lines":[{"line_number":122,"context_line":"The member role maps to the current default level of privilege."},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"The admin role maps to the current admin role. Note this means live-migration"},{"line_number":125,"context_line":"is project scoped and admin. 
Although if you specify a host, you would need"},{"line_number":126,"context_line":"to have system scope to use that parameter."},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"It is important to consider the scope_type of the policy when defining the"},{"line_number":129,"context_line":"appropriate default roles."}],"source_content_type":"text/x-rst","patch_set":16,"id":"ffb9cba7_2aeecdb3","line":126,"range":{"start_line":125,"start_character":29,"end_line":126,"end_character":43},"updated":"2019-05-01 01:10:22.000000000","message":"This sounds a little bit dangerous, it seems like there is one API that would need to have a different policy based on the body of the request?","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"330175b8c80f7c30aefe6b2fe5cf0e5ea5b34d81","unresolved":false,"context_lines":[{"line_number":122,"context_line":"The member role maps to the current default level of privilege."},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"The admin role maps to the current admin role. Note this means live-migration"},{"line_number":125,"context_line":"is project scoped and admin. 
Although if you specify a host, you would need"},{"line_number":126,"context_line":"to have system scope to use that parameter."},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"It is important to consider the scope_type of the policy when defining the"},{"line_number":129,"context_line":"appropriate default roles."}],"source_content_type":"text/x-rst","patch_set":16,"id":"dfbec78f_4b3f2cd6","line":126,"range":{"start_line":125,"start_character":29,"end_line":126,"end_character":43},"in_reply_to":"ffb9cba7_2aeecdb3","updated":"2019-05-03 06:22:42.000000000","message":"Yeah, this is a little tricky: we accept the destination host in the same API request, but that is actually a different level of request which only system scope can specify. \n\nOne good way to understand this is that GET /os-hosts is also system-level scope, not project.","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"102819e4957ad02bf02bd2e2491101009ffebc38","unresolved":false,"context_lines":[{"line_number":385,"context_line":"REST API impact"},{"line_number":386,"context_line":"---------------"},{"line_number":387,"context_line":""},{"line_number":388,"context_line":"Existing users should be unaffected by these changes."},{"line_number":389,"context_line":""},{"line_number":390,"context_line":"Operators should be able to create new users with more restrictive permissions"},{"line_number":391,"context_line":"in the near future."}],"source_content_type":"text/x-rst","patch_set":16,"id":"ffb9cba7_8a8019c1","line":388,"range":{"start_line":388,"start_character":1,"end_line":388,"end_character":53},"updated":"2019-05-01 01:10:22.000000000","message":"Once the deprecation cycle is over and enforce_scope is enabled and the deprecated policies are removed, users will have to be retrained to use the correct scope for the operation they want to 
perform.","commit_id":"cfae970808bc81c2d86be1f297dfc20d08a1a61c"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"bb2de6b7efdda5b17aa6d613462440b3df0ad0b1","unresolved":false,"context_lines":[{"line_number":63,"context_line":"Use Cases"},{"line_number":64,"context_line":"---------"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"* Understand the current defaults across Keystone, Nova, Cinder, Neutron, etc."},{"line_number":67,"context_line":"* Ideally never need to change the defaults"},{"line_number":68,"context_line":"* Operators with existing custom policy can easily move to new policy"},{"line_number":69,"context_line":"  structure. New default policies should be able st of the customized"}],"source_content_type":"text/x-rst","patch_set":17,"id":"dfbec78f_36033345","line":66,"range":{"start_line":66,"start_character":0,"end_line":66,"end_character":78},"updated":"2019-05-04 01:49:05.000000000","message":"\"Easy to understand current defaults across ..\".\nIn addition, this seems a merit, not usecase.","commit_id":"6d22cb3a5c812e5d624aa7b1215a3f10ce238ba3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"5777c11d4fe105909d2afcf5b3aacd30cb9c0be8","unresolved":false,"context_lines":[{"line_number":63,"context_line":"Use Cases"},{"line_number":64,"context_line":"---------"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"* Understand the current defaults across Keystone, Nova, Cinder, Neutron, etc."},{"line_number":67,"context_line":"* Ideally never need to change the defaults"},{"line_number":68,"context_line":"* Operators with existing custom policy can easily move to new policy"},{"line_number":69,"context_line":"  structure. 
New default policies should be able st of the customized"}],"source_content_type":"text/x-rst","patch_set":17,"id":"dfbec78f_86940946","line":66,"range":{"start_line":66,"start_character":0,"end_line":66,"end_character":78},"in_reply_to":"dfbec78f_36033345","updated":"2019-05-07 11:33:13.000000000","message":"Agreed, hopefully the new text works better now.","commit_id":"6d22cb3a5c812e5d624aa7b1215a3f10ce238ba3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"bb2de6b7efdda5b17aa6d613462440b3df0ad0b1","unresolved":false,"context_lines":[{"line_number":64,"context_line":"---------"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"* Understand the current defaults across Keystone, Nova, Cinder, Neutron, etc."},{"line_number":67,"context_line":"* Ideally never need to change the defaults"},{"line_number":68,"context_line":"* Operators with existing custom policy can easily move to new policy"},{"line_number":69,"context_line":"  structure. 
New default policies should be able st of the customized"},{"line_number":70,"context_line":"  policy and replace their custom file."}],"source_content_type":"text/x-rst","patch_set":17,"id":"dfbec78f_76e9ab7e","line":67,"range":{"start_line":67,"start_character":0,"end_line":67,"end_character":43},"updated":"2019-05-04 01:49:05.000000000","message":"ditto: This seems a merit, not usecase.","commit_id":"6d22cb3a5c812e5d624aa7b1215a3f10ce238ba3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"bb2de6b7efdda5b17aa6d613462440b3df0ad0b1","unresolved":false,"context_lines":[{"line_number":66,"context_line":"* Understand the current defaults across Keystone, Nova, Cinder, Neutron, etc."},{"line_number":67,"context_line":"* Ideally never need to change the defaults"},{"line_number":68,"context_line":"* Operators with existing custom policy can easily move to new policy"},{"line_number":69,"context_line":"  structure. New default policies should be able st of the customized"},{"line_number":70,"context_line":"  policy and replace their custom file."},{"line_number":71,"context_line":"* As a cloud provider, I want separate policy permissions control for the"},{"line_number":72,"context_line":"  read and write APIs. 
Granularity policies will solve the problem to"}],"source_content_type":"text/x-rst","patch_set":17,"id":"dfbec78f_b6ef2386","line":69,"range":{"start_line":69,"start_character":41,"end_line":69,"end_character":69},"updated":"2019-05-04 01:49:05.000000000","message":"I am not sure what we wanted to say here..\njust \"be able to customize\" ?","commit_id":"6d22cb3a5c812e5d624aa7b1215a3f10ce238ba3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"bb2de6b7efdda5b17aa6d613462440b3df0ad0b1","unresolved":false,"context_lines":[{"line_number":68,"context_line":"* Operators with existing custom policy can easily move to new policy"},{"line_number":69,"context_line":"  structure. New default policies should be able st of the customized"},{"line_number":70,"context_line":"  policy and replace their custom file."},{"line_number":71,"context_line":"* As a cloud provider, I want separate policy permissions control for the"},{"line_number":72,"context_line":"  read and write APIs. Granularity policies will solve the problem to"},{"line_number":73,"context_line":"  provide different access permission among read and write APIs."},{"line_number":74,"context_line":""}],"source_content_type":"text/x-rst","patch_set":17,"id":"dfbec78f_56002735","line":71,"range":{"start_line":71,"start_character":25,"end_line":71,"end_character":38},"updated":"2019-05-04 01:49:05.000000000","message":"\"want to separate\"","commit_id":"6d22cb3a5c812e5d624aa7b1215a3f10ce238ba3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"bb2de6b7efdda5b17aa6d613462440b3df0ad0b1","unresolved":false,"context_lines":[{"line_number":69,"context_line":"  structure. 
New default policies should be able st of the customized"},{"line_number":70,"context_line":"  policy and replace their custom file."},{"line_number":71,"context_line":"* As a cloud provider, I want separate policy permissions control for the"},{"line_number":72,"context_line":"  read and write APIs. Granularity policies will solve the problem to"},{"line_number":73,"context_line":"  provide different access permission among read and write APIs."},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":17,"id":"dfbec78f_d699771f","line":72,"range":{"start_line":72,"start_character":21,"end_line":72,"end_character":22},"updated":"2019-05-04 01:49:05.000000000","message":"\" on the same resource\".","commit_id":"6d22cb3a5c812e5d624aa7b1215a3f10ce238ba3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"bb2de6b7efdda5b17aa6d613462440b3df0ad0b1","unresolved":false,"context_lines":[{"line_number":75,"context_line":"Proposed change"},{"line_number":76,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"This spec propose the three improvements in Nova API policies."},{"line_number":79,"context_line":"We need to review every policy role and make them compliant with"},{"line_number":80,"context_line":"a set of reviewing rules:"},{"line_number":81,"context_line":""}],"source_content_type":"text/x-rst","patch_set":17,"id":"dfbec78f_769e8b08","line":78,"range":{"start_line":78,"start_character":10,"end_line":78,"end_character":17},"updated":"2019-05-04 01:49:05.000000000","message":"\"proposes\"","commit_id":"6d22cb3a5c812e5d624aa7b1215a3f10ce238ba3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi 
Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"bb2de6b7efdda5b17aa6d613462440b3df0ad0b1","unresolved":false,"context_lines":[{"line_number":79,"context_line":"We need to review every policy role and make them compliant with"},{"line_number":80,"context_line":"a set of reviewing rules:"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"#. Rule defaults updated to be match keystone\u0027s new default roles"},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"#. Scope_type support in Nova as defined in keystone\u0027s scope feature."},{"line_number":85,"context_line":""}],"source_content_type":"text/x-rst","patch_set":17,"id":"dfbec78f_168f0fcd","line":82,"range":{"start_line":82,"start_character":37,"end_line":82,"end_character":65},"updated":"2019-05-04 01:49:05.000000000","message":"What is this new default roles? Do we have a link of that?","commit_id":"6d22cb3a5c812e5d624aa7b1215a3f10ce238ba3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"bb2de6b7efdda5b17aa6d613462440b3df0ad0b1","unresolved":false,"context_lines":[{"line_number":90,"context_line":""},{"line_number":91,"context_line":"In addition we want to add a ``project`` with ``reader`` role, for"},{"line_number":92,"context_line":"monitoring tools to use to list instances or say to perform the project"},{"line_number":93,"context_line":"level operations. 
Also a ``system` ``reader`` role for operation like"},{"line_number":94,"context_line":"operational tooling to list instances in all projects for reporting, or"},{"line_number":95,"context_line":"global level operations like enable or disable nova services."},{"line_number":96,"context_line":""}],"source_content_type":"text/x-rst","patch_set":17,"id":"dfbec78f_d6c2d7e9","line":93,"range":{"start_line":93,"start_character":33,"end_line":93,"end_character":34},"updated":"2019-05-04 01:49:05.000000000","message":"nit: need to add one more `","commit_id":"6d22cb3a5c812e5d624aa7b1215a3f10ce238ba3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"bb2de6b7efdda5b17aa6d613462440b3df0ad0b1","unresolved":false,"context_lines":[{"line_number":99,"context_line":"and member like operations as mentioned in problem section."},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"More importantly, we want to get to the point where roles are added in"},{"line_number":102,"context_line":"other projects with zero affect on Nova. 
In addition, we need to help"},{"line_number":103,"context_line":"operators that have custom policy get warnings to help them transition"},{"line_number":104,"context_line":"to the new names and defaults."},{"line_number":105,"context_line":""}],"source_content_type":"text/x-rst","patch_set":17,"id":"dfbec78f_d6673725","line":102,"range":{"start_line":102,"start_character":25,"end_line":102,"end_character":31},"updated":"2019-05-04 01:49:05.000000000","message":"nit: \"effect\" or \"impact\"","commit_id":"6d22cb3a5c812e5d624aa7b1215a3f10ce238ba3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"bb2de6b7efdda5b17aa6d613462440b3df0ad0b1","unresolved":false,"context_lines":[{"line_number":104,"context_line":"to the new names and defaults."},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"What operation will get the ``system`` or ``project`` level scope and"},{"line_number":107,"context_line":"defaults roles will be discussed during implementation."},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"Scope"},{"line_number":110,"context_line":"-----"}],"source_content_type":"text/x-rst","patch_set":17,"id":"dfbec78f_365fb342","line":107,"range":{"start_line":107,"start_character":0,"end_line":107,"end_character":55},"updated":"2019-05-04 01:49:05.000000000","message":"This description makes me conservative because it could set unhappy default policies against operators even but we are saying\n\n Ideally never need to change the defaults\n\nat line 67. 
