)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"6ca2a7d7c9960f3ea80abeb9e81425e4b25ea3b7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"d5912ef7_b5f8727c","updated":"2024-12-16 08:09:45.000000000","message":"+1 as Sylvain is more familiar with this and is reviewing the diff from the previous proposal","commit_id":"a0dfe8a8361542067d0f4402267e0e3aba0db019"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"b13fe9dc288336893b80be085a944cdc02085251","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"70b0a788_da810d71","updated":"2024-12-13 08:37:11.000000000","message":"This is a reproposal from an already approved spec and this is on time before the soft spec freeze.\n\nI\u0027ll check the difference between the previous spec and this one later.","commit_id":"a0dfe8a8361542067d0f4402267e0e3aba0db019"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a6d3d2aecbc962117541f9f443f9454a224dda1f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"271ed9d8_f95d1f43","in_reply_to":"70b0a788_da810d71","updated":"2024-12-13 21:20:02.000000000","message":"There are two parts in this\n1. repropose the service role spec\n2. 
add manager role proposal\n\nLet me explicitly mention it in the commit msg also","commit_id":"a0dfe8a8361542067d0f4402267e0e3aba0db019"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"5e4e4d4685843d1df812821b7926ca919bfce25c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"3ac3972b_d3427671","updated":"2024-12-17 05:23:36.000000000","message":"Here we can read the HTML version \n\n- https://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_ccd/937650/3/check/openstack-tox-docs/ccd674c/docs/specs/2025.1/approved/policy-service-and-manager-role-default.html","commit_id":"90bfb079e670b981929494db8cab678ea7679a80"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"7be78d8e44e4359cbc2e5989fe1aa48ab6da62fb","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"7e764df1_3cf54e1a","updated":"2025-01-13 13:42:08.000000000","message":"This will need a spec freeze exception, but if gmann thinks they can complete this work this cycle then I\u0027m supportive of granting it.\n\n@gmann@ghanshyammann.com can you ensure you add this to the weekly meeting or ask for an exception on IRC.","commit_id":"53bd67a092a972f592a8e70eb3b2614649dbed7d"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e55e6b7f8bf8c55cbd7a871b82d2b55970d0a576","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"039ddb74_786691ee","updated":"2025-05-20 16:30:58.000000000","message":"Marking it as WIP as it needs more updates as per my testing in Tempest.","commit_id":"53bd67a092a972f592a8e70eb3b2614649dbed7d"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ede0ea0863860cc5efa5f8d330aa827aa754b535","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"92d71781_b9a76d02","in_reply_to":"4c9bec1d_88a6fb36","updated":"2025-01-15 18:50:22.000000000","message":"I see, thanks for the additional information. Will do the needful.","commit_id":"53bd67a092a972f592a8e70eb3b2614649dbed7d"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6f6d4d2d3883cb81e84e0aa15b972896f2432ede","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"a28d1123_e12f7983","in_reply_to":"7e764df1_3cf54e1a","updated":"2025-01-15 18:22:47.000000000","message":"I think I proposed this before spec freeze - https://review.opendev.org/c/openstack/nova-specs/+/937650/comments/70b0a788_da810d71","commit_id":"53bd67a092a972f592a8e70eb3b2614649dbed7d"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"0c11ede39084d0704fc7e90f59a9f906c8e05165","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"4c9bec1d_88a6fb36","in_reply_to":"a28d1123_e12f7983","updated":"2025-01-15 18:29:10.000000000","message":"The spec freeze was milestone 2 and it\u0027s the approval deadline, not the proposal deadline.\n\nhttps://releases.openstack.org/epoxy/schedule.html#epoxy-2-milestone\n\nso it was technically January 9th\n\nhttps://releases.openstack.org/epoxy/schedule.html#nova-spec-freeze\n\nwe had a soft freeze on December 12 for new proposals \n\nhttps://releases.openstack.org/epoxy/schedule.html#nova-spec-soft-freeze\n\nand you did propose it on time for that.\n\nThis is not an entirely new spec, however, as it\u0027s a partial reproposal of something that has been ongoing for many years, so if others agree I don\u0027t think we should punt this just because 
of the spec freeze deadline.","commit_id":"53bd67a092a972f592a8e70eb3b2614649dbed7d"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"db42a8e6bc14a4ce653e71e0cd44f70a7419b59b","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"edf74a39_2724dc4f","updated":"2025-05-29 15:44:27.000000000","message":"+1 I\u0027m largely OK with this.\nI\u0027m a little uncertain about moving any APIs from member to manager because of the interop problems.\n\nIf we had an API that allows you to discover the policy rules, that would resolve that concern, but that is probably out of scope for this spec.\n\nIt would be really nice to have an API in nova where I could call it with a token and it would tell me what endpoints I can call given my current roles etc. \n\nThat is quite hard to do, but it would make custom policy discoverable from the API and remove any interop concerns.\n\nLong term I think we need to move in that direction, just not now.","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6700db13ffd6f37a07a37225693672b11f031e78","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"e0274d4c_fe9f0fdc","updated":"2025-05-29 00:28:04.000000000","message":"I am proposing the manager and service role specs separately.\n\n* manager role - this spec\n* service role - re-proposing in https://review.opendev.org/c/openstack/nova-specs/+/951218","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":4690,"name":"melanie 
witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"8902b9a0018342b27dfa691c742917ff9fadf367","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"a62959a7_f1a17f9f","updated":"2025-06-06 22:32:54.000000000","message":"Looks good to me, definitely agree about the importance and usefulness of a role that represents an admin of a specific project.","commit_id":"da3d034db214c26254568af4ba19fb36af0081fb"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"8b7c618998d70f16831dac4be8c641f54674699d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"0b5b7a02_dc71af36","updated":"2025-06-05 13:05:09.000000000","message":"Makes sense and keeps us moving down the RBAC path.","commit_id":"da3d034db214c26254568af4ba19fb36af0081fb"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3b769c7438ae478f01b9f8dd040c3429cac31e64","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"ac4666cc_a7798927","updated":"2025-06-06 00:38:03.000000000","message":"I\u0027ll leave +W for mel to respond to my comment, but I think this is good to go from my perspective","commit_id":"da3d034db214c26254568af4ba19fb36af0081fb"}],"specs/2025.1/approved/policy-service-and-manager-role-default.rst":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"b86feff536a01deb63514e539e9957ca460b6311","unresolved":true,"context_lines":[{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Another useful role is \u0027manager\u0027 role at project level. 
