)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"7d5c2e6bd1815428fcc9417abfb25000f1734dff","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"b1e3e49d_77890d25","updated":"2021-11-22 13:45:32.000000000","message":"ill try and review this properly this week just left some input on the None topic.\ni think None is correct in terms of python dict repsonce but in json that would be\nmodles ad the null object.","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"6b832ab372178cd3eacbaad0ca1658b456d641a2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"c456b231_f712c5ee","updated":"2021-11-17 06:22:32.000000000","message":"it is reproposed to yoga, so I\u0027m dropping my procedural -2. I have to go back and review the content.","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"73cfece5f27eb2e1549e328ea92b419bd9538dfb","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"5f97e049_fcd28e77","updated":"2021-12-03 15:31:04.000000000","message":"Looks good to me after the recent changes, thanks gmann!","commit_id":"fa3654ff192c2e459c0e141e3b45c9b98ea8761e"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"58623601f61934c8cfb7109cafc0ccbf8e5104a3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"d6c943bd_bd9cf734","updated":"2021-12-08 15:08:00.000000000","message":"Looks good to me too","commit_id":"fa3654ff192c2e459c0e141e3b45c9b98ea8761e"}],"specs/xena/approved/allow-project-admin-list-hypervisors.rst":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"744903f486c0d70033f4864b630b6f9d7398ec5f","unresolved":true,"context_lines":[{"line_number":15,"context_line":"Problem description"},{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Project admin can currently create a server on a specific hypervisor (via host in availability_zone field). But project"},{"line_number":19,"context_line":"admin is not allowed to `list the hypervisors`__ On the other hand, only system admins or system readers can list hypervisors"},{"line_number":20,"context_line":"but they cannot create a server on the project\u0027s behalf because there is no way to pass the `project_id in POST /servers API`__."},{"line_number":21,"context_line":"This way we make \u0027POST /servers with specific host\u0027 unusable unless the user gives extra token permission to the project admin"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1c486bc4_8ae941ae","line":18,"updated":"2021-05-25 17:17:12.000000000","message":"Could you wrap the whole file here at 79 columns so it\u0027s easier to read in gerrit?","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"82e8bb32dfd9b33d56225be6ecdeeebc706c6b8e","unresolved":false,"context_lines":[{"line_number":15,"context_line":"Problem description"},{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Project admin can currently create a server on a specific hypervisor (via host in availability_zone field). But project"},{"line_number":19,"context_line":"admin is not allowed to `list the hypervisors`__ On the other hand, only system admins or system readers can list hypervisors"},{"line_number":20,"context_line":"but they cannot create a server on the project\u0027s behalf because there is no way to pass the `project_id in POST /servers API`__."},{"line_number":21,"context_line":"This way we make \u0027POST /servers with specific host\u0027 unusable unless the user gives extra token permission to the project admin"}],"source_content_type":"text/x-rst","patch_set":1,"id":"29626382_86932cf4","line":18,"in_reply_to":"1c486bc4_8ae941ae","updated":"2021-05-25 17:41:02.000000000","message":"Done","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"5cf5c5ae267b57961e80db1f3dcafcb3c14e1f28","unresolved":true,"context_lines":[{"line_number":19,"context_line":"admin is not allowed to `list the hypervisors`__ On the other hand, only system admins or system readers can list hypervisors"},{"line_number":20,"context_line":"but they cannot create a server on the project\u0027s behalf because there is no way to pass the `project_id in POST /servers API`__."},{"line_number":21,"context_line":"This way we make \u0027POST /servers with specific host\u0027 unusable unless the user gives extra token permission to the project admin"},{"line_number":22,"context_line":"or system users."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"__ https://github.com/openstack/nova/blob/b0cd985f0c09088098f74cc0cb1df616cc0ef12b/nova/policies/hypervisors.py#L37"},{"line_number":25,"context_line":"__ https://github.com/openstack/nova/blob/b0cd985f0c09088098f74cc0cb1df616cc0ef12b/nova/api/openstack/compute/schemas/servers.py#L149"}],"source_content_type":"text/x-rst","patch_set":1,"id":"f7357101_0583416a","line":22,"updated":"2021-05-25 17:09:24.000000000","message":"Can you wrap this at ~80 characters?","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"82e8bb32dfd9b33d56225be6ecdeeebc706c6b8e","unresolved":false,"context_lines":[{"line_number":19,"context_line":"admin is not allowed to `list the hypervisors`__ On the other hand, only system admins or system readers can list hypervisors"},{"line_number":20,"context_line":"but they cannot create a server on the project\u0027s behalf because there is no way to pass the `project_id in POST /servers API`__."},{"line_number":21,"context_line":"This way we make \u0027POST /servers with specific host\u0027 unusable unless the user gives extra token permission to the project admin"},{"line_number":22,"context_line":"or system users."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"__ https://github.com/openstack/nova/blob/b0cd985f0c09088098f74cc0cb1df616cc0ef12b/nova/policies/hypervisors.py#L37"},{"line_number":25,"context_line":"__ https://github.com/openstack/nova/blob/b0cd985f0c09088098f74cc0cb1df616cc0ef12b/nova/api/openstack/compute/schemas/servers.py#L149"}],"source_content_type":"text/x-rst","patch_set":1,"id":"b64d3d04_0dd705df","line":22,"in_reply_to":"f7357101_0583416a","updated":"2021-05-25 17:41:02.000000000","message":"Done","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"744903f486c0d70033f4864b630b6f9d7398ec5f","unresolved":true,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Proposed change"},{"line_number":35,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":36,"context_line":"Allow project admin to list all the hyperviros they are assigned. That will be get"},{"line_number":37,"context_line":"from aggregate metadata info (\u0027filter_tenant_id\u0027). if requested project is in \u0027filter_tenant_id\u0027"},{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "}],"source_content_type":"text/x-rst","patch_set":1,"id":"707656c8_d49ebc33","line":36,"range":{"start_line":36,"start_character":36,"end_line":36,"end_character":46},"updated":"2021-05-25 17:17:12.000000000","message":"hypervisors","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"5cf5c5ae267b57961e80db1f3dcafcb3c14e1f28","unresolved":true,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Proposed change"},{"line_number":35,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":36,"context_line":"Allow project admin to list all the hyperviros they are assigned. That will be get"},{"line_number":37,"context_line":"from aggregate metadata info (\u0027filter_tenant_id\u0027). if requested project is in \u0027filter_tenant_id\u0027"},{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "}],"source_content_type":"text/x-rst","patch_set":1,"id":"98d08740_4e22899b","line":36,"range":{"start_line":36,"start_character":36,"end_line":36,"end_character":46},"updated":"2021-05-25 17:09:24.000000000","message":"hypervisors","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"744903f486c0d70033f4864b630b6f9d7398ec5f","unresolved":true,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Proposed change"},{"line_number":35,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":36,"context_line":"Allow project admin to list all the hyperviros they are assigned. That will be get"},{"line_number":37,"context_line":"from aggregate metadata info (\u0027filter_tenant_id\u0027). if requested project is in \u0027filter_tenant_id\u0027"},{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "}],"source_content_type":"text/x-rst","patch_set":1,"id":"cd94d0a1_cf5e546a","line":36,"range":{"start_line":36,"start_character":79,"end_line":36,"end_character":82},"updated":"2021-05-25 17:17:12.000000000","message":"retrieved","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"82e8bb32dfd9b33d56225be6ecdeeebc706c6b8e","unresolved":false,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Proposed change"},{"line_number":35,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":36,"context_line":"Allow project admin to list all the hyperviros they are assigned. That will be get"},{"line_number":37,"context_line":"from aggregate metadata info (\u0027filter_tenant_id\u0027). if requested project is in \u0027filter_tenant_id\u0027"},{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "}],"source_content_type":"text/x-rst","patch_set":1,"id":"51402c9e_183c508f","line":36,"range":{"start_line":36,"start_character":36,"end_line":36,"end_character":46},"in_reply_to":"98d08740_4e22899b","updated":"2021-05-25 17:41:02.000000000","message":"Done","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"82e8bb32dfd9b33d56225be6ecdeeebc706c6b8e","unresolved":false,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Proposed change"},{"line_number":35,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":36,"context_line":"Allow project admin to list all the hyperviros they are assigned. That will be get"},{"line_number":37,"context_line":"from aggregate metadata info (\u0027filter_tenant_id\u0027). if requested project is in \u0027filter_tenant_id\u0027"},{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "}],"source_content_type":"text/x-rst","patch_set":1,"id":"d1e6d474_498075e5","line":36,"range":{"start_line":36,"start_character":79,"end_line":36,"end_character":82},"in_reply_to":"cd94d0a1_cf5e546a","updated":"2021-05-25 17:41:02.000000000","message":"Done","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"744903f486c0d70033f4864b630b6f9d7398ec5f","unresolved":true,"context_lines":[{"line_number":34,"context_line":"Proposed change"},{"line_number":35,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":36,"context_line":"Allow project admin to list all the hyperviros they are assigned. That will be get"},{"line_number":37,"context_line":"from aggregate metadata info (\u0027filter_tenant_id\u0027). if requested project is in \u0027filter_tenant_id\u0027"},{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "},{"line_number":40,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"201925a3_40dca331","line":37,"range":{"start_line":37,"start_character":51,"end_line":37,"end_character":53},"updated":"2021-05-25 17:17:12.000000000","message":"If the","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"82e8bb32dfd9b33d56225be6ecdeeebc706c6b8e","unresolved":false,"context_lines":[{"line_number":34,"context_line":"Proposed change"},{"line_number":35,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":36,"context_line":"Allow project admin to list all the hyperviros they are assigned. That will be get"},{"line_number":37,"context_line":"from aggregate metadata info (\u0027filter_tenant_id\u0027). if requested project is in \u0027filter_tenant_id\u0027"},{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "},{"line_number":40,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"a1573889_6500f7f2","line":37,"range":{"start_line":37,"start_character":51,"end_line":37,"end_character":53},"in_reply_to":"201925a3_40dca331","updated":"2021-05-25 17:41:02.000000000","message":"Done","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"744903f486c0d70033f4864b630b6f9d7398ec5f","unresolved":true,"context_lines":[{"line_number":35,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":36,"context_line":"Allow project admin to list all the hyperviros they are assigned. That will be get"},{"line_number":37,"context_line":"from aggregate metadata info (\u0027filter_tenant_id\u0027). if requested project is in \u0027filter_tenant_id\u0027"},{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"The same restriction will be applied in POST /servers on specific host, means if requested"}],"source_content_type":"text/x-rst","patch_set":1,"id":"4c532c49_cc7641b4","line":38,"range":{"start_line":38,"start_character":48,"end_line":38,"end_character":54},"updated":"2021-05-25 17:17:12.000000000","message":"Alternatively, if","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"5cf5c5ae267b57961e80db1f3dcafcb3c14e1f28","unresolved":true,"context_lines":[{"line_number":36,"context_line":"Allow project admin to list all the hyperviros they are assigned. That will be get"},{"line_number":37,"context_line":"from aggregate metadata info (\u0027filter_tenant_id\u0027). if requested project is in \u0027filter_tenant_id\u0027"},{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"The same restriction will be applied in POST /servers on specific host, means if requested"},{"line_number":42,"context_line":"the host is not assigned to that project (project_id not in aggregate metadata info (\u0027filter_tenant_id\u0027).)"