Do you have actual plan or strategy which changes default policies in your mind?","commit_id":"6d22cb3a5c812e5d624aa7b1215a3f10ce238ba3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"5777c11d4fe105909d2afcf5b3aacd30cb9c0be8","unresolved":false,"context_lines":[{"line_number":104,"context_line":"to the new names and defaults."},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"What operation will get the ``system`` or ``project`` level scope and"},{"line_number":107,"context_line":"defaults roles will be discussed during implementation."},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"Scope"},{"line_number":110,"context_line":"-----"}],"source_content_type":"text/x-rst","patch_set":17,"id":"dfbec78f_469e1164","line":107,"range":{"start_line":107,"start_character":0,"end_line":107,"end_character":55},"in_reply_to":"dfbec78f_365fb342","updated":"2019-05-07 11:33:13.000000000","message":"The main aim here is changing the default policy rules, hopefully that is clearer now.","commit_id":"6d22cb3a5c812e5d624aa7b1215a3f10ce238ba3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"bb2de6b7efdda5b17aa6d613462440b3df0ad0b1","unresolved":false,"context_lines":[{"line_number":133,"context_line":"This scope type can be applied to API policies which need"},{"line_number":134,"context_line":"access permission at project level for example GET /servers."},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"Any policy need permission for both scope \u0027system\u0027 and \u0027project\u0027"},{"line_number":137,"context_line":"can be added with both scope, for example: scope_type[\u0027system\u0027, \u0027project\u0027]."},{"line_number":138,"context_line":"In such cases there might be possibility that behavior will be 
different"},{"line_number":139,"context_line":"between these scope type for example: GET /os-servers will return servers"}],"source_content_type":"text/x-rst","patch_set":17,"id":"dfbec78f_362493c6","line":136,"range":{"start_line":136,"start_character":4,"end_line":136,"end_character":10},"updated":"2019-05-04 01:49:05.000000000","message":"policies","commit_id":"6d22cb3a5c812e5d624aa7b1215a3f10ce238ba3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"bb2de6b7efdda5b17aa6d613462440b3df0ad0b1","unresolved":false,"context_lines":[{"line_number":136,"context_line":"Any policy need permission for both scope \u0027system\u0027 and \u0027project\u0027"},{"line_number":137,"context_line":"can be added with both scope, for example: scope_type[\u0027system\u0027, \u0027project\u0027]."},{"line_number":138,"context_line":"In such cases there might be possibility that behavior will be different"},{"line_number":139,"context_line":"between these scope type for example: GET /os-servers will return servers"},{"line_number":140,"context_line":"of that project only if to\tken is project scope and all project\u0027s servers"},{"line_number":141,"context_line":"if token is system scope."},{"line_number":142,"context_line":""}],"source_content_type":"text/x-rst","patch_set":17,"id":"dfbec78f_562107b4","line":139,"range":{"start_line":139,"start_character":20,"end_line":139,"end_character":24},"updated":"2019-05-04 01:49:05.000000000","message":"types","commit_id":"6d22cb3a5c812e5d624aa7b1215a3f10ce238ba3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"bb2de6b7efdda5b17aa6d613462440b3df0ad0b1","unresolved":false,"context_lines":[{"line_number":137,"context_line":"can be added with both scope, for example: scope_type[\u0027system\u0027, \u0027project\u0027]."},{"line_number":138,"context_line":"In such cases 
there might be possibility that behavior will be different"},{"line_number":139,"context_line":"between these scope type for example: GET /os-servers will return servers"},{"line_number":140,"context_line":"of that project only if to\tken is project scope and all project\u0027s servers"},{"line_number":141,"context_line":"if token is system scope."},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"Each policy rules will be covered with appropriate scope_type, \u0027system\u0027,"}],"source_content_type":"text/x-rst","patch_set":17,"id":"dfbec78f_568587ac","line":140,"range":{"start_line":140,"start_character":26,"end_line":140,"end_character":27},"updated":"2019-05-04 01:49:05.000000000","message":"nit: need to remove tab","commit_id":"6d22cb3a5c812e5d624aa7b1215a3f10ce238ba3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"bb2de6b7efdda5b17aa6d613462440b3df0ad0b1","unresolved":false,"context_lines":[{"line_number":140,"context_line":"of that project only if to\tken is project scope and all project\u0027s servers"},{"line_number":141,"context_line":"if token is system scope."},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"Each policy rules will be covered with appropriate scope_type, \u0027system\u0027,"},{"line_number":144,"context_line":"\u0027project\u0027 in nova case."},{"line_number":145,"context_line":"For example GET /os-services will be scoped as \u0027system\u0027 so that only users"},{"line_number":146,"context_line":"with system-scoped tokens will be authorized to access this API."}],"source_content_type":"text/x-rst","patch_set":17,"id":"dfbec78f_b6196389","line":143,"range":{"start_line":143,"start_character":12,"end_line":143,"end_character":17},"updated":"2019-05-04 01:49:05.000000000","message":"rule","commit_id":"6d22cb3a5c812e5d624aa7b1215a3f10ce238ba3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi 
Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"bb2de6b7efdda5b17aa6d613462440b3df0ad0b1","unresolved":false,"context_lines":[{"line_number":145,"context_line":"For example GET /os-services will be scoped as \u0027system\u0027 so that only users"},{"line_number":146,"context_line":"with system-scoped tokens will be authorized to access this API."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"POST \u0027/servers/{server_id}/action (lock) will be scoped as"},{"line_number":149,"context_line":"[\u0027system\u0027, \u0027project\u0027] which means system scope token as well as project"},{"line_number":150,"context_line":"scope token can lock the servers."},{"line_number":151,"context_line":""}],"source_content_type":"text/x-rst","patch_set":17,"id":"dfbec78f_7613eb67","line":148,"range":{"start_line":148,"start_character":39,"end_line":148,"end_character":40},"updated":"2019-05-04 01:49:05.000000000","message":"nit: \u0027 is necessary after )","commit_id":"6d22cb3a5c812e5d624aa7b1215a3f10ce238ba3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"ccd0c3189c7a264b399b2517eb8c930c99c13e8e","unresolved":false,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Secondly \"admin_or_owner\" sounds like it checks if the user is a member of a"},{"line_number":35,"context_line":"project. However, for most APIs we use the default target which means this"},{"line_number":36,"context_line":"test will pass for any authenticated user. The database layer has a check"},{"line_number":37,"context_line":"for the admin role that ensures only users in the correct project can access"},{"line_number":38,"context_line":"instances in that project. 
For example, this database check means it is"},{"line_number":39,"context_line":"impossible to have a custom role that allows a user to perform live-migration"}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_b8cec02a","line":36,"range":{"start_line":36,"start_character":0,"end_line":36,"end_character":4},"updated":"2019-05-11 00:57:10.000000000","message":"nit: s/test/rule/ ?","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"3fd945478047732adf2023644e9ec1e6f807e968","unresolved":false,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Secondly \"admin_or_owner\" sounds like it checks if the user is a member of a"},{"line_number":35,"context_line":"project. However, for most APIs we use the default target which means this"},{"line_number":36,"context_line":"test will pass for any authenticated user. The database layer has a check"},{"line_number":37,"context_line":"for the admin role that ensures only users in the correct project can access"},{"line_number":38,"context_line":"instances in that project. 
For example, this database check means it is"},{"line_number":39,"context_line":"impossible to have a custom role that allows a user to perform live-migration"}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_fbf97bc7","line":36,"range":{"start_line":36,"start_character":0,"end_line":36,"end_character":4},"in_reply_to":"dfbec78f_b8cec02a","updated":"2019-05-13 16:20:25.000000000","message":"+1","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c1dca541577c0e4bb383c15c784c81ef20863d24","unresolved":false,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Secondly \"admin_or_owner\" sounds like it checks if the user is a member of a"},{"line_number":35,"context_line":"project. However, for most APIs we use the default target which means this"},{"line_number":36,"context_line":"test will pass for any authenticated user. The database layer has a check"},{"line_number":37,"context_line":"for the admin role that ensures only users in the correct project can access"},{"line_number":38,"context_line":"instances in that project. 
For example, this database check means it is"},{"line_number":39,"context_line":"impossible to have a custom role that allows a user to perform live-migration"}],"source_content_type":"text/x-rst","patch_set":18,"id":"bfb3d3c7_74a283ff","line":36,"range":{"start_line":36,"start_character":0,"end_line":36,"end_character":4},"in_reply_to":"dfbec78f_fbf97bc7","updated":"2019-05-27 05:49:00.000000000","message":"Done","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"f6226d2f49e7d182305c6a9e5af6950bd3f542c6","unresolved":false,"context_lines":[{"line_number":37,"context_line":"for the admin role that ensures only users in the correct project can access"},{"line_number":38,"context_line":"instances in that project. For example, this database check means it is"},{"line_number":39,"context_line":"impossible to have a custom role that allows a user to perform live-migration"},{"line_number":40,"context_line":"of a server in a different project to their token, which the user being given"},{"line_number":41,"context_line":"the global admin role. 
In addition, should a user have any role in a project,"},{"line_number":42,"context_line":"using the default policy, that user is able to access Nova and start instances"},{"line_number":43,"context_line":"in that project (subject to any quota limits on that project)."}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_4ffc53b4","line":40,"range":{"start_line":40,"start_character":51,"end_line":40,"end_character":56},"updated":"2019-05-15 22:49:31.000000000","message":"without?","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c1dca541577c0e4bb383c15c784c81ef20863d24","unresolved":false,"context_lines":[{"line_number":37,"context_line":"for the admin role that ensures only users in the correct project can access"},{"line_number":38,"context_line":"instances in that project. For example, this database check means it is"},{"line_number":39,"context_line":"impossible to have a custom role that allows a user to perform live-migration"},{"line_number":40,"context_line":"of a server in a different project to their token, which the user being given"},{"line_number":41,"context_line":"the global admin role. 
In addition, should a user have any role in a project,"},{"line_number":42,"context_line":"using the default policy, that user is able to access Nova and start instances"},{"line_number":43,"context_line":"in that project (subject to any quota limits on that project)."}],"source_content_type":"text/x-rst","patch_set":18,"id":"bfb3d3c7_34a88bd9","line":40,"range":{"start_line":40,"start_character":51,"end_line":40,"end_character":56},"in_reply_to":"bfb3d3c7_022549c2","updated":"2019-05-27 05:49:00.000000000","message":"Done","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"8d442e0b5d04f940b36b14dceecdc1a3861b6e35","unresolved":false,"context_lines":[{"line_number":37,"context_line":"for the admin role that ensures only users in the correct project can access"},{"line_number":38,"context_line":"instances in that project. For example, this database check means it is"},{"line_number":39,"context_line":"impossible to have a custom role that allows a user to perform live-migration"},{"line_number":40,"context_line":"of a server in a different project to their token, which the user being given"},{"line_number":41,"context_line":"the global admin role. 
In addition, should a user have any role in a project,"},{"line_number":42,"context_line":"using the default policy, that user is able to access Nova and start instances"},{"line_number":43,"context_line":"in that project (subject to any quota limits on that project)."}],"source_content_type":"text/x-rst","patch_set":18,"id":"bfb3d3c7_022549c2","line":40,"range":{"start_line":40,"start_character":51,"end_line":40,"end_character":56},"in_reply_to":"dfbec78f_4ffc53b4","updated":"2019-05-22 15:43:54.000000000","message":"oops, yes.","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"ccd0c3189c7a264b399b2517eb8c930c99c13e8e","unresolved":false,"context_lines":[{"line_number":62,"context_line":"* System Scoped Administrator (live-migrate, disable services, etc)"},{"line_number":63,"context_line":"* Project Scoped Member (create servers, delete servers)"},{"line_number":64,"context_line":"* System Scoped Reader (list hosts, list all servers)"},{"line_number":65,"context_line":"* Project Scoped Reader (list servers)"},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"In introducing the above new default permissions, we must ensure:"},{"line_number":68,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_7805a845","line":65,"updated":"2019-05-11 00:57:10.000000000","message":"++ Thanks for updating :-)","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"ccd0c3189c7a264b399b2517eb8c930c99c13e8e","unresolved":false,"context_lines":[{"line_number":83,"context_line":"   behavior before any changes are made."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"#. 
Add ability to restrict each policy check to either System Scoped Admin"},{"line_number":86,"context_line":"   or Project member, with a fallback to the old \"admin_or_owner\" policy,"},{"line_number":87,"context_line":"   and defaulting to enforce_scope\u003dFalse."},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"#. DB check around project id loosened to include any admin scoped token"}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_189cac0d","line":86,"range":{"start_line":86,"start_character":6,"end_line":86,"end_character":20},"updated":"2019-05-11 00:57:10.000000000","message":"nit: s/Project member/Project Scoped Member/ for matching the above name.","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c1dca541577c0e4bb383c15c784c81ef20863d24","unresolved":false,"context_lines":[{"line_number":83,"context_line":"   behavior before any changes are made."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"#. Add ability to restrict each policy check to either System Scoped Admin"},{"line_number":86,"context_line":"   or Project member, with a fallback to the old \"admin_or_owner\" policy,"},{"line_number":87,"context_line":"   and defaulting to enforce_scope\u003dFalse."},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"#. 
DB check around project id loosened to include any admin scoped token"}],"source_content_type":"text/x-rst","patch_set":18,"id":"bfb3d3c7_d4b00f46","line":86,"range":{"start_line":86,"start_character":6,"end_line":86,"end_character":20},"in_reply_to":"dfbec78f_189cac0d","updated":"2019-05-27 05:49:00.000000000","message":"Done","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"ccd0c3189c7a264b399b2517eb8c930c99c13e8e","unresolved":false,"context_lines":[{"line_number":88,"context_line":""},{"line_number":89,"context_line":"#. DB check around project id loosened to include any admin scoped token"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"#. Implement the system reader and project reader roles, with appropriate"},{"line_number":92,"context_line":"   tests added. Also add additional policy rules where more granularity"},{"line_number":93,"context_line":"   is needed."},{"line_number":94,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_d8a13448","line":91,"range":{"start_line":91,"start_character":35,"end_line":91,"end_character":49},"updated":"2019-05-11 00:57:10.000000000","message":"nit: Project Scoped Reader","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"ccd0c3189c7a264b399b2517eb8c930c99c13e8e","unresolved":false,"context_lines":[{"line_number":88,"context_line":""},{"line_number":89,"context_line":"#. DB check around project id loosened to include any admin scoped token"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"#. Implement the system reader and project reader roles, with appropriate"},{"line_number":92,"context_line":"   tests added. 
