)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"45a89ff49802facd4c4a59f7ee0cdca179aa814a","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     Peter Hamilton \u003cpeter.hamilton@jhuapl.edu\u003e"},{"line_number":5,"context_line":"CommitDate: 2018-05-24 09:48:53 -0400"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Add support for certificate validation"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"This spec describes changes that would allow Nova to perform"},{"line_number":10,"context_line":"certificate validation when verifying Glance image signatures."},{"line_number":11,"context_line":"While image signing ensures that image data is obtained"},{"line_number":12,"context_line":"unmodified from Glance, it does not prevent an attacker from"},{"line_number":13,"context_line":"uploading and signing a malicious image. The addition of Nova"},{"line_number":14,"context_line":"API changes allows Nova users to control the certificates"},{"line_number":15,"context_line":"which are allowed to sign images."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"This spec describes work related to image verification. For"},{"line_number":18,"context_line":"more information, see: https://review.openstack.org/#/c/343654"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"APIImpact"},{"line_number":21,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"5f7c97a3_6895cb86","line":18,"range":{"start_line":7,"start_character":0,"end_line":18,"end_character":62},"updated":"2018-05-24 21:26:03.000000000","message":"nit: this is fine, but it would have been better to just say this is amendment to the original spec based on discussion that came up during review of the REST API changes.","commit_id":"3fed14c48393c7d649bc48b718890625a1d3df81"}],"specs/rocky/approved/nova-validate-certificates.rst":[{"author":{"_account_id":7012,"name":"Brianna Poulos","email":"Brianna.Poulos@jhuapl.edu","username":"brianna-poulos"},"change_message_id":"9c97f663a1b63892d5b2f99528057654168285ef","unresolved":false,"context_lines":[{"line_number":198,"context_line":"See [11] and [12] for more information."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"The seventh change updates the InstancePayload notification base, adding in"},{"line_number":201,"context_line":"trusted certificate IDs to every instance notification. This will help users"},{"line_number":202,"context_line":"and administrators identify when their instances are leveraging certificate"},{"line_number":203,"context_line":"validation and can assist in diagnosing validation failures when they occur."},{"line_number":204,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"5f7c97a3_31e66946","line":201,"range":{"start_line":201,"start_character":27,"end_line":201,"end_character":54},"updated":"2018-05-24 13:40:22.000000000","message":"This has changed to be rebuild and create notifications (instead of every).","commit_id":"8c6206fe7edf66dfe7db915db9769a817af36f3a"},{"author":{"_account_id":7764,"name":"Peter Hamilton","email":"peter.hamilton@jhuapl.edu","username":"Peter"},"change_message_id":"b39ced0585f943c96933682eb0675d736d3971a8","unresolved":false,"context_lines":[{"line_number":198,"context_line":"See [11] and [12] for more information."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"The seventh change updates the InstancePayload notification base, adding in"},{"line_number":201,"context_line":"trusted certificate IDs to every instance notification. This will help users"},{"line_number":202,"context_line":"and administrators identify when their instances are leveraging certificate"},{"line_number":203,"context_line":"validation and can assist in diagnosing validation failures when they occur."},{"line_number":204,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"5f7c97a3_911c1d14","line":201,"range":{"start_line":201,"start_character":27,"end_line":201,"end_character":54},"in_reply_to":"5f7c97a3_31e66946","updated":"2018-05-24 13:49:21.000000000","message":"Done","commit_id":"8c6206fe7edf66dfe7db915db9769a817af36f3a"},{"author":{"_account_id":7012,"name":"Brianna Poulos","email":"Brianna.Poulos@jhuapl.edu","username":"brianna-poulos"},"change_message_id":"9c97f663a1b63892d5b2f99528057654168285ef","unresolved":false,"context_lines":[{"line_number":388,"context_line":"--------------------"},{"line_number":389,"context_line":""},{"line_number":390,"context_line":"With the addition of trusted certificate information to the InstanceExtra data"},{"line_number":391,"context_line":"model, all instance notifications