)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"707d0239308ed323c37cfba51613ae81ee10c90c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"ab03bd3c_a417d6c9","updated":"2022-11-15 10:47:45.000000000","message":"Looks good to me, we could maybe have other APIs that could use the service role but I don\u0027t see them now.\n\nThat being said, as I wrote in one comment, I guess you\u0027ll add another spec for Placement APIs separatly, right?","commit_id":"dda24920941b62f1d2e676e6d40766690c14ac8f"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"21efd64ab726b2795a1b357fbaf95854ffa1d26d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"f7884b08_c62c4963","updated":"2022-11-15 13:28:32.000000000","message":"overall im happy with this but im going to hold +w for dan to review.","commit_id":"dda24920941b62f1d2e676e6d40766690c14ac8f"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"21efd64ab726b2795a1b357fbaf95854ffa1d26d","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":3,"id":"542e4831_04dc73b3","in_reply_to":"ab03bd3c_a417d6c9","updated":"2022-11-15 13:28:32.000000000","message":"thats already proposed against the placment repo \nhttps://review.opendev.org/c/openstack/placement/+/864385","commit_id":"dda24920941b62f1d2e676e6d40766690c14ac8f"}],"specs/2023.1/approved/policy-service-role-default.rst":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"92a7631f1db1debade2fb0e6a24b14007092e9fb","unresolved":true,"context_lines":[{"line_number":18,"context_line":"Problem 
description"},{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Even APIs is for internal service-to-service APIs communication, their"},{"line_number":22,"context_line":"default policy is either admin or project roles which means operators"},{"line_number":23,"context_line":"need to assign the admin or project roles to their service role users."},{"line_number":24,"context_line":"That service role user having admin or project role access is poor"}],"source_content_type":"text/x-rst","patch_set":1,"id":"67d65d83_1d6525ba","line":21,"range":{"start_line":21,"start_character":0,"end_line":21,"end_character":12},"updated":"2022-11-14 20:39:27.000000000","message":"\"Currently, APIs...\"","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"92a7631f1db1debade2fb0e6a24b14007092e9fb","unresolved":true,"context_lines":[{"line_number":18,"context_line":"Problem description"},{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Even APIs is for internal service-to-service APIs communication, their"},{"line_number":22,"context_line":"default policy is either admin or project roles which means operators"},{"line_number":23,"context_line":"need to assign the admin or project roles to their service role users."},{"line_number":24,"context_line":"That service role user having admin or project role access is poor"}],"source_content_type":"text/x-rst","patch_set":1,"id":"636f7ea6_2b380962","line":21,"range":{"start_line":21,"start_character":65,"end_line":21,"end_character":70},"updated":"2022-11-14 
20:39:27.000000000","message":"\"have their\"","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1309e0f10f40d1ed46e78d2d7c75351a6b905957","unresolved":false,"context_lines":[{"line_number":18,"context_line":"Problem description"},{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Even APIs is for internal service-to-service APIs communication, their"},{"line_number":22,"context_line":"default policy is either admin or project roles which means operators"},{"line_number":23,"context_line":"need to assign the admin or project roles to their service role users."},{"line_number":24,"context_line":"That service role user having admin or project role access is poor"}],"source_content_type":"text/x-rst","patch_set":1,"id":"4b58fb94_cd96e0be","line":21,"range":{"start_line":21,"start_character":65,"end_line":21,"end_character":70},"in_reply_to":"636f7ea6_2b380962","updated":"2022-11-14 21:02:55.000000000","message":"Done","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1309e0f10f40d1ed46e78d2d7c75351a6b905957","unresolved":false,"context_lines":[{"line_number":18,"context_line":"Problem description"},{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Even APIs is for internal service-to-service APIs communication, their"},{"line_number":22,"context_line":"default policy is either admin or project roles 