Also add additional policy rules where more granularity"},{"line_number":93,"context_line":"   is needed."},{"line_number":94,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_b89c800e","line":91,"range":{"start_line":91,"start_character":17,"end_line":91,"end_character":30},"updated":"2019-05-11 00:57:10.000000000","message":"nit: System Scoped Reader","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c1dca541577c0e4bb383c15c784c81ef20863d24","unresolved":false,"context_lines":[{"line_number":88,"context_line":""},{"line_number":89,"context_line":"#. DB check around project id loosened to include any admin scoped token"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"#. Implement the system reader and project reader roles, with appropriate"},{"line_number":92,"context_line":"   tests added. Also add additional policy rules where more granularity"},{"line_number":93,"context_line":"   is needed."},{"line_number":94,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"bfb3d3c7_f4ad13e9","line":91,"range":{"start_line":91,"start_character":35,"end_line":91,"end_character":49},"in_reply_to":"dfbec78f_d8a13448","updated":"2019-05-27 05:49:00.000000000","message":"Done","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"ccd0c3189c7a264b399b2517eb8c930c99c13e8e","unresolved":false,"context_lines":[{"line_number":95,"context_line":"#. In a future release, enforce_scope will be enforced to be True, the"},{"line_number":96,"context_line":"   legacy admin_or_owner style checking will be removed and the DB check"},{"line_number":97,"context_line":"   can be removed. 
At this point operators will have been given time to"},{"line_number":98,"context_line":"   ensure all their users work with the new policy defaults, and we will be"},{"line_number":99,"context_line":"   happy we have enough testing in place to not regress the checks we have"},{"line_number":100,"context_line":"   in policy."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Testing"},{"line_number":103,"context_line":"-------"}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_98873cb6","line":100,"range":{"start_line":98,"start_character":65,"end_line":100,"end_character":13},"updated":"2019-05-11 00:57:10.000000000","message":"++","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"f6226d2f49e7d182305c6a9e5af6950bd3f542c6","unresolved":false,"context_lines":[{"line_number":128,"context_line":"us with that by giving operators a toggle to enforce scope checking when"},{"line_number":129,"context_line":"they\u0027re ready and they\u0027ve audited their users and assignments."},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"``enforce_scope`` config option default value is False which menas if"},{"line_number":132,"context_line":"token scope is not matches then, it only log warning. 
This feature can"},{"line_number":133,"context_line":"be enabled via config option ``nova.conf [oslo_policy] enforce_scope\u003dTrue``"},{"line_number":134,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_2f9d5f65","line":131,"range":{"start_line":131,"start_character":61,"end_line":131,"end_character":66},"updated":"2019-05-15 22:49:31.000000000","message":"means","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1904dfcaecf35e9c40d24279315e9e1c4664812f","unresolved":false,"context_lines":[{"line_number":128,"context_line":"us with that by giving operators a toggle to enforce scope checking when"},{"line_number":129,"context_line":"they\u0027re ready and they\u0027ve audited their users and assignments."},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"``enforce_scope`` config option default value is False which menas if"},{"line_number":132,"context_line":"token scope is not matches then, it only log warning. 
This feature can"},{"line_number":133,"context_line":"be enabled via config option ``nova.conf [oslo_policy] enforce_scope\u003dTrue``"},{"line_number":134,"context_line":""}],"source_content_type":"text/x-rst","patch_set":18,"id":"bfb3d3c7_14446773","line":131,"range":{"start_line":131,"start_character":61,"end_line":131,"end_character":66},"in_reply_to":"dfbec78f_2f9d5f65","updated":"2019-05-30 14:27:38.000000000","message":"Done","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"f6226d2f49e7d182305c6a9e5af6950bd3f542c6","unresolved":false,"context_lines":[{"line_number":129,"context_line":"they\u0027re ready and they\u0027ve audited their users and assignments."},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"``enforce_scope`` config option default value is False which menas if"},{"line_number":132,"context_line":"token scope is not matches then, it only log warning. This feature can"},{"line_number":133,"context_line":"be enabled via config option ``nova.conf [oslo_policy] enforce_scope\u003dTrue``"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"Note: the Nova use of user_id and project_id are orthogonal, when checking the"}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_4f98d373","line":132,"range":{"start_line":132,"start_character":12,"end_line":132,"end_character":52},"updated":"2019-05-15 22:49:31.000000000","message":"does not match, only a warning is logged. 
?","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"8d442e0b5d04f940b36b14dceecdc1a3861b6e35","unresolved":false,"context_lines":[{"line_number":129,"context_line":"they\u0027re ready and they\u0027ve audited their users and assignments."},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"``enforce_scope`` config option default value is False which menas if"},{"line_number":132,"context_line":"token scope is not matches then, it only log warning. This feature can"},{"line_number":133,"context_line":"be enabled via config option ``nova.conf [oslo_policy] enforce_scope\u003dTrue``"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"Note: the Nova use of user_id and project_id are orthogonal, when checking the"}],"source_content_type":"text/x-rst","patch_set":18,"id":"bfb3d3c7_e229159b","line":132,"range":{"start_line":132,"start_character":12,"end_line":132,"end_character":52},"in_reply_to":"dfbec78f_4f98d373","updated":"2019-05-22 15:43:54.000000000","message":"oops, yes","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"f6226d2f49e7d182305c6a9e5af6950bd3f542c6","unresolved":false,"context_lines":[{"line_number":136,"context_line":"user_id we have no concept of project, and when checking project_id we care"},{"line_number":137,"context_line":"little about the user_id."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"In hard coding the scope check, we remove the ability to loosen the scope via"},{"line_number":140,"context_line":"policy, which helps with interoperability. 
Note we currently allow users to"},{"line_number":141,"context_line":"reduce the scope on certain API calls, until we have hierarchical quotas:"},{"line_number":142,"context_line":"https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html"}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_4f71b343","line":139,"range":{"start_line":139,"start_character":3,"end_line":139,"end_character":30},"updated":"2019-05-15 22:49:31.000000000","message":"Not sure I understand this part, what is hard coded regarding policy scope check? Is this referring to the DB check?","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c1dca541577c0e4bb383c15c784c81ef20863d24","unresolved":false,"context_lines":[{"line_number":136,"context_line":"user_id we have no concept of project, and when checking project_id we care"},{"line_number":137,"context_line":"little about the user_id."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"In hard coding the scope check, we remove the ability to loosen the scope via"},{"line_number":140,"context_line":"policy, which helps with interoperability. Note we currently allow users to"},{"line_number":141,"context_line":"reduce the scope on certain API calls, until we have hierarchical quotas:"},{"line_number":142,"context_line":"https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html"}],"source_content_type":"text/x-rst","patch_set":18,"id":"bfb3d3c7_b48c7b7f","line":139,"range":{"start_line":139,"start_character":3,"end_line":139,"end_character":30},"in_reply_to":"bfb3d3c7_e202750b","updated":"2019-05-27 05:49:00.000000000","message":"i think for DB checks of projects id or user id for owner check etc. 
\n\nThese lines are little confusing now with policy scope_type and current implementation. As we have classfied the current problems above, let me remove this paragraph.","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"8d442e0b5d04f940b36b14dceecdc1a3861b6e35","unresolved":false,"context_lines":[{"line_number":136,"context_line":"user_id we have no concept of project, and when checking project_id we care"},{"line_number":137,"context_line":"little about the user_id."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"In hard coding the scope check, we remove the ability to loosen the scope via"},{"line_number":140,"context_line":"policy, which helps with interoperability. Note we currently allow users to"},{"line_number":141,"context_line":"reduce the scope on certain API calls, until we have hierarchical quotas:"},{"line_number":142,"context_line":"https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html"}],"source_content_type":"text/x-rst","patch_set":18,"id":"bfb3d3c7_e202750b","line":139,"range":{"start_line":139,"start_character":3,"end_line":139,"end_character":30},"in_reply_to":"dfbec78f_4f71b343","updated":"2019-05-22 15:43:54.000000000","message":"I am not sure I do yet... I think I miss understood this really.","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"592983d46a06fdf238169646ca84bdaaeeab7c75","unresolved":false,"context_lines":[{"line_number":154,"context_line":""},{"line_number":155,"context_line":"The member role maps to the current default level of privilege."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"The admin role maps to the current admin role. 
Note this means live-migration"},{"line_number":158,"context_line":"is project scoped and admin. Although if you specify a host, you would need"},{"line_number":159,"context_line":"to have system scope to use that parameter."},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"It is important to consider the scope_type of the policy when defining the"}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_b8da4048","line":158,"range":{"start_line":157,"start_character":47,"end_line":158,"end_character":27},"updated":"2019-05-10 23:34:42.000000000","message":"I think we discussed live-migration being a system-scoped action?","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"69dac17117b6268eebb6052652b46ace3b21687c","unresolved":false,"context_lines":[{"line_number":154,"context_line":""},{"line_number":155,"context_line":"The member role maps to the current default level of privilege."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"The admin role maps to the current admin role. Note this means live-migration"},{"line_number":158,"context_line":"is project scoped and admin. Although if you specify a host, you would need"},{"line_number":159,"context_line":"to have system scope to use that parameter."},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"It is important to consider the scope_type of the policy when defining the"}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_db67d7b6","line":158,"range":{"start_line":157,"start_character":47,"end_line":158,"end_character":27},"in_reply_to":"dfbec78f_b8da4048","updated":"2019-05-13 16:17:32.000000000","message":"We did, but I think this is more accurate. 
Quite a few operators want to allow project scoped users to do this action.\n\nBut if you specify a specific host, that is system scope for sure. Or at least, it is in our current model of the world.","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"f6226d2f49e7d182305c6a9e5af6950bd3f542c6","unresolved":false,"context_lines":[{"line_number":154,"context_line":""},{"line_number":155,"context_line":"The member role maps to the current default level of privilege."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"The admin role maps to the current admin role. Note this means live-migration"},{"line_number":158,"context_line":"is project scoped and admin. Although if you specify a host, you would need"},{"line_number":159,"context_line":"to have system scope to use that parameter."},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"It is important to consider the scope_type of the policy when defining the"}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_4fbf73a9","line":158,"range":{"start_line":157,"start_character":47,"end_line":158,"end_character":27},"in_reply_to":"dfbec78f_db67d7b6","updated":"2019-05-15 22:49:31.000000000","message":"For my customer\u0027s use case, they don\u0027t want to allow project scoped users to live migrate, but rather be able to have a role:Operator that can live migrate. In the new world, I imagine that meaning that on the keystone side, when someone with role:Operator asks for a system-scoped token, they will be allowed to have one. Then they will pass that system-scoped token to the live migrate API and be allowed to live migrate.\n\nDuring the first pass, are we looking to first cover \"parity\" with what we have today? Or are we going to go ahead and expand all APIs where project-scoped could make sense? 
I don\u0027t have an opinion either way, unless a two phase approach will make things go faster (if debating about where to add project scope will add delay).","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"592983d46a06fdf238169646ca84bdaaeeab7c75","unresolved":false,"context_lines":[{"line_number":155,"context_line":"The member role maps to the current default level of privilege."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"The admin role maps to the current admin role. Note this means live-migration"},{"line_number":158,"context_line":"is project scoped and admin. Although if you specify a host, you would need"},{"line_number":159,"context_line":"to have system scope to use that parameter."},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"It is important to consider the scope_type of the policy when defining the"},{"line_number":162,"context_line":"appropriate default roles."}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_38ee50ed","line":159,"range":{"start_line":158,"start_character":29,"end_line":159,"end_character":43},"updated":"2019-05-10 23:34:42.000000000","message":"I commented on patchset 16, if possible it would be better to not introduce APIs that have different policies depending on the parameters that are passed to them. Policies like this and the actions API are harder to document using oslo.policy\u0027s notation. 
Separate from policy, it also makes access control in keystonemiddleware (like what will happen with app cred access rules) harder and require workarounds like this: https://review.opendev.org/456974","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c1dca541577c0e4bb383c15c784c81ef20863d24","unresolved":false,"context_lines":[{"line_number":155,"context_line":"The member role maps to the current default level of privilege."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"The admin role maps to the current admin role. Note this means live-migration"},{"line_number":158,"context_line":"is project scoped and admin. Although if you specify a host, you would need"},{"line_number":159,"context_line":"to have system scope to use that parameter."},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"It is important to consider the scope_type of the policy when defining the"},{"line_number":162,"context_line":"appropriate default roles."}],"source_content_type":"text/x-rst","patch_set":18,"id":"bfb3d3c7_14a9c78e","line":159,"range":{"start_line":158,"start_character":29,"end_line":159,"end_character":43},"in_reply_to":"bfb3d3c7_5d81e249","updated":"2019-05-27 05:49:00.000000000","message":"yeah, with check_str it can be overridden to restrict live migration to system scope only with the special case of \"system_scope:all\". \n\nBut scope_type is not overridden. If live migration is scope as system only then operator will not be able to overrride it to project scope. we need to extend the scope_type in our policy. IMO, keeping it with both scope scope_type [\u0027system\u0027, \u0027project\u0027] is better approach here for live migration. 
