)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"8fbdb9c440a5a574eb46a0386ff1a3294425c720","unresolved":false,"context_lines":[{"line_number":11,"context_line":"are an input parameter at VM creation available to any user and it is an"},{"line_number":12,"context_line":"important notion for cloud usage, it should be easy for anyone to filter"},{"line_number":13,"context_line":"resources on it."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"Change-Id: I288e4a2bd12702a1e7f7ebed544c95eb4a40e641"},{"line_number":16,"context_line":"Implements: blueprint non-admin-filter-instance-by-az"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"3fa7e38b_f6cd3a92","line":14,"updated":"2020-01-20 14:15:29.000000000","message":"Missing \"APIImpact\" tag.","commit_id":"a6572a0334f24e7f1a203b5c8db18a3c5c9f7d40"}],"specs/ussuri/approved/non-admin-filter-instance-by-az.rst":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"550c28ab0d8e64796821d4a0599dbb7d0d7d7a51","unresolved":false,"context_lines":[{"line_number":36,"context_line":""},{"line_number":37,"context_line":"Proposed change"},{"line_number":38,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":39,"context_line":"Add a new microversion to servers list APIs to enable availability_zone filter"},{"line_number":40,"context_line":"for non admin users."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"As non admin filters are listed in the _get_server_search_options function in"},{"line_number":43,"context_line":"``nova/api/openstack/compute/servers.py``, it will only require to add"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_718f142f","line":40,"range":{"start_line":39,"start_character":54,"end_line":40,"end_character":20},"updated":"2020-01-20 14:45:06.000000000","message":"do we have any other such filter which should be non-admin accessible? I think we should audit all those first and bump microversion together to avoid multiple mivroversion changes for filter change in furute.","commit_id":"a6572a0334f24e7f1a203b5c8db18a3c5c9f7d40"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"ab37c2e6d31b2047e64a785842746f93adcfd1b7","unresolved":false,"context_lines":[{"line_number":36,"context_line":""},{"line_number":37,"context_line":"Proposed change"},{"line_number":38,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":39,"context_line":"Add a new microversion to servers list APIs to enable availability_zone filter"},{"line_number":40,"context_line":"for non admin users."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"As non admin filters are listed in the _get_server_search_options function in"},{"line_number":43,"context_line":"``nova/api/openstack/compute/servers.py``, it will only require to add"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_f10ea48d","line":40,"range":{"start_line":39,"start_character":54,"end_line":40,"end_character":20},"in_reply_to":"3fa7e38b_718f142f","updated":"2020-01-20 14:52:42.000000000","message":"good question","commit_id":"a6572a0334f24e7f1a203b5c8db18a3c5c9f7d40"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"8fbdb9c440a5a574eb46a0386ff1a3294425c720","unresolved":false,"context_lines":[{"line_number":39,"context_line":"Add a new microversion to servers list APIs to enable availability_zone filter"},{"line_number":40,"context_line":"for non admin users."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"As non admin filters are listed in the _get_server_search_options function in"},{"line_number":43,"context_line":"``nova/api/openstack/compute/servers.py``, it will only require to add"},{"line_number":44,"context_line":"``availability_zone`` in that list for the given microversion."},{"line_number":45,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_361c32c1","line":42,"range":{"start_line":42,"start_character":3,"end_line":42,"end_character":12},"updated":"2020-01-20 14:15:29.000000000","message":"Do we need to be clear about non admin policy choices here? I think it makes sense.\n\nsee:https://github.com/openstack/nova/blob/master/nova/policies/base.py#L34-L37","commit_id":"a6572a0334f24e7f1a203b5c8db18a3c5c9f7d40"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"28b0378207af7b3524f7d53d3b92693b78c7c94f","unresolved":false,"context_lines":[{"line_number":39,"context_line":"Add a new microversion to servers list APIs to enable availability_zone filter"},{"line_number":40,"context_line":"for non admin users."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"As non admin filters are listed in the _get_server_search_options function in"},{"line_number":43,"context_line":"``nova/api/openstack/compute/servers.py``, it will only require to add"},{"line_number":44,"context_line":"``availability_zone`` in that list for the given microversion."