A project manager"},{"line_number":19,"context_line":"can handle project-level management APIs and intended to perform more"},{"line_number":20,"context_line":"privileged operations than project member on its project resources."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"Problem description"},{"line_number":23,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"b24cf25a_89def407","line":20,"updated":"2024-12-13 02:25:52.000000000","message":"Note to self: the manager role is permissions in between admin and member:\n\nhttps://docs.openstack.org/keystone/latest/admin/service-api-protection.html#manager","commit_id":"a0dfe8a8361542067d0f4402267e0e3aba0db019"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ec205328d6e1ac076f38a0a1addf382df88389fa","unresolved":false,"context_lines":[{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Another useful role is \u0027manager\u0027 role at project level. 
A project manager"},{"line_number":19,"context_line":"can handle project-level management APIs and intended to perform more"},{"line_number":20,"context_line":"privileged operations than project member on its project resources."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"Problem description"},{"line_number":23,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"83e32ab7_4d38b8f0","line":20,"in_reply_to":"b24cf25a_89def407","updated":"2024-12-13 21:23:06.000000000","message":"Acknowledged","commit_id":"a0dfe8a8361542067d0f4402267e0e3aba0db019"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"b86feff536a01deb63514e539e9957ca460b6311","unresolved":true,"context_lines":[{"line_number":81,"context_line":"* os_compute_api:os-assisted-volume-snapshots:create"},{"line_number":82,"context_line":"* os_compute_api:os-assisted-volume-snapshots:delete"},{"line_number":83,"context_line":"* os_compute_api:os-volumes-attachments:swap"},{"line_number":84,"context_line":"* os_compute_api:os-server-external-events:create"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Manager role"},{"line_number":87,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"b8c723a7_d08716bd","line":84,"updated":"2024-12-13 02:25:52.000000000","message":"++ makes sense","commit_id":"a0dfe8a8361542067d0f4402267e0e3aba0db019"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ec205328d6e1ac076f38a0a1addf382df88389fa","unresolved":false,"context_lines":[{"line_number":81,"context_line":"* os_compute_api:os-assisted-volume-snapshots:create"},{"line_number":82,"context_line":"* 
os_compute_api:os-assisted-volume-snapshots:delete"},{"line_number":83,"context_line":"* os_compute_api:os-volumes-attachments:swap"},{"line_number":84,"context_line":"* os_compute_api:os-server-external-events:create"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Manager role"},{"line_number":87,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ca5e9c92_e1bbc7ce","line":84,"in_reply_to":"b8c723a7_d08716bd","updated":"2024-12-13 21:23:06.000000000","message":"Acknowledged","commit_id":"a0dfe8a8361542067d0f4402267e0e3aba0db019"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"b86feff536a01deb63514e539e9957ca460b6311","unresolved":true,"context_lines":[{"line_number":215,"context_line":"----------"},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"* Modify the service-to-service APIs defaults to ``service`` role"},{"line_number":218,"context_line":"* Modify the project-level management APIs defaults to ``manager`` role"},{"line_number":219,"context_line":"* Modify policy rule unit tests to use service and manager role token"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":1,"id":"50946c95_271a939e","line":218,"updated":"2024-12-13 02:25:52.000000000","message":"Is there a list of APIs in mind that will be changed to default to ``manager`` role? 