}],"source_content_type":"text/x-rst","patch_set":1,"id":"2d02d285_b7a63c43","line":39,"range":{"start_line":39,"start_character":0,"end_line":39,"end_character":47},"updated":"2021-05-25 17:09:24.000000000","message":"Are you saying that if this metadata is not configured, then an admin would be able to see *all* hypervisors? If so, I thought we said this wasn\u0027t an option since it was a massive security hole. If not, could you reword this to make it clearer?","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"744903f486c0d70033f4864b630b6f9d7398ec5f","unresolved":true,"context_lines":[{"line_number":36,"context_line":"Allow project admin to list all the hyperviros they are assigned. That will be get"},{"line_number":37,"context_line":"from aggregate metadata info (\u0027filter_tenant_id\u0027). if requested project is in \u0027filter_tenant_id\u0027"},{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"The same restriction will be applied in POST /servers on specific host, means if requested"},{"line_number":42,"context_line":"the host is not assigned to that project (project_id not in aggregate metadata info (\u0027filter_tenant_id\u0027).)"}],"source_content_type":"text/x-rst","patch_set":1,"id":"b7d481da_7469b3bc","line":39,"updated":"2021-05-25 17:17:12.000000000","message":"Whitesapce... but also: is this what we want as a default? Just thinking about large clouds today that do not segregate hosts per project, project-admins, which will soon not be system-admins, will suddenly be able to see all the hypervisors?\n\nI\u0027m not sure if this should be a config toggle or something else, but.. it seems like maybe we want to not just expose that to project-admin people unconditionally. Will there be a policy knob to turn that off?","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"82e8bb32dfd9b33d56225be6ecdeeebc706c6b8e","unresolved":true,"context_lines":[{"line_number":36,"context_line":"Allow project admin to list all the hyperviros they are assigned. That will be get"},{"line_number":37,"context_line":"from aggregate metadata info (\u0027filter_tenant_id\u0027). if requested project is in \u0027filter_tenant_id\u0027"},{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"The same restriction will be applied in POST /servers on specific host, means if requested"},{"line_number":42,"context_line":"the host is not assigned to that project (project_id not in aggregate metadata info (\u0027filter_tenant_id\u0027).)"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3420f4b4_a02091d7","line":39,"range":{"start_line":39,"start_character":0,"end_line":39,"end_character":47},"in_reply_to":"2d02d285_b7a63c43","updated":"2021-05-25 17:41:02.000000000","message":"I remember now, I went with the multitenancy filter logic. Agree on not to show all.","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"82e8bb32dfd9b33d56225be6ecdeeebc706c6b8e","unresolved":true,"context_lines":[{"line_number":36,"context_line":"Allow project admin to list all the hyperviros they are assigned. That will be get"},{"line_number":37,"context_line":"from aggregate metadata info (\u0027filter_tenant_id\u0027). if requested project is in \u0027filter_tenant_id\u0027"},{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"The same restriction will be applied in POST /servers on specific host, means if requested"},{"line_number":42,"context_line":"the host is not assigned to that project (project_id not in aggregate metadata info (\u0027filter_tenant_id\u0027).)"}],"source_content_type":"text/x-rst","patch_set":1,"id":"8b5a7e6b_5c7068ea","line":39,"in_reply_to":"b7d481da_7469b3bc","updated":"2021-05-25 17:41:02.000000000","message":"Agree on not to list all hypervisors for non isolated cloud. In that case we do not need separate policy as such and use existing policy to list hyperviors.","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"5cf5c5ae267b57961e80db1f3dcafcb3c14e1f28","unresolved":true,"context_lines":[{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"The same restriction will be applied in POST /servers on specific host, means if requested"},{"line_number":42,"context_line":"the host is not assigned to that project (project_id not in aggregate metadata info (\u0027filter_tenant_id\u0027).)"},{"line_number":43,"context_line":"then request will be rejected with 404 return code."},{"line_number":44,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7d490913_f6f8663a","line":41,"range":{"start_line":41,"start_character":40,"end_line":41,"end_character":53},"updated":"2021-05-25 17:09:24.000000000","message":"``POST /servers`` (here and elsewhere)","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"744903f486c0d70033f4864b630b6f9d7398ec5f","unresolved":true,"context_lines":[{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"The same restriction will be applied in POST /servers on specific host, means if requested"},{"line_number":42,"context_line":"the host is not assigned to that project (project_id not in aggregate metadata info (\u0027filter_tenant_id\u0027).)"},{"line_number":43,"context_line":"then request will be rejected with 404 return code."},{"line_number":44,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"4176626b_1e31eb3b","line":41,"range":{"start_line":41,"start_character":72,"end_line":41,"end_character":77},"updated":"2021-05-25 17:17:12.000000000","message":"meaning","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"744903f486c0d70033f4864b630b6f9d7398ec5f","unresolved":true,"context_lines":[{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"The same restriction will be applied in POST /servers on specific host, means if requested"},{"line_number":42,"context_line":"the host is not assigned to that project (project_id not in aggregate metadata info (\u0027filter_tenant_id\u0027).)"},{"line_number":43,"context_line":"then request will be rejected with 404 return code."},{"line_number":44,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"17c830aa_c4505b8c","line":41,"range":{"start_line":41,"start_character":54,"end_line":41,"end_character":57},"updated":"2021-05-25 17:17:12.000000000","message":"requesting a","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"82e8bb32dfd9b33d56225be6ecdeeebc706c6b8e","unresolved":false,"context_lines":[{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"The same restriction will be applied in POST /servers on specific host, means if requested"},{"line_number":42,"context_line":"the host is not assigned to that project (project_id not in aggregate metadata info (\u0027filter_tenant_id\u0027).)"},{"line_number":43,"context_line":"then request will be rejected with 404 return code."},{"line_number":44,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"8ed6780d_7085e24e","line":41,"range":{"start_line":41,"start_character":54,"end_line":41,"end_character":57},"in_reply_to":"17c830aa_c4505b8c","updated":"2021-05-25 17:41:02.000000000","message":"Done","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"82e8bb32dfd9b33d56225be6ecdeeebc706c6b8e","unresolved":false,"context_lines":[{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"The same restriction will be applied in POST /servers on specific host, means if requested"},{"line_number":42,"context_line":"the host is not assigned to that project (project_id not in aggregate metadata info (\u0027filter_tenant_id\u0027).)"},{"line_number":43,"context_line":"then request will be rejected with 404 return code."},{"line_number":44,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"6a1f88fb_8cd6e0f2","line":41,"range":{"start_line":41,"start_character":72,"end_line":41,"end_character":77},"in_reply_to":"4176626b_1e31eb3b","updated":"2021-05-25 17:41:02.000000000","message":"Done","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"82e8bb32dfd9b33d56225be6ecdeeebc706c6b8e","unresolved":false,"context_lines":[{"line_number":38,"context_line":"then that host will be listed for project admin. Or if no project listed in \u0027filter_tenant_id\u0027"},{"line_number":39,"context_line":"then allow all hosts to list for project admin. "},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"The same restriction will be applied in POST /servers on specific host, means if requested"},{"line_number":42,"context_line":"the host is not assigned to that project (project_id not in aggregate metadata info (\u0027filter_tenant_id\u0027).)"},{"line_number":43,"context_line":"then request will be rejected with 404 return code."},{"line_number":44,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"0b676fd5_185fedbb","line":41,"range":{"start_line":41,"start_character":40,"end_line":41,"end_character":53},"in_reply_to":"7d490913_f6f8663a","updated":"2021-05-25 17:41:02.000000000","message":"Done","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"744903f486c0d70033f4864b630b6f9d7398ec5f","unresolved":true,"context_lines":[{"line_number":63,"context_line":""},{"line_number":64,"context_line":"GET /os-hypervisors "},{"line_number":65,"context_line":"- Allow policy \u0027os_compute_api:os-hypervisors:list\u0027 to project admin also"},{"line_number":66,"context_line":"- if policy pass then return the hosts which are assigned to project in response body"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"POST /servers"},{"line_number":69,"context_line":"- Check if requested host is assigned to project or not"}],"source_content_type":"text/x-rst","patch_set":1,"id":"f9fbdbf1_2c41f06a","line":66,"updated":"2021-05-25 17:17:12.000000000","message":"Right now, this exposes all hypervisors for the whole deployment, but after the change, it will only ever list them for $project, is that right? Don\u0027t we need to retain the existing list-everything for full admins? Or are you going to determine what to do based on policy?\n\nAlso, you didn\u0027t mention it, but I think we discussed... won\u0027t we be exposing the obfuscated host id from this if they\u0027re just project admin? Won\u0027t that be an API change? I forget how this currently works...","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f40b62233c1bd0dbeb9d94d87e90731c3b325eda","unresolved":true,"context_lines":[{"line_number":63,"context_line":""},{"line_number":64,"context_line":"GET /os-hypervisors "},{"line_number":65,"context_line":"- Allow policy \u0027os_compute_api:os-hypervisors:list\u0027 to project admin also"},{"line_number":66,"context_line":"- if policy pass then return the hosts which are assigned to project in response body"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"POST /servers"},{"line_number":69,"context_line":"- Check if requested host is assigned to project or not"}],"source_content_type":"text/x-rst","patch_set":1,"id":"036f41a5_6de6ab94","line":66,"in_reply_to":"1c011451_8a69b396","updated":"2021-05-27 18:08:22.000000000","message":"yeah, we discussed this in IRC and agreed to return the uuid instead of hypervisor name.\n\nDetail discussion: http://eavesdrop.openstack.org/irclogs/%23openstack-nova/%23openstack-nova.2021-05-27.log.html#t2021-05-27T16:48:11","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"5a999d16f9620da9c5539e830eacadb3d6dbb42e","unresolved":true,"context_lines":[{"line_number":63,"context_line":""},{"line_number":64,"context_line":"GET /os-hypervisors "},{"line_number":65,"context_line":"- Allow policy \u0027os_compute_api:os-hypervisors:list\u0027 to project admin also"},{"line_number":66,"context_line":"- if policy pass then return the hosts which are assigned to project in response body"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"POST /servers"},{"line_number":69,"context_line":"- Check if requested host is assigned to project or not"}],"source_content_type":"text/x-rst","patch_set":1,"id":"de79a4d2_ade0c332","line":66,"in_reply_to":"2472968e_7c95f0b9","updated":"2021-05-27 16:52:44.000000000","message":"Well, that\u0027s why I was asking - because I\u0027d want to know how we were going to do the hashing.\n\nRight now, admin is admin, so it makes sense that admins know about hostnames, since they have total control anyway, right? But if we\u0027re going to separate the notion of system-admin (can see hostnames and other infra details) from project-admin (can have more control over resources in the project than member) then I would think it\u0027s proper to hide actual hostnames from project admins.\n\nIf I\u0027m a public cloud and I want to be able to delegate some more project-admin\u0027y stuff to customers like controlling where in their allotted hosts they boot stuff, I don\u0027t necessarily want to expose the hostnames which may expose more network or hardware details to them than they really need.\n\nIsn\u0027t the point of project admin to be \"trusted to do more stuff but not trusted with keys to the castle\"?","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"03c4ce73aa480cdfd95d1d1f15b27411f7b7d5d1","unresolved":true,"context_lines":[{"line_number":63,"context_line":""},{"line_number":64,"context_line":"GET /os-hypervisors "},{"line_number":65,"context_line":"- Allow policy \u0027os_compute_api:os-hypervisors:list\u0027 to project admin also"},{"line_number":66,"context_line":"- if policy pass then return the hosts which are assigned to project in response body"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"POST /servers"},{"line_number":69,"context_line":"- Check if requested host is assigned to project or not"}],"source_content_type":"text/x-rst","patch_set":1,"id":"2472968e_7c95f0b9","line":66,"in_reply_to":"36260055_fa375090","updated":"2021-05-26 00:23:53.000000000","message":"If we return obfuscated hosts to project admin then how they are going to use it in POST /servers request which expect actual host (in force_host or requested_destination request) ? use case here is that project admin can pass actual host name in boot server force_host or requested_destination request.","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"0a1a0abce7f8faa889a6505161059a46c1ff39ed","unresolved":true,"context_lines":[{"line_number":63,"context_line":""},{"line_number":64,"context_line":"GET /os-hypervisors "},{"line_number":65,"context_line":"- Allow policy \u0027os_compute_api:os-hypervisors:list\u0027 to project admin also"},{"line_number":66,"context_line":"- if policy pass then return the hosts which are assigned to project in response body"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"POST /servers"},{"line_number":69,"context_line":"- Check if requested host is assigned to project or not"}],"source_content_type":"text/x-rst","patch_set":1,"id":"36260055_fa375090","line":66,"in_reply_to":"9e89fb66_4b8759c6","updated":"2021-05-25 17:45:19.000000000","message":"\u003e we will checking if requester is system token or project admin (we can check it from request context.system_scope) and if it is system then no change in what we have currently which means return full list. If project admin then we check the host aggregate metadata and return only host assigned to that project.