},{"line_number":45,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_f12b0498","line":42,"range":{"start_line":42,"start_character":3,"end_line":42,"end_character":12},"in_reply_to":"3fa7e38b_3143dcb2","updated":"2020-01-20 15:07:06.000000000","message":"Agree.","commit_id":"a6572a0334f24e7f1a203b5c8db18a3c5c9f7d40"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"28a16ecc89f81b8591f9d48076be7b250ea8ca39","unresolved":false,"context_lines":[{"line_number":39,"context_line":"Add a new microversion to servers list APIs to enable availability_zone filter"},{"line_number":40,"context_line":"for non admin users."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"As non admin filters are listed in the _get_server_search_options function in"},{"line_number":43,"context_line":"``nova/api/openstack/compute/servers.py``, it will only require to add"},{"line_number":44,"context_line":"``availability_zone`` in that list for the given microversion."},{"line_number":45,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_b63582f8","line":42,"range":{"start_line":42,"start_character":3,"end_line":42,"end_character":12},"in_reply_to":"3fa7e38b_361c32c1","updated":"2020-01-20 14:20:04.000000000","message":"Is it \"rule:project_reader_api\" then?","commit_id":"a6572a0334f24e7f1a203b5c8db18a3c5c9f7d40"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"550c28ab0d8e64796821d4a0599dbb7d0d7d7a51","unresolved":false,"context_lines":[{"line_number":39,"context_line":"Add a new microversion to servers list APIs to enable availability_zone filter"},{"line_number":40,"context_line":"for non admin users."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"As non admin filters are listed in the _get_server_search_options function in"},{"line_number":43,"context_line":"``nova/api/openstack/compute/servers.py``, it will only require to add"},{"line_number":44,"context_line":"``availability_zone`` in that list for the given microversion."},{"line_number":45,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_d18128fc","line":42,"range":{"start_line":42,"start_character":3,"end_line":42,"end_character":12},"in_reply_to":"3fa7e38b_b63582f8","updated":"2020-01-20 14:45:06.000000000","message":"I think we do not need policy here. we already have policy to allow admin filters to access by non-admin[1]. I think this case is when operator do not want to change that policy and enable AZ for non-admin always.\n\n[1] \u0027os_compute_api:servers:allow_all_filters\u0027","commit_id":"a6572a0334f24e7f1a203b5c8db18a3c5c9f7d40"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"81dba2f42a82c5c5852d709155a3e3cdf92aa234","unresolved":false,"context_lines":[{"line_number":39,"context_line":"Add a new microversion to servers list APIs to enable availability_zone filter"},{"line_number":40,"context_line":"for non admin users."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"As non admin filters are listed in the _get_server_search_options function in"},{"line_number":43,"context_line":"``nova/api/openstack/compute/servers.py``, it will only require to add"},{"line_number":44,"context_line":"``availability_zone`` in that list for the given microversion."},{"line_number":45,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_31c43c60","line":42,"range":{"start_line":42,"start_character":3,"end_line":42,"end_character":12},"in_reply_to":"3fa7e38b_b63582f8","updated":"2020-01-20 14:42:08.000000000","message":"brinzhang__\u003e gmann: \u0027rule:project_reader_api\u0027 and \u0027rule:project_member_api\u0027 which different from \u0027rule:system_admin_or_owner\u0027 and \u0027rule:system_or_project_reader\u0027? I am not sure \n\u003cgmann\u003e brinzhang__: did not get completely.\n\u003cbrinzhang__\u003e gmann: which scope?\n\u003cgmann\u003e brinzhang__: \u0027system_*\u0027 rules are with system level scope and project only rules are project scopped.\n\u003cgmann\u003e brinzhang__: \u0027rule:system_admin_or_owner\u0027 and  \u0027rule:system_or_project_reader\u0027 are [system, project] both scoped.\n\u003cbrinzhang__\u003e gmann: other words, if we are *system_* role, we can get all projects resource. and if we are *project_* role, we just can get his own project\u0027s resource, right?\n\u003cgmann\u003e brinzhang__: right.\n\u003cbrinzhang__\u003e gmann: Thanks :)\n\u003cgmann\u003e in addition to that, new default roles also considered like reader etc. so admin can get member,reader but not vice versa (on both scope case)","commit_id":"a6572a0334f24e7f1a203b5c8db18a3c5c9f7d40"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"ab37c2e6d31b2047e64a785842746f93adcfd1b7","unresolved":false,"context_lines":[{"line_number":39,"context_line":"Add a new microversion to servers list APIs to enable availability_zone filter"},{"line_number":40,"context_line":"for non admin users."