which means operators"},{"line_number":23,"context_line":"need to assign the admin or project roles to their service role users."},{"line_number":24,"context_line":"That service role user having admin or project role access is poor"}],"source_content_type":"text/x-rst","patch_set":1,"id":"25c0bc0e_f186c6bc","line":21,"range":{"start_line":21,"start_character":0,"end_line":21,"end_character":12},"in_reply_to":"67d65d83_1d6525ba","updated":"2022-11-14 21:02:55.000000000","message":"Done","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"92a7631f1db1debade2fb0e6a24b14007092e9fb","unresolved":true,"context_lines":[{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Even APIs is for internal service-to-service APIs communication, their"},{"line_number":22,"context_line":"default policy is either admin or project roles which means operators"},{"line_number":23,"context_line":"need to assign the admin or project roles to their service role users."},{"line_number":24,"context_line":"That service role user having admin or project role access is poor"},{"line_number":25,"context_line":"security practice as they can perform admin or project level operations."}],"source_content_type":"text/x-rst","patch_set":1,"id":"c5621657_6f80f11e","line":22,"range":{"start_line":22,"start_character":15,"end_line":22,"end_character":18},"updated":"2022-11-14 20:39:27.000000000","message":"\"as\"","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1309e0f10f40d1ed46e78d2d7c75351a6b905957","unresolved":false,"context_lines":[{"line_number":19,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Even APIs is for internal service-to-service APIs communication, their"},{"line_number":22,"context_line":"default policy is either admin or project roles which means operators"},{"line_number":23,"context_line":"need to assign the admin or project roles to their service role users."},{"line_number":24,"context_line":"That service role user having admin or project role access is poor"},{"line_number":25,"context_line":"security practice as they can perform admin or project level operations."}],"source_content_type":"text/x-rst","patch_set":1,"id":"e748526b_499b875b","line":22,"range":{"start_line":22,"start_character":15,"end_line":22,"end_character":18},"in_reply_to":"c5621657_6f80f11e","updated":"2022-11-14 21:02:55.000000000","message":"Done","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"92a7631f1db1debade2fb0e6a24b14007092e9fb","unresolved":true,"context_lines":[{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Even APIs is for internal service-to-service APIs communication, their"},{"line_number":22,"context_line":"default policy is either admin or project roles which means operators"},{"line_number":23,"context_line":"need to assign the admin or project roles to their service role users."},{"line_number":24,"context_line":"That service role user having admin or project role access is poor"},{"line_number":25,"context_line":"security practice as they can perform admin or project level 
operations."},{"line_number":26,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"2c8d2568_7539cbd3","line":23,"range":{"start_line":23,"start_character":59,"end_line":23,"end_character":63},"updated":"2022-11-14 20:39:27.000000000","message":"Since this is describing the need for such a role, and saying that the admin role is currently required, I think you should remove \"role\" here and just say \"service users.\"","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1309e0f10f40d1ed46e78d2d7c75351a6b905957","unresolved":false,"context_lines":[{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Even APIs is for internal service-to-service APIs communication, their"},{"line_number":22,"context_line":"default policy is either admin or project roles which means operators"},{"line_number":23,"context_line":"need to assign the admin or project roles to their service role users."},{"line_number":24,"context_line":"That service role user having admin or project role access is poor"},{"line_number":25,"context_line":"security practice as they can perform admin or project level operations."},{"line_number":26,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"374b26ba_524e5980","line":23,"range":{"start_line":23,"start_character":59,"end_line":23,"end_character":63},"in_reply_to":"2c8d2568_7539cbd3","updated":"2022-11-14 21:02:55.000000000","message":"Done","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"92a7631f1db1debade2fb0e6a24b14007092e9fb","unresolved":true,"context_lines":[{"line_number":21,"context_line":"Even APIs is for internal service-to-service APIs communication, 
their"},{"line_number":22,"context_line":"default policy is either admin or project roles which means operators"},{"line_number":23,"context_line":"need to assign the admin or project roles to their service role users."},{"line_number":24,"context_line":"That service role user having admin or project role access is poor"},{"line_number":25,"context_line":"security practice as they can perform admin or project level operations."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Aslo our service-to-service APIs are accessible by the admin or project"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5a341426_e28361a8","line":24,"range":{"start_line":24,"start_character":13,"end_line":24,"end_character":17},"updated":"2022-11-14 20:39:27.000000000","message":"s/role//","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1309e0f10f40d1ed46e78d2d7c75351a6b905957","unresolved":false,"context_lines":[{"line_number":21,"context_line":"Even APIs is for internal service-to-service APIs communication, their"},{"line_number":22,"context_line":"default policy is either admin or project roles which means operators"},{"line_number":23,"context_line":"need to assign the admin or project roles to their service role users."