\n\nIn the case of \u0027host\u0027, we need a special check in the code to verify system scope.\n\nAnyways, I think we can discuss each API scope during implementation? Doing it in the spec might be a little complex and time consuming.","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"8d442e0b5d04f940b36b14dceecdc1a3861b6e35","unresolved":false,"context_lines":[{"line_number":155,"context_line":"The member role maps to the current default level of privilege."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"The admin role maps to the current admin role. Note this means live-migration"},{"line_number":158,"context_line":"is project scoped and admin. Although if you specify a host, you would need"},{"line_number":159,"context_line":"to have system scope to use that parameter."},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"It is important to consider the scope_type of the policy when defining the"},{"line_number":162,"context_line":"appropriate default roles."}],"source_content_type":"text/x-rst","patch_set":18,"id":"bfb3d3c7_5d81e249","line":159,"range":{"start_line":158,"start_character":29,"end_line":159,"end_character":43},"in_reply_to":"dfbec78f_20700008","updated":"2019-05-22 15:43:54.000000000","message":"OK... in my head we hardcoded the scope bits, but it totally just goes in the check_str. 
Need to re-think a bit of how we structure this spec I think...","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"69dac17117b6268eebb6052652b46ace3b21687c","unresolved":false,"context_lines":[{"line_number":155,"context_line":"The member role maps to the current default level of privilege."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"The admin role maps to the current admin role. Note this means live-migration"},{"line_number":158,"context_line":"is project scoped and admin. Although if you specify a host, you would need"},{"line_number":159,"context_line":"to have system scope to use that parameter."},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"It is important to consider the scope_type of the policy when defining the"},{"line_number":162,"context_line":"appropriate default roles."}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_bb6a237e","line":159,"range":{"start_line":158,"start_character":29,"end_line":159,"end_character":43},"in_reply_to":"dfbec78f_38ee50ed","updated":"2019-05-13 16:17:32.000000000","message":"I agree, but we have that all over the place already inherited from the base Rackspace API that was copied into OpenStack :(\n\nLargely its because system scope users get extra information and extra control of APIs we use primarily for project scoped stuff.\n\nOr rather we have objects that get controlled by both system and project scoped users. 
Maybe there is a better way forward here?","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"0c0aa9c3757583e30f64eb2101a44c07d391ce7c","unresolved":false,"context_lines":[{"line_number":155,"context_line":"The member role maps to the current default level of privilege."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"The admin role maps to the current admin role. Note this means live-migration"},{"line_number":158,"context_line":"is project scoped and admin. Although if you specify a host, you would need"},{"line_number":159,"context_line":"to have system scope to use that parameter."},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"It is important to consider the scope_type of the policy when defining the"},{"line_number":162,"context_line":"appropriate default roles."}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_cf84c3d5","line":159,"range":{"start_line":158,"start_character":29,"end_line":159,"end_character":43},"in_reply_to":"dfbec78f_8fcecb57","updated":"2019-05-15 22:54:42.000000000","message":"To clarify, I\u0027m asking if we add both system scope and project scope to the live migrate API, for example, would that make it impossible for a cloud admin to treat live migrate as only system scope allowed?","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"f57cc191939129e09432cd06b683fe4c8c20304a","unresolved":false,"context_lines":[{"line_number":155,"context_line":"The member role maps to the current default level of privilege."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"The admin role maps to the current admin role. 
Note this means live-migration"},{"line_number":158,"context_line":"is project scoped and admin. Although if you specify a host, you would need"},{"line_number":159,"context_line":"to have system scope to use that parameter."},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"It is important to consider the scope_type of the policy when defining the"},{"line_number":162,"context_line":"appropriate default roles."}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_20700008","line":159,"range":{"start_line":158,"start_character":29,"end_line":159,"end_character":43},"in_reply_to":"dfbec78f_a0b390e8","updated":"2019-05-16 16:51:05.000000000","message":"Thanks Colleen++","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"f6226d2f49e7d182305c6a9e5af6950bd3f542c6","unresolved":false,"context_lines":[{"line_number":155,"context_line":"The member role maps to the current default level of privilege."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"The admin role maps to the current admin role. Note this means live-migration"},{"line_number":158,"context_line":"is project scoped and admin. 
Although if you specify a host, you would need"},{"line_number":159,"context_line":"to have system scope to use that parameter."},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"It is important to consider the scope_type of the policy when defining the"},{"line_number":162,"context_line":"appropriate default roles."}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_8fcecb57","line":159,"range":{"start_line":158,"start_character":29,"end_line":159,"end_character":43},"in_reply_to":"dfbec78f_bb6a237e","updated":"2019-05-15 22:49:31.000000000","message":"I\u0027d like to keep it simple if we can, and just make live migrate a system scoped API across the board, unless there\u0027s a strong desire by operators to have project scoped live migration.\n\nSomething I just realized I\u0027m not clear on is, what happens when an API is both system and project scoped? Can the cloud administrator configure policy to make that API allow only system scoped tokens in their environment?","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"1ab4bd3211c929152b7db936c15579fc45380281","unresolved":false,"context_lines":[{"line_number":155,"context_line":"The member role maps to the current default level of privilege."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"The admin role maps to the current admin role. Note this means live-migration"},{"line_number":158,"context_line":"is project scoped and admin. 
Although if you specify a host, you would need"},{"line_number":159,"context_line":"to have system scope to use that parameter."},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"It is important to consider the scope_type of the policy when defining the"},{"line_number":162,"context_line":"appropriate default roles."}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_a0b390e8","line":159,"range":{"start_line":158,"start_character":29,"end_line":159,"end_character":43},"in_reply_to":"dfbec78f_cf84c3d5","updated":"2019-05-16 16:36:50.000000000","message":"If scope_types is [\u0027system\u0027, \u0027project\u0027], then the default behavior (with enforce_scope\u003dtrue) would allow both types of tokens to access the live migrate API. However, the cloud admin could override check_str to be \u0027role:Operator and system_scope:all\u0027 which would only allow system-scoped tokens for users with the Operator role to access the API.","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"ccd0c3189c7a264b399b2517eb8c930c99c13e8e","unresolved":false,"context_lines":[{"line_number":403,"context_line":""},{"line_number":404,"context_line":"Once enforcing scope, system scope users will need to learn how to request"},{"line_number":405,"context_line":"system scoped tokens. 
But regular project scoped tokens remain the same for"},{"line_number":406,"context_line":"the majority of users."},{"line_number":407,"context_line":""},{"line_number":408,"context_line":"Operators should be able to create new roles with more restrictive permissions"},{"line_number":409,"context_line":"in the near future."}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_d8ba946c","line":406,"updated":"2019-05-11 00:57:10.000000000","message":"++","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"ccd0c3189c7a264b399b2517eb8c930c99c13e8e","unresolved":false,"context_lines":[{"line_number":483,"context_line":"The current unit tests are generally quite bad at testing policy, this should"},{"line_number":484,"context_line":"be addressed before making any of the above changes."},{"line_number":485,"context_line":""},{"line_number":486,"context_line":"Modify the Tempest tests for scope and default roles."},{"line_number":487,"context_line":""},{"line_number":488,"context_line":"Documentation Impact"},{"line_number":489,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":18,"id":"dfbec78f_f84d189a","line":486,"updated":"2019-05-11 00:57:10.000000000","message":"just comment: gmann has been working for improving the Nova API coverage on Tempest side in long-term. 
That is really helpful for this spec implementation.\n\nOne thing is a little bit less coverage for microversions as https://github.com/openstack/tempest/blob/master/doc/source/microversion_testing.rst#microversion-tests-implemented-in-tempest\nbut I guess that cannot be a matter because policy check implementation doesn\u0027t tend to depend on microversions on Nova side.","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c1dca541577c0e4bb383c15c784c81ef20863d24","unresolved":false,"context_lines":[{"line_number":483,"context_line":"The current unit tests are generally quite bad at testing policy, this should"},{"line_number":484,"context_line":"be addressed before making any of the above changes."},{"line_number":485,"context_line":""},{"line_number":486,"context_line":"Modify the Tempest tests for scope and default roles."},{"line_number":487,"context_line":""},{"line_number":488,"context_line":"Documentation Impact"},{"line_number":489,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":18,"id":"bfb3d3c7_14b0e7dc","line":486,"in_reply_to":"dfbec78f_f84d189a","updated":"2019-05-27 05:49:00.000000000","message":"As you pointed out that policy updates are not microversion specific, we need to take care of all existing tests. \n\nRelated to Tempest test modification, we had the related discussion with keystone team about testing the keystone new policies. As Tempest is not a strict policy testing tool and should work on default policy only.\n\nTempest will have configurable options to start test the APIs with system scope with fall back to project scope and all reader roles will be tested with member role as of now. later we will slowly switch them to reader role. 
\n\nBasic idea is, keep modifying the failing Tempest tests for policy changes done under this spec.","commit_id":"7357ed2325df8439794fe8b6b7ff96b8d04cd0b3"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"8cc8b1835167d3e1ceb9b69c240f274aeaaa4d9a","unresolved":false,"context_lines":[{"line_number":84,"context_line":""},{"line_number":85,"context_line":"#. Add ability to restrict each policy check to either System Scoped Admin"},{"line_number":86,"context_line":"   or Project Scoped member, with a fallback to the old \"admin_or_owner\""},{"line_number":87,"context_line":"   policy, and defaulting to enforce_scope\u003dFalse."},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"#. DB check around project id loosened to include any admin scoped token"},{"line_number":90,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"bfb3d3c7_92f1236e","line":87,"updated":"2019-05-29 09:31:02.000000000","message":"I think we should explicity add we are using oslo.policy\u0027s \"scope_types\" to each API.","commit_id":"41498e81feff9fd53277e5b944447255034d4ba2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1904dfcaecf35e9c40d24279315e9e1c4664812f","unresolved":false,"context_lines":[{"line_number":84,"context_line":""},{"line_number":85,"context_line":"#. Add ability to restrict each policy check to either System Scoped Admin"},{"line_number":86,"context_line":"   or Project Scoped member, with a fallback to the old \"admin_or_owner\""},{"line_number":87,"context_line":"   policy, and defaulting to enforce_scope\u003dFalse."},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"#. 
DB check around project id loosened to include any admin scoped token"},{"line_number":90,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"bfb3d3c7_8d800cf7","line":87,"in_reply_to":"bfb3d3c7_92f1236e","updated":"2019-05-30 14:27:38.000000000","message":"done","commit_id":"41498e81feff9fd53277e5b944447255034d4ba2"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"8cc8b1835167d3e1ceb9b69c240f274aeaaa4d9a","unresolved":false,"context_lines":[{"line_number":99,"context_line":"   happy we have enough testing in place to not regress the checks we have"},{"line_number":100,"context_line":"   in policy."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Testing"},{"line_number":103,"context_line":"-------"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"Focus on functional tests to cover the DB check and policy do the right thing"}],"source_content_type":"text/x-rst","patch_set":19,"id":"bfb3d3c7_f2f73f58","line":102,"updated":"2019-05-29 09:31:02.000000000","message":"Nit: These sections could map better to the steps above","commit_id":"41498e81feff9fd53277e5b944447255034d4ba2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1904dfcaecf35e9c40d24279315e9e1c4664812f","unresolved":false,"context_lines":[{"line_number":99,"context_line":"   happy we have enough testing in place to not regress the checks we have"},{"line_number":100,"context_line":"   in policy."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Testing"},{"line_number":103,"context_line":"-------"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"Focus on functional tests to cover the DB check and policy do the right 
thing"}],"source_content_type":"text/x-rst","patch_set":19,"id":"bfb3d3c7_4d769440","line":102,"in_reply_to":"bfb3d3c7_f2f73f58","updated":"2019-05-30 14:27:38.000000000","message":"Done","commit_id":"41498e81feff9fd53277e5b944447255034d4ba2"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"8cc8b1835167d3e1ceb9b69c240f274aeaaa4d9a","unresolved":false,"context_lines":[{"line_number":111,"context_line":"Scope"},{"line_number":112,"context_line":"-----"},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Each policy rules will be covered with appropriate scope_type, \u0027system\u0027,"},{"line_number":115,"context_line":"\u0027project\u0027 in nova case."},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"For example GET /os-services will be scoped as \u0027system\u0027 so that only users"}],"source_content_type":"text/x-rst","patch_set":19,"id":"bfb3d3c7_b2f6a762","line":114,"range":{"start_line":114,"start_character":51,"end_line":114,"end_character":61},"updated":"2019-05-29 09:31:02.000000000","message":"Nit: oslo.policy `scope_types` maybe? 