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"As non admin filters are listed in the _get_server_search_options function in"},{"line_number":43,"context_line":"``nova/api/openstack/compute/servers.py``, it will only require to add"},{"line_number":44,"context_line":"``availability_zone`` in that list for the given microversion."},{"line_number":45,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_3143dcb2","line":42,"range":{"start_line":42,"start_character":3,"end_line":42,"end_character":12},"in_reply_to":"3fa7e38b_d18128fc","updated":"2020-01-20 14:52:42.000000000","message":"15:48 \u003c gibi\u003e gmann: does os_compute_api:servers:allow_all_filters makes every filtering \n              available for the user?\n15:48 \u003c gmann\u003e gibi: yes, but that allow all admin filters.\n15:48 \u003c gibi\u003e gmann: so that cannot be used to selectively enable AZ filtering for \n              non-admin\n15:49 \u003c gmann\u003e as per discussion with author on IRC, this policy is not they want to use \n               for making AZ for non-admin and wanted AZ to be available by default\n15:49 \u003c gmann\u003e gibi: yeah, i mean if we default any filter for non-admin then we do not \n               need policy for that.\n15:50 \u003c gibi\u003e gmann: so simply adding availiability_zone to \nnova.api.openstack.compute.servers.serverscontroller._get_server_search_options would make \n              the AZ filter available to non-admin by default\n15:50 \u003c gmann\u003e if we think AZ is for non-admin then we should not add config way to \n               disallow for non-admin.\n15:51 \u003c gmann\u003e gibi: yes\n15:51 \u003c gibi\u003e gmann: I got it, thanks\n\n\nNow I got it. I agree with Gmann that we don\u0027t need an extra policy here.","commit_id":"a6572a0334f24e7f1a203b5c8db18a3c5c9f7d40"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"e9421c26b0454fa40df23a812efe7c57bbe05ee5","unresolved":false,"context_lines":[{"line_number":13,"context_line":"Many instances filter are restricted to admin-only users, while the related"},{"line_number":14,"context_line":"attribute are readable when showing instance detail for non admin users."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"In order to stay coherent, all existing instance filters who are related to a"},{"line_number":17,"context_line":"field readable by default to non admin users when showing instance details,"},{"line_number":18,"context_line":"should be allowed by default without policy modification."},{"line_number":19,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_68bef064","line":16,"range":{"start_line":16,"start_character":57,"end_line":16,"end_character":60},"updated":"2020-01-27 12:22:05.000000000","message":"that","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":28595,"name":"Victor Coutellier","email":"victor.coutellier@gmail.com","username":"alistarle"},"change_message_id":"3cbc3f1fafd77700af8addb386dcef5613c999b6","unresolved":false,"context_lines":[{"line_number":13,"context_line":"Many instances filter are restricted to admin-only users, while the related"},{"line_number":14,"context_line":"attribute are readable when showing instance detail for non admin users."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"In order to stay coherent, all existing instance filters who are related to a"},{"line_number":17,"context_line":"field readable by default to non admin users when showing instance details,"},{"line_number":18,"context_line":"should be allowed by default without policy modification."},{"line_number":19,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_78e6894c","line":16,"range":{"start_line":16,"start_character":57,"end_line":16,"end_character":60},"in_reply_to":"3fa7e38b_68bef064","updated":"2020-01-30 07:55:01.000000000","message":"Done","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"e9421c26b0454fa40df23a812efe7c57bbe05ee5","unresolved":false,"context_lines":[{"line_number":23,"context_line":"ignored if provided by non admin), but the related attribute in server payload"},{"line_number":24,"context_line":"are by default visible when displaying server informations:"},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"- availability_zone"},{"line_number":27,"context_line":"- config_drive"},{"line_number":28,"context_line":"- key_name"},{"line_number":29,"context_line":"- created_at"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_c8ae042e","line":26,"range":{"start_line":26,"start_character":2,"end_line":26,"end_character":19},"updated":"2020-01-27 12:22:05.000000000","message":"nit: ``availability_zone`` (below too)","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":28595,"name":"Victor Coutellier","email":"victor.coutellier@gmail.com","username":"alistarle"},"change_message_id":"3cbc3f1fafd77700af8addb386dcef5613c999b6","unresolved":false,"context_lines":[{"line_number":23,"context_line":"ignored if provided by non