Lock/unlock was mentioned earlier but I wasn\u0027t sure what else would go in that bucket.","commit_id":"a0dfe8a8361542067d0f4402267e0e3aba0db019"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"6ca2a7d7c9960f3ea80abeb9e81425e4b25ea3b7","unresolved":true,"context_lines":[{"line_number":215,"context_line":"----------"},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"* Modify the service-to-service APIs defaults to ``service`` role"},{"line_number":218,"context_line":"* Modify the project-level management APIs defaults to ``manager`` role"},{"line_number":219,"context_line":"* Modify policy rule unit tests to use service and manager role token"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":1,"id":"939459ab_4bfa4451","line":218,"in_reply_to":"0f162e16_ee58a594","updated":"2024-12-16 08:09:45.000000000","message":"I see, I think that is OK.","commit_id":"a0dfe8a8361542067d0f4402267e0e3aba0db019"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ec205328d6e1ac076f38a0a1addf382df88389fa","unresolved":true,"context_lines":[{"line_number":215,"context_line":"----------"},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"* Modify the service-to-service APIs defaults to ``service`` role"},{"line_number":218,"context_line":"* Modify the project-level management APIs defaults to ``manager`` role"},{"line_number":219,"context_line":"* Modify policy rule unit tests to use service and manager role token"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":1,"id":"0f162e16_ee58a594","line":218,"in_reply_to":"50946c95_271a939e","updated":"2024-12-13 
21:23:06.000000000","message":"I was thinking of adding/preparing the exact list of APIs during implementation, and at that time, we can discuss if the manager role there makes sense or not. but I can add the initial list here, and if any change is needed, we can do it during implementation.","commit_id":"a0dfe8a8361542067d0f4402267e0e3aba0db019"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"7b16f15f84bac9f9d3abfd5faec2504734a71e68","unresolved":false,"context_lines":[{"line_number":215,"context_line":"----------"},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"* Modify the service-to-service APIs defaults to ``service`` role"},{"line_number":218,"context_line":"* Modify the project-level management APIs defaults to ``manager`` role"},{"line_number":219,"context_line":"* Modify policy rule unit tests to use service and manager role token"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff58391c_294d64a8","line":218,"in_reply_to":"939459ab_4bfa4451","updated":"2024-12-17 04:32:49.000000000","message":"Done","commit_id":"a0dfe8a8361542067d0f4402267e0e3aba0db019"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"e90472133b233dfefcde9df137bae244bf429b79","unresolved":true,"context_lines":[{"line_number":132,"context_line":"* \u0027os_compute_api:os-migrate-server:migrate\u0027 (\"Cold migrate a server without"},{"line_number":133,"context_line":"  specifying a host\")"},{"line_number":134,"context_line":"* \u0027os_compute_api:os-migrate-server:migrate_live\u0027 (\"Live migrate a server to a"},{"line_number":135,"context_line":"  new host without a reboot\")"},{"line_number":136,"context_line":"* \u0027os_compute_api:os-migrations:index\u0027 (\"List 
migrations\")"},{"line_number":137,"context_line":"* \u0027os_compute_api:servers:migrations:show\u0027 (\"Show details for an in-progress"},{"line_number":138,"context_line":"  live migration for a \"given server\")"}],"source_content_type":"text/x-rst","patch_set":3,"id":"cc32a1d9_c76ce871","line":135,"updated":"2025-01-08 15:20:01.000000000","message":"Hmmm, do we have another policy for migrate_live to a specific host?","commit_id":"90bfb079e670b981929494db8cab678ea7679a80"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2d5fdfae891f0d7958b5155abff6cac6173c4275","unresolved":false,"context_lines":[{"line_number":132,"context_line":"* \u0027os_compute_api:os-migrate-server:migrate\u0027 (\"Cold migrate a server without"},{"line_number":133,"context_line":"  specifying a host\")"},{"line_number":134,"context_line":"* \u0027os_compute_api:os-migrate-server:migrate_live\u0027 (\"Live migrate a server to a"},{"line_number":135,"context_line":"  new host without a reboot\")"},{"line_number":136,"context_line":"* \u0027os_compute_api:os-migrations:index\u0027 (\"List migrations\")"},{"line_number":137,"context_line":"* \u0027os_compute_api:servers:migrations:show\u0027 (\"Show details for an in-progress"},{"line_number":138,"context_line":"  live migration for a \"given server\")"}],"source_content_type":"text/x-rst","patch_set":3,"id":"6bafee3c_9f25c44d","line":135,"in_reply_to":"cc32a1d9_c76ce871","updated":"2025-01-09 01:40:57.000000000","message":"Yes, we do have a separate one, \u0027os_compute_api:os-migrate-server:migrate:host\u0027. 
As that needs host information, it stays admin only.\n\n- https://github.com/openstack/nova/blob/634be5191e0fde60aac774fb7917868de9a2b29c/nova/policies/migrate_server.py#L38","commit_id":"90bfb079e670b981929494db8cab678ea7679a80"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"55f25636e92cd5290ffb7def64f32a4b6fb5e6ba","unresolved":true,"context_lines":[{"line_number":142,"context_line":"  live migration for a given server \")"},{"line_number":143,"context_line":"* \u0027os_compute_api:servers:migrations:delete\u0027 (\"Delete(Abort) an in-progress"},{"line_number":144,"context_line":"  live migration\")"},{"line_number":145,"context_line":"* \u0027os_compute_api:os-admin-actions:reset_state\u0027 (\"Reset the state of a given"},{"line_number":146,"context_line":"  server\")"},{"line_number":147,"context_line":"* \u0027os_compute_api:os-admin-actions:inject_network_info\u0027 (\"Inject network"},{"line_number":148,"context_line":"  information into the server\")"},{"line_number":149,"context_line":"* \u0027os_compute_api:os-evacuate\u0027 (\"Evacuate a server from a failed host to a new"}],"source_content_type":"text/x-rst","patch_set":3,"id":"859887f4_a1639f00","line":146,"range":{"start_line":145,"start_character":1,"end_line":146,"end_character":10},"updated":"2025-01-08 14:07:53.000000000","message":"That is a fairly dangerous action. 