so it is explicit.","commit_id":"41498e81feff9fd53277e5b944447255034d4ba2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1904dfcaecf35e9c40d24279315e9e1c4664812f","unresolved":false,"context_lines":[{"line_number":111,"context_line":"Scope"},{"line_number":112,"context_line":"-----"},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Each policy rules will be covered with appropriate scope_type, \u0027system\u0027,"},{"line_number":115,"context_line":"\u0027project\u0027 in nova case."},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"For example GET /os-services will be scoped as \u0027system\u0027 so that only users"}],"source_content_type":"text/x-rst","patch_set":19,"id":"bfb3d3c7_ed9ae85f","line":114,"range":{"start_line":114,"start_character":51,"end_line":114,"end_character":61},"in_reply_to":"bfb3d3c7_b2f6a762","updated":"2019-05-30 14:27:38.000000000","message":"Done","commit_id":"41498e81feff9fd53277e5b944447255034d4ba2"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"8cc8b1835167d3e1ceb9b69c240f274aeaaa4d9a","unresolved":false,"context_lines":[{"line_number":135,"context_line":"Note: the Nova use of user_id and project_id are orthogonal, when checking the"},{"line_number":136,"context_line":"user_id we have no concept of project, and when checking project_id we care"},{"line_number":137,"context_line":"little about the user_id."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"Role"},{"line_number":140,"context_line":"----"},{"line_number":141,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"bfb3d3c7_402e7692","line":138,"updated":"2019-05-29 09:31:02.000000000","message":"So this covers changes to the \"scope_types\" member, but doesn\u0027t cover the changes we 
will need on the \"check_str\" side of things.\n\nThinking through this... its a bit complicated in terms of transitioning.\n\nAt this stage most APIs are one of these:\n\n* admin_only\n* admin_or_owner\n* any authenticated user\n\nThinking about the rules here:\nhttps://opendev.org/openstack/nova/src/branch/master/nova/policies/base.py#L15\n\nIn terms of scope_types, we have:\n\n* admin_only: [\"system\"]\n* admin_or_owner: [\"project\", \"system\"]\n* any_authenticated_user: [\"project\", \"system\"]\n\nNow... when it comes to the rules, we want to update them to something like this:\n\n* admin: \"scope:system and role:admin\"\n* owner: \"scope:project and role:member and project_id:%(project_id)s\"\n* admin_or_owner: \"rule:admin or rule:owner:\"\n\nAt the same time, we update all policy checks to specify the correct project_id target. When there is no relevant project, we do not specify a project_id at all (i.e. stop defaulting to target\u003d{context.project_id}).\n\nNow this is all good as an end goal, but it would break most current deployments if we make this change.\n\nI propose we actually use the oslo.policy conf option CONF.oslo_policy.enforce_scope to decide if we register either the new or old policy defaults in the base, assuming that will work.","commit_id":"41498e81feff9fd53277e5b944447255034d4ba2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1904dfcaecf35e9c40d24279315e9e1c4664812f","unresolved":false,"context_lines":[{"line_number":135,"context_line":"Note: the Nova use of user_id and project_id are orthogonal, when checking the"},{"line_number":136,"context_line":"user_id we have no concept of project, and when checking project_id we care"},{"line_number":137,"context_line":"little about the 
user_id."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"Role"},{"line_number":140,"context_line":"----"},{"line_number":141,"context_line":""}],"source_content_type":"text/x-rst","patch_set":19,"id":"bfb3d3c7_28530e19","line":138,"in_reply_to":"bfb3d3c7_402e7692","updated":"2019-05-30 14:27:38.000000000","message":"+1 on scope_types mapping to current rules.\n\non check_str, we will be using the special string \u0027system_scope:all\u0027 until enforce_scope is defaulted to True. Below are the exact check_str we can use:\n\n\n# TODO(gmann): Remove the \u0027system_scope:all\u0027 special case from\n# below rules once CONF.oslo_policy\u0027s enforce_scope\n# is default to True.\nREADER \u003d \u0027role:reader\u0027\nMEMBER \u003d \u0027role:member\u0027\nOWNER \u003d \u0027project_id:%(project_id)s\u0027\nSYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027\nSYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027\nSYSTEM_ADMIN_OR_OWNER \u003d \u0027(role:admin and system_scope:all) or \u0027 + OWNER\nPROJECT_MEMBER \u003d \u0027role:member\u0027\nPROJECT_READER \u003d \u0027role:reader\u0027\n\nI tried some example in below PoC patch- \n\nhttps://review.opendev.org/#/c/648480/2/nova/policies/base.py","commit_id":"41498e81feff9fd53277e5b944447255034d4ba2"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"8cc8b1835167d3e1ceb9b69c240f274aeaaa4d9a","unresolved":false,"context_lines":[{"line_number":136,"context_line":"user_id we have no concept of project, and when checking project_id we care"},{"line_number":137,"context_line":"little about the user_id."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"Role"},{"line_number":140,"context_line":"----"},{"line_number":141,"context_line":""},{"line_number":142,"context_line":"Once the scope has checked, we need to ensure what role the user has for 
their"}],"source_content_type":"text/x-rst","patch_set":19,"id":"bfb3d3c7_b29b0716","line":139,"updated":"2019-05-29 09:31:02.000000000","message":"This section is really \"Add System Scoped Reader and Project Scoped Reader roles\".","commit_id":"41498e81feff9fd53277e5b944447255034d4ba2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1904dfcaecf35e9c40d24279315e9e1c4664812f","unresolved":false,"context_lines":[{"line_number":136,"context_line":"user_id we have no concept of project, and when checking project_id we care"},{"line_number":137,"context_line":"little about the user_id."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"Role"},{"line_number":140,"context_line":"----"},{"line_number":141,"context_line":""},{"line_number":142,"context_line":"Once the scope has checked, we need to ensure what role the user has for their"}],"source_content_type":"text/x-rst","patch_set":19,"id":"bfb3d3c7_c85592fb","line":139,"in_reply_to":"bfb3d3c7_b29b0716","updated":"2019-05-30 14:27:38.000000000","message":"I will add the details","commit_id":"41498e81feff9fd53277e5b944447255034d4ba2"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"a2a784c4b3e905a27fc5c20a30ea0f581f25ea25","unresolved":false,"context_lines":[{"line_number":69,"context_line":"* Operators using default policy are given at least one cycle to add"},{"line_number":70,"context_line":"  additional roles to users (likely via implied roles)"},{"line_number":71,"context_line":"* Operators with over-ridden policy are given at least one cycle to"},{"line_number":72,"context_line":"  understand how the new defaults may or may not help them"},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"Proposed 
change"},{"line_number":75,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":20,"id":"9fb8cfa7_a574b99a","line":72,"updated":"2019-06-04 10:23:49.000000000","message":"++ all this, great work :)","commit_id":"d298e4ba480024963f92345d3481e14637a365e6"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"a2a784c4b3e905a27fc5c20a30ea0f581f25ea25","unresolved":false,"context_lines":[{"line_number":85,"context_line":"#. Add ability to restrict each policy check to either System Scoped"},{"line_number":86,"context_line":"   or Project Scoped by defining the oslo.policy\u0027s \"scope_types\" for"},{"line_number":87,"context_line":"   each policy. Scope_type check in oslo will be disabled by default"},{"line_number":88,"context_line":"   via config options enforce_scope default value to False."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"#. DB check around project id loosened to include any admin scoped token"},{"line_number":91,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"9fb8cfa7_e53b9199","line":88,"updated":"2019-06-04 10:23:49.000000000","message":"I think we also need to specify the correct target in each API call (i.e. the project_id) and modify the default check_str to include a scope check (in a backwards compatible way).","commit_id":"d298e4ba480024963f92345d3481e14637a365e6"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"67e65419f90377af2463f41850f81744121683d2","unresolved":false,"context_lines":[{"line_number":85,"context_line":"#. 
Add ability to restrict each policy check to either System Scoped"},{"line_number":86,"context_line":"   or Project Scoped by defining the oslo.policy\u0027s \"scope_types\" for"},{"line_number":87,"context_line":"   each policy. Scope_type check in oslo will be disabled by default"},{"line_number":88,"context_line":"   via config options enforce_scope default value to False."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"#. DB check around project id loosened to include any admin scoped token"},{"line_number":91,"context_line":""}],"source_content_type":"text/x-rst","patch_set":20,"id":"9fb8cfa7_000a53d1","line":88,"in_reply_to":"9fb8cfa7_e53b9199","updated":"2019-06-04 11:24:21.000000000","message":"Done","commit_id":"d298e4ba480024963f92345d3481e14637a365e6"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"a2a784c4b3e905a27fc5c20a30ea0f581f25ea25","unresolved":false,"context_lines":[{"line_number":87,"context_line":"   each policy. Scope_type check in oslo will be disabled by default"},{"line_number":88,"context_line":"   via config options enforce_scope default value to False."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"#. DB check around project id loosened to include any admin scoped token"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"#. Implement the System Scoped Reader and Project Scoped Reader roles, with"},{"line_number":93,"context_line":"   appropriate tests added. 
Also add additional policy rules where more"}],"source_content_type":"text/x-rst","patch_set":20,"id":"9fb8cfa7_e59f11b2","line":90,"range":{"start_line":90,"start_character":54,"end_line":90,"end_character":59},"updated":"2019-06-04 10:23:49.000000000","message":"Do we really mean change from \"role:admin\" to \"scope:system\" when enforce_scope \u003d True.","commit_id":"d298e4ba480024963f92345d3481e14637a365e6"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"67e65419f90377af2463f41850f81744121683d2","unresolved":false,"context_lines":[{"line_number":87,"context_line":"   each policy. Scope_type check in oslo will be disabled by default"},{"line_number":88,"context_line":"   via config options enforce_scope default value to False."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"#. DB check around project id loosened to include any admin scoped token"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"#. Implement the System Scoped Reader and Project Scoped Reader roles, with"},{"line_number":93,"context_line":"   appropriate tests added. Also add additional policy rules where more"}],"source_content_type":"text/x-rst","patch_set":20,"id":"9fb8cfa7_c013db0c","line":90,"range":{"start_line":90,"start_character":54,"end_line":90,"end_character":59},"in_reply_to":"9fb8cfa7_e59f11b2","updated":"2019-06-04 11:24:21.000000000","message":"Done","commit_id":"d298e4ba480024963f92345d3481e14637a365e6"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"a2a784c4b3e905a27fc5c20a30ea0f581f25ea25","unresolved":false,"context_lines":[{"line_number":91,"context_line":""},{"line_number":92,"context_line":"#. Implement the System Scoped Reader and Project Scoped Reader roles, with"},{"line_number":93,"context_line":"   appropriate tests added. 
Also add additional policy rules where more"},{"line_number":94,"context_line":"   granularity is needed."},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"#. In a future release, enforce_scope will be enforced to be True, the"},{"line_number":97,"context_line":"   legacy admin_or_owner style checking will be removed and the DB check"}],"source_content_type":"text/x-rst","patch_set":20,"id":"9fb8cfa7_454a9d27","line":94,"updated":"2019-06-04 10:23:49.000000000","message":"We should note this involves updating the default check_str again, in a backwards compatible way.","commit_id":"d298e4ba480024963f92345d3481e14637a365e6"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"67e65419f90377af2463f41850f81744121683d2","unresolved":false,"context_lines":[{"line_number":91,"context_line":""},{"line_number":92,"context_line":"#. Implement the System Scoped Reader and Project Scoped Reader roles, with"},{"line_number":93,"context_line":"   appropriate tests added. Also add additional policy rules where more"},{"line_number":94,"context_line":"   granularity is needed."},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"#. 
In a future release, enforce_scope will be enforced to be True, the"},{"line_number":97,"context_line":"   legacy admin_or_owner style checking will be removed and the DB check"}],"source_content_type":"text/x-rst","patch_set":20,"id":"9fb8cfa7_60f8efc3","line":94,"in_reply_to":"9fb8cfa7_454a9d27","updated":"2019-06-04 11:24:21.000000000","message":"Done","commit_id":"d298e4ba480024963f92345d3481e14637a365e6"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"e2da4d8b6642692ebc2c882c8fe3be5787633744","unresolved":false,"context_lines":[{"line_number":77,"context_line":"We will support the four new roles described in the use cases section"},{"line_number":78,"context_line":"above."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"The change will be made in the following stages:"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"#. Lock down existing behavior in unit tests. 
Add functional test of each APIs"},{"line_number":83,"context_line":"   behavior before any changes are made."}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_9518be1d","line":80,"updated":"2019-06-04 15:05:41.000000000","message":"How about this ordering instead:\n\n* add tests to each API endpoint\n\n* ensure all context.can calls specify a target, then make target a required parameter and remove the default target.\n\n* change DB check from \"role:admin\" to \"scope:system\" if enforce_scope is True\n\n* refresh each API endpoint picking from: SYSTEM_ADMIN, SYSTEM_READER, PROJECT_MEMBER_OR_SYSTEM_ADMIN, PROJECT_READER_OR_SYSTEM_READER (and a few other ones for things like keypairs), adding extra granularity if needed\n\n* future release enforce_scope defaults to True, etc.","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a92da233f615d254e090e9edea4e3413eee56b74","unresolved":false,"context_lines":[{"line_number":77,"context_line":"We will support the four new roles described in the use cases section"},{"line_number":78,"context_line":"above."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"The change will be made in the following stages:"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"#. Lock down existing behavior in unit tests. Add functional test of each APIs"},{"line_number":83,"context_line":"   behavior before any changes are made."}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_0635348f","line":80,"in_reply_to":"9fb8cfa7_9518be1d","updated":"2019-06-09 06:24:12.000000000","message":"done. looks more clear. 
I was thinking to add the deprecation plan for item #4 but that is something we will be explaining more in next sections.","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"e2da4d8b6642692ebc2c882c8fe3be5787633744","unresolved":false,"context_lines":[{"line_number":135,"context_line":"Note: the Nova use of user_id and project_id are orthogonal, when checking the"},{"line_number":136,"context_line":"user_id we have no concept of project, and when checking project_id we care"},{"line_number":137,"context_line":"little about the user_id."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"New Roles and check_str::"},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"  READER \u003d \u0027role:reader\u0027"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_f5f25a06","line":138,"updated":"2019-06-04 15:05:41.000000000","message":"I think we need to mention implied roles here. 