admin), but the related attribute in server payload"},{"line_number":24,"context_line":"are by default visible when displaying server informations:"},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"- availability_zone"},{"line_number":27,"context_line":"- config_drive"},{"line_number":28,"context_line":"- key_name"},{"line_number":29,"context_line":"- created_at"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_18ebd511","line":26,"range":{"start_line":26,"start_character":2,"end_line":26,"end_character":19},"in_reply_to":"3fa7e38b_c8ae042e","updated":"2020-01-30 07:55:01.000000000","message":"Done","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"ec4f4de7c79fb2c4715e9387c44068be7ea25703","unresolved":false,"context_lines":[{"line_number":30,"context_line":"- launched_at"},{"line_number":31,"context_line":"- terminated_at"},{"line_number":32,"context_line":"- power_state"},{"line_number":33,"context_line":"- task_state"},{"line_number":34,"context_line":"- vm_state"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"This list was made by listing all existing admin-only instance filters [1]_,"},{"line_number":37,"context_line":"extracting those where the related attribute is readable by default for"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_ce092d83","line":34,"range":{"start_line":33,"start_character":0,"end_line":34,"end_character":10},"updated":"2020-01-27 13:35:27.000000000","message":"Interestingly when the user filter for status it is translated to task_state and vm_state filters.","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"339b457c1a160df2f462f1eee3601948dffd13c8","unresolved":false,"context_lines":[{"line_number":32,"context_line":"- power_state"},{"line_number":33,"context_line":"- task_state"},{"line_number":34,"context_line":"- vm_state"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"This list was made by listing all existing admin-only instance filters [1]_,"},{"line_number":37,"context_line":"extracting those where the related attribute is readable by default for"},{"line_number":38,"context_line":"non-admin users in the nova server show API [2]_."}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_1d00d502","line":35,"range":{"start_line":35,"start_character":0,"end_line":35,"end_character":0},"updated":"2020-01-27 18:22:03.000000000","message":"Compared to the list of admin filters[1] and user shown attribute[2], I found few more which we can allow for non-admin.\n\n  - progress: progress_query_server\n  - user_id: user_id_query_server\n\n  - below one are shown as per policy[3] so we can add these also allowed for non-admin if existing policy allow.\n    - host: host_query_server\n    - hostname: hostname_query_server\n    - kernel_id: kernel_id_query_server\n    - launch_index: launch_index_query_server\n    - ramdisk_id: ramdisk_id_query_server\n    - root_device_name: server_root_device_name_query\n\n\n\n\n[1] https://docs.openstack.org/api-ref/compute/?expanded\u003dshow-server-details-detail,list-servers-detail#list-server-request\n\n[2] https://docs.openstack.org/api-ref/compute/?expanded\u003dshow-server-details-detail#id30\n\n[3] https://github.com/openstack/nova/blob/80539a5e849bf8ec1239f0ed01433a7f8a54015b/nova/policies/extended_server_attributes.py","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":28595,"name":"Victor Coutellier","email":"victor.coutellier@gmail.com","username":"alistarle"},"change_message_id":"3cbc3f1fafd77700af8addb386dcef5613c999b6","unresolved":false,"context_lines":[{"line_number":32,"context_line":"- power_state"},{"line_number":33,"context_line":"- task_state"},{"line_number":34,"context_line":"- vm_state"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"This list was made by listing all existing admin-only instance filters [1]_,"},{"line_number":37,"context_line":"extracting those where the related attribute is readable by default for"},{"line_number":38,"context_line":"non-admin users in the nova server show API [2]_."}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_783449ac","line":35,"range":{"start_line":35,"start_character":0,"end_line":35,"end_character":0},"in_reply_to":"3fa7e38b_1d00d502","updated":"2020-01-30 07:55:01.000000000","message":"I add the progress and user_id filter, for the others it is by default admin-only fields (os_compute_api:os-extended-server-attributes policy if I understand well), and this spec is to give to users filters they can see the related field without editing the policy, which is not the case for these one.","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"e9421c26b0454fa40df23a812efe7c57bbe05ee5","unresolved":false,"context_lines":[{"line_number":45,"context_line":"It can be disturbing for a regular user who make some automation againt nova"},{"line_number":46,"context_line":"API not to be able to filter its instances againt field he can consult without"},{"line_number":47,"context_line":"any policy modification from operators, especially if the filter exist but is"},{"line_number":48,"context_line":"qualified as admin-only."