I\u0027m tempted to say we might want to keep it for real admins only.","commit_id":"90bfb079e670b981929494db8cab678ea7679a80"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2d5fdfae891f0d7958b5155abff6cac6173c4275","unresolved":false,"context_lines":[{"line_number":142,"context_line":"  live migration for a given server \")"},{"line_number":143,"context_line":"* \u0027os_compute_api:servers:migrations:delete\u0027 (\"Delete(Abort) an in-progress"},{"line_number":144,"context_line":"  live migration\")"},{"line_number":145,"context_line":"* \u0027os_compute_api:os-admin-actions:reset_state\u0027 (\"Reset the state of a given"},{"line_number":146,"context_line":"  server\")"},{"line_number":147,"context_line":"* \u0027os_compute_api:os-admin-actions:inject_network_info\u0027 (\"Inject network"},{"line_number":148,"context_line":"  information into the server\")"},{"line_number":149,"context_line":"* \u0027os_compute_api:os-evacuate\u0027 (\"Evacuate a server from a failed host to a new"}],"source_content_type":"text/x-rst","patch_set":3,"id":"e591be57_9760c294","line":146,"range":{"start_line":145,"start_character":1,"end_line":146,"end_character":10},"in_reply_to":"27073ded_cc17632a","updated":"2025-01-09 01:40:57.000000000","message":"OK, no strong argument to open it for the project manager. 
done","commit_id":"90bfb079e670b981929494db8cab678ea7679a80"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"e90472133b233dfefcde9df137bae244bf429b79","unresolved":true,"context_lines":[{"line_number":142,"context_line":"  live migration for a given server \")"},{"line_number":143,"context_line":"* \u0027os_compute_api:servers:migrations:delete\u0027 (\"Delete(Abort) an in-progress"},{"line_number":144,"context_line":"  live migration\")"},{"line_number":145,"context_line":"* \u0027os_compute_api:os-admin-actions:reset_state\u0027 (\"Reset the state of a given"},{"line_number":146,"context_line":"  server\")"},{"line_number":147,"context_line":"* \u0027os_compute_api:os-admin-actions:inject_network_info\u0027 (\"Inject network"},{"line_number":148,"context_line":"  information into the server\")"},{"line_number":149,"context_line":"* \u0027os_compute_api:os-evacuate\u0027 (\"Evacuate a server from a failed host to a new"}],"source_content_type":"text/x-rst","patch_set":3,"id":"27073ded_cc17632a","line":146,"range":{"start_line":145,"start_character":1,"end_line":146,"end_character":10},"in_reply_to":"859887f4_a1639f00","updated":"2025-01-08 15:20:01.000000000","message":"yup, agreed","commit_id":"90bfb079e670b981929494db8cab678ea7679a80"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"e90472133b233dfefcde9df137bae244bf429b79","unresolved":false,"context_lines":[{"line_number":147,"context_line":"* \u0027os_compute_api:os-admin-actions:inject_network_info\u0027 (\"Inject network"},{"line_number":148,"context_line":"  information into the server\")"},{"line_number":149,"context_line":"* \u0027os_compute_api:os-evacuate\u0027 (\"Evacuate a server from a failed host to a new"},{"line_number":150,"context_line":"  host\")"},{"line_number":151,"context_line":"* \u0027os_compute_api:os-instance-actions:events\u0027 (\"Add 
events details in action"},{"line_number":152,"context_line":"  details for a server\")"},{"line_number":153,"context_line":"* \u0027os_compute_api:os-instance-actions:events:details\u0027 (\"Add \"details\" key in"}],"source_content_type":"text/x-rst","patch_set":3,"id":"5efa2b97_76f14f88","line":150,"updated":"2025-01-08 15:20:01.000000000","message":"Of course, evacuate to host is a different policy.","commit_id":"90bfb079e670b981929494db8cab678ea7679a80"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2d5fdfae891f0d7958b5155abff6cac6173c4275","unresolved":false,"context_lines":[{"line_number":147,"context_line":"* \u0027os_compute_api:os-admin-actions:inject_network_info\u0027 (\"Inject network"},{"line_number":148,"context_line":"  information into the server\")"},{"line_number":149,"context_line":"* \u0027os_compute_api:os-evacuate\u0027 (\"Evacuate a server from a failed host to a new"},{"line_number":150,"context_line":"  host\")"},{"line_number":151,"context_line":"* \u0027os_compute_api:os-instance-actions:events\u0027 (\"Add events details in action"},{"line_number":152,"context_line":"  details for a server\")"},{"line_number":153,"context_line":"* \u0027os_compute_api:os-instance-actions:events:details\u0027 (\"Add \"details\" key in"}],"source_content_type":"text/x-rst","patch_set":3,"id":"a520f24a_bf6038ae","line":150,"in_reply_to":"5efa2b97_76f14f88","updated":"2025-01-09 01:40:57.000000000","message":"Nice point. Unfortunately we do not have any separate policy to evacuate to a specified host. If the host is passed (especially with the force flag), the server is evacuated to that host without checking any extra policy permission beyond the original evacuate permission. 