\n\nOkay, that\u0027s cool, although it\u0027s a change people may not be ready for immediately. But, probably not something that we should hide behind a microversion I guess.\n\n\u003e on 2nd question, I am not so clear. are you saying instead of returning full list [1] which has status and name also we should just return id for project admin case? if so I might have missed this in discussion, but if we do that then yes it is API change and so might need microversion. I think we can just return all the field we return to system admin too but only for host assigned to that project. is that fine?\n\nWhen you show the details of a server, if you are not admin you are not able to see the _actual_ hostname of the hypervisor you\u0027re on. You see an obfuscated one which is a hash of the actual name and your project, to avoid leaking details of the infrastructure to non-admins. I would expect that a project admin should see a list of these obfuscated hosts, and not the actual hostnames. Only system admins should be able to see the real hostname.","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"35036be0745bfab82e42b48f60379c9c822b2943","unresolved":true,"context_lines":[{"line_number":63,"context_line":""},{"line_number":64,"context_line":"GET /os-hypervisors "},{"line_number":65,"context_line":"- Allow policy \u0027os_compute_api:os-hypervisors:list\u0027 to project admin also"},{"line_number":66,"context_line":"- if policy pass then return the hosts which are assigned to project in response body"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"POST /servers"},{"line_number":69,"context_line":"- Check if requested host is assigned to project or not"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1c011451_8a69b396","line":66,"in_reply_to":"de79a4d2_ade0c332","updated":"2021-05-27 17:01:11.000000000","message":"Note that as of 2.53 we expose the server uuid in the hypervisor list. We could just make it so that the requested_destination will look up the host by uuid if the provided destination doesn\u0027t match any hostname. That\u0027s not scoped per project the way the obfuscated host id is, but it\u0027s a lot better than exposing the hostname I think.","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"82e8bb32dfd9b33d56225be6ecdeeebc706c6b8e","unresolved":true,"context_lines":[{"line_number":63,"context_line":""},{"line_number":64,"context_line":"GET /os-hypervisors "},{"line_number":65,"context_line":"- Allow policy \u0027os_compute_api:os-hypervisors:list\u0027 to project admin also"},{"line_number":66,"context_line":"- if policy pass then return the hosts which are assigned to project in response body"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"POST /servers"},{"line_number":69,"context_line":"- Check if requested host is assigned to project or not"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9e89fb66_4b8759c6","line":66,"in_reply_to":"f9fbdbf1_2c41f06a","updated":"2021-05-25 17:41:02.000000000","message":"we will checking if requester is system token or project admin (we can check it from request context.system_scope) and if it is system then no change in what we have currently which means return full list. If project admin then we check the host aggregate metadata and return only host assigned to that project.\n\non 2nd question, I am not so clear. are you saying instead of returning full list [1] which has status and name also we should just return id for project admin case? if so I might have missed this in discussion, but if we do that then yes it is API change and so might need microversion. I think we can just return all the field we return to system admin too but only for host assigned to that project. is that fine?\n\n[1]https://github.com/openstack/nova/blob/master/doc/api_samples/os-hypervisors/hypervisors-list-resp.json","commit_id":"51d16e16fcd5853e10bece042286b1cee8c3ab1f"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"011a5f6e9e7fea2e6a6758d0bdbc943fc5bdfeab","unresolved":true,"context_lines":[{"line_number":10,"context_line":"https://blueprints.launchpad.net/nova/+spec/allow-project-admin-list-hypervisors"},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"Allow Project admin to list the allowed hypervisors for that project so that"},{"line_number":13,"context_line":"they can create a server to specify the host in POST /servers API."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"Problem description"},{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"78af8011_992e9f8e","line":13,"range":{"start_line":13,"start_character":48,"end_line":13,"end_character":61},"updated":"2021-05-26 16:15:51.000000000","message":"nit: ``POST /servers``","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"904c3c5a3194ca0aad5cc01bd2200fa7a147dc87","unresolved":false,"context_lines":[{"line_number":10,"context_line":"https://blueprints.launchpad.net/nova/+spec/allow-project-admin-list-hypervisors"},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"Allow Project admin to list the allowed hypervisors for that project so that"},{"line_number":13,"context_line":"they can create a server to specify the host in POST /servers API."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"Problem description"},{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"6cd70a17_03c5b09c","line":13,"range":{"start_line":13,"start_character":48,"end_line":13,"end_character":61},"in_reply_to":"78af8011_992e9f8e","updated":"2021-05-27 16:47:28.000000000","message":"Done","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2d8662bc40892fec720477d7bd754facf47fa90e","unresolved":true,"context_lines":[{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Project admin can currently create a server on a specific hypervisor (via host"},{"line_number":19,"context_line":"inavailability_zone field). But project admin is not allowed to"},{"line_number":20,"context_line":"`list the hypervisors`__ On the other hand, only system admins or system"},{"line_number":21,"context_line":"readers can list hypervisors but they cannot create a server on the project\u0027s"},{"line_number":22,"context_line":"behalf because there is no way to pass the `project_id in POST /servers API`__."}],"source_content_type":"text/x-rst","patch_set":2,"id":"fd2c7898_f0527a85","line":19,"range":{"start_line":19,"start_character":0,"end_line":19,"end_character":19},"updated":"2021-05-26 11:29:09.000000000","message":"nit: in the availability_zone","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"904c3c5a3194ca0aad5cc01bd2200fa7a147dc87","unresolved":false,"context_lines":[{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Project admin can currently create a server on a specific hypervisor (via host"},{"line_number":19,"context_line":"inavailability_zone field). But project admin is not allowed to"},{"line_number":20,"context_line":"`list the hypervisors`__ On the other hand, only system admins or system"},{"line_number":21,"context_line":"readers can list hypervisors but they cannot create a server on the project\u0027s"},{"line_number":22,"context_line":"behalf because there is no way to pass the `project_id in POST /servers API`__."}],"source_content_type":"text/x-rst","patch_set":2,"id":"f63c8646_a6b52fae","line":19,"range":{"start_line":19,"start_character":0,"end_line":19,"end_character":19},"in_reply_to":"fd2c7898_f0527a85","updated":"2021-05-27 16:47:28.000000000","message":":), sorry. done","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"011a5f6e9e7fea2e6a6758d0bdbc943fc5bdfeab","unresolved":true,"context_lines":[{"line_number":36,"context_line":"Proposed change"},{"line_number":37,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":38,"context_line":"Allow project admin to list all the hypervisors they are assigned. That will be"},{"line_number":39,"context_line":"retrieved from aggregate metadata info (``filter_tenant_id``). If the requested"},{"line_number":40,"context_line":"project is in ``filter_tenant_id`` then that host will be listed for project"},{"line_number":41,"context_line":"admin. If no project listed in ``filter_tenant_id`` then return empty list."},{"line_number":42,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"c408bbe0_e95dc22e","line":39,"range":{"start_line":39,"start_character":15,"end_line":39,"end_character":62},"updated":"2021-05-26 16:15:51.000000000","message":"Rather than doing this, could we simply add a new attribute to ComputeNode that stores a project or projects to which it is assigned? I\u0027m not sure if there are significant advantages to this but it does seem more obvious","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"b1e0cf8c557d8fc1cb591536c300d775c46ac94e","unresolved":true,"context_lines":[{"line_number":36,"context_line":"Proposed change"},{"line_number":37,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":38,"context_line":"Allow project admin to list all the hypervisors they are assigned. That will be"},{"line_number":39,"context_line":"retrieved from aggregate metadata info (``filter_tenant_id``). If the requested"},{"line_number":40,"context_line":"project is in ``filter_tenant_id`` then that host will be listed for project"},{"line_number":41,"context_line":"admin. If no project listed in ``filter_tenant_id`` then return empty list."},{"line_number":42,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"cac430f3_9504ea3e","line":39,"range":{"start_line":39,"start_character":15,"end_line":39,"end_character":62},"in_reply_to":"c408bbe0_e95dc22e","updated":"2021-05-26 16:36:46.000000000","message":"This is how people currently segregate computes by tenant, as honored by our filter and placement pre-filter. Adding something else means we have to keep those in sync. Also, since aggregates can overlap, we\u0027d need to do set math to keep that list correct.\n\nI think what gmann has here is the right way to do it.","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"904c3c5a3194ca0aad5cc01bd2200fa7a147dc87","unresolved":true,"context_lines":[{"line_number":36,"context_line":"Proposed change"},{"line_number":37,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":38,"context_line":"Allow project admin to list all the hypervisors they are assigned. That will be"},{"line_number":39,"context_line":"retrieved from aggregate metadata info (``filter_tenant_id``). If the requested"},{"line_number":40,"context_line":"project is in ``filter_tenant_id`` then that host will be listed for project"},{"line_number":41,"context_line":"admin. If no project listed in ``filter_tenant_id`` then return empty list."},{"line_number":42,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"f74eee13_d2cd013e","line":39,"range":{"start_line":39,"start_character":15,"end_line":39,"end_character":62},"in_reply_to":"cac430f3_9504ea3e","updated":"2021-05-27 16:47:28.000000000","message":"ack","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2d8662bc40892fec720477d7bd754facf47fa90e","unresolved":true,"context_lines":[{"line_number":38,"context_line":"Allow project admin to list all the hypervisors they are assigned. That will be"},{"line_number":39,"context_line":"retrieved from aggregate metadata info (``filter_tenant_id``). If the requested"},{"line_number":40,"context_line":"project is in ``filter_tenant_id`` then that host will be listed for project"},{"line_number":41,"context_line":"admin. If no project listed in ``filter_tenant_id`` then return empty list."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"The same restriction will be applied in ``POST /servers`` on specific host,"},{"line_number":44,"context_line":"meaning if requesting a host is not assigned to that project (project_id not"}],"source_content_type":"text/x-rst","patch_set":2,"id":"f0dab006_8c6987c6","line":41,"updated":"2021-05-26 11:29:09.000000000","message":"Today nothing is listed as the project admin gets 403 forbidden. But after it without any aggregate configuration the same user will get an empty list. I think this is a good step forward. \n\nI\u0027m just wondering if the deployer changed the API policy to allow arbitrary user querying hypervisors in its cloud then when this deployer upgrades then this new implementation potentially breaks the user who got the full list before the upgrade. Can we make this behavior depending on the policy configuration as well? If not then at least an upgrade check should be added that warns the deployer that his customized policy might conflict with our newly introduced behavior and they should consider the custom policy to be removed in favor of this new feature.","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"904c3c5a3194ca0aad5cc01bd2200fa7a147dc87","unresolved":true,"context_lines":[{"line_number":38,"context_line":"Allow project admin to list all the hypervisors they are assigned. That will be"},{"line_number":39,"context_line":"retrieved from aggregate metadata info (``filter_tenant_id``). If the requested"},{"line_number":40,"context_line":"project is in ``filter_tenant_id`` then that host will be listed for project"},{"line_number":41,"context_line":"admin. If no project listed in ``filter_tenant_id`` then return empty list."