},{"line_number":24,"context_line":"That service role user having admin or project role access is poor"},{"line_number":25,"context_line":"security practice as they can perform admin or project level operations."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Aslo our service-to-service APIs are accessible by the admin or project"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ed434db1_c3de7d98","line":24,"range":{"start_line":24,"start_character":13,"end_line":24,"end_character":17},"in_reply_to":"5a341426_e28361a8","updated":"2022-11-14 
21:02:55.000000000","message":"Done","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"92a7631f1db1debade2fb0e6a24b14007092e9fb","unresolved":true,"context_lines":[{"line_number":24,"context_line":"That service role user having admin or project role access is poor"},{"line_number":25,"context_line":"security practice as they can perform admin or project level operations."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Aslo our service-to-service APIs are accessible by the admin or project"},{"line_number":28,"context_line":"users."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"Use Cases"}],"source_content_type":"text/x-rst","patch_set":1,"id":"6f84ad0f_31ca6448","line":27,"range":{"start_line":27,"start_character":0,"end_line":27,"end_character":4},"updated":"2022-11-14 20:39:27.000000000","message":"\"Also\"","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1309e0f10f40d1ed46e78d2d7c75351a6b905957","unresolved":false,"context_lines":[{"line_number":24,"context_line":"That service role user having admin or project role access is poor"},{"line_number":25,"context_line":"security practice as they can perform admin or project level operations."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Aslo our service-to-service APIs are accessible by the admin or project"},{"line_number":28,"context_line":"users."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"Use Cases"}],"source_content_type":"text/x-rst","patch_set":1,"id":"e849ad1c_b41abe0e","line":27,"range":{"start_line":27,"start_character":0,"end_line":27,"end_character":4},"in_reply_to":"6f84ad0f_31ca6448","updated":"2022-11-14 
21:02:55.000000000","message":"Done","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"92a7631f1db1debade2fb0e6a24b14007092e9fb","unresolved":true,"context_lines":[{"line_number":25,"context_line":"security practice as they can perform admin or project level operations."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Aslo our service-to-service APIs are accessible by the admin or project"},{"line_number":28,"context_line":"users."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"Use Cases"},{"line_number":31,"context_line":"---------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"47f43efd_7d1bd012","line":28,"updated":"2022-11-14 20:39:27.000000000","message":"I think I would be a little more verbose here, saying something like:\n\n\"Another problem is that APIs which are meant to only be used by machines are able to be called by regular users and human admins. 
Requiring (and allowing only) a service role for these APIs help avoid intentional and accidental abuse.\"","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1309e0f10f40d1ed46e78d2d7c75351a6b905957","unresolved":false,"context_lines":[{"line_number":25,"context_line":"security practice as they can perform admin or project level operations."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Aslo our service-to-service APIs are accessible by the admin or project"},{"line_number":28,"context_line":"users."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"Use Cases"},{"line_number":31,"context_line":"---------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"96981d0c_5a1b425c","line":28,"in_reply_to":"47f43efd_7d1bd012","updated":"2022-11-14 21:02:55.000000000","message":"Done","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"92a7631f1db1debade2fb0e6a24b14007092e9fb","unresolved":true,"context_lines":[{"line_number":31,"context_line":"---------"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"As an operator I want to keep ``service`` role user to access"},{"line_number":34,"context_line":"service-to-service APIs with least privilege permission."},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Proposed change"},{"line_number":37,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"8e2743fb_11990ee9","line":34,"range":{"start_line":34,"start_character":45,"end_line":34,"end_character":55},"updated":"2022-11-14 20:39:27.000000000","message":"permission is redundant here. 