\n\n- https://github.com/openstack/nova/blob/634be5191e0fde60aac774fb7917868de9a2b29c/nova/policies/evacuate.py\n- https://github.com/openstack/nova/blob/634be5191e0fde60aac774fb7917868de9a2b29c/nova/api/openstack/compute/evacuate.py#L137-L139\n\nConsidering that, as part of this change, I think I should keep it admin only. \nIf needed, later we can add a separate policy for evacuating to a specified host and then change normal evacuate to admin-or-manager?","commit_id":"90bfb079e670b981929494db8cab678ea7679a80"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"55f25636e92cd5290ffb7def64f32a4b6fb5e6ba","unresolved":true,"context_lines":[{"line_number":148,"context_line":"  information into the server\")"},{"line_number":149,"context_line":"* \u0027os_compute_api:os-evacuate\u0027 (\"Evacuate a server from a failed host to a new"},{"line_number":150,"context_line":"  host\")"},{"line_number":151,"context_line":"* \u0027os_compute_api:os-instance-actions:events\u0027 (\"Add events details in action"},{"line_number":152,"context_line":"  details for a server\")"},{"line_number":153,"context_line":"* \u0027os_compute_api:os-instance-actions:events:details\u0027 (\"Add \"details\" key in"},{"line_number":154,"context_line":"  action events for a server\")"},{"line_number":155,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:list\u0027 (\"List all usage audits.\")"},{"line_number":156,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:show\u0027 (\"List all usage audits"},{"line_number":157,"context_line":"  occurred before a specified time for all servers\")"}],"source_content_type":"text/x-rst","patch_set":3,"id":"7dbd7530_70252415","line":154,"range":{"start_line":151,"start_character":0,"end_line":154,"end_character":30},"updated":"2025-01-08 14:07:53.000000000","message":"These details are about nova stack traces and maybe hostname 
information. I\u0027m not sure these are really actionable for a project admin.","commit_id":"90bfb079e670b981929494db8cab678ea7679a80"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2d5fdfae891f0d7958b5155abff6cac6173c4275","unresolved":false,"context_lines":[{"line_number":148,"context_line":"  information into the server\")"},{"line_number":149,"context_line":"* \u0027os_compute_api:os-evacuate\u0027 (\"Evacuate a server from a failed host to a new"},{"line_number":150,"context_line":"  host\")"},{"line_number":151,"context_line":"* \u0027os_compute_api:os-instance-actions:events\u0027 (\"Add events details in action"},{"line_number":152,"context_line":"  details for a server\")"},{"line_number":153,"context_line":"* \u0027os_compute_api:os-instance-actions:events:details\u0027 (\"Add \"details\" key in"},{"line_number":154,"context_line":"  action events for a server\")"},{"line_number":155,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:list\u0027 (\"List all usage audits.\")"},{"line_number":156,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:show\u0027 (\"List all usage audits"},{"line_number":157,"context_line":"  occurred before a specified time for all servers\")"}],"source_content_type":"text/x-rst","patch_set":3,"id":"a18b109a_893f26c8","line":154,"range":{"start_line":151,"start_character":0,"end_line":154,"end_character":30},"in_reply_to":"52fcc365_03aeb220","updated":"2025-01-09 01:40:57.000000000","message":"For actions it is a user policy, but returning events and event details is admin only\n- https://github.com/openstack/nova/blob/634be5191e0fde60aac774fb7917868de9a2b29c/nova/policies/instance_actions.py#L62\n\nYou are right gibi, we do return the host information in the events response without any separate information. 
\n- https://github.com/openstack/nova/blob/634be5191e0fde60aac774fb7917868de9a2b29c/nova/api/openstack/compute/instance_actions.py#L175\n\nLike evacuate (above comment), I will leave the events and events-detail policy admin only, and later, if we add a separate policy for events (if needed), we can change the non-admin level information for the project manager role.","commit_id":"90bfb079e670b981929494db8cab678ea7679a80"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"e90472133b233dfefcde9df137bae244bf429b79","unresolved":true,"context_lines":[{"line_number":148,"context_line":"  information into the server\")"},{"line_number":149,"context_line":"* \u0027os_compute_api:os-evacuate\u0027 (\"Evacuate a server from a failed host to a new"},{"line_number":150,"context_line":"  host\")"},{"line_number":151,"context_line":"* \u0027os_compute_api:os-instance-actions:events\u0027 (\"Add events details in action"},{"line_number":152,"context_line":"  details for a server\")"},{"line_number":153,"context_line":"* \u0027os_compute_api:os-instance-actions:events:details\u0027 (\"Add \"details\" key in"},{"line_number":154,"context_line":"  action events for a server\")"},{"line_number":155,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:list\u0027 (\"List all usage audits.\")"},{"line_number":156,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:show\u0027 (\"List all usage audits"},{"line_number":157,"context_line":"  occurred before a specified time for all servers\")"}],"source_content_type":"text/x-rst","patch_set":3,"id":"52fcc365_03aeb220","line":154,"range":{"start_line":151,"start_character":0,"end_line":154,"end_character":30},"in_reply_to":"7dbd7530_70252415","updated":"2025-01-08 15:20:01.000000000","message":"I think we clean up the stack traces for the instance actions, as it\u0027s already a user policy AFAIK\n\nAre we sure this was only an admin policy?","commit_id":"90bfb079e670b981929494db8cab678ea7679a80"},
{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"6310fb37add327b91b647c172ebf2898cf689c02","unresolved":false,"context_lines":[{"line_number":148,"context_line":"  information into the server\")"},{"line_number":149,"context_line":"* \u0027os_compute_api:os-evacuate\u0027 (\"Evacuate a server from a failed host to a new"},{"line_number":150,"context_line":"  host\")"},{"line_number":151,"context_line":"* \u0027os_compute_api:os-instance-actions:events\u0027 (\"Add events details in action"},{"line_number":152,"context_line":"  details for a server\")"},{"line_number":153,"context_line":"* \u0027os_compute_api:os-instance-actions:events:details\u0027 (\"Add \"details\" key in"},{"line_number":154,"context_line":"  action events for a server\")"},{"line_number":155,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:list\u0027 (\"List all usage audits.\")"},{"line_number":156,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:show\u0027 (\"List all usage audits"},{"line_number":157,"context_line":"  occurred before a specified time for all servers\")"}],"source_content_type":"text/x-rst","patch_set":3,"id":"a05a93ed_a03aa05e","line":154,"range":{"start_line":151,"start_character":0,"end_line":154,"end_character":30},"in_reply_to":"a18b109a_893f26c8","updated":"2025-01-09 12:01:30.000000000","message":"OK, works for me.","commit_id":"90bfb079e670b981929494db8cab678ea7679a80"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"55f25636e92cd5290ffb7def64f32a4b6fb5e6ba","unresolved":true,"context_lines":[{"line_number":262,"context_line":"overrides these policies then, they need to start considering the new"},{"line_number":263,"context_line":"default policy rules. 