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"The same restriction will be applied in ``POST /servers`` on specific host,"},{"line_number":44,"context_line":"meaning if requesting a host is not assigned to that project (project_id not"}],"source_content_type":"text/x-rst","patch_set":2,"id":"6759febd_915006d4","line":41,"in_reply_to":"f0dab006_8c6987c6","updated":"2021-05-27 16:47:28.000000000","message":"I see, this is good point. With the existing policy we would not be able to do this unless we check if policy is overridden to non-default (this is not good check i think)/\n\nWe can add a new policy here something like \u0027os_compute_api:os-hypervisors:list:allow_full_list\u0027","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"03c4ce73aa480cdfd95d1d1f15b27411f7b7d5d1","unresolved":true,"context_lines":[{"line_number":40,"context_line":"project is in ``filter_tenant_id`` then that host will be listed for project"},{"line_number":41,"context_line":"admin. If no project listed in ``filter_tenant_id`` then return empty list."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"The same restriction will be applied in ``POST /servers`` on specific host,"},{"line_number":44,"context_line":"meaning if requesting a host is not assigned to that project (project_id not"},{"line_number":45,"context_line":"in aggregate metadata info (``filter_tenant_id``).) then request will be"},{"line_number":46,"context_line":"rejected with 404 return code."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"Basically, the same utility method can be used in both APIs to know the list"},{"line_number":49,"context_line":"of allowed hosts for the project."}],"source_content_type":"text/x-rst","patch_set":2,"id":"3c1b896f_aaef4ea8","line":46,"range":{"start_line":43,"start_character":0,"end_line":46,"end_character":30},"updated":"2021-05-26 00:23:53.000000000","message":"I think this part need microversion? This will restrict some of the request which are passing now and start failing for host not assigned to them in tenant isolated cloud ?\n\nI would like to get more opinion on this part.","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"011a5f6e9e7fea2e6a6758d0bdbc943fc5bdfeab","unresolved":true,"context_lines":[{"line_number":40,"context_line":"project is in ``filter_tenant_id`` then that host will be listed for project"},{"line_number":41,"context_line":"admin. If no project listed in ``filter_tenant_id`` then return empty list."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"The same restriction will be applied in ``POST /servers`` on specific host,"},{"line_number":44,"context_line":"meaning if requesting a host is not assigned to that project (project_id not"},{"line_number":45,"context_line":"in aggregate metadata info (``filter_tenant_id``).) then request will be"},{"line_number":46,"context_line":"rejected with 404 return code."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"Basically, the same utility method can be used in both APIs to know the list"},{"line_number":49,"context_line":"of allowed hosts for the project."}],"source_content_type":"text/x-rst","patch_set":2,"id":"b55d8589_ec689f4d","line":46,"range":{"start_line":43,"start_character":0,"end_line":46,"end_character":30},"in_reply_to":"027a1660_fb69a232","updated":"2021-05-26 16:15:51.000000000","message":"Agreed that we shouldn\u0027t change this behavior. I would drop this paragraph","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2d8662bc40892fec720477d7bd754facf47fa90e","unresolved":true,"context_lines":[{"line_number":40,"context_line":"project is in ``filter_tenant_id`` then that host will be listed for project"},{"line_number":41,"context_line":"admin. If no project listed in ``filter_tenant_id`` then return empty list."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"The same restriction will be applied in ``POST /servers`` on specific host,"},{"line_number":44,"context_line":"meaning if requesting a host is not assigned to that project (project_id not"},{"line_number":45,"context_line":"in aggregate metadata info (``filter_tenant_id``).) then request will be"},{"line_number":46,"context_line":"rejected with 404 return code."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"Basically, the same utility method can be used in both APIs to know the list"},{"line_number":49,"context_line":"of allowed hosts for the project."}],"source_content_type":"text/x-rst","patch_set":2,"id":"027a1660_fb69a232","line":46,"range":{"start_line":43,"start_character":0,"end_line":46,"end_character":30},"in_reply_to":"3c1b896f_aaef4ea8","updated":"2021-05-26 11:29:09.000000000","message":"You mean if the project admin today get to know some valid hypervisor_hostname in the system (e.g. via like an email from an system admin) then today such project admin can use POST /servers with that hostname and the VM will boot. I think this is a valid behavior. I would even say we should not remove this possibility. Keep the possibility for the system admin to decide \na) to either set up aggregates and let the project admin use the new API to query the hosts in them\nb) or not set up aggregates but share some hostnames with the project admin out of band\n\nI know that if we bump the microversion for it then the old microversion still can be used to implement b). But a later microversion extending POST /servers with an arbitrary but useful feature would make it impossible to use b) and the new useful feature together.\n\nbottom line: I would not change this behavior. But if we do change it as other reviewers agree on it, then please do it via a microversion bump.","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"904c3c5a3194ca0aad5cc01bd2200fa7a147dc87","unresolved":true,"context_lines":[{"line_number":40,"context_line":"project is in ``filter_tenant_id`` then that host will be listed for project"},{"line_number":41,"context_line":"admin. If no project listed in ``filter_tenant_id`` then return empty list."},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"The same restriction will be applied in ``POST /servers`` on specific host,"},{"line_number":44,"context_line":"meaning if requesting a host is not assigned to that project (project_id not"},{"line_number":45,"context_line":"in aggregate metadata info (``filter_tenant_id``).) then request will be"},{"line_number":46,"context_line":"rejected with 404 return code."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"Basically, the same utility method can be used in both APIs to know the list"},{"line_number":49,"context_line":"of allowed hosts for the project."}],"source_content_type":"text/x-rst","patch_set":2,"id":"988a3fa3_bb345b50","line":46,"range":{"start_line":43,"start_character":0,"end_line":46,"end_character":30},"in_reply_to":"b55d8589_ec689f4d","updated":"2021-05-27 16:47:28.000000000","message":"sure, that is what I thought, there might be some customer contract to let special users about hosts in some other way than API. done","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2d8662bc40892fec720477d7bd754facf47fa90e","unresolved":true,"context_lines":[{"line_number":52,"context_line":"------------"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Allow ``project_id`` in the request body of POST /servers API so that system"},{"line_number":55,"context_line":"user can create server on behalf of the project."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Data model impact"},{"line_number":58,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"013cb63b_11e9da21","line":55,"updated":"2021-05-26 11:29:09.000000000","message":"Could this be an independent but useful feauture? E.g. a system admin regardless of the existence of the project admin might want to create VMs for a project user. I\u0027m not saying we have to implement it now. Just wanted to no that such use case might make sense in other perspective.","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"904c3c5a3194ca0aad5cc01bd2200fa7a147dc87","unresolved":true,"context_lines":[{"line_number":52,"context_line":"------------"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Allow ``project_id`` in the request body of POST /servers API so that system"},{"line_number":55,"context_line":"user can create server on behalf of the project."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Data model impact"},{"line_number":58,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"4a65ebe7_d4739321","line":55,"in_reply_to":"013cb63b_11e9da21","updated":"2021-05-27 16:47:28.000000000","message":"sure, but having that in alternate is fine right? I means for this use it is alternate but for some other use case like you mentioned it is separately independent feature.\n\nor you want it to be removed from here?","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2e8414fcc5c33904d774b4114da86a13d44d4aa5","unresolved":true,"context_lines":[{"line_number":52,"context_line":"------------"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Allow ``project_id`` in the request body of POST /servers API so that system"},{"line_number":55,"context_line":"user can create server on behalf of the project."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Data model impact"},{"line_number":58,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"e48f0b66_fa272a69","line":55,"in_reply_to":"4a65ebe7_d4739321","updated":"2021-06-02 10:10:58.000000000","message":"good as is.","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2d8662bc40892fec720477d7bd754facf47fa90e","unresolved":true,"context_lines":[{"line_number":78,"context_line":""},{"line_number":79,"context_line":"- Check if requested host is assigned to project or not"},{"line_number":80,"context_line":"- If no then return 400 otherwise continue the request"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"Security impact"},{"line_number":83,"context_line":"---------------"},{"line_number":84,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"f7ecde07_b88de2d7","line":81,"updated":"2021-05-26 11:29:09.000000000","message":"Just want to clarify that this also means that the project admin still not see the OS-EXT-SRV-ATTR:hypervisor_hostname field in the POST /servers response even if the value of it would be already known to them.","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2e8414fcc5c33904d774b4114da86a13d44d4aa5","unresolved":true,"context_lines":[{"line_number":78,"context_line":""},{"line_number":79,"context_line":"- Check if requested host is assigned to project or not"},{"line_number":80,"context_line":"- If no then return 400 otherwise continue the request"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"Security impact"},{"line_number":83,"context_line":"---------------"},{"line_number":84,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"ebeee337_685ce633","line":81,"in_reply_to":"03816749_44fc7ec0","updated":"2021-06-02 10:10:58.000000000","message":"I think that OS-EXT-SRV-ATTR:hypervisor_hostname  is admin only today. So my question is will this attribute visible for the project admin?","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"904c3c5a3194ca0aad5cc01bd2200fa7a147dc87","unresolved":true,"context_lines":[{"line_number":78,"context_line":""},{"line_number":79,"context_line":"- Check if requested host is assigned to project or not"},{"line_number":80,"context_line":"- If no then return 400 otherwise continue the request"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"Security impact"},{"line_number":83,"context_line":"---------------"},{"line_number":84,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"03816749_44fc7ec0","line":81,"in_reply_to":"6d50fd96_01aa06e5","updated":"2021-05-27 16:47:28.000000000","message":"I am not completely getting this point. \n\nOS-EXT-SRV-ATTR:hypervisor_hostname (also OS-EXT-SRV-ATTR:hostname, OS-EXT-SRV-ATTR:host) is shown in GET /servers (details) API irrespective of assigned host or not.\n\nare you saying we should show it in POST response too?","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"011a5f6e9e7fea2e6a6758d0bdbc943fc5bdfeab","unresolved":true,"context_lines":[{"line_number":78,"context_line":""},{"line_number":79,"context_line":"- Check if requested host is assigned to project or not"},{"line_number":80,"context_line":"- If no then return 400 otherwise continue the request"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"Security impact"},{"line_number":83,"context_line":"---------------"},{"line_number":84,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"6d50fd96_01aa06e5","line":81,"in_reply_to":"f7ecde07_b88de2d7","updated":"2021-05-26 16:15:51.000000000","message":"Good point. Do we want to start showing this to users if they \"own\" the host? If we do, we should probably drop the prefix in a microversion. We could do this in the same microversion as the hostname change.","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2d8662bc40892fec720477d7bd754facf47fa90e","unresolved":true,"context_lines":[{"line_number":112,"context_line":"Upgrade impact"},{"line_number":113,"context_line":"--------------"},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"None."