I believe Member implies Reader and Admin implies Member.\n\nIt means if we make something like SYSTEM_READER_OR_PROJECT_READER it implies the project scoped member and system scoped admin also get access.","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a92da233f615d254e090e9edea4e3413eee56b74","unresolved":false,"context_lines":[{"line_number":135,"context_line":"Note: the Nova use of user_id and project_id are orthogonal, when checking the"},{"line_number":136,"context_line":"user_id we have no concept of project, and when checking project_id we care"},{"line_number":137,"context_line":"little about the user_id."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"New Roles and check_str::"},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"  READER \u003d \u0027role:reader\u0027"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_a625485e","line":138,"in_reply_to":"9fb8cfa7_f5f25a06","updated":"2019-06-09 06:24:12.000000000","message":"+1. done. 
yes implies hierarchy is like admin-\u003emember-\u003ereader and user with their customize role can also add the same to avoid the impact of new default roles.","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"e2da4d8b6642692ebc2c882c8fe3be5787633744","unresolved":false,"context_lines":[{"line_number":140,"context_line":""},{"line_number":141,"context_line":"  READER \u003d \u0027role:reader\u0027"},{"line_number":142,"context_line":"  MEMBER \u003d \u0027role:member\u0027"},{"line_number":143,"context_line":"  OWNER \u003d \u0027role:member and project_id:%(project_id)s\u0027"},{"line_number":144,"context_line":"  SYSTEM_ADMIN \u003d \u0027rule:admin_api and system_scope:all\u0027"},{"line_number":145,"context_line":"  SYSTEM_ADMIN_OR_OWNER \u003d SYSTEM_ADMIN + \u0027or\u0027 + OWNER"},{"line_number":146,"context_line":"  SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_f5981a6b","line":143,"range":{"start_line":143,"start_character":2,"end_line":143,"end_character":7},"updated":"2019-06-04 15:05:41.000000000","message":"I call this PROJECT_MEMBER myself.","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a92da233f615d254e090e9edea4e3413eee56b74","unresolved":false,"context_lines":[{"line_number":140,"context_line":""},{"line_number":141,"context_line":"  READER \u003d \u0027role:reader\u0027"},{"line_number":142,"context_line":"  MEMBER \u003d \u0027role:member\u0027"},{"line_number":143,"context_line":"  OWNER \u003d \u0027role:member and project_id:%(project_id)s\u0027"},{"line_number":144,"context_line":"  SYSTEM_ADMIN \u003d \u0027rule:admin_api and 
system_scope:all\u0027"},{"line_number":145,"context_line":"  SYSTEM_ADMIN_OR_OWNER \u003d SYSTEM_ADMIN + \u0027or\u0027 + OWNER"},{"line_number":146,"context_line":"  SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_e6d4a022","line":143,"range":{"start_line":143,"start_character":2,"end_line":143,"end_character":7},"in_reply_to":"9fb8cfa7_f5981a6b","updated":"2019-06-09 06:24:12.000000000","message":"I was thinking project_member might sound like \u0027member\u0027 role of any project (like current \u0027member\u0027). \u0027owner\u0027 define the role \u0027with-in-that-project\u0027. \n\nBut on rethinking project_* itself make it clear about role within that project.\n\ndone","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"e2da4d8b6642692ebc2c882c8fe3be5787633744","unresolved":false,"context_lines":[{"line_number":144,"context_line":"  SYSTEM_ADMIN \u003d \u0027rule:admin_api and system_scope:all\u0027"},{"line_number":145,"context_line":"  SYSTEM_ADMIN_OR_OWNER \u003d SYSTEM_ADMIN + \u0027or\u0027 + OWNER"},{"line_number":146,"context_line":"  SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":147,"context_line":"  PROJECT_MEMBER \u003d \u0027role:member\u0027"},{"line_number":148,"context_line":"  PROJECT_READER \u003d \u0027role:reader\u0027"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"Below is the mapping of new roles and scope_types with legacy roles::"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_b5cb8251","line":147,"range":{"start_line":147,"start_character":0,"end_line":147,"end_character":32},"updated":"2019-06-04 15:05:41.000000000","message":"You have OWNER for what I think PROJECT_MEMBER should 
be.","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a92da233f615d254e090e9edea4e3413eee56b74","unresolved":false,"context_lines":[{"line_number":144,"context_line":"  SYSTEM_ADMIN \u003d \u0027rule:admin_api and system_scope:all\u0027"},{"line_number":145,"context_line":"  SYSTEM_ADMIN_OR_OWNER \u003d SYSTEM_ADMIN + \u0027or\u0027 + OWNER"},{"line_number":146,"context_line":"  SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":147,"context_line":"  PROJECT_MEMBER \u003d \u0027role:member\u0027"},{"line_number":148,"context_line":"  PROJECT_READER \u003d \u0027role:reader\u0027"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"Below is the mapping of new roles and scope_types with legacy roles::"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_a6da2848","line":147,"range":{"start_line":147,"start_character":0,"end_line":147,"end_character":32},"in_reply_to":"9fb8cfa7_b5cb8251","updated":"2019-06-09 06:24:12.000000000","message":"+1. 
we would not use pure \u0027member\u0027 role anywhere.","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"e2da4d8b6642692ebc2c882c8fe3be5787633744","unresolved":false,"context_lines":[{"line_number":145,"context_line":"  SYSTEM_ADMIN_OR_OWNER \u003d SYSTEM_ADMIN + \u0027or\u0027 + OWNER"},{"line_number":146,"context_line":"  SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":147,"context_line":"  PROJECT_MEMBER \u003d \u0027role:member\u0027"},{"line_number":148,"context_line":"  PROJECT_READER \u003d \u0027role:reader\u0027"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"Below is the mapping of new roles and scope_types with legacy roles::"},{"line_number":151,"context_line":""}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_75ac2a8c","line":148,"range":{"start_line":148,"start_character":0,"end_line":148,"end_character":31},"updated":"2019-06-04 15:05:41.000000000","message":"I think this needs to be:\n\nPROJECT_READER \u003d \u0027role:reader and project_id:%(project_id)s\u0027","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a92da233f615d254e090e9edea4e3413eee56b74","unresolved":false,"context_lines":[{"line_number":145,"context_line":"  SYSTEM_ADMIN_OR_OWNER \u003d SYSTEM_ADMIN + \u0027or\u0027 + OWNER"},{"line_number":146,"context_line":"  SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":147,"context_line":"  PROJECT_MEMBER \u003d \u0027role:member\u0027"},{"line_number":148,"context_line":"  PROJECT_READER \u003d \u0027role:reader\u0027"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"Below is the mapping of new roles and 
scope_types with legacy roles::"},{"line_number":151,"context_line":""}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_c6df1c38","line":148,"range":{"start_line":148,"start_character":0,"end_line":148,"end_character":31},"in_reply_to":"9fb8cfa7_75ac2a8c","updated":"2019-06-09 06:24:12.000000000","message":"oops, yes it has to be within project. done","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"e2da4d8b6642692ebc2c882c8fe3be5787633744","unresolved":false,"context_lines":[{"line_number":149,"context_line":""},{"line_number":150,"context_line":"Below is the mapping of new roles and scope_types with legacy roles::"},{"line_number":151,"context_line":""},{"line_number":152,"context_line":" New Rule              |    Legacy Rule     | Operation  s   | scope_type|"},{"line_number":153,"context_line":" ----------------------+--------------------+----------------+------------"},{"line_number":154,"context_line":" SYSTEM_ADMIN          | RULE_ADMIN_API     | Global write   | [system]"},{"line_number":155,"context_line":" SYSTEM_READER         | RULE_ADMIN_API     | Global GET     | [system]"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_15b04ef4","line":152,"range":{"start_line":152,"start_character":0,"end_line":152,"end_character":40},"updated":"2019-06-04 15:05:41.000000000","message":"Nit: I would swap the order here.\n\nWe want to show what options there are for each Legacy rule.","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a92da233f615d254e090e9edea4e3413eee56b74","unresolved":false,"context_lines":[{"line_number":149,"context_line":""},{"line_number":150,"context_line":"Below is the mapping of new roles and scope_types 
with legacy roles::"},{"line_number":151,"context_line":""},{"line_number":152,"context_line":" New Rule              |    Legacy Rule     | Operation  s   | scope_type|"},{"line_number":153,"context_line":" ----------------------+--------------------+----------------+------------"},{"line_number":154,"context_line":" SYSTEM_ADMIN          | RULE_ADMIN_API     | Global write   | [system]"},{"line_number":155,"context_line":" SYSTEM_READER         | RULE_ADMIN_API     | Global GET     | [system]"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_66e8b0e1","line":152,"range":{"start_line":152,"start_character":0,"end_line":152,"end_character":40},"in_reply_to":"9fb8cfa7_15b04ef4","updated":"2019-06-09 06:24:12.000000000","message":"done","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"e2da4d8b6642692ebc2c882c8fe3be5787633744","unresolved":false,"context_lines":[{"line_number":153,"context_line":" ----------------------+--------------------+----------------+------------"},{"line_number":154,"context_line":" SYSTEM_ADMIN          | RULE_ADMIN_API     | Global write   | [system]"},{"line_number":155,"context_line":" SYSTEM_READER         | RULE_ADMIN_API     | Global GET     | [system]"},{"line_number":156,"context_line":" SYSTEM_ADMIN_OR_OWNER | RULE_ADMIN_OR_OWNER| Project level  | [system, project]"},{"line_number":157,"context_line":"                                              and need access"},{"line_number":158,"context_line":"                                              for system admin"},{"line_number":159,"context_line":"                                              too"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_35dd5214","line":156,"range":{"start_line":156,"start_character":1,"end_line":156,"end_character":22},"updated":"2019-06-04 15:05:41.000000000","message":"I prefer 
PROJECT_MEMBER_OR_SYSTEM_ADMIN","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a92da233f615d254e090e9edea4e3413eee56b74","unresolved":false,"context_lines":[{"line_number":153,"context_line":" ----------------------+--------------------+----------------+------------"},{"line_number":154,"context_line":" SYSTEM_ADMIN          | RULE_ADMIN_API     | Global write   | [system]"},{"line_number":155,"context_line":" SYSTEM_READER         | RULE_ADMIN_API     | Global GET     | [system]"},{"line_number":156,"context_line":" SYSTEM_ADMIN_OR_OWNER | RULE_ADMIN_OR_OWNER| Project level  | [system, project]"},{"line_number":157,"context_line":"                                              and need access"},{"line_number":158,"context_line":"                                              for system admin"},{"line_number":159,"context_line":"                                              too"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_86e5a40b","line":156,"range":{"start_line":156,"start_character":1,"end_line":156,"end_character":22},"in_reply_to":"9fb8cfa7_35dd5214","updated":"2019-06-09 06:24:12.000000000","message":"done","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"e2da4d8b6642692ebc2c882c8fe3be5787633744","unresolved":false,"context_lines":[{"line_number":157,"context_line":"                                              and need access"},{"line_number":158,"context_line":"                                              for system admin"},{"line_number":159,"context_line":"                                              too"},{"line_number":160,"context_line":" PROJECT_MEMBER        | RULE_ADMIN_OR_OWNER| Project level  | [system, 
project]"},{"line_number":161,"context_line":"                                              write"},{"line_number":162,"context_line":" PROJECT_READER        | RULE_ADMIN_OR_OWNER| Project level  | [system, project]"},{"line_number":163,"context_line":"                                              GET"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"PoC: https://review.opendev.org/#/c/645452"},{"line_number":166,"context_line":""}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_55e246d7","line":163,"range":{"start_line":160,"start_character":0,"end_line":163,"end_character":49},"updated":"2019-06-04 15:05:41.000000000","message":"I think here we should have, PROJECT_READER_OR_SYSTEM_READER","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"387a607a8dab3daec2d4177e630c3a7e51a8e02d","unresolved":false,"context_lines":[{"line_number":157,"context_line":"                                              and need access"},{"line_number":158,"context_line":"                                              for system admin"},{"line_number":159,"context_line":"                                              too"},{"line_number":160,"context_line":" PROJECT_MEMBER        | RULE_ADMIN_OR_OWNER| Project level  | [system, project]"},{"line_number":161,"context_line":"                                              write"},{"line_number":162,"context_line":" PROJECT_READER        | RULE_ADMIN_OR_OWNER| Project level  | [system, project]"},{"line_number":163,"context_line":"                                              GET"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"PoC: 
https://review.opendev.org/#/c/645452"},{"line_number":166,"context_line":""}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_667f5015","line":163,"range":{"start_line":160,"start_character":0,"end_line":163,"end_character":49},"in_reply_to":"9fb8cfa7_26ee38ed","updated":"2019-06-09 07:05:46.000000000","message":"got it. project level write we are covering in L156 itself.","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a92da233f615d254e090e9edea4e3413eee56b74","unresolved":false,"context_lines":[{"line_number":157,"context_line":"                                              and need access"},{"line_number":158,"context_line":"                                              for system admin"},{"line_number":159,"context_line":"                                              too"},{"line_number":160,"context_line":" PROJECT_MEMBER        | RULE_ADMIN_OR_OWNER| Project level  | [system, project]"},{"line_number":161,"context_line":"                                              write"},{"line_number":162,"context_line":" PROJECT_READER        | RULE_ADMIN_OR_OWNER| Project level  | [system, project]"},{"line_number":163,"context_line":"                                              GET"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"PoC: https://review.opendev.org/#/c/645452"},{"line_number":166,"context_line":""}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_26ee38ed","line":163,"range":{"start_line":160,"start_character":0,"end_line":163,"end_character":49},"in_reply_to":"9fb8cfa7_55e246d7","updated":"2019-06-09 06:24:12.000000000","message":"for project_reader (L162) yes, but for L160 which is write operation in project it needs to be 
PROJECT_MEMBER_OR_SYSTEM_ADMIN","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"e2da4d8b6642692ebc2c882c8fe3be5787633744","unresolved":false,"context_lines":[{"line_number":162,"context_line":" PROJECT_READER        | RULE_ADMIN_OR_OWNER| Project level  | [system, project]"},{"line_number":163,"context_line":"                                              GET"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"PoC: https://review.opendev.org/#/c/645452"},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"Role"},{"line_number":168,"context_line":"----"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_f5833a03","line":165,"updated":"2019-06-04 15:05:41.000000000","message":"Maybe we should note keypairs follows a \"similar\" pattern.\n\nI think things like create instance actually only make sense as a project scoped API, so we probably need to handle those differently... oh dear.\n\nSo we have a possible problem API, in the target a build at a specific host. There is no way to specify a project_id, other than having a token in that project. But you need to be admin to do it, so that is a project admin action... yuck. 