Same thing for any policy default changed from the"},{"line_number":264,"context_line":"``member`` role to ``manager`` role."},{"line_number":265,"context_line":""},{"line_number":266,"context_line":"Implementation"},{"line_number":267,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"41868adc_b0c498d1","line":265,"updated":"2025-01-08 14:07:53.000000000","message":"Is there any special consideration regarding the service-to-service communication via the new policy defaults during a rolling upgrade where some services has already been upgraded and therefore expect a token with a service role while others are not upgraded yet and therefore expect an admin token instead?","commit_id":"90bfb079e670b981929494db8cab678ea7679a80"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a2745fe57935910be1087f46569f59b467fb89ae","unresolved":false,"context_lines":[{"line_number":262,"context_line":"overrides these policies then, they need to start considering the new"},{"line_number":263,"context_line":"default policy rules. 
Same thing for any policy default changed from the"},{"line_number":264,"context_line":"``member`` role to ``manager`` role."},{"line_number":265,"context_line":""},{"line_number":266,"context_line":"Implementation"},{"line_number":267,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"747f65e2_8af67b24","line":265,"in_reply_to":"1e0c2641_75466e63","updated":"2025-01-10 22:26:25.000000000","message":"Done","commit_id":"90bfb079e670b981929494db8cab678ea7679a80"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2d5fdfae891f0d7958b5155abff6cac6173c4275","unresolved":true,"context_lines":[{"line_number":262,"context_line":"overrides these policies then, they need to start considering the new"},{"line_number":263,"context_line":"default policy rules. Same thing for any policy default changed from the"},{"line_number":264,"context_line":"``member`` role to ``manager`` role."},{"line_number":265,"context_line":""},{"line_number":266,"context_line":"Implementation"},{"line_number":267,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"7bb6c255_f9c220aa","line":265,"in_reply_to":"41868adc_b0c498d1","updated":"2025-01-09 01:40:57.000000000","message":"yeah that is the important point. It can be handled in two ways:\n\n1. service-to-service communication tokens are configurable and the operator can always configure the service role token there. Currently, most of the services do send the admin+service token (has admin and service role) when communicating to other services so they will continue passing with old as well as new policy defaults. 
Though the end goal is to remove the admin role from the service token, we can keep it for some time during migration.\n-https://github.com/openstack/cinder/blob/962fe29e778c58a8e90c78602e7249cb4b06e450/cinder/compute/nova.py#L35-L55\n-example https://zuul.opendev.org/t/openstack/build/e56397212cb64864b766fade8dca99f6/log/controller/logs/etc/cinder/cinder_conf.txt#74\n\n2. services still support the old defaults, and that will give operators some time to upgrade the services so that new tokens are used among the service-to-service communication APIs, which are service-only policies.","commit_id":"90bfb079e670b981929494db8cab678ea7679a80"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"6310fb37add327b91b647c172ebf2898cf689c02","unresolved":true,"context_lines":[{"line_number":262,"context_line":"overrides these policies then, they need to start considering the new"},{"line_number":263,"context_line":"default policy rules. Same thing for any policy default changed from the"},{"line_number":264,"context_line":"``member`` role to ``manager`` role."},{"line_number":265,"context_line":""},{"line_number":266,"context_line":"Implementation"},{"line_number":267,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":268,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"1e0c2641_75466e63","line":265,"in_reply_to":"7bb6c255_f9c220aa","updated":"2025-01-09 12:01:30.000000000","message":"OK. 