},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"Implementation"},{"line_number":118,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"b9d7f03b_cc95cb7d","line":115,"updated":"2021-05-26 11:29:09.000000000","message":"See my comment on L41 about a possible upgrade impact","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"904c3c5a3194ca0aad5cc01bd2200fa7a147dc87","unresolved":false,"context_lines":[{"line_number":112,"context_line":"Upgrade impact"},{"line_number":113,"context_line":"--------------"},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"None."},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"Implementation"},{"line_number":118,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"da847b90_7b111d83","line":115,"in_reply_to":"b9d7f03b_cc95cb7d","updated":"2021-05-27 16:47:28.000000000","message":"Ack","commit_id":"40433590046d57443705811e843c2c89ffda8787"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"8fd0d4277cfd114f64e6f1643eb8d2f97db833f0","unresolved":true,"context_lines":[{"line_number":40,"context_line":"If the requested project is in ``filter_tenant_id`` then that host will be"},{"line_number":41,"context_line":"listed for project admin. If no project is listed in ``filter_tenant_id`` then"},{"line_number":42,"context_line":"return an empty list. Only hypervisors\u0027 ``uuid`` will be returned for project"},{"line_number":43,"context_line":"admin, and the rest of the fields will be returned as ``hidden``."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"A new API policy will be introduced to switch the above behaviour to always"},{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."}],"source_content_type":"text/x-rst","patch_set":3,"id":"8d51cfbc_0cf90af0","line":43,"range":{"start_line":43,"start_character":11,"end_line":43,"end_character":65},"updated":"2021-06-02 13:49:11.000000000","message":"Hmm, isn\u0027t the point for them to be able to see some of the machine details like cpu, ram, disk? I\u0027m not sure what the point is of being able to see all your hypervisors, without some detail. The thing I was objecting to was exposing the identifying information that may contain infrastructure details (i.e. the hostname).","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"c0aac526ea46b807b734540cbe862b9ead1fd436","unresolved":true,"context_lines":[{"line_number":40,"context_line":"If the requested project is in ``filter_tenant_id`` then that host will be"},{"line_number":41,"context_line":"listed for project admin. If no project is listed in ``filter_tenant_id`` then"},{"line_number":42,"context_line":"return an empty list. Only hypervisors\u0027 ``uuid`` will be returned for project"},{"line_number":43,"context_line":"admin, and the rest of the fields will be returned as ``hidden``."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"A new API policy will be introduced to switch the above behaviour to always"},{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."}],"source_content_type":"text/x-rst","patch_set":3,"id":"57e81a72_6adb893c","line":43,"range":{"start_line":43,"start_character":11,"end_line":43,"end_character":65},"in_reply_to":"4cc3254a_2c04aeed","updated":"2021-07-14 17:37:52.000000000","message":"\u003e I see your point. cpu, ram, disk etc info are removed from hypervisor API in wallaby[1]. The complete list/info we return in hypervisor API is \n\u003e - https://github.com/openstack/nova/blob/master/doc/api_samples/os-hypervisors/v2.88/hypervisors-show-resp.json\n\nUh, oh, I missed that. Not sure what the point of that was as it seems like it removes a lot of the useful information people were relying on to make sure that nova was seeing their full set of resources. But, okay.\n\n\u003e from that list, how about returning the below info:\n\u003e \n\u003e - state\n\u003e - status\n\u003e - uptime\n\nAck, yep.","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"713f20bcfd1941ea2d2e0925e9b93036bbb2cf1a","unresolved":false,"context_lines":[{"line_number":40,"context_line":"If the requested project is in ``filter_tenant_id`` then that host will be"},{"line_number":41,"context_line":"listed for project admin. If no project is listed in ``filter_tenant_id`` then"},{"line_number":42,"context_line":"return an empty list. Only hypervisors\u0027 ``uuid`` will be returned for project"},{"line_number":43,"context_line":"admin, and the rest of the fields will be returned as ``hidden``."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"A new API policy will be introduced to switch the above behaviour to always"},{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."}],"source_content_type":"text/x-rst","patch_set":3,"id":"bf4dc181_600badf8","line":43,"range":{"start_line":43,"start_character":11,"end_line":43,"end_character":65},"in_reply_to":"57e81a72_6adb893c","updated":"2021-07-14 18:14:49.000000000","message":"Done","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9070cb16c3ace34ee03a2dec82653a58fd01f724","unresolved":true,"context_lines":[{"line_number":40,"context_line":"If the requested project is in ``filter_tenant_id`` then that host will be"},{"line_number":41,"context_line":"listed for project admin. If no project is listed in ``filter_tenant_id`` then"},{"line_number":42,"context_line":"return an empty list. Only hypervisors\u0027 ``uuid`` will be returned for project"},{"line_number":43,"context_line":"admin, and the rest of the fields will be returned as ``hidden``."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"A new API policy will be introduced to switch the above behaviour to always"},{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."}],"source_content_type":"text/x-rst","patch_set":3,"id":"4cc3254a_2c04aeed","line":43,"range":{"start_line":43,"start_character":11,"end_line":43,"end_character":65},"in_reply_to":"8d51cfbc_0cf90af0","updated":"2021-07-14 17:17:18.000000000","message":"I see your point. cpu, ram, disk etc info are removed from hypervisor API in wallaby[1]. The complete list/info we return in hypervisor API is \n- https://github.com/openstack/nova/blob/master/doc/api_samples/os-hypervisors/v2.88/hypervisors-show-resp.json\n\nfrom that list, how about returning the below info:\n\n- state\n- status\n- uptime\n\n\n[1] https://specs.openstack.org/openstack/nova-specs/specs/wallaby/implemented/modernize-os-hypervisors-api.html","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9d51fa4a57627660caf591537b45cdf1f5684d50","unresolved":false,"context_lines":[{"line_number":40,"context_line":"If the requested project is in ``filter_tenant_id`` then that host will be"},{"line_number":41,"context_line":"listed for project admin. If no project is listed in ``filter_tenant_id`` then"},{"line_number":42,"context_line":"return an empty list. Only hypervisors\u0027 ``uuid`` will be returned for project"},{"line_number":43,"context_line":"admin, and the rest of the fields will be returned as ``hidden``."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"A new API policy will be introduced to switch the above behaviour to always"},{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."}],"source_content_type":"text/x-rst","patch_set":3,"id":"ffba122f_165f6afd","line":43,"range":{"start_line":43,"start_character":11,"end_line":43,"end_character":65},"in_reply_to":"bf4dc181_600badf8","updated":"2021-11-17 00:09:20.000000000","message":"I realize that uptime is not returned in hypervisors list but in hypervisors detail list. so removing it for project admin also.","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2e8414fcc5c33904d774b4114da86a13d44d4aa5","unresolved":true,"context_lines":[{"line_number":41,"context_line":"listed for project admin. If no project is listed in ``filter_tenant_id`` then"},{"line_number":42,"context_line":"return an empty list. Only hypervisors\u0027 ``uuid`` will be returned for project"},{"line_number":43,"context_line":"admin, and the rest of the fields will be returned as ``hidden``."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"A new API policy will be introduced to switch the above behaviour to always"},{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."},{"line_number":47,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"2f6adb0b_3b914009","line":44,"updated":"2021-06-02 10:10:58.000000000","message":"Do we need to change the POST /servers API to accept the hypervisor uuid instead of hypervisor_hostname to target a specific compute node?","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"8fd0d4277cfd114f64e6f1643eb8d2f97db833f0","unresolved":true,"context_lines":[{"line_number":41,"context_line":"listed for project admin. If no project is listed in ``filter_tenant_id`` then"},{"line_number":42,"context_line":"return an empty list. Only hypervisors\u0027 ``uuid`` will be returned for project"},{"line_number":43,"context_line":"admin, and the rest of the fields will be returned as ``hidden``."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"A new API policy will be introduced to switch the above behaviour to always"},{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."},{"line_number":47,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"36ac4267_8b47c38f","line":44,"in_reply_to":"2f6adb0b_3b914009","updated":"2021-06-02 13:49:11.000000000","message":"Yes.","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9070cb16c3ace34ee03a2dec82653a58fd01f724","unresolved":true,"context_lines":[{"line_number":41,"context_line":"listed for project admin. If no project is listed in ``filter_tenant_id`` then"},{"line_number":42,"context_line":"return an empty list. Only hypervisors\u0027 ``uuid`` will be returned for project"},{"line_number":43,"context_line":"admin, and the rest of the fields will be returned as ``hidden``."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"A new API policy will be introduced to switch the above behaviour to always"},{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."},{"line_number":47,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"5fa02390_4c9e80eb","line":44,"in_reply_to":"36ac4267_8b47c38f","updated":"2021-07-14 17:17:18.000000000","message":"so we can accept both uuid as well as name. As hostname is taken in AZ as name-pattern[1] or hostname pattern (string pattern) for force-host case[2], allowing uuid also does not actually change the API.\n\n[1] https://github.com/openstack/nova/blob/9e7cd668694d427df5618fb77a860b3daf83d8e8/nova/api/openstack/compute/schemas/servers.py#L184\n\n[2] https://github.com/openstack/nova/blob/9e7cd668694d427df5618fb77a860b3daf83d8e8/nova/api/openstack/compute/schemas/servers.py#L362-L364","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dcceea965cd5ee14a05f7aac4f3e32cd3816d144","unresolved":true,"context_lines":[{"line_number":41,"context_line":"listed for project admin. If no project is listed in ``filter_tenant_id`` then"},{"line_number":42,"context_line":"return an empty list. Only hypervisors\u0027 ``uuid`` will be returned for project"},{"line_number":43,"context_line":"admin, and the rest of the fields will be returned as ``hidden``."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"A new API policy will be introduced to switch the above behaviour to always"},{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."},{"line_number":47,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"21c2b501_dc99eaec","line":44,"in_reply_to":"3e8ce0a9_34f33d03","updated":"2021-07-15 17:46:32.000000000","message":"I think doing option3 looks more better way and document the workaround for old microversion (override policy + disable system scope).\n\nAs we all think doing this change in microversion, then I will take opportunity to standardize the concept of booting-on-host, which can involve:\n\n1. First remove the legacy hack of force host via \u0027availability_zone\u0027 field (in pattern \u0027node:host\u0027) for newer microversion\n\n2. adding uuid support in POST /servers API which is current spec\u0027s proposal. we can discuss if we can do this via new field or standardizing existing field name to avoid user confusion. \n\n3. list hypervisor uuid to project admin. this also current spec\u0027s proposal.\n\n4. anything else we want to improve form API side ?\n\nFrom above, I think 1st proposal might need more discussion.\n\nI am leaving this from Xena cycle and we can discuss about all above points in Y PTG for improving this API together.","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"713f20bcfd1941ea2d2e0925e9b93036bbb2cf1a","unresolved":true,"context_lines":[{"line_number":41,"context_line":"listed for project admin. If no project is listed in ``filter_tenant_id`` then"},{"line_number":42,"context_line":"return an empty list. Only hypervisors\u0027 ``uuid`` will be returned for project"},{"line_number":43,"context_line":"admin, and the rest of the fields will be returned as ``hidden``."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"A new API policy will be introduced to switch the above behaviour to always"},{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."},{"line_number":47,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"f696bc07_fe70d98f","line":44,"in_reply_to":"5fa02390_4c9e80eb","updated":"2021-07-14 18:14:49.000000000","message":"Added this.","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"58b167221e5d9257dcd4247d8f2b58da53dd687d","unresolved":true,"context_lines":[{"line_number":41,"context_line":"listed for project admin. If no project is listed in ``filter_tenant_id`` then"},{"line_number":42,"context_line":"return an empty list. Only hypervisors\u0027 ``uuid`` will be returned for project"},{"line_number":43,"context_line":"admin, and the rest of the fields will be returned as ``hidden``."