},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"By example, in a multiple availability zone deployment, it is a commonly"},{"line_number":51,"context_line":"shared cloud pattern that users create their resources in multiple AZs in"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_6863501a","line":48,"updated":"2020-01-27 12:22:05.000000000","message":"Question: why were things initially implemented this way, and why is it okay to do this now? We don\u0027t hate our users (most of the time) so I imagine there was a good reason for doing this the first day","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"ec4f4de7c79fb2c4715e9387c44068be7ea25703","unresolved":false,"context_lines":[{"line_number":45,"context_line":"It can be disturbing for a regular user who make some automation againt nova"},{"line_number":46,"context_line":"API not to be able to filter its instances againt field he can consult without"},{"line_number":47,"context_line":"any policy modification from operators, especially if the filter exist but is"},{"line_number":48,"context_line":"qualified as admin-only."},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"By example, in a multiple availability zone deployment, it is a commonly"},{"line_number":51,"context_line":"shared cloud pattern that users create their resources in multiple AZs in"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_ee02e971","line":48,"in_reply_to":"3fa7e38b_6863501a","updated":"2020-01-27 13:35:27.000000000","message":"do we have historians? :) I looked at the code but I only see that we have a split between admin and non admin filters for a very long time. I was able to trace back the split til https://review.opendev.org/#/c/3629/","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"339b457c1a160df2f462f1eee3601948dffd13c8","unresolved":false,"context_lines":[{"line_number":45,"context_line":"It can be disturbing for a regular user who make some automation againt nova"},{"line_number":46,"context_line":"API not to be able to filter its instances againt field he can consult without"},{"line_number":47,"context_line":"any policy modification from operators, especially if the filter exist but is"},{"line_number":48,"context_line":"qualified as admin-only."},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"By example, in a multiple availability zone deployment, it is a commonly"},{"line_number":51,"context_line":"shared cloud pattern that users create their resources in multiple AZs in"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_883325f7","line":48,"in_reply_to":"3fa7e38b_ee02e971","updated":"2020-01-27 18:22:03.000000000","message":"do not know the actual reason or history for this but I think we did not get user request for this or fixed it in advance as it is API change. \n\nIMO, it is no harm to allow users to use their scope fields for filtering.","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"e9421c26b0454fa40df23a812efe7c57bbe05ee5","unresolved":false,"context_lines":[{"line_number":63,"context_line":"Add a new microversion to servers list APIs to enable these filters"},{"line_number":64,"context_line":"for non admin users."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"As non admin filters are listed in the _get_server_search_options function in"},{"line_number":67,"context_line":"``nova/api/openstack/compute/servers.py``, it will only require to add"},{"line_number":68,"context_line":"previously described values in that list for the given microversion."},{"line_number":69,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_2869d8f5","line":66,"range":{"start_line":66,"start_character":39,"end_line":66,"end_character":65},"updated":"2020-01-27 12:22:05.000000000","message":"``code``","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":28595,"name":"Victor Coutellier","email":"victor.coutellier@gmail.com","username":"alistarle"},"change_message_id":"3cbc3f1fafd77700af8addb386dcef5613c999b6","unresolved":false,"context_lines":[{"line_number":63,"context_line":"Add a new microversion to servers list APIs to enable these filters"},{"line_number":64,"context_line":"for non admin users."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"As non admin filters are listed in the _get_server_search_options function in"},{"line_number":67,"context_line":"``nova/api/openstack/compute/servers.py``, it will only require to add"},{"line_number":68,"context_line":"previously described values in that list for the given microversion."