Really it should be system_admin passing in a project_id when creating the instance.","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a92da233f615d254e090e9edea4e3413eee56b74","unresolved":false,"context_lines":[{"line_number":162,"context_line":" PROJECT_READER        | RULE_ADMIN_OR_OWNER| Project level  | [system, project]"},{"line_number":163,"context_line":"                                              GET"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"PoC: https://review.opendev.org/#/c/645452"},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"Role"},{"line_number":168,"context_line":"----"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_e6a260ae","line":165,"in_reply_to":"9fb8cfa7_f5833a03","updated":"2019-06-09 06:24:12.000000000","message":"If I get it correctly, you are concerning about boot instance with specifying the host? so in that case we will check the system scope token and do not need to check for project_id ?\n\nBut i might not be getting your comment. 
I will leave this as of now and after catching you on IRC, I will update this section.","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"e2da4d8b6642692ebc2c882c8fe3be5787633744","unresolved":false,"context_lines":[{"line_number":164,"context_line":""},{"line_number":165,"context_line":"PoC: https://review.opendev.org/#/c/645452"},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"Role"},{"line_number":168,"context_line":"----"},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"Once the scope has checked, we need to ensure what role the user has for their"},{"line_number":171,"context_line":"given scope, and if that matches what the operator has allowed."}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_550b268d","line":168,"range":{"start_line":167,"start_character":0,"end_line":168,"end_character":4},"updated":"2019-06-04 15:05:41.000000000","message":"Sorry, this scope/role split is my probably fault... 
but I am not sure we can separate the two issues.","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a92da233f615d254e090e9edea4e3413eee56b74","unresolved":false,"context_lines":[{"line_number":164,"context_line":""},{"line_number":165,"context_line":"PoC: https://review.opendev.org/#/c/645452"},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"Role"},{"line_number":168,"context_line":"----"},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"Once the scope has checked, we need to ensure what role the user has for their"},{"line_number":171,"context_line":"given scope, and if that matches what the operator has allowed."}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_66d19023","line":168,"range":{"start_line":167,"start_character":0,"end_line":168,"end_character":4},"in_reply_to":"9fb8cfa7_550b268d","updated":"2019-06-09 06:24:12.000000000","message":"yea, with shipping the scope capability I feel new default roles solve the good and widly use case. \n\nI do not have direct customer requirement here but IMO, with READER capability and defining the scope of each operation is the complete set of things what user expect in policy changes.","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"e2da4d8b6642692ebc2c882c8fe3be5787633744","unresolved":false,"context_lines":[{"line_number":191,"context_line":"scope_type\u003d[\u0027system\u0027] so check_str will be kept as \u0027role:reader and"},{"line_number":192,"context_line":"system_scope:all\u0027 where system_scope:all is special check so that token of"},{"line_number":193,"context_line":"reader role and project scope cannot access this API. 
Once nova default the"},{"line_number":194,"context_line":"[oslo_policy].enforce_scope to True then, system_scope:all can be removed"},{"line_number":195,"context_line":"from check_str."},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"PoC: https://review.openstack.org/#/c/648480/"},{"line_number":198,"context_line":""}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_9573de15","line":195,"range":{"start_line":194,"start_character":0,"end_line":195,"end_character":15},"updated":"2019-06-04 15:05:41.000000000","message":"I guess... hmm.","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"e2da4d8b6642692ebc2c882c8fe3be5787633744","unresolved":false,"context_lines":[{"line_number":210,"context_line":"To implement the reader role, some of the APIs do not have a granular enough"},{"line_number":211,"context_line":"policy. We will add additional policy checks for these APIs:"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"* \u0027os_compute_api:os-agents\u0027:"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"  * File: nova/policies/agents.py"},{"line_number":216,"context_line":"  * APIs Operation it control:"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_58527b15","line":213,"updated":"2019-06-04 15:05:41.000000000","message":"We should be clearer on the pattern here... 
I guess we deprecate os_compute_api:os-agents, but we add os_compute_api:os-agents:delete, os_compute_api:os-agents:get, os_compute_api:os-agents:create, os_compute_api:os-agents:update ??","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a92da233f615d254e090e9edea4e3413eee56b74","unresolved":false,"context_lines":[{"line_number":210,"context_line":"To implement the reader role, some of the APIs do not have a granular enough"},{"line_number":211,"context_line":"policy. We will add additional policy checks for these APIs:"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"* \u0027os_compute_api:os-agents\u0027:"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"  * File: nova/policies/agents.py"},{"line_number":216,"context_line":"  * APIs Operation it control:"}],"source_content_type":"text/x-rst","patch_set":21,"id":"9fb8cfa7_26c71867","line":213,"in_reply_to":"9fb8cfa7_58527b15","updated":"2019-06-09 06:24:12.000000000","message":"yes. 
I added in PoC patch [1] but will add that in spec too.\n\n[1] https://review.opendev.org/#/c/645427/7/nova/policies/services.py","commit_id":"e66766e1ba7ba71d44208cb103c0ef46abe2b335"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"6bad5c0c608d1f8a63a9cab0da3a26c89d270154","unresolved":false,"context_lines":[{"line_number":29,"context_line":"Firstly \"admin_only\" is used for the global admin that is able to make almost"},{"line_number":30,"context_line":"any change to Nova, and see all details of the Nova system."},{"line_number":31,"context_line":"The rule actually passes for any user with an admin role, it doesn\u0027t matter"},{"line_number":32,"context_line":"which project is used, any user with the admin role gets this global access."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Secondly \"admin_or_owner\" sounds like it checks if the user is a member of a"},{"line_number":35,"context_line":"project. However, for most APIs we use the default target which means this"}],"source_content_type":"text/x-rst","patch_set":22,"id":"9fb8cfa7_1092c5a0","line":32,"range":{"start_line":32,"start_character":37,"end_line":32,"end_character":51},"updated":"2019-07-02 21:57:23.000000000","message":"Note: the admin role means a role with name \u0027admin\u0027, literally. See this code:\n\nhttps://github.com/openstack/nova/blob/d7c8924/nova/policies/base.py#L23-L26","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"6bad5c0c608d1f8a63a9cab0da3a26c89d270154","unresolved":false,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Secondly \"admin_or_owner\" sounds like it checks if the user is a member of a"},{"line_number":35,"context_line":"project. 
However, for most APIs we use the default target which means this"},{"line_number":36,"context_line":"rule will pass for any authenticated user. The database layer has a check"},{"line_number":37,"context_line":"for the admin role that ensures only users in the correct project can access"},{"line_number":38,"context_line":"instances in that project. For example, this database check means it is"},{"line_number":39,"context_line":"impossible to have a custom role that allows a user to perform live-migration"}],"source_content_type":"text/x-rst","patch_set":22,"id":"9fb8cfa7_10d72552","line":36,"range":{"start_line":36,"start_character":47,"end_line":36,"end_character":73},"updated":"2019-07-02 21:57:23.000000000","message":"Note: this is the \u0027project_only\u0027 kwarg, seen in this code:\n\nhttps://github.com/openstack/nova/blob/9b98bb/nova/db/sqlalchemy/api.py#L270-L272","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"749f1db4ebc3d07b3dd6164306277c1999720e8a","unresolved":false,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Secondly \"admin_or_owner\" sounds like it checks if the user is a member of a"},{"line_number":35,"context_line":"project. However, for most APIs we use the default target which means this"},{"line_number":36,"context_line":"rule will pass for any authenticated user. The database layer has a check"},{"line_number":37,"context_line":"for the admin role that ensures only users in the correct project can access"},{"line_number":38,"context_line":"instances in that project. 
For example, this database check means it is"},{"line_number":39,"context_line":"impossible to have a custom role that allows a user to perform live-migration"}],"source_content_type":"text/x-rst","patch_set":22,"id":"7faddb67_5d3a91e7","line":36,"range":{"start_line":36,"start_character":47,"end_line":36,"end_character":73},"in_reply_to":"9fb8cfa7_10d72552","updated":"2019-07-04 14:07:46.000000000","message":"yeah, I will add that for more clarity.","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"6bad5c0c608d1f8a63a9cab0da3a26c89d270154","unresolved":false,"context_lines":[{"line_number":85,"context_line":"#. Ensure all context.can calls specify a target, then make target a required"},{"line_number":86,"context_line":"   parameter and remove the default target. For example project_id."},{"line_number":87,"context_line":"   Currently we use context.project_id in many place which needs to be"},{"line_number":88,"context_line":"   replaced with actual target project_id."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"#. Change DB check from \"role:admin\" to \"scope:system\" if enforce_scope is"},{"line_number":91,"context_line":"   True. 
We can set system_scope on context for DB check."}],"source_content_type":"text/x-rst","patch_set":22,"id":"9fb8cfa7_b06ad97e","line":88,"range":{"start_line":88,"start_character":17,"end_line":88,"end_character":41},"updated":"2019-07-02 21:57:23.000000000","message":"Note: this means for a server action, we need to use the project_id of the actual server, not the project_id of the context which made the request.","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"749f1db4ebc3d07b3dd6164306277c1999720e8a","unresolved":false,"context_lines":[{"line_number":85,"context_line":"#. Ensure all context.can calls specify a target, then make target a required"},{"line_number":86,"context_line":"   parameter and remove the default target. For example project_id."},{"line_number":87,"context_line":"   Currently we use context.project_id in many place which needs to be"},{"line_number":88,"context_line":"   replaced with actual target project_id."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"#. Change DB check from \"role:admin\" to \"scope:system\" if enforce_scope is"},{"line_number":91,"context_line":"   True. We can set system_scope on context for DB check."}],"source_content_type":"text/x-rst","patch_set":22,"id":"7faddb67_dd2d21a9","line":88,"range":{"start_line":88,"start_character":17,"end_line":88,"end_character":41},"in_reply_to":"9fb8cfa7_b06ad97e","updated":"2019-07-04 14:07:46.000000000","message":"yeah. 
I will add that as an example to make it easier to understand.","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"01ae45e01cf5f98775d52385c5688fa7afa3b831","unresolved":false,"context_lines":[{"line_number":88,"context_line":"   replaced with actual target project_id."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"#. Change DB check from \"role:admin\" to \"scope:system\" if enforce_scope is"},{"line_number":91,"context_line":"   True. We can set system_scope on context for DB check."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":"#. Refresh each API endpoint picking from: SYSTEM_ADMIN, SYSTEM_READER,"},{"line_number":94,"context_line":"   PROJECT_MEMBER_OR_SYSTEM_ADMIN, PROJECT_READER_OR_SYSTEM_READER"}],"source_content_type":"text/x-rst","patch_set":22,"id":"9fb8cfa7_eee437e2","line":91,"updated":"2019-06-27 18:24:15.000000000","message":"Is policy enforcement going to stay in the database layer or is the idea to eventually pull that up to the API?","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"6bad5c0c608d1f8a63a9cab0da3a26c89d270154","unresolved":false,"context_lines":[{"line_number":88,"context_line":"   replaced with actual target project_id."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"#. Change DB check from \"role:admin\" to \"scope:system\" if enforce_scope is"},{"line_number":91,"context_line":"   True. We can set system_scope on context for DB check."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":"#. 
Refresh each API endpoint picking from: SYSTEM_ADMIN, SYSTEM_READER,"},{"line_number":94,"context_line":"   PROJECT_MEMBER_OR_SYSTEM_ADMIN, PROJECT_READER_OR_SYSTEM_READER"}],"source_content_type":"text/x-rst","patch_set":22,"id":"9fb8cfa7_709ea16a","line":91,"in_reply_to":"9fb8cfa7_d1846a0d","updated":"2019-07-02 21:57:23.000000000","message":"Yes, the idea is to eventually pull the last bit (\u0027project_only\u0027) of policy enforcement out of the database layer. But as Ghanshyam said, it will take some pre-work to add all the needed by project filtering we\u0027d need at the API layer to replace what it\u0027s providing today.","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"098d772d534f02db08cc1eecb2a1c00e29799ca1","unresolved":false,"context_lines":[{"line_number":88,"context_line":"   replaced with actual target project_id."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"#. Change DB check from \"role:admin\" to \"scope:system\" if enforce_scope is"},{"line_number":91,"context_line":"   True. We can set system_scope on context for DB check."},{"line_number":92,"context_line":""},{"line_number":93,"context_line":"#. Refresh each API endpoint picking from: SYSTEM_ADMIN, SYSTEM_READER,"},{"line_number":94,"context_line":"   PROJECT_MEMBER_OR_SYSTEM_ADMIN, PROJECT_READER_OR_SYSTEM_READER"}],"source_content_type":"text/x-rst","patch_set":22,"id":"9fb8cfa7_d1846a0d","line":91,"in_reply_to":"9fb8cfa7_eee437e2","updated":"2019-06-28 10:29:24.000000000","message":"Good point.\nMost of the policy checks are in API side only but we use admin policy check (context.is_admin check in DB) to filter the DB data either with project_id or not. 