This sounds good to me.","commit_id":"90bfb079e670b981929494db8cab678ea7679a80"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"97ee3f80d138816136f4d9daf675402a82aaed56","unresolved":true,"context_lines":[{"line_number":58,"context_line":"       name\u003d\u0027os_compute_api:os-server-external-events:create\u0027,"},{"line_number":59,"context_line":"       check_str\u003d\u0027role:service\u0027,"},{"line_number":60,"context_line":"       scope_types\u003d[\u0027project\u0027]"},{"line_number":61,"context_line":"   )"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Keystone\u0027s ``service`` role is kept outside of the existing role hierarchy"},{"line_number":64,"context_line":"that includes ``admin``, ``member``, and ``reader``. Keeping the ``service``"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3bb4a6ec_6b26812a","line":61,"updated":"2025-01-09 11:49:10.000000000","message":"Should this not be \"admin_or_service\" initially for upgrade reasons\nand then role:service next cycle?\n\nWe need one release IMO for neutron and cinder to adapt to requiring the service user to be used instead of admin when talking to this endpoint, unless\nthey unconditionally require both already.","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"42e4c7db7eb3cff72efcf837c72b409f74c03c05","unresolved":false,"context_lines":[{"line_number":58,"context_line":"       name\u003d\u0027os_compute_api:os-server-external-events:create\u0027,"},{"line_number":59,"context_line":"       check_str\u003d\u0027role:service\u0027,"},{"line_number":60,"context_line":"       scope_types\u003d[\u0027project\u0027]"},{"line_number":61,"context_line":"   
)"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Keystone\u0027s ``service`` role is kept outside of the existing role hierarchy"},{"line_number":64,"context_line":"that includes ``admin``, ``member``, and ``reader``. Keeping the ``service``"}],"source_content_type":"text/x-rst","patch_set":4,"id":"22c0f652_5915c7a6","line":61,"in_reply_to":"3bb4a6ec_6b26812a","updated":"2025-01-10 21:22:19.000000000","message":"I think services use the admin+service role but that is configurable and there might be operators which might have configured an admin token for the service token. I am fine to give some transition time to them and we can make it admin_service for a cycle. done","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"97ee3f80d138816136f4d9daf675402a82aaed56","unresolved":true,"context_lines":[{"line_number":74,"context_line":""},{"line_number":75,"context_line":"As Nova have dropped the system scope implementation, service-to-service"},{"line_number":76,"context_line":"communication with ``service`` role will be done with project scope token"},{"line_number":77,"context_line":"(which is currently done in devstack setup)."},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"Below APIs policy will be default to ``service`` role:"},{"line_number":80,"context_line":"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""}],"source_content_type":"text/x-rst","patch_set":4,"id":"ff6a48b9_ce94dbbc","line":77,"updated":"2025-01-09 11:49:10.000000000","message":"+1","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"42e4c7db7eb3cff72efcf837c72b409f74c03c05","unresolved":false,"context_lines":[{"line_number":74,"context_line":""},{"line_number":75,"context_line":"As Nova have dropped the system scope implementation, service-to-service"},{"line_number":76,"context_line":"communication with ``service`` role will be done with project scope token"},{"line_number":77,"context_line":"(which is currently done in devstack setup)."},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"Below APIs policy will be default to ``service`` role:"},{"line_number":80,"context_line":"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""}],"source_content_type":"text/x-rst","patch_set":4,"id":"9236e0db_a671d033","line":77,"in_reply_to":"ff6a48b9_ce94dbbc","updated":"2025-01-10 21:22:19.000000000","message":"Acknowledged","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"97ee3f80d138816136f4d9daf675402a82aaed56","unresolved":true,"context_lines":[{"line_number":82,"context_line":"* os_compute_api:os-assisted-volume-snapshots:create"},{"line_number":83,"context_line":"* os_compute_api:os-assisted-volume-snapshots:delete"},{"line_number":84,"context_line":"* os_compute_api:os-volumes-attachments:swap"},{"line_number":85,"context_line":"* os_compute_api:os-server-external-events:create"},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Manager role"},{"line_number":88,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"6ddb6f79_3c72706e","line":85,"updated":"2025-01-09 11:49:10.000000000","message":"Again, I agree that in the long term it should, but for 2025.1 I think it needs to be admin or service \n\nand then just service in 2025.2 or 
2026.1","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"42e4c7db7eb3cff72efcf837c72b409f74c03c05","unresolved":false,"context_lines":[{"line_number":82,"context_line":"* os_compute_api:os-assisted-volume-snapshots:create"},{"line_number":83,"context_line":"* os_compute_api:os-assisted-volume-snapshots:delete"},{"line_number":84,"context_line":"* os_compute_api:os-volumes-attachments:swap"},{"line_number":85,"context_line":"* os_compute_api:os-server-external-events:create"},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Manager role"},{"line_number":88,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"4f85db24_b88e8156","line":85,"in_reply_to":"6ddb6f79_3c72706e","updated":"2025-01-10 21:22:19.000000000","message":"Done","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"97ee3f80d138816136f4d9daf675402a82aaed56","unresolved":true,"context_lines":[{"line_number":122,"context_line":"               \u0027path\u0027: \u0027/servers/{server_id}/action (os-migrateLive)\u0027"},{"line_number":123,"context_line":"           }"},{"line_number":124,"context_line":"       ],"},{"line_number":125,"context_line":"   )"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"Below APIs policy will be default to ``PROJECT_MANAGER_OR_ADMIN`` role:"},{"line_number":128,"context_line":"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""}],"source_content_type":"text/x-rst","patch_set":4,"id":"79600429_066c4528","line":125,"updated":"2025-01-09 11:49:10.000000000","message":"I\u0027m ok with a manager being able to live 