},{"line_number":69,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_38f011fd","line":66,"range":{"start_line":66,"start_character":39,"end_line":66,"end_character":65},"in_reply_to":"3fa7e38b_2869d8f5","updated":"2020-01-30 07:55:01.000000000","message":"Done","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"e9421c26b0454fa40df23a812efe7c57bbe05ee5","unresolved":false,"context_lines":[{"line_number":72,"context_line":"The mechanism for discovering that is by seeing whether a particular"},{"line_number":73,"context_line":"microversion is supported, especially in this case where prior to this fix,"},{"line_number":74,"context_line":"we\u0027ll silently ignore the AZ filter and the consumer would have no good way"},{"line_number":75,"context_line":"of knowing whether it worked or not."},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"Alternatives"},{"line_number":78,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_c87364e7","line":75,"updated":"2020-01-27 12:22:05.000000000","message":"Hence why this is a blueprint and not a bugfix. Cool","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":28595,"name":"Victor Coutellier","email":"victor.coutellier@gmail.com","username":"alistarle"},"change_message_id":"3cbc3f1fafd77700af8addb386dcef5613c999b6","unresolved":false,"context_lines":[{"line_number":72,"context_line":"The mechanism for discovering that is by seeing whether a particular"},{"line_number":73,"context_line":"microversion is supported, especially in this case where prior to this fix,"},{"line_number":74,"context_line":"we\u0027ll silently ignore the AZ filter and the consumer would have no good way"},{"line_number":75,"context_line":"of knowing whether it worked or not."},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"Alternatives"},{"line_number":78,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_d8d45d4f","line":75,"in_reply_to":"3fa7e38b_c87364e7","updated":"2020-01-30 07:55:01.000000000","message":"Done","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"d056e5b9b80379bf8a5dce6f4c6503281bb79ca0","unresolved":false,"context_lines":[{"line_number":72,"context_line":"The mechanism for discovering that is by seeing whether a particular"},{"line_number":73,"context_line":"microversion is supported, especially in this case where prior to this fix,"},{"line_number":74,"context_line":"we\u0027ll silently ignore the AZ filter and the consumer would have no good way"},{"line_number":75,"context_line":"of knowing whether it worked or not."},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"Alternatives"},{"line_number":78,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_fea341fc","line":75,"in_reply_to":"3fa7e38b_d8d45d4f","updated":"2020-01-30 10:25:25.000000000","message":"Oh, sorry, this was just a comment. You didn\u0027t need to add anything :) Sorry for the confusion. We can keep what\u0027s there now that it\u0027s there though","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"e9421c26b0454fa40df23a812efe7c57bbe05ee5","unresolved":false,"context_lines":[{"line_number":76,"context_line":""},{"line_number":77,"context_line":"Alternatives"},{"line_number":78,"context_line":"------------"},{"line_number":79,"context_line":"Currently the only way to allow non admin users to use these filters"},{"line_number":80,"context_line":"is to edit the nova policy ``os_compute_api:servers:allow_all_filters``,"},{"line_number":81,"context_line":"which can be really painful to maintain during upgrades and can cause security"},{"line_number":82,"context_line":"issue as you don\u0027t want regular user to use filters like the hypervisor or node"},{"line_number":83,"context_line":"one."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"Data model impact"},{"line_number":86,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_4849b48b","line":83,"range":{"start_line":79,"start_character":0,"end_line":83,"end_character":4},"updated":"2020-01-27 12:22:05.000000000","message":"Why can\u0027t we just change this default? This negates the need for an API microversion since it\u0027s just a policy change.","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"9855f12bda80ec8c8bbefd3c030b1356c00e94ed","unresolved":false,"context_lines":[{"line_number":76,"context_line":""},{"line_number":77,"context_line":"Alternatives"},{"line_number":78,"context_line":"------------"},{"line_number":79,"context_line":"Currently the only way to allow non admin users to use these filters"},{"line_number":80,"context_line":"is to edit the nova policy ``os_compute_api:servers:allow_all_filters``,"},{"line_number":81,"context_line":"which can be really painful to maintain during upgrades and can cause security"},{"line_number":82,"context_line":"issue as you don\u0027t want regular user to use filters like the hypervisor or node"},{"line_number":83,"context_line":"one."