should be updated to include the trusted"},{"line_number":392,"context_line":"certificate IDs for a specific instance. Specifically, the InstancePayload"},{"line_number":393,"context_line":"notification base should be updated to include a \u0027trusted_certificate_ids\u0027"},{"line_number":394,"context_line":"field that will contain the list of trusted certificate IDs obtained from the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5f7c97a3_51e1a529","line":391,"range":{"start_line":391,"start_character":7,"end_line":391,"end_character":10},"updated":"2018-05-24 13:40:22.000000000","message":"Instead of all, only create and rebuild.","commit_id":"8c6206fe7edf66dfe7db915db9769a817af36f3a"},{"author":{"_account_id":7764,"name":"Peter Hamilton","email":"peter.hamilton@jhuapl.edu","username":"Peter"},"change_message_id":"b39ced0585f943c96933682eb0675d736d3971a8","unresolved":false,"context_lines":[{"line_number":388,"context_line":"--------------------"},{"line_number":389,"context_line":""},{"line_number":390,"context_line":"With the addition of trusted certificate information to the InstanceExtra data"},{"line_number":391,"context_line":"model, all instance notifications should be updated to include the trusted"},{"line_number":392,"context_line":"certificate IDs for a specific instance. Specifically, the InstancePayload"},{"line_number":393,"context_line":"notification base should be updated to include a \u0027trusted_certificate_ids\u0027"},{"line_number":394,"context_line":"field that will contain the list of trusted certificate IDs obtained from the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5f7c97a3_311bc91b","line":391,"range":{"start_line":391,"start_character":7,"end_line":391,"end_character":10},"in_reply_to":"5f7c97a3_51e1a529","updated":"2018-05-24 13:49:21.000000000","message":"Done","commit_id":"8c6206fe7edf66dfe7db915db9769a817af36f3a"},{"author":{"_account_id":7012,"name":"Brianna Poulos","email":"Brianna.Poulos@jhuapl.edu","username":"brianna-poulos"},"change_message_id":"9c97f663a1b63892d5b2f99528057654168285ef","unresolved":false,"context_lines":[{"line_number":389,"context_line":""},{"line_number":390,"context_line":"With the addition of trusted certificate information to the InstanceExtra data"},{"line_number":391,"context_line":"model, all instance notifications should be updated to include the trusted"},{"line_number":392,"context_line":"certificate IDs for a specific instance. Specifically, the InstancePayload"},{"line_number":393,"context_line":"notification base should be updated to include a \u0027trusted_certificate_ids\u0027"},{"line_number":394,"context_line":"field that will contain the list of trusted certificate IDs obtained from the"},{"line_number":395,"context_line":"instance associated with the notification."}],"source_content_type":"text/x-rst","patch_set":1,"id":"5f7c97a3_f1d1d158","line":392,"range":{"start_line":392,"start_character":59,"end_line":392,"end_character":74},"updated":"2018-05-24 13:40:22.000000000","message":"InstanceCreatePayload and InstanceActionRebuildPayload","commit_id":"8c6206fe7edf66dfe7db915db9769a817af36f3a"},{"author":{"_account_id":7764,"name":"Peter Hamilton","email":"peter.hamilton@jhuapl.edu","username":"Peter"},"change_message_id":"b39ced0585f943c96933682eb0675d736d3971a8","unresolved":false,"context_lines":[{"line_number":389,"context_line":""},{"line_number":390,"context_line":"With the addition of trusted certificate information to the InstanceExtra data"},{"line_number":391,"context_line":"model, all instance notifications should be updated to include the trusted"},{"line_number":392,"context_line":"certificate IDs for a specific instance. Specifically, the InstancePayload"},{"line_number":393,"context_line":"notification base should be updated to include a \u0027trusted_certificate_ids\u0027"},{"line_number":394,"context_line":"field that will contain the list of trusted certificate IDs obtained from the"},{"line_number":395,"context_line":"instance associated with the notification."}],"source_content_type":"text/x-rst","patch_set":1,"id":"5f7c97a3_f1d23134","line":392,"range":{"start_line":392,"start_character":59,"end_line":392,"end_character":74},"in_reply_to":"5f7c97a3_f1d1d158","updated":"2018-05-24 13:49:21.000000000","message":"Done","commit_id":"8c6206fe7edf66dfe7db915db9769a817af36f3a"},{"author":{"_account_id":7012,"name":"Brianna Poulos","email":"Brianna.Poulos@jhuapl.edu","username":"brianna-poulos"},"change_message_id":"9c97f663a1b63892d5b2f99528057654168285ef","unresolved":false,"context_lines":[{"line_number":500,"context_line":"  passed through to the signature verification step when downloading the image"},{"line_number":501,"context_line":"  from glance. See [14]."