\n\nWe can move them on API side base on the token scope.\n- if token is project scope : get_*_by_project(..,project_id) \n- if the token is system scope: get_*() unless it is explicitly asked to filter by project_id.\n\nBut we need to implement a lot of get_*_by_project() method on compute.api.py, objects etc. I think this improvement can be considered later.","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"6bad5c0c608d1f8a63a9cab0da3a26c89d270154","unresolved":false,"context_lines":[{"line_number":134,"context_line":"the assignment of another. New defaults roles `reader`, `member` also has"},{"line_number":135,"context_line":"been added in bootstrap. If the bootstrap process is re-run, and a"},{"line_number":136,"context_line":"`reader`, `member`, or `admin` role already exists, a role implication"},{"line_number":137,"context_line":"chain will be created: `admin` implies `member` implies `reader`."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"It means if we make something like SYSTEM_READER_OR_PROJECT_READER it implies"},{"line_number":140,"context_line":"the PROJECT_MEMBER and SYSTEM_ADMIN also get access."}],"source_content_type":"text/x-rst","patch_set":22,"id":"9fb8cfa7_109de556","line":137,"updated":"2019-07-02 21:57:23.000000000","message":"Does this mean that we only get implied roles if the bootstrap process is run twice? Not if it\u0027s run once?","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"749f1db4ebc3d07b3dd6164306277c1999720e8a","unresolved":false,"context_lines":[{"line_number":134,"context_line":"the assignment of another. 
New defaults roles `reader`, `member` also has"},{"line_number":135,"context_line":"been added in bootstrap. If the bootstrap process is re-run, and a"},{"line_number":136,"context_line":"`reader`, `member`, or `admin` role already exists, a role implication"},{"line_number":137,"context_line":"chain will be created: `admin` implies `member` implies `reader`."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"It means if we make something like SYSTEM_READER_OR_PROJECT_READER it implies"},{"line_number":140,"context_line":"the PROJECT_MEMBER and SYSTEM_ADMIN also get access."}],"source_content_type":"text/x-rst","patch_set":22,"id":"7faddb67_bd1865d3","line":137,"in_reply_to":"9fb8cfa7_109de556","updated":"2019-07-04 14:07:46.000000000","message":"not twice. Once only after new policy defaults are adopted. It will create the new defaults roles if does not exist and create implies role admin-\u003emember-\u003ereader\n\n- https://opendev.org/openstack/keystone/src/branch/master/keystone/cmd/bootstrap.py#L117","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"6bad5c0c608d1f8a63a9cab0da3a26c89d270154","unresolved":false,"context_lines":[{"line_number":161,"context_line":" RULE_ADMIN_OR_OWNER|                                  | Write     |  project]"},{"line_number":162,"context_line":"                    |-\u003e PROJECT_READER_OR_SYSTEM_READER| Project   | [system,"},{"line_number":163,"context_line":"                                                       | Read      |  project]"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"PoC: https://review.opendev.org/#/c/645452"},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"Role"}],"source_content_type":"text/x-rst","patch_set":22,"id":"9fb8cfa7_f0c85157","line":164,"updated":"2019-07-02 
21:57:23.000000000","message":"Nice chart ++","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"7dbb55cdbcb55cc78487abf2978f198a08b52b59","unresolved":false,"context_lines":[{"line_number":191,"context_line":"scope_type\u003d[\u0027system\u0027] so check_str will be kept as \u0027role:reader and"},{"line_number":192,"context_line":"system_scope:all\u0027 where system_scope:all is special check so that token of"},{"line_number":193,"context_line":"reader role and project scope cannot access this API. Once nova default the"},{"line_number":194,"context_line":"[oslo_policy].enforce_scope to True then, system_scope:all can be removed"},{"line_number":195,"context_line":"from check_str."},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"PoC: https://review.openstack.org/#/c/648480/"},{"line_number":198,"context_line":""}],"source_content_type":"text/x-rst","patch_set":22,"id":"9fb8cfa7_0842e30f","line":195,"range":{"start_line":194,"start_character":42,"end_line":195,"end_character":15},"updated":"2019-06-27 16:35:54.000000000","message":"Nit: this only applies to APIs that only have the scope_type\u003d[\u0027system\u0027], but hey.","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"01ae45e01cf5f98775d52385c5688fa7afa3b831","unresolved":false,"context_lines":[{"line_number":191,"context_line":"scope_type\u003d[\u0027system\u0027] so check_str will be kept as \u0027role:reader and"},{"line_number":192,"context_line":"system_scope:all\u0027 where system_scope:all is special check so that token of"},{"line_number":193,"context_line":"reader role and project scope cannot access this API. 
Once nova default the"},{"line_number":194,"context_line":"[oslo_policy].enforce_scope to True then, system_scope:all can be removed"},{"line_number":195,"context_line":"from check_str."},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"PoC: https://review.openstack.org/#/c/648480/"},{"line_number":198,"context_line":""}],"source_content_type":"text/x-rst","patch_set":22,"id":"9fb8cfa7_aecddf66","line":195,"range":{"start_line":194,"start_character":42,"end_line":195,"end_character":15},"in_reply_to":"9fb8cfa7_0842e30f","updated":"2019-06-27 18:24:15.000000000","message":"++ - if a policy is allowed to be called with system-scope and project-scoped token it\u0027ll need to support both.","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"098d772d534f02db08cc1eecb2a1c00e29799ca1","unresolved":false,"context_lines":[{"line_number":191,"context_line":"scope_type\u003d[\u0027system\u0027] so check_str will be kept as \u0027role:reader and"},{"line_number":192,"context_line":"system_scope:all\u0027 where system_scope:all is special check so that token of"},{"line_number":193,"context_line":"reader role and project scope cannot access this API. 
Once nova default the"},{"line_number":194,"context_line":"[oslo_policy].enforce_scope to True then, system_scope:all can be removed"},{"line_number":195,"context_line":"from check_str."},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"PoC: https://review.openstack.org/#/c/648480/"},{"line_number":198,"context_line":""}],"source_content_type":"text/x-rst","patch_set":22,"id":"9fb8cfa7_b10c56ec","line":195,"range":{"start_line":194,"start_character":42,"end_line":195,"end_character":15},"in_reply_to":"9fb8cfa7_aecddf66","updated":"2019-06-28 10:29:24.000000000","message":"yeah, will make it clear in followup patch.","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"6bad5c0c608d1f8a63a9cab0da3a26c89d270154","unresolved":false,"context_lines":[{"line_number":191,"context_line":"scope_type\u003d[\u0027system\u0027] so check_str will be kept as \u0027role:reader and"},{"line_number":192,"context_line":"system_scope:all\u0027 where system_scope:all is special check so that token of"},{"line_number":193,"context_line":"reader role and project scope cannot access this API. 
Once nova default the"},{"line_number":194,"context_line":"[oslo_policy].enforce_scope to True then, system_scope:all can be removed"},{"line_number":195,"context_line":"from check_str."},{"line_number":196,"context_line":""},{"line_number":197,"context_line":"PoC: https://review.openstack.org/#/c/648480/"},{"line_number":198,"context_line":""}],"source_content_type":"text/x-rst","patch_set":22,"id":"9fb8cfa7_9008f591","line":195,"range":{"start_line":194,"start_character":42,"end_line":195,"end_character":15},"in_reply_to":"9fb8cfa7_b10c56ec","updated":"2019-07-02 21:57:23.000000000","message":"+1 for clarifying.","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"6bad5c0c608d1f8a63a9cab0da3a26c89d270154","unresolved":false,"context_lines":[{"line_number":236,"context_line":"    * POST \u0027/servers/{server_id}/os-interface\u0027,"},{"line_number":237,"context_line":"    * DELETE \u0027/servers/{server_id}/os-interface/{port_id}\u0027"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"* \u0027os_compute_api:os-cells\u0027:"},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"  * File: nova/policies/cells.py"},{"line_number":242,"context_line":"  * APIs Operation it control:"},{"line_number":243,"context_line":""},{"line_number":244,"context_line":"    * GET \u0027/os-cells\u0027,"},{"line_number":245,"context_line":"    * GET \u0027/os-cells/detail\u0027,"},{"line_number":246,"context_line":"    * GET \u0027/os-cells/info\u0027,"},{"line_number":247,"context_line":"    * GET \u0027/os-cells/capacities\u0027,"},{"line_number":248,"context_line":"    * GET \u0027/os-cells/{cell_id}\u0027"},{"line_number":249,"context_line":""},{"line_number":250,"context_line":"* 
\u0027os_compute_api:os-deferred-delete\u0027:"},{"line_number":251,"context_line":""}],"source_content_type":"text/x-rst","patch_set":22,"id":"9fb8cfa7_b0f09993","line":248,"range":{"start_line":239,"start_character":0,"end_line":248,"end_character":31},"updated":"2019-07-02 21:57:23.000000000","message":"Note: this is now outdated, the os-cells API has been removed:\n\nhttps://github.com/openstack/nova/blob/9b98bbd/nova/api/openstack/compute/cells.py","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"749f1db4ebc3d07b3dd6164306277c1999720e8a","unresolved":false,"context_lines":[{"line_number":236,"context_line":"    * POST \u0027/servers/{server_id}/os-interface\u0027,"},{"line_number":237,"context_line":"    * DELETE \u0027/servers/{server_id}/os-interface/{port_id}\u0027"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"* \u0027os_compute_api:os-cells\u0027:"},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"  * File: nova/policies/cells.py"},{"line_number":242,"context_line":"  * APIs Operation it control:"},{"line_number":243,"context_line":""},{"line_number":244,"context_line":"    * GET \u0027/os-cells\u0027,"},{"line_number":245,"context_line":"    * GET \u0027/os-cells/detail\u0027,"},{"line_number":246,"context_line":"    * GET \u0027/os-cells/info\u0027,"},{"line_number":247,"context_line":"    * GET \u0027/os-cells/capacities\u0027,"},{"line_number":248,"context_line":"    * GET \u0027/os-cells/{cell_id}\u0027"},{"line_number":249,"context_line":""},{"line_number":250,"context_line":"* 
\u0027os_compute_api:os-deferred-delete\u0027:"},{"line_number":251,"context_line":""}],"source_content_type":"text/x-rst","patch_set":22,"id":"7faddb67_1d273915","line":248,"range":{"start_line":239,"start_character":0,"end_line":248,"end_character":31},"in_reply_to":"9fb8cfa7_b0f09993","updated":"2019-07-04 14:07:46.000000000","message":"+1. yeah. I will remove it in follow up","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"7dbb55cdbcb55cc78487abf2978f198a08b52b59","unresolved":false,"context_lines":[{"line_number":370,"context_line":"Backward Compatibility and Migration plan"},{"line_number":371,"context_line":"-----------------------------------------"},{"line_number":372,"context_line":""},{"line_number":373,"context_line":"Old rules are maintained as deprecated rule with same defaults"},{"line_number":374,"context_line":"so that existing deployement will keep working as it is."},{"line_number":375,"context_line":""},{"line_number":376,"context_line":"For two cycle (this is big updates so I think we should give two cycle"}],"source_content_type":"text/x-rst","patch_set":22,"id":"9fb8cfa7_e86d0fcc","line":373,"range":{"start_line":373,"start_character":49,"end_line":373,"end_character":62},"updated":"2019-06-27 16:35:54.000000000","message":"Nit: Maybe \"same defaults as today\"","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"6bad5c0c608d1f8a63a9cab0da3a26c89d270154","unresolved":false,"context_lines":[{"line_number":370,"context_line":"Backward Compatibility and Migration plan"},{"line_number":371,"context_line":"-----------------------------------------"},{"line_number":372,"context_line":""},{"line_number":373,"context_line":"Old rules are maintained as deprecated 
rule with same defaults"},{"line_number":374,"context_line":"so that existing deployement will keep working as it is."},{"line_number":375,"context_line":""},{"line_number":376,"context_line":"For two cycle (this is big updates so I think we should give two cycle"}],"source_content_type":"text/x-rst","patch_set":22,"id":"9fb8cfa7_902d55ff","line":373,"range":{"start_line":373,"start_character":49,"end_line":373,"end_character":62},"in_reply_to":"9fb8cfa7_d10f8add","updated":"2019-07-02 21:57:23.000000000","message":"+1","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"098d772d534f02db08cc1eecb2a1c00e29799ca1","unresolved":false,"context_lines":[{"line_number":370,"context_line":"Backward Compatibility and Migration plan"},{"line_number":371,"context_line":"-----------------------------------------"},{"line_number":372,"context_line":""},{"line_number":373,"context_line":"Old rules are maintained as deprecated rule with same defaults"},{"line_number":374,"context_line":"so that existing deployement will keep working as it is."},{"line_number":375,"context_line":""},{"line_number":376,"context_line":"For two cycle (this is big updates so I think we should give two cycle"}],"source_content_type":"text/x-rst","patch_set":22,"id":"9fb8cfa7_d10f8add","line":373,"range":{"start_line":373,"start_character":49,"end_line":373,"end_character":62},"in_reply_to":"9fb8cfa7_e86d0fcc","updated":"2019-06-28 10:29:24.000000000","message":"will fix it in followup.","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"252e7ad148d4bf3b963738b88e94bbcd35c9c5ca","unresolved":false,"context_lines":[{"line_number":424,"context_line":""},{"line_number":425,"context_line":"Instead of deprecated 
rule, we can have a fallback mechanish of registering"},{"line_number":426,"context_line":"the either the new or old policy defaults in the base based on"},{"line_number":427,"context_line":"CONF.oslo_policy.enforce_scope."},{"line_number":428,"context_line":""},{"line_number":429,"context_line":"Data model impact"},{"line_number":430,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":22,"id":"9fb8cfa7_c8e36b04","line":427,"updated":"2019-06-27 16:38:40.000000000","message":"Extra context, I thought this was a good idea, but the approach we have the in spec better aligns with what keystone is doing already. The old real downside is that to make proper use of the Reader role, you need to override policy for the rules where we have the deprecated fallback stuff that you will need to turn off. I guess we could go into the details of that in the spec, but... its long enough already.","commit_id":"4c2e45430952a47643e58e829faf5c3bd5ae5e5d"}]}