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"Data model impact"},{"line_number":86,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_9d6845bc","line":83,"range":{"start_line":79,"start_character":0,"end_line":83,"end_character":4},"in_reply_to":"3fa7e38b_0ebe6563","updated":"2020-01-27 17:26:38.000000000","message":"Oh, so it\u0027s not actually possible to change the policy to allow any user to do this?","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"ec4f4de7c79fb2c4715e9387c44068be7ea25703","unresolved":false,"context_lines":[{"line_number":76,"context_line":""},{"line_number":77,"context_line":"Alternatives"},{"line_number":78,"context_line":"------------"},{"line_number":79,"context_line":"Currently the only way to allow non admin users to use these filters"},{"line_number":80,"context_line":"is to edit the nova policy ``os_compute_api:servers:allow_all_filters``,"},{"line_number":81,"context_line":"which can be really painful to maintain during upgrades and can cause security"},{"line_number":82,"context_line":"issue as you don\u0027t want regular user to use filters like the hypervisor or node"},{"line_number":83,"context_line":"one."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"Data model impact"},{"line_number":86,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_0ebe6563","line":83,"range":{"start_line":79,"start_character":0,"end_line":83,"end_character":4},"in_reply_to":"3fa7e38b_4849b48b","updated":"2020-01-27 13:35:27.000000000","message":"I think this helps answering it https://review.opendev.org/#/c/701763/2/specs/ussuri/approved/non-admin-filter-instance-by-az.rst@42","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":28595,"name":"Victor Coutellier","email":"victor.coutellier@gmail.com","username":"alistarle"},"change_message_id":"062084880cc0a42265e16ce77478c3a2359a907a","unresolved":false,"context_lines":[{"line_number":76,"context_line":""},{"line_number":77,"context_line":"Alternatives"},{"line_number":78,"context_line":"------------"},{"line_number":79,"context_line":"Currently the only way to allow non admin users to use these filters"},{"line_number":80,"context_line":"is to edit the nova policy ``os_compute_api:servers:allow_all_filters``,"},{"line_number":81,"context_line":"which can be really painful to maintain during upgrades and can cause security"},{"line_number":82,"context_line":"issue as you don\u0027t want regular user to use filters like the hypervisor or node"},{"line_number":83,"context_line":"one."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"Data model impact"},{"line_number":86,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_1da535a0","line":83,"range":{"start_line":79,"start_character":0,"end_line":83,"end_character":4},"in_reply_to":"3fa7e38b_9d6845bc","updated":"2020-01-27 17:47:00.000000000","message":"Yes it is possible, but it will allow all the filters for non admin, even the node or hostname, that is not the behaviour we want.","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"339b457c1a160df2f462f1eee3601948dffd13c8","unresolved":false,"context_lines":[{"line_number":76,"context_line":""},{"line_number":77,"context_line":"Alternatives"},{"line_number":78,"context_line":"------------"},{"line_number":79,"context_line":"Currently the only way to allow non admin users to use these filters"},{"line_number":80,"context_line":"is to edit the nova policy ``os_compute_api:servers:allow_all_filters``,"},{"line_number":81,"context_line":"which can be really painful to maintain during upgrades and can cause security"},{"line_number":82,"context_line":"issue as you don\u0027t want regular user to use filters like the hypervisor or node"},{"line_number":83,"context_line":"one."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"Data model impact"},{"line_number":86,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_a86861bb","line":83,"range":{"start_line":79,"start_character":0,"end_line":83,"end_character":4},"in_reply_to":"3fa7e38b_9d6845bc","updated":"2020-01-27 18:22:03.000000000","message":"current policy allow all filters to allow or disallow for any users. Request here is not to expose the admin-only filters (fields which admin only can see in GET /servers) to non-admin users.\n\nWe do not have field-based policy here.","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"e9421c26b0454fa40df23a812efe7c57bbe05ee5","unresolved":false,"context_lines":[{"line_number":104,"context_line":"- task_state"},{"line_number":105,"context_line":"- vm_state"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"GET /servers?availability_zone\u003daz2"},{"line_number":108,"context_line":"GET /servers/detail?availability_zone\u003daz1"},{"line_number":109,"context_line":"GET /servers/detail?key_name\u003dmy_key\u0026config_drive\u003dTrue"},{"line_number":110,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_c85cc44d","line":107,"updated":"2020-01-27 12:22:05.000000000","message":"Can you indent this?