},{"line_number":502,"context_line":"* Add a new notification field, \u0027trusted_certificate_ids\u0027, to the"},{"line_number":503,"context_line":"  InstancePayload notification base."},{"line_number":504,"context_line":"* Modify the control flow for booting an instance from a volume to generate"},{"line_number":505,"context_line":"  a build error when certificate validation is enabled."},{"line_number":506,"context_line":"* Add new policy rules to allow simple enable/disable control for certificate"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5f7c97a3_d1ce15b3","line":503,"range":{"start_line":503,"start_character":2,"end_line":503,"end_character":17},"updated":"2018-05-24 13:40:22.000000000","message":"InstanceCreatePayload and InstanceActionRebuildPayload","commit_id":"8c6206fe7edf66dfe7db915db9769a817af36f3a"},{"author":{"_account_id":7764,"name":"Peter Hamilton","email":"peter.hamilton@jhuapl.edu","username":"Peter"},"change_message_id":"b39ced0585f943c96933682eb0675d736d3971a8","unresolved":false,"context_lines":[{"line_number":500,"context_line":"  passed through to the signature verification step when downloading the image"},{"line_number":501,"context_line":"  from glance. See [14]."},{"line_number":502,"context_line":"* Add a new notification field, \u0027trusted_certificate_ids\u0027, to the"},{"line_number":503,"context_line":"  InstancePayload notification base."},{"line_number":504,"context_line":"* Modify the control flow for booting an instance from a volume to generate"},{"line_number":505,"context_line":"  a build error when certificate validation is enabled."},{"line_number":506,"context_line":"* Add new policy rules to allow simple enable/disable control for certificate"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5f7c97a3_11d6cd28","line":503,"range":{"start_line":503,"start_character":2,"end_line":503,"end_character":17},"in_reply_to":"5f7c97a3_d1ce15b3","updated":"2018-05-24 13:49:21.000000000","message":"Done","commit_id":"8c6206fe7edf66dfe7db915db9769a817af36f3a"},{"author":{"_account_id":7012,"name":"Brianna Poulos","email":"Brianna.Poulos@jhuapl.edu","username":"brianna-poulos"},"change_message_id":"9c97f663a1b63892d5b2f99528057654168285ef","unresolved":false,"context_lines":[{"line_number":580,"context_line":"[18] \"Add certificate validation scenario tests.\" https://review.openstack.org/#/c/515210/"},{"line_number":581,"context_line":""},{"line_number":582,"context_line":"[19] \"Support image signature verification.\" https://review.openstack.org/#/c/384143/"},{"line_number":583,"context_line":""},{"line_number":584,"context_line":"History"},{"line_number":585,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":586,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"5f7c97a3_31bf49fc","line":583,"updated":"2018-05-24 13:40:22.000000000","message":"The notification support patch is at: https://review.openstack.org/#/c/563269/","commit_id":"8c6206fe7edf66dfe7db915db9769a817af36f3a"},{"author":{"_account_id":7764,"name":"Peter Hamilton","email":"peter.hamilton@jhuapl.edu","username":"Peter"},"change_message_id":"b39ced0585f943c96933682eb0675d736d3971a8","unresolved":false,"context_lines":[{"line_number":580,"context_line":"[18] \"Add certificate validation scenario tests.\" https://review.openstack.org/#/c/515210/"},{"line_number":581,"context_line":""},{"line_number":582,"context_line":"[19] \"Support image signature verification.\" https://review.openstack.org/#/c/384143/"},{"line_number":583,"context_line":""},{"line_number":584,"context_line":"History"},{"line_number":585,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":586,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"5f7c97a3_b1dcb946","line":583,"in_reply_to":"5f7c97a3_31bf49fc","updated":"2018-05-24 13:49:21.000000000","message":"Done","commit_id":"8c6206fe7edf66dfe7db915db9769a817af36f3a"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"45a89ff49802facd4c4a59f7ee0cdca179aa814a","unresolved":false,"context_lines":[{"line_number":212,"context_line":"The ninth change adds new policy rules around the use of trusted"},{"line_number":213,"context_line":"certificates, allowing nova administrators to easily enable/disable"},{"line_number":214,"context_line":"certificate validation if their deployments can/cannot support the feature."