Recommend removing or replacing with \"possible\".","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e25d09a6541821daaada19c56ec70e183fcc9583","unresolved":false,"context_lines":[{"line_number":31,"context_line":"---------"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"As an operator I want to keep ``service`` role user to access"},{"line_number":34,"context_line":"service-to-service APIs with least privilege permission."},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Proposed change"},{"line_number":37,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9dc7a237_d3c0168e","line":34,"range":{"start_line":34,"start_character":45,"end_line":34,"end_character":55},"in_reply_to":"8e2743fb_11990ee9","updated":"2022-11-14 21:05:19.000000000","message":"Done","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"92a7631f1db1debade2fb0e6a24b14007092e9fb","unresolved":true,"context_lines":[{"line_number":36,"context_line":"Proposed change"},{"line_number":37,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"We need to make sure all the policy for internal service-to-service APIs"},{"line_number":40,"context_line":"are default to ``service`` role only. 
Example:"},{"line_number":41,"context_line":""},{"line_number":42,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3c3337a0_50f2143f","line":39,"range":{"start_line":39,"start_character":29,"end_line":39,"end_character":35},"updated":"2022-11-14 20:39:27.000000000","message":"\"policies\" or maybe better \"policy rules\"","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1309e0f10f40d1ed46e78d2d7c75351a6b905957","unresolved":false,"context_lines":[{"line_number":36,"context_line":"Proposed change"},{"line_number":37,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"We need to make sure all the policy for internal service-to-service APIs"},{"line_number":40,"context_line":"are default to ``service`` role only. Example:"},{"line_number":41,"context_line":""},{"line_number":42,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"1d0e4a15_e065b9c2","line":39,"range":{"start_line":39,"start_character":29,"end_line":39,"end_character":35},"in_reply_to":"3c3337a0_50f2143f","updated":"2022-11-14 21:02:55.000000000","message":"Done","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"92a7631f1db1debade2fb0e6a24b14007092e9fb","unresolved":true,"context_lines":[{"line_number":48,"context_line":"       scope_types\u003d[\u0027project\u0027]"},{"line_number":49,"context_line":"   )"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Keystone ``service`` role is kept outside of the existing role hierarchy"},{"line_number":52,"context_line":"that includes ``admin``, ``member``, and ``reader``. 
Keeping the ``service``"},{"line_number":53,"context_line":"role outside the current hierarchy ensures we\u0027re following the principle"},{"line_number":54,"context_line":"of least privilege for service accounts."}],"source_content_type":"text/x-rst","patch_set":1,"id":"ca5fe19a_857868c9","line":51,"range":{"start_line":51,"start_character":0,"end_line":51,"end_character":8},"updated":"2022-11-14 20:39:27.000000000","message":"\"Keystone\u0027s\"","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1309e0f10f40d1ed46e78d2d7c75351a6b905957","unresolved":false,"context_lines":[{"line_number":48,"context_line":"       scope_types\u003d[\u0027project\u0027]"},{"line_number":49,"context_line":"   )"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Keystone ``service`` role is kept outside of the existing role hierarchy"},{"line_number":52,"context_line":"that includes ``admin``, ``member``, and ``reader``. 
Keeping the ``service``"},{"line_number":53,"context_line":"role outside the current hierarchy ensures we\u0027re following the principle"},{"line_number":54,"context_line":"of least privilege for service accounts."}],"source_content_type":"text/x-rst","patch_set":1,"id":"37a26307_808c982d","line":51,"range":{"start_line":51,"start_character":0,"end_line":51,"end_character":8},"in_reply_to":"ca5fe19a_857868c9","updated":"2022-11-14 21:02:55.000000000","message":"Done","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"92a7631f1db1debade2fb0e6a24b14007092e9fb","unresolved":true,"context_lines":[{"line_number":56,"context_line":"We need to keep all the service-to-service APIs default to ``service`` role"},{"line_number":57,"context_line":"only and not to add any other role in policy default. If any of the"},{"line_number":58,"context_line":"service-to-service APIs are used by admin or non-admin user then Nova"},{"line_number":59,"context_line":"recommendation is to override the default in policy.yaml file."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"As Nova have dropped the system scope implementation, service-to-service"},{"line_number":62,"context_line":"communication with ``service`` role will be done with project scope token"}],"source_content_type":"text/x-rst","patch_set":1,"id":"310fa902_d2c030eb","line":59,"updated":"2022-11-14 20:39:27.000000000","message":"I agree with this on principle, but I think we have two classes of things:\n\n 1. APIs which are *only* suitable for services (i.e. swap volume, external event)\n 2. APIs which are both intended for service usage, but for which there is a valid admin reason as well.\n \nThe way this is worded it sounds like operators should have to override their policy for #2, and I don\u0027t think we want that. 