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"A new API policy will be introduced to switch the above behaviour to always"},{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."},{"line_number":47,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3e8ce0a9_34f33d03","line":44,"in_reply_to":"92d83123_2fbaadaf","updated":"2021-07-15 15:31:00.000000000","message":"-1 on option 1, I continue to think project-admin should not be seeing hypervisor name details -- that is for system-admin.\n\nI quite like option 2, it seems like a tidy way to handle this situation IMHO. And it\u0027s already a common pattern in openstack to be able to provide name or UUID of a resource interchangeably. Would we be leveraging the existing \"host\" request parameter for this? Would we also do the same for \"hypervisor_hostname\"? Both of these parameters are available \u003e\u003d 2.74. Is the use case for \"hypervisor_hostname\" to allow an operator to boot an instance on a specific ironic node?\n\nI am also OK with option 3 if everyone else prefers that.","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"f90b58c4137825f800cb4c1e4e9c408b9cd09e5a","unresolved":true,"context_lines":[{"line_number":41,"context_line":"listed for project admin. If no project is listed in ``filter_tenant_id`` then"},{"line_number":42,"context_line":"return an empty list. Only hypervisors\u0027 ``uuid`` will be returned for project"},{"line_number":43,"context_line":"admin, and the rest of the fields will be returned as ``hidden``."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"A new API policy will be introduced to switch the above behaviour to always"},{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."},{"line_number":47,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"92d83123_2fbaadaf","line":44,"in_reply_to":"a011a114_ece9dc8a","updated":"2021-07-15 10:58:09.000000000","message":"i belive option 3 is the best choice of those 3.\ni thinke 2 is proably my second choice and i dont think we shoudl do 1.","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f3d55ba2e39d6ac19ef6b83f5fdad8a06adf5476","unresolved":true,"context_lines":[{"line_number":41,"context_line":"listed for project admin. If no project is listed in ``filter_tenant_id`` then"},{"line_number":42,"context_line":"return an empty list. Only hypervisors\u0027 ``uuid`` will be returned for project"},{"line_number":43,"context_line":"admin, and the rest of the fields will be returned as ``hidden``."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"A new API policy will be introduced to switch the above behaviour to always"},{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."},{"line_number":47,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"a011a114_ece9dc8a","line":44,"in_reply_to":"f696bc07_fe70d98f","updated":"2021-07-15 04:26:39.000000000","message":"we discussed this in IRC today, and dansmith raised the point that POST /servers API change is behavioral change and will not be known/notice by users so doing it without microversion is risky/questionable.\n\nAlso during testing (in https://review.opendev.org/c/openstack/nova/+/794863), uuid in POST /servers API fails today and will pass after this proposal so this is interop issue also.\n\nand I too agree that current proposal should not be done without microiversion.\n\nNow we have below three choice:\n\n1. return hypervisor name to project-admin so that we do not need to change POST /servers API but this will leak the infrastructure details to project-admin.\n\n2. Convert the UUID to host name at API layer (this patch https://review.opendev.org/c/openstack/nova/+/794863 ) and backport this to all stable branches. In that way, we can avoid interop issue at least. \n\n3. This is not best but if we have no choice. Do this change in microversion and leave older microversion unsolved for new default RBAC(when we will remove the legacy policy).","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2e8414fcc5c33904d774b4114da86a13d44d4aa5","unresolved":true,"context_lines":[{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"No change in returning the hypervisors list for System scoped users."},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"Alternatives"},{"line_number":51,"context_line":"------------"},{"line_number":52,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"28740956_879d86d8","line":49,"updated":"2021-06-02 10:10:58.000000000","message":"Do we need to change the behavior of OS-EXT-SRV-ATTR:hypervisor_hostname field in the /servers and /servers/details responses for the project admin? Will this field visible to the project admin by default? I think it should not as that would reveal the hostname even though the project admin only knows about the uuid. I hope this will be a minor pain to the project admin that she specified a compute node uuid in the boot request but she cannot observe that information in the response.","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"c0aac526ea46b807b734540cbe862b9ead1fd436","unresolved":false,"context_lines":[{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"No change in returning the hypervisors list for System scoped users."},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"Alternatives"},{"line_number":51,"context_line":"------------"},{"line_number":52,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"b324ea1a_8ad5bf0c","line":49,"in_reply_to":"1f2f0921_5799a1d2","updated":"2021-07-14 17:37:52.000000000","message":"Ack","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"8fd0d4277cfd114f64e6f1643eb8d2f97db833f0","unresolved":true,"context_lines":[{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"No change in returning the hypervisors list for System scoped users."},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"Alternatives"},{"line_number":51,"context_line":"------------"},{"line_number":52,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"dd7dde3f_e44f3e21","line":49,"in_reply_to":"28740956_879d86d8","updated":"2021-06-02 13:49:11.000000000","message":"Exposing the uuid as a hostname seems wrong. If we want them to be able to correlate an existing host to a target, then I think we need to just expose the hypervisor uuid to those users.","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9070cb16c3ace34ee03a2dec82653a58fd01f724","unresolved":true,"context_lines":[{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"No change in returning the hypervisors list for System scoped users."},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"Alternatives"},{"line_number":51,"context_line":"------------"},{"line_number":52,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"1f2f0921_5799a1d2","line":49,"in_reply_to":"d61347a3_e95114d1","updated":"2021-07-14 17:17:18.000000000","message":"OS-EXT-SRV-ATTR:hypervisor_hostname is exposed to SYSTEM_ADMIN only (in new rbac)[1].\n\nIf we want to return hypervisor_uuid in response to GET /servers API then this is API change and need microversion bump. As main goal of this proposal is to sync project admin know and use hypervisor_uuid as per the new rbac policy and policy are not microversioned. \n\nHow about leaving GET /servers API as it is and later in new proposal (or along with other API change) we can return the hypervisor_uuidin GET with microversion bump ? \n\n[1] https://github.com/openstack/nova/blob/9e7cd668694d427df5618fb77a860b3daf83d8e8/nova/policies/extended_server_attributes.py#L27","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"90677ac439c4c20a998a331e4fcf5c5846fa3f23","unresolved":true,"context_lines":[{"line_number":46,"context_line":"return the complete list of hypervisors to allowed users."},{"line_number":47,"context_line":""},{"line_number":48,"context_line":"No change in returning the hypervisors list for System scoped users."},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"Alternatives"},{"line_number":51,"context_line":"------------"},{"line_number":52,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"d61347a3_e95114d1","line":49,"in_reply_to":"dd7dde3f_e44f3e21","updated":"2021-06-09 07:56:09.000000000","message":"I\u0027m OK to add a new field e.g. hypervisor_uuid to the responses.","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2e8414fcc5c33904d774b4114da86a13d44d4aa5","unresolved":true,"context_lines":[{"line_number":123,"context_line":"An upgrade check will be added to check if policy"},{"line_number":124,"context_line":"``os_compute_api:os-hypervisors:list`` is overridden to non-default and"},{"line_number":125,"context_line":"new policy ``os_compute_api:os-hypervisors:list:allow_full_list`` is not"},{"line_number":126,"context_line":"overridden then fail the upgrade check."},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"Implementation"},{"line_number":129,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"cd398926_36749a60","line":126,"updated":"2021-06-02 10:10:58.000000000","message":"thanks!","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2e8414fcc5c33904d774b4114da86a13d44d4aa5","unresolved":true,"context_lines":[{"line_number":146,"context_line":"----------"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"- API changes without microversion"},{"line_number":149,"context_line":"- Upgrade check for new poliy"},{"line_number":150,"context_line":"- Testing for the changes."},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":3,"id":"d4c0e06c_badf2922","line":149,"range":{"start_line":149,"start_character":24,"end_line":149,"end_character":29},"updated":"2021-06-02 10:10:58.000000000","message":"nit:policy","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9070cb16c3ace34ee03a2dec82653a58fd01f724","unresolved":false,"context_lines":[{"line_number":146,"context_line":"----------"},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"- API changes without microversion"},{"line_number":149,"context_line":"- Upgrade check for new poliy"},{"line_number":150,"context_line":"- Testing for the changes."},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":3,"id":"d4049bc2_e345914c","line":149,"range":{"start_line":149,"start_character":24,"end_line":149,"end_character":29},"in_reply_to":"d4c0e06c_badf2922","updated":"2021-07-14 17:17:18.000000000","message":"Done","commit_id":"cf83f0b8e6a967a2034057d8ce9be08904bbff0b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"90b72f441453dfc4ad2fc3cc922747ec4d4a213e","unresolved":true,"context_lines":[{"line_number":94,"context_line":""},{"line_number":95,"context_line":"``POST /servers``"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"- API will start accepting ``hypervisor-uuid`` as well as"},{"line_number":98,"context_line":"  ``hypervisor_hostname`` to boot the server for force host as well as for host"},{"line_number":99,"context_line":"  with scheduler run case."},{"line_number":100,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"dbf6c441_e1e7e278","line":97,"range":{"start_line":97,"start_character":29,"end_line":97,"end_character":45},"updated":"2021-07-14 19:10:05.000000000","message":"hypervisor_uuid\n\ni think this need to be a new field indepenent of the existing `hypervisor_hostname`\nso i think you need microverion as a result.","commit_id":"fef98263cd244ac5f02b8a71de2adc5decf53201"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9d51fa4a57627660caf591537b45cdf1f5684d50","unresolved":true,"context_lines":[{"line_number":94,"context_line":""},{"line_number":95,"context_line":"``POST /servers``"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"- API will start accepting ``hypervisor-uuid`` as well as"},{"line_number":98,"context_line":"  ``hypervisor_hostname`` to boot the server for force host as well as for host"},{"line_number":99,"context_line":"  with scheduler run case."},{"line_number":100,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"622503f7_e0a809c6","line":97,"range":{"start_line":97,"start_character":29,"end_line":97,"end_character":45},"in_reply_to":"dbf6c441_e1e7e278","updated":"2021-11-17 00:09:20.000000000","message":"yeah microversion is needed.","commit_id":"fef98263cd244ac5f02b8a71de2adc5decf53201"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"90b72f441453dfc4ad2fc3cc922747ec4d4a213e","unresolved":true,"context_lines":[{"line_number":95,"context_line":"``POST /servers``"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"- API will start accepting ``hypervisor-uuid`` as well as"},{"line_number":98,"context_line":"  ``hypervisor_hostname`` to boot the server for force host as well as for host"},{"line_number":99,"context_line":"  with scheduler run case."},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":4,"id":"aaaae6f8_730ddc3c","line":98,"range":{"start_line":98,"start_character":49,"end_line":98,"end_character":59},"updated":"2021-07-14 19:10:05.000000000","message":"i kind fo feel we shoudl not extend force host with this capablity\nand require proejct addmisn to use the new api added in https://specs.openstack.org/openstack/nova-specs/specs/train/implemented/add-host-and-hypervisor-hostname-flag-to-create-server.html","commit_id":"fef98263cd244ac5f02b8a71de2adc5decf53201"}],"specs/yoga/approved/allow-project-admin-list-hypervisors.rst":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"796ba6b501637fa578c1344e7e437229bb925352","unresolved":true,"context_lines":[{"line_number":30,"context_line":"Use Cases"},{"line_number":31,"context_line":"---------"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"As a user (project admin in new RBAC), I should be able to create the server"},{"line_number":34,"context_line":"on specific host which is assigned in that project."