},{"line_number":215,"context_line":"Specifically, new policy rules will be added for the server create and build"},{"line_number":216,"context_line":"requests. If either request is made and trusted certificates are provided,"},{"line_number":217,"context_line":"the policy checker will verify that the operation is allowed. If not, a"},{"line_number":218,"context_line":"PolicyNotAuthorized exception will be raised to fail the request. This is"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5f7c97a3_486a4fb3","line":215,"range":{"start_line":215,"start_character":71,"end_line":215,"end_character":76},"updated":"2018-05-24 21:26:03.000000000","message":"rebuild","commit_id":"3fed14c48393c7d649bc48b718890625a1d3df81"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"45a89ff49802facd4c4a59f7ee0cdca179aa814a","unresolved":false,"context_lines":[{"line_number":392,"context_line":"model, create and rebuild instance notifications should be updated to include"},{"line_number":393,"context_line":"the trusted certificate IDs for a specific instance. Specifically, the"},{"line_number":394,"context_line":"InstanceCreatePayload and InstanceActionRebuildPayload should be updated to"},{"line_number":395,"context_line":"include a \u0027trusted_certificate_ids\u0027 field that will contain the list of"},{"line_number":396,"context_line":"trusted certificate IDs obtained from the instance associated with the"},{"line_number":397,"context_line":"notification."},{"line_number":398,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"5f7c97a3_e889db74","line":395,"range":{"start_line":395,"start_character":11,"end_line":395,"end_character":34},"updated":"2018-05-24 21:26:03.000000000","message":"nit: let\u0027s call it trusted_certs to match the Instance object field, from which this field will be derived. I\u0027ve asked why there is a different name in the notification patch as well (note that what is here in the spec now is different from what\u0027s in the patch anyway).\n\nhttps://review.openstack.org/#/c/563269/","commit_id":"3fed14c48393c7d649bc48b718890625a1d3df81"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"6ac6f4d013987ea321078df4a9230e508ca339a9","unresolved":false,"context_lines":[{"line_number":392,"context_line":"model, create and rebuild instance notifications should be updated to include"},{"line_number":393,"context_line":"the trusted certificate IDs for a specific instance. Specifically, the"},{"line_number":394,"context_line":"InstanceCreatePayload and InstanceActionRebuildPayload should be updated to"},{"line_number":395,"context_line":"include a \u0027trusted_certificate_ids\u0027 field that will contain the list of"},{"line_number":396,"context_line":"trusted certificate IDs obtained from the instance associated with the"},{"line_number":397,"context_line":"notification."},{"line_number":398,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"5f7c97a3_68486b2c","line":395,"range":{"start_line":395,"start_character":11,"end_line":395,"end_character":34},"in_reply_to":"5f7c97a3_e889db74","updated":"2018-05-24 21:28:42.000000000","message":"Nevermind, I see that the notification is using the same field name from the server resource response body:\n\nhttps://review.openstack.org/#/c/486204/100/nova/api/openstack/compute/views/servers.py\n\nSo this just needs to match that (trusted_image_certificates).","commit_id":"3fed14c48393c7d649bc48b718890625a1d3df81"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"45a89ff49802facd4c4a59f7ee0cdca179aa814a","unresolved":false,"context_lines":[{"line_number":501,"context_line":"  create and rebuild commands. The value of this parameter will need to be"},{"line_number":502,"context_line":"  passed through to the signature verification step when downloading the image"},{"line_number":503,"context_line":"  from glance. See [14]."},{"line_number":504,"context_line":"* Add a new notification field, \u0027trusted_certificate_ids\u0027, to the"},{"line_number":505,"context_line":"  InstanceCreatePayload and InstanceActionRebuildPayload. See [20]."},{"line_number":506,"context_line":"* Modify the control flow for booting an instance from a volume to generate"},{"line_number":507,"context_line":"  a build error when certificate validation is enabled."}],"source_content_type":"text/x-rst","patch_set":2,"id":"5f7c97a3_088e9778","line":504,"range":{"start_line":504,"start_character":33,"end_line":504,"end_character":56},"updated":"2018-05-24 21:26:03.000000000","message":"trusted_certs","commit_id":"3fed14c48393c7d649bc48b718890625a1d3df81"}]}