If there is an API that can be legitimately used by both, it should default to both.","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1309e0f10f40d1ed46e78d2d7c75351a6b905957","unresolved":false,"context_lines":[{"line_number":56,"context_line":"We need to keep all the service-to-service APIs default to ``service`` role"},{"line_number":57,"context_line":"only and not to add any other role in policy default. If any of the"},{"line_number":58,"context_line":"service-to-service APIs are used by admin or non-admin user then Nova"},{"line_number":59,"context_line":"recommendation is to override the default in policy.yaml file."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"As Nova have dropped the system scope implementation, service-to-service"},{"line_number":62,"context_line":"communication with ``service`` role will be done with project scope token"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1fc8ca1c_6ab48382","line":59,"in_reply_to":"310fa902_d2c030eb","updated":"2022-11-14 21:02:55.000000000","message":"Yes that is true, may be we have or will have some APIs for both usage. 
we can mention that.","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"92a7631f1db1debade2fb0e6a24b14007092e9fb","unresolved":true,"context_lines":[{"line_number":94,"context_line":"Security impact"},{"line_number":95,"context_line":"---------------"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"Easier to understand service-to-service APIs policy and restrict them to"},{"line_number":98,"context_line":"least privilege permission."},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"Notifications impact"}],"source_content_type":"text/x-rst","patch_set":1,"id":"cafa9222_95221c3a","line":97,"range":{"start_line":97,"start_character":56,"end_line":97,"end_character":64},"updated":"2022-11-14 20:39:27.000000000","message":"\"restricting\"","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1309e0f10f40d1ed46e78d2d7c75351a6b905957","unresolved":false,"context_lines":[{"line_number":94,"context_line":"Security impact"},{"line_number":95,"context_line":"---------------"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"Easier to understand service-to-service APIs policy and restrict them to"},{"line_number":98,"context_line":"least privilege permission."},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"Notifications impact"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ab7ecd2f_179655c1","line":97,"range":{"start_line":97,"start_character":56,"end_line":97,"end_character":64},"in_reply_to":"cafa9222_95221c3a","updated":"2022-11-14 21:02:55.000000000","message":"Done","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":4393,"name":"Dan 
Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"92a7631f1db1debade2fb0e6a24b14007092e9fb","unresolved":true,"context_lines":[{"line_number":172,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":173,"context_line":""},{"line_number":174,"context_line":"API Reference should be updated to add all the service-service APIs under"},{"line_number":175,"context_line":"separate section and mention about ``service`` role as their default."},{"line_number":176,"context_line":""},{"line_number":177,"context_line":"References"},{"line_number":178,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"db51e0bf_ca1e1cf5","line":175,"updated":"2022-11-14 20:39:27.000000000","message":"++","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ba7f72ea8f20f581b02687175cc837a9f4aacf7c","unresolved":false,"context_lines":[{"line_number":172,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":173,"context_line":""},{"line_number":174,"context_line":"API Reference should be updated to add all the service-service APIs under"},{"line_number":175,"context_line":"separate section and mention about ``service`` role as their default."},{"line_number":176,"context_line":""},{"line_number":177,"context_line":"References"},{"line_number":178,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"c65be448_de62b81f","line":175,"in_reply_to":"db51e0bf_ca1e1cf5","updated":"2022-11-15 