},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":5,"id":"6979bda3_1652c68b","line":33,"range":{"start_line":33,"start_character":11,"end_line":33,"end_character":24},"updated":"2021-11-17 16:14:02.000000000","message":"Do you eventually mean \"project manager\"? I assume so and that you\u0027re looking to solve this in the short term for the actually-admin-with-a-project-token case before that becomes a thing. Is that right?","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0b738ad1efd2145df3b13fa70e78355d84bb3eb3","unresolved":true,"context_lines":[{"line_number":30,"context_line":"Use Cases"},{"line_number":31,"context_line":"---------"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"As a user (project admin in new RBAC), I should be able to create the server"},{"line_number":34,"context_line":"on specific host which is assigned in that project."},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":5,"id":"aa0a2966_9a180ea0","line":33,"range":{"start_line":33,"start_character":11,"end_line":33,"end_character":24},"in_reply_to":"6979bda3_1652c68b","updated":"2021-11-18 17:28:56.000000000","message":"yes, but with project manager once we have that. I will mention it.","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c2768582ff3c37e0b35cb4cad5f95a6037483933","unresolved":false,"context_lines":[{"line_number":30,"context_line":"Use Cases"},{"line_number":31,"context_line":"---------"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"As a user (project admin in new RBAC), I should be able to create the server"},{"line_number":34,"context_line":"on specific host which is assigned in that project."},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":5,"id":"face4255_7878b3ee","line":33,"range":{"start_line":33,"start_character":11,"end_line":33,"end_character":24},"in_reply_to":"aa0a2966_9a180ea0","updated":"2021-12-03 00:45:12.000000000","message":"Done","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"796ba6b501637fa578c1344e7e437229bb925352","unresolved":true,"context_lines":[{"line_number":41,"context_line":""},{"line_number":42,"context_line":"   Allow project admin to list ``uuid``, ``state``, and, ``status``"},{"line_number":43,"context_line":"   of the hypervisors they are assigned to. That will be retrieved from"},{"line_number":44,"context_line":"   aggregate metadata info (``filter_tenant_id``)."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"   If the requested project is in ``filter_tenant_id`` then that host info will"},{"line_number":47,"context_line":"   be listed for project admin. If no project is listed in ``filter_tenant_id``"}],"source_content_type":"text/x-rst","patch_set":5,"id":"9568e0c8_64a92334","line":44,"updated":"2021-11-17 16:14:02.000000000","message":"Okay, so currently we try to not only hide hypervisor details from non-operator users, but also obscure the hypervisor details from users on different projects. We hash the project id with the hypervisor identification so that users on two separate projects can\u0027t compare hashes and determine that they are on the same (or different) hosts. That\u0027s good for privacy and preventing users from gaming the system, but it\u0027s bad because that\u0027s a one-way process and hard to reverse for the boot case.\n\nI think what we\u0027re saying here is that if you\u0027re granted access to a set of hosts, and suitably endowed with permission to control boots targeted at those hosts, then exposing the \"same or different host\" details across projects is less of a concern because you\u0027re already allowed to control your own destiny within that subset of hosts to some degree. Is that right?\n\nOn the one hand, I think the cross-project obfuscation is a *really* nice feature for anyone that doesn\u0027t trust their users fully, but on the other, I know it\u0027s non-trivial to handle in two directions here.","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c2768582ff3c37e0b35cb4cad5f95a6037483933","unresolved":true,"context_lines":[{"line_number":41,"context_line":""},{"line_number":42,"context_line":"   Allow project admin to list ``uuid``, ``state``, and, ``status``"},{"line_number":43,"context_line":"   of the hypervisors they are assigned to. That will be retrieved from"},{"line_number":44,"context_line":"   aggregate metadata info (``filter_tenant_id``)."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"   If the requested project is in ``filter_tenant_id`` then that host info will"},{"line_number":47,"context_line":"   be listed for project admin. If no project is listed in ``filter_tenant_id``"}],"source_content_type":"text/x-rst","patch_set":5,"id":"0ab71c75_f362d4f5","line":44,"in_reply_to":"9568e0c8_64a92334","updated":"2021-12-03 00:45:12.000000000","message":"yeah it is difficult to de-serialize in boot process but at least they will have one way to pass uuid for booting on host they are allowed.\n\nOther thing i see, if any user want to boot server on special host and they are not allowed then they can ask operator to add them in access list.","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"796ba6b501637fa578c1344e7e437229bb925352","unresolved":true,"context_lines":[{"line_number":63,"context_line":"   ``POST /servers`` API will start accepting hypervisor uuid in request field"},{"line_number":64,"context_line":"   to boot the server on that hypervisor. The existing field"},{"line_number":65,"context_line":"   ``hypervisor_hostname`` is used to pass the hypervisor name. We will rename"},{"line_number":66,"context_line":"   this existing field ``hypervisor_hostname`` to ``hypervisor`` so that user"},{"line_number":67,"context_line":"   can pass both hypervisor name or uuid (passing name or uuid in single field"},{"line_number":68,"context_line":"   is usual standard we follow in OpenStack APIs). The hypervisor uuid will be"},{"line_number":69,"context_line":"   used to boot the server for force host as well as for host with scheduler"},{"line_number":70,"context_line":"   run case."},{"line_number":71,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"8bbfb18d_e962c007","line":68,"range":{"start_line":66,"start_character":65,"end_line":68,"end_character":50},"updated":"2021-11-17 16:14:02.000000000","message":"Personally I don\u0027t think this is the best plan. First, it just means that existing people have to change the field they\u0027re using during boot if they\u0027re already passing a hostname. Second, we end up potentially confusing things if people use uuids for their hostnames. IIRC, ironic does (or did?) use the ironic uuid of a machine as the hypervisor_hostname.\n\nMy preference would be to _add_ a hypervisor_id field, and assert that it\u0027s mutually exclusive with hypervisor_hostname.","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c2768582ff3c37e0b35cb4cad5f95a6037483933","unresolved":false,"context_lines":[{"line_number":63,"context_line":"   ``POST /servers`` API will start accepting hypervisor uuid in request field"},{"line_number":64,"context_line":"   to boot the server on that hypervisor. The existing field"},{"line_number":65,"context_line":"   ``hypervisor_hostname`` is used to pass the hypervisor name. We will rename"},{"line_number":66,"context_line":"   this existing field ``hypervisor_hostname`` to ``hypervisor`` so that user"},{"line_number":67,"context_line":"   can pass both hypervisor name or uuid (passing name or uuid in single field"},{"line_number":68,"context_line":"   is usual standard we follow in OpenStack APIs). The hypervisor uuid will be"},{"line_number":69,"context_line":"   used to boot the server for force host as well as for host with scheduler"},{"line_number":70,"context_line":"   run case."},{"line_number":71,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"f92f44dd_3c47bcf6","line":68,"range":{"start_line":66,"start_character":65,"end_line":68,"end_character":50},"in_reply_to":"53a4a8fc_5fd91dc6","updated":"2021-12-03 00:45:12.000000000","message":"Done","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0720ec55578115d20f9b9629f377b6e425bfbd1c","unresolved":true,"context_lines":[{"line_number":63,"context_line":"   ``POST /servers`` API will start accepting hypervisor uuid in request field"},{"line_number":64,"context_line":"   to boot the server on that hypervisor. The existing field"},{"line_number":65,"context_line":"   ``hypervisor_hostname`` is used to pass the hypervisor name. We will rename"},{"line_number":66,"context_line":"   this existing field ``hypervisor_hostname`` to ``hypervisor`` so that user"},{"line_number":67,"context_line":"   can pass both hypervisor name or uuid (passing name or uuid in single field"},{"line_number":68,"context_line":"   is usual standard we follow in OpenStack APIs). The hypervisor uuid will be"},{"line_number":69,"context_line":"   used to boot the server for force host as well as for host with scheduler"},{"line_number":70,"context_line":"   run case."},{"line_number":71,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"53a4a8fc_5fd91dc6","line":68,"range":{"start_line":66,"start_character":65,"end_line":68,"end_character":50},"in_reply_to":"54783333_e1dec390","updated":"2021-11-25 21:30:24.000000000","message":"you mean for \u0027static info use case\u0027 ? or via API use case also? if later then we need some way to expose the hypervisor_hostname and host also to project users. If former use case we do not want to break (if any) then yes I can keep existing fields as it is.","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0b738ad1efd2145df3b13fa70e78355d84bb3eb3","unresolved":true,"context_lines":[{"line_number":63,"context_line":"   ``POST /servers`` API will start accepting hypervisor uuid in request field"},{"line_number":64,"context_line":"   to boot the server on that hypervisor. The existing field"},{"line_number":65,"context_line":"   ``hypervisor_hostname`` is used to pass the hypervisor name. We will rename"},{"line_number":66,"context_line":"   this existing field ``hypervisor_hostname`` to ``hypervisor`` so that user"},{"line_number":67,"context_line":"   can pass both hypervisor name or uuid (passing name or uuid in single field"},{"line_number":68,"context_line":"   is usual standard we follow in OpenStack APIs). The hypervisor uuid will be"},{"line_number":69,"context_line":"   used to boot the server for force host as well as for host with scheduler"},{"line_number":70,"context_line":"   run case."},{"line_number":71,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"8f657830_47ef5d3d","line":68,"range":{"start_line":66,"start_character":65,"end_line":68,"end_character":50},"in_reply_to":"8bbfb18d_e962c007","updated":"2021-11-18 17:28:56.000000000","message":"on re-thiking on existing field and new field case, I think we need to either remove or change existing field only.\n\nExisting fields are: \u0027host\u0027 and \u0027hypervisor_hostname\u0027 but with the new rbac and this proposal, none of these info can be seen by project admin, they will only get the hypervisor uuid. so what is the use of existing field ?\n\nOnly use case I can see is if operator has given some static info (not via API but via email or so) about host/hypervisor_hostname to project trusted users and they use that to boot server on that host.\n\nIf we go with API way, then either we should remove these existing fields or give some way to get these for project admin. Or leave them as it is for static info use case (in this case I agree to add new field hypervisor_id so that we do not break existing users)","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"b2ba9666f073a3e200b6398e6742dc2043fb08d9","unresolved":true,"context_lines":[{"line_number":63,"context_line":"   ``POST /servers`` API will start accepting hypervisor uuid in request field"},{"line_number":64,"context_line":"   to boot the server on that hypervisor. The existing field"},{"line_number":65,"context_line":"   ``hypervisor_hostname`` is used to pass the hypervisor name. We will rename"},{"line_number":66,"context_line":"   this existing field ``hypervisor_hostname`` to ``hypervisor`` so that user"},{"line_number":67,"context_line":"   can pass both hypervisor name or uuid (passing name or uuid in single field"},{"line_number":68,"context_line":"   is usual standard we follow in OpenStack APIs). The hypervisor uuid will be"},{"line_number":69,"context_line":"   used to boot the server for force host as well as for host with scheduler"},{"line_number":70,"context_line":"   run case."},{"line_number":71,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"54783333_e1dec390","line":68,"range":{"start_line":66,"start_character":65,"end_line":68,"end_character":50},"in_reply_to":"8f657830_47ef5d3d","updated":"2021-11-22 13:33:28.000000000","message":"I\u0027m would prefer to leave the existing fields and support any existing uses of it. Then adding hypervisor_uuid (or hypervisor_id) also make sense for the new use case.","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"b2ba9666f073a3e200b6398e6742dc2043fb08d9","unresolved":true,"context_lines":[{"line_number":69,"context_line":"   used to boot the server for force host as well as for host with scheduler"},{"line_number":70,"context_line":"   run case."},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"#. Remove the legacy hack of passing the host and node in ``availability_zone``"},{"line_number":73,"context_line":"   request field."},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"   This is legacy hack to force the server boot on requested host and node."