\n\n  .. code::\n\n     GET /servers?availability_zone\u003daz2\n     GET /servers/detail?availability_zone\u003daz1\n     GET /servers/detail?key_name\u003dmy_key\u0026config_drive\u003dTrue","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":28595,"name":"Victor Coutellier","email":"victor.coutellier@gmail.com","username":"alistarle"},"change_message_id":"3cbc3f1fafd77700af8addb386dcef5613c999b6","unresolved":false,"context_lines":[{"line_number":104,"context_line":"- task_state"},{"line_number":105,"context_line":"- vm_state"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"GET /servers?availability_zone\u003daz2"},{"line_number":108,"context_line":"GET /servers/detail?availability_zone\u003daz1"},{"line_number":109,"context_line":"GET /servers/detail?key_name\u003dmy_key\u0026config_drive\u003dTrue"},{"line_number":110,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_98dee569","line":107,"in_reply_to":"3fa7e38b_c85cc44d","updated":"2020-01-30 07:55:01.000000000","message":"Done","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"339b457c1a160df2f462f1eee3601948dffd13c8","unresolved":false,"context_lines":[{"line_number":150,"context_line":"---------------"},{"line_number":151,"context_line":"Feature liaison:"},{"line_number":152,"context_line":"  Balazs Gibizer"},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"Work Items"},{"line_number":155,"context_line":"----------"},{"line_number":156,"context_line":"* Add filters to the non-admin whitelisted instance filters"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_8861e5d6","line":153,"range":{"start_line":153,"start_character":0,"end_line":153,"end_character":0},"updated":"2020-01-27 18:22:03.000000000","message":"thanks. I can also volunteer for liaison along with gibi.","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":28595,"name":"Victor Coutellier","email":"victor.coutellier@gmail.com","username":"alistarle"},"change_message_id":"3cbc3f1fafd77700af8addb386dcef5613c999b6","unresolved":false,"context_lines":[{"line_number":150,"context_line":"---------------"},{"line_number":151,"context_line":"Feature liaison:"},{"line_number":152,"context_line":"  Balazs Gibizer"},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"Work Items"},{"line_number":155,"context_line":"----------"},{"line_number":156,"context_line":"* Add filters to the non-admin whitelisted instance filters"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3fa7e38b_b8dba178","line":153,"range":{"start_line":153,"start_character":0,"end_line":153,"end_character":0},"in_reply_to":"3fa7e38b_8861e5d6","updated":"2020-01-30 07:55:01.000000000","message":"Done","commit_id":"649afab26e0a14173e0760ee58775c60120477ab"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"c5f89d8e9ac586535fb3bf2610e2c4e7a4e7347c","unresolved":false,"context_lines":[{"line_number":109,"context_line":"- ``progress``"},{"line_number":110,"context_line":"- ``user_id``"},{"line_number":111,"context_line":""},{"line_number":112,"context_line":".. code::"},{"line_number":113,"context_line":"  GET /servers?availability_zone\u003daz2"},{"line_number":114,"context_line":"  GET /servers/detail?availability_zone\u003daz1"},{"line_number":115,"context_line":"  GET /servers/detail?key_name\u003dmy_key\u0026config_drive\u003dTrue"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_f3305aed","line":112,"range":{"start_line":112,"start_character":0,"end_line":112,"end_character":9},"updated":"2020-01-30 09:26:32.000000000","message":"Currently it is a messy show sequence, adding this key word, it will look better than now, docs failed is that you need to add a blank line under this key word.\n\nhttps://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_561/701763/6/check/openstack-tox-docs/561d628/docs/specs/ussuri/approved/non-admin-filter-instance-by-az.html#rest-api-impact","commit_id":"d68dc2883877fd48afecd562fc525022ef66579e"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"c5f89d8e9ac586535fb3bf2610e2c4e7a4e7347c","unresolved":false,"context_lines":[{"line_number":5,"context_line":" http://creativecommons.org/licenses/by/3.0/legalcode"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":8,"context_line":"Non-Admin user can filter their instance by availability zone"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"https://blueprints.launchpad.net/nova/+spec/non-admin-filter-instance-by-az"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_532fee56","line":8,"range":{"start_line":8,"start_character":44,"end_line":8,"end_character":61},"updated":"2020-01-30 09:26:32.000000000","message":"``availability_zone`` is just one of these fileds that you will be changed listed in the \"REST API impact\", so I think this title should have a more appropriate name.","commit_id":"033f9f01f403fc6f7c99a4de10f166693c1d558a"}]}