16:37:49.000000000","message":"Done","commit_id":"457712c0230d25d74d3fcf4fb35be543ef352bb2"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"21efd64ab726b2795a1b357fbaf95854ffa1d26d","unresolved":true,"context_lines":[{"line_number":32,"context_line":"Use Cases"},{"line_number":33,"context_line":"---------"},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"As an operator I want to keep ``service`` role user to access"},{"line_number":36,"context_line":"service-to-service APIs with least privilege."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":3,"id":"f32c05fa_baa606b6","line":35,"range":{"start_line":35,"start_character":25,"end_line":35,"end_character":29},"updated":"2022-11-15 13:28:32.000000000","message":"allow","commit_id":"dda24920941b62f1d2e676e6d40766690c14ac8f"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ba7f72ea8f20f581b02687175cc837a9f4aacf7c","unresolved":true,"context_lines":[{"line_number":32,"context_line":"Use Cases"},{"line_number":33,"context_line":"---------"},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"As an operator I want to keep ``service`` role user to access"},{"line_number":36,"context_line":"service-to-service APIs with least privilege."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":3,"id":"6ea9dac2_04205497","line":35,"range":{"start_line":35,"start_character":25,"end_line":35,"end_character":29},"in_reply_to":"f32c05fa_baa606b6","updated":"2022-11-15 16:37:49.000000000","message":"I think keep is fine too, as it supports the contention that service-to-service APIs should be *only* service-role, where 
possible.","commit_id":"dda24920941b62f1d2e676e6d40766690c14ac8f"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"707d0239308ed323c37cfba51613ae81ee10c90c","unresolved":false,"context_lines":[{"line_number":60,"context_line":"where APIs are both intended for service usage, as well as admin (any other"},{"line_number":61,"context_line":"user role) usage. For such policy rules we need to default them to ``service``"},{"line_number":62,"context_line":"as well as ``admin`` (or any other user role) role. For example,"},{"line_number":63,"context_line":"\u0027role:admin or role:service\u0027"},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"As Nova have dropped the system scope implementation, service-to-service"},{"line_number":66,"context_line":"communication with ``service`` role will be done with project scope token"}],"source_content_type":"text/x-rst","patch_set":3,"id":"7a1cfa64_de85d8ee","line":63,"updated":"2022-11-15 10:47:45.000000000","message":"Yup, please. For example, we always say that Placement can both be used for internal service usage *but* some of its APIs can be called from direct admin users in order to know the current capacity of their clouds.\n\nDefaulting to \u0027service\u0027 only would be too restrictive, here the proposal looks good to me.","commit_id":"dda24920941b62f1d2e676e6d40766690c14ac8f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f5a78a4ca12776835e3d15aa59cfe25edb14f5e9","unresolved":false,"context_lines":[{"line_number":60,"context_line":"where APIs are both intended for service usage, as well as admin (any other"},{"line_number":61,"context_line":"user role) usage. For such policy rules we need to default them to ``service``"},{"line_number":62,"context_line":"as well as ``admin`` (or any other user role) role. 
For example,"},{"line_number":63,"context_line":"\u0027role:admin or role:service\u0027"},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"As Nova have dropped the system scope implementation, service-to-service"},{"line_number":66,"context_line":"communication with ``service`` role will be done with project scope token"}],"source_content_type":"text/x-rst","patch_set":3,"id":"16b7ccde_0436715f","line":63,"in_reply_to":"0e6c6813_4150bbbe","updated":"2022-11-15 16:26:23.000000000","message":"yeah, I raised separate spec for placement and that is ready for review.","commit_id":"dda24920941b62f1d2e676e6d40766690c14ac8f"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"21efd64ab726b2795a1b357fbaf95854ffa1d26d","unresolved":false,"context_lines":[{"line_number":60,"context_line":"where APIs are both intended for service usage, as well as admin (any other"},{"line_number":61,"context_line":"user role) usage. For such policy rules we need to default them to ``service``"},{"line_number":62,"context_line":"as well as ``admin`` (or any other user role) role. 