}],"source_content_type":"text/x-rst","patch_set":5,"id":"06eb42ca_c38439dc","line":72,"updated":"2021-11-22 13:33:28.000000000","message":"I guess we just remove it from the new microversion but keep supporting it in the existing once.","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0720ec55578115d20f9b9629f377b6e425bfbd1c","unresolved":true,"context_lines":[{"line_number":69,"context_line":"   used to boot the server for force host as well as for host with scheduler"},{"line_number":70,"context_line":"   run case."},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"#. Remove the legacy hack of passing the host and node in ``availability_zone``"},{"line_number":73,"context_line":"   request field."},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"   This is legacy hack to force the server boot on requested host and node."}],"source_content_type":"text/x-rst","patch_set":5,"id":"8dd1d5ed_44382f1c","line":72,"in_reply_to":"06eb42ca_c38439dc","updated":"2021-11-25 21:30:24.000000000","message":"yes. removing in new microversion only.","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c2768582ff3c37e0b35cb4cad5f95a6037483933","unresolved":false,"context_lines":[{"line_number":69,"context_line":"   used to boot the server for force host as well as for host with scheduler"},{"line_number":70,"context_line":"   run case."},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"#. Remove the legacy hack of passing the host and node in ``availability_zone``"},{"line_number":73,"context_line":"   request field."},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"   This is legacy hack to force the server boot on requested host and node."}],"source_content_type":"text/x-rst","patch_set":5,"id":"cd356914_069aa1e3","line":72,"in_reply_to":"8dd1d5ed_44382f1c","updated":"2021-12-03 00:45:12.000000000","message":"Done","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"796ba6b501637fa578c1344e7e437229bb925352","unresolved":true,"context_lines":[{"line_number":81,"context_line":"------------"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"Allow ``project_id`` in the request body of POST /servers API so that system"},{"line_number":84,"context_line":"users can create a server on behalf of the project."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Data model impact"},{"line_number":87,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"c196b2fc_a3ee1660","line":84,"updated":"2021-11-17 16:14:02.000000000","message":"This isn\u0027t really an alternative anymore, if servers has scope_types\u003dproject. But, we need something for this section, so I guess it\u0027s okay :)","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c2768582ff3c37e0b35cb4cad5f95a6037483933","unresolved":false,"context_lines":[{"line_number":81,"context_line":"------------"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"Allow ``project_id`` in the request body of POST /servers API so that system"},{"line_number":84,"context_line":"users can create a server on behalf of the project."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Data model impact"},{"line_number":87,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"50e5645b_d163aae9","line":84,"in_reply_to":"3d7b2b3b_e58e380a","updated":"2021-12-03 00:45:12.000000000","message":"Done","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0b738ad1efd2145df3b13fa70e78355d84bb3eb3","unresolved":true,"context_lines":[{"line_number":81,"context_line":"------------"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"Allow ``project_id`` in the request body of POST /servers API so that system"},{"line_number":84,"context_line":"users can create a server on behalf of the project."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Data model impact"},{"line_number":87,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3d7b2b3b_e58e380a","line":84,"in_reply_to":"c196b2fc_a3ee1660","updated":"2021-11-18 17:28:56.000000000","message":"yeah, I can mention that system users knowing the hypervisor info can grap the project admin token and then boot server on specific host.","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"796ba6b501637fa578c1344e7e437229bb925352","unresolved":true,"context_lines":[{"line_number":111,"context_line":"     {"},{"line_number":112,"context_line":"       \"hypervisors\": ["},{"line_number":113,"context_line":"           {"},{"line_number":114,"context_line":"               \"hypervisor_hostname\": \"hidden\","},{"line_number":115,"context_line":"               \"id\": \"1bb62a04-c576-402c-8147-9e89757a09e3\","},{"line_number":116,"context_line":"               \"state\": \"up\","},{"line_number":117,"context_line":"               \"status\": \"enabled\""}],"source_content_type":"text/x-rst","patch_set":5,"id":"43624723_3344bee0","line":114,"range":{"start_line":114,"start_character":39,"end_line":114,"end_character":45},"updated":"2021-11-17 16:14:02.000000000","message":"Is this really a best API practice? How does someone know the difference between this an actual hypervisor named \"hidden\" ?\n\nWhy would we not make this None, \"\", or just omit the keys they\u0027re not allowed to see?","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"7d5c2e6bd1815428fcc9417abfb25000f1734dff","unresolved":true,"context_lines":[{"line_number":111,"context_line":"     {"},{"line_number":112,"context_line":"       \"hypervisors\": ["},{"line_number":113,"context_line":"           {"},{"line_number":114,"context_line":"               \"hypervisor_hostname\": \"hidden\","},{"line_number":115,"context_line":"               \"id\": \"1bb62a04-c576-402c-8147-9e89757a09e3\","},{"line_number":116,"context_line":"               \"state\": \"up\","},{"line_number":117,"context_line":"               \"status\": \"enabled\""}],"source_content_type":"text/x-rst","patch_set":5,"id":"a0f85499_25ea783f","line":114,"range":{"start_line":114,"start_character":39,"end_line":114,"end_character":45},"in_reply_to":"19d7f340_41cc3148","updated":"2021-11-22 13:45:32.000000000","message":"if you wan that to map to the python None object it would be null in json\nhypervisors\": [\n           {\n               \"hypervisor_hostname\": null,\n             ....\n           }]\n\n\nso i would go with null or \"\" so that it will get converted to python None or \"\" when parsed with json.loads(...)","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c2768582ff3c37e0b35cb4cad5f95a6037483933","unresolved":false,"context_lines":[{"line_number":111,"context_line":"     {"},{"line_number":112,"context_line":"       \"hypervisors\": ["},{"line_number":113,"context_line":"           {"},{"line_number":114,"context_line":"               \"hypervisor_hostname\": \"hidden\","},{"line_number":115,"context_line":"               \"id\": \"1bb62a04-c576-402c-8147-9e89757a09e3\","},{"line_number":116,"context_line":"               \"state\": \"up\","},{"line_number":117,"context_line":"               \"status\": \"enabled\""}],"source_content_type":"text/x-rst","patch_set":5,"id":"abf963aa_d9992735","line":114,"range":{"start_line":114,"start_character":39,"end_line":114,"end_character":45},"in_reply_to":"2aca670f_8a7ee750","updated":"2021-12-03 00:45:12.000000000","message":"Done","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0b738ad1efd2145df3b13fa70e78355d84bb3eb3","unresolved":true,"context_lines":[{"line_number":111,"context_line":"     {"},{"line_number":112,"context_line":"       \"hypervisors\": ["},{"line_number":113,"context_line":"           {"},{"line_number":114,"context_line":"               \"hypervisor_hostname\": \"hidden\","},{"line_number":115,"context_line":"               \"id\": \"1bb62a04-c576-402c-8147-9e89757a09e3\","},{"line_number":116,"context_line":"               \"state\": \"up\","},{"line_number":117,"context_line":"               \"status\": \"enabled\""}],"source_content_type":"text/x-rst","patch_set":5,"id":"50a62287_87590ebd","line":114,"range":{"start_line":114,"start_character":39,"end_line":114,"end_character":45},"in_reply_to":"43624723_3344bee0","updated":"2021-11-18 17:28:56.000000000","message":"None sound good to me.","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"b2ba9666f073a3e200b6398e6742dc2043fb08d9","unresolved":true,"context_lines":[{"line_number":111,"context_line":"     {"},{"line_number":112,"context_line":"       \"hypervisors\": ["},{"line_number":113,"context_line":"           {"},{"line_number":114,"context_line":"               \"hypervisor_hostname\": \"hidden\","},{"line_number":115,"context_line":"               \"id\": \"1bb62a04-c576-402c-8147-9e89757a09e3\","},{"line_number":116,"context_line":"               \"state\": \"up\","},{"line_number":117,"context_line":"               \"status\": \"enabled\""}],"source_content_type":"text/x-rst","patch_set":5,"id":"19d7f340_41cc3148","line":114,"range":{"start_line":114,"start_character":39,"end_line":114,"end_character":45},"in_reply_to":"50a62287_87590ebd","updated":"2021-11-22 13:33:28.000000000","message":"+1 to None","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"350d717729dd04023ff906c8f0f744937c5180ba","unresolved":true,"context_lines":[{"line_number":111,"context_line":"     {"},{"line_number":112,"context_line":"       \"hypervisors\": ["},{"line_number":113,"context_line":"           {"},{"line_number":114,"context_line":"               \"hypervisor_hostname\": \"hidden\","},{"line_number":115,"context_line":"               \"id\": \"1bb62a04-c576-402c-8147-9e89757a09e3\","},{"line_number":116,"context_line":"               \"state\": \"up\","},{"line_number":117,"context_line":"               \"status\": \"enabled\""}],"source_content_type":"text/x-rst","patch_set":5,"id":"2aca670f_8a7ee750","line":114,"range":{"start_line":114,"start_character":39,"end_line":114,"end_character":45},"in_reply_to":"a0f85499_25ea783f","updated":"2021-11-22 14:37:28.000000000","message":"Yes, I mean None in terms of what we return of the user can\u0027t see that value, regardless of how it\u0027s serialized :)","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"796ba6b501637fa578c1344e7e437229bb925352","unresolved":true,"context_lines":[{"line_number":124,"context_line":"  project admin to return the complete list of hypervisors (like the same way"},{"line_number":125,"context_line":"  we return to system admin currently). The name of the policy"},{"line_number":126,"context_line":"  will be ``os_compute_api:os-hypervisors:list:allow_full_list`` which will be"},{"line_number":127,"context_line":"  default to ``SYSTEM_READER`` but scoped to [\u0027system\u0027, \u0027project\u0027]."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"``POST /servers``"},{"line_number":130,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"82674708_f841181f","line":127,"range":{"start_line":127,"start_character":31,"end_line":127,"end_character":67},"updated":"2021-11-17 16:14:02.000000000","message":"Why scoped to both? If we\u0027re going to stick to the rigid behavior of \"system users see system things\" then I would think we\u0027d just make this system-only. Otherwise people may just relax this check string and introduce API behavior that isn\u0027t really compatible with the rest of the aim of system scope.","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c2768582ff3c37e0b35cb4cad5f95a6037483933","unresolved":false,"context_lines":[{"line_number":124,"context_line":"  project admin to return the complete list of hypervisors (like the same way"},{"line_number":125,"context_line":"  we return to system admin currently). The name of the policy"},{"line_number":126,"context_line":"  will be ``os_compute_api:os-hypervisors:list:allow_full_list`` which will be"},{"line_number":127,"context_line":"  default to ``SYSTEM_READER`` but scoped to [\u0027system\u0027, \u0027project\u0027]."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"``POST /servers``"},{"line_number":130,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"71a56b31_3e97c025","line":127,"range":{"start_line":127,"start_character":31,"end_line":127,"end_character":67},"in_reply_to":"17dc6e09_32c5e152","updated":"2021-12-03 00:45:12.000000000","message":"Done","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0b738ad1efd2145df3b13fa70e78355d84bb3eb3","unresolved":true,"context_lines":[{"line_number":124,"context_line":"  project admin to return the complete list of hypervisors (like the same way"},{"line_number":125,"context_line":"  we return to system admin currently). The name of the policy"},{"line_number":126,"context_line":"  will be ``os_compute_api:os-hypervisors:list:allow_full_list`` which will be"},{"line_number":127,"context_line":"  default to ``SYSTEM_READER`` but scoped to [\u0027system\u0027, \u0027project\u0027]."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"``POST /servers``"},{"line_number":130,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"17dc6e09_32c5e152","line":127,"range":{"start_line":127,"start_character":31,"end_line":127,"end_character":67},"in_reply_to":"82674708_f841181f","updated":"2021-11-18 17:28:56.000000000","message":"so this new policy is if system wants to allow any other project users non-admin to list the hypervisor and boot server on that host. But as we will keep existing policy `os_compute_api:os-hypervisors:list\u0027 be scoped to [\u0027system\u0027, \u0027project\u0027] but default to system_reader only so that operator can override it to allow project admin also to list hypervisor uuid.\n\nBut same existing policy can be overriden to allow project member to list hypervisor if they have overriden the boot server policy to allow project member to boot server on specific host.\n\nSo we do not need this new policy, I will remove it.","commit_id":"382f0d868ae0e21de61f9cd09ccb9ac461891518"}]}