For example,"},{"line_number":63,"context_line":"\u0027role:admin or role:service\u0027"},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"As Nova have dropped the system scope implementation, service-to-service"},{"line_number":66,"context_line":"communication with ``service`` role will be done with project scope token"}],"source_content_type":"text/x-rst","patch_set":3,"id":"0e6c6813_4150bbbe","line":63,"in_reply_to":"7a1cfa64_de85d8ee","updated":"2022-11-15 13:28:32.000000000","message":"placement is out of scope of this spec but we disucced this on irc and said placement should default the exising admin apis to admin-or-service as a first step.\n\nsee https://review.opendev.org/c/openstack/placement/+/864385","commit_id":"dda24920941b62f1d2e676e6d40766690c14ac8f"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"707d0239308ed323c37cfba51613ae81ee10c90c","unresolved":false,"context_lines":[{"line_number":71,"context_line":"* os_compute_api:os-assisted-volume-snapshots:create"},{"line_number":72,"context_line":"* os_compute_api:os-assisted-volume-snapshots:delete"},{"line_number":73,"context_line":"* os_compute_api:os-volumes-attachments:swap"},{"line_number":74,"context_line":"* os_compute_api:os-server-external-events:create"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Alternatives"},{"line_number":77,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"b12cbca6_9b4c3fd7","line":74,"updated":"2022-11-15 10:47:45.000000000","message":"*nods*","commit_id":"dda24920941b62f1d2e676e6d40766690c14ac8f"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"21efd64ab726b2795a1b357fbaf95854ffa1d26d","unresolved":false,"context_lines":[{"line_number":71,"context_line":"* 
os_compute_api:os-assisted-volume-snapshots:create"},{"line_number":72,"context_line":"* os_compute_api:os-assisted-volume-snapshots:delete"},{"line_number":73,"context_line":"* os_compute_api:os-volumes-attachments:swap"},{"line_number":74,"context_line":"* os_compute_api:os-server-external-events:create"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Alternatives"},{"line_number":77,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bd2c3f9b_406ecf0c","line":74,"in_reply_to":"b12cbca6_9b4c3fd7","updated":"2022-11-15 13:28:32.000000000","message":"the api intoduced by https://review.opendev.org/c/openstack/nova-specs/+/855490 should also use the service role\njust mentioning that for completeness but that spec shoud referenc this one.","commit_id":"dda24920941b62f1d2e676e6d40766690c14ac8f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f5a78a4ca12776835e3d15aa59cfe25edb14f5e9","unresolved":false,"context_lines":[{"line_number":71,"context_line":"* os_compute_api:os-assisted-volume-snapshots:create"},{"line_number":72,"context_line":"* os_compute_api:os-assisted-volume-snapshots:delete"},{"line_number":73,"context_line":"* os_compute_api:os-volumes-attachments:swap"},{"line_number":74,"context_line":"* os_compute_api:os-server-external-events:create"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Alternatives"},{"line_number":77,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1e4d3718_21d9a0c0","line":74,"in_reply_to":"bd2c3f9b_406ecf0c","updated":"2022-11-15 16:26:23.000000000","message":"+1","commit_id":"dda24920941b62f1d2e676e6d40766690c14ac8f"},{"author":{"_account_id":11604,"name":"sean 
mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"21efd64ab726b2795a1b357fbaf95854ffa1d26d","unresolved":true,"context_lines":[{"line_number":72,"context_line":"* os_compute_api:os-assisted-volume-snapshots:delete"},{"line_number":73,"context_line":"* os_compute_api:os-volumes-attachments:swap"},{"line_number":74,"context_line":"* os_compute_api:os-server-external-events:create"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Alternatives"},{"line_number":77,"context_line":"------------"},{"line_number":78,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"772be0aa_0e222905","line":75,"updated":"2022-11-15 13:28:32.000000000","message":"by the way the primary admin-or-service endpoint that comes to mind for nova, and this is a bit of a stretch, is the evacuate instance action. that can be used by masakari or ooo\u0027s instance ha but for now i think keeping it admin only is ok.\n\nwe can consider if we want to enable it as also a service api in the future but i think i would prefer not to long term.\n\nthe other one that might want to be admin-or-service is the hypervisor api for use by horizon. that said im not sure if horizon needs admin for managing flavors or if its using the user session token for admin calls. i would hope its the latter in which case there is no need to make the hypervisors api admin-or-service so i would leave it admin only for now.\n\n\nim just mentioning these for completeness but i think the endpoints you have identified are the primary service ones.","commit_id":"dda24920941b62f1d2e676e6d40766690c14ac8f"}]}