migrate an instance, but I assume we won\u0027t allow them to select a host by default? That would still be admin only? But they can ask to live migrate and have the scheduler select a host.\n\nThe reason I\u0027m asking is I think it would be problematic to ever allow the manager role to do a force live migration to a specific host in the default policy, since using the old microversion to do a force migration bypasses the tenant isolation filter among others.","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"42e4c7db7eb3cff72efcf837c72b409f74c03c05","unresolved":false,"context_lines":[{"line_number":122,"context_line":"               \u0027path\u0027: \u0027/servers/{server_id}/action (os-migrateLive)\u0027"},{"line_number":123,"context_line":"           }"},{"line_number":124,"context_line":"       ],"},{"line_number":125,"context_line":"   )"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"Below APIs policy will be default to ``PROJECT_MANAGER_OR_ADMIN`` role:"},{"line_number":128,"context_line":"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""}],"source_content_type":"text/x-rst","patch_set":4,"id":"496356a8_b4c2fcb9","line":125,"in_reply_to":"79600429_066c4528","updated":"2025-01-10 21:22:19.000000000","message":"Agree, but we do not have a separate policy for live migration to a specified host\n\n- https://github.com/openstack/nova/blob/a459467899d2b406aa8cf530ae481255eaf3c957/nova/api/openstack/compute/migrate_server.py#L111\n\nLike many other operations, we need to add a separate policy for that (which will default to admin only) and then we can make the live migrate policy (for scheduler selected host) default to admin-or-manager (similar to the cold migration policy for specified host and not 
specified host). Until then I will keep live migration allowed for admin only. \ndone","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"42e4c7db7eb3cff72efcf837c72b409f74c03c05","unresolved":false,"context_lines":[{"line_number":131,"context_line":""},{"line_number":132,"context_line":"* \u0027os_compute_api:os-migrate-server:migrate\u0027 (\"Cold migrate a server without"},{"line_number":133,"context_line":"  specifying a host\")"},{"line_number":134,"context_line":"* \u0027os_compute_api:os-migrate-server:migrate_live\u0027 (\"Live migrate a server to a"},{"line_number":135,"context_line":"  new host without a reboot\")"},{"line_number":136,"context_line":"* \u0027os_compute_api:os-migrations:index\u0027 (\"List migrations\")"},{"line_number":137,"context_line":"* \u0027os_compute_api:servers:migrations:show\u0027 (\"Show details for an in-progress"},{"line_number":138,"context_line":"  live migration for a \"given server\")"}],"source_content_type":"text/x-rst","patch_set":4,"id":"bbce9441_ce4f6cd0","line":135,"range":{"start_line":134,"start_character":0,"end_line":135,"end_character":29},"updated":"2025-01-10 21:22:19.000000000","message":"need to keep it for admin only until we add the separate policy for migrate to specified host.","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"97ee3f80d138816136f4d9daf675402a82aaed56","unresolved":true,"context_lines":[{"line_number":133,"context_line":"  specifying a host\")"},{"line_number":134,"context_line":"* \u0027os_compute_api:os-migrate-server:migrate_live\u0027 (\"Live migrate a server to a"},{"line_number":135,"context_line":"  new host without a reboot\")"},{"line_number":136,"context_line":"* 
\u0027os_compute_api:os-migrations:index\u0027 (\"List migrations\")"},{"line_number":137,"context_line":"* \u0027os_compute_api:servers:migrations:show\u0027 (\"Show details for an in-progress"},{"line_number":138,"context_line":"  live migration for a \"given server\")"},{"line_number":139,"context_line":"* \u0027os_compute_api:servers:migrations:index\u0027 (\"Lists in-progress live migrations"},{"line_number":140,"context_line":"  for a given server\")"},{"line_number":141,"context_line":"* \u0027os_compute_api:servers:migrations:force_complete\u0027 (\"Force an in-progress"},{"line_number":142,"context_line":"  live migration for a given server \")"},{"line_number":143,"context_line":"* \u0027os_compute_api:servers:migrations:delete\u0027 (\"Delete(Abort) an in-progress"}],"source_content_type":"text/x-rst","patch_set":4,"id":"55998b07_c1b4e0e5","line":140,"range":{"start_line":136,"start_character":0,"end_line":140,"end_character":22},"updated":"2025-01-09 11:49:10.000000000","message":"I do not agree with this.\n\nThis includes the source and destination compute node (hypervisor_hostname and host value).\n\n {\n            \"created_at\": \"2012-10-29T13:42:02.000000\",\n            \"dest_compute\": \"compute2\",\n            \"dest_host\": \"1.2.3.4\",\n            \"dest_node\": \"node2\",\n            \"id\": 1234,\n            \"instance_uuid\": \"8600d31b-d1a1-4632-b2ff-45c2be1a70ff\",\n            \"new_instance_type_id\": 2,\n            \"old_instance_type_id\": 1,\n            \"source_compute\": \"compute1\",\n            \"source_node\": \"node1\",\n            \"status\": \"done\",\n            \"updated_at\": \"2012-10-29T13:42:02.000000\"\n        },\n        \nThat is not appropriate to expose to an end user even with the manager role.\n\nIf we allow this API to be called with a manager role we need to filter out the host-specific fields.\n\n\nThat applies to all 3 
apis","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"42e4c7db7eb3cff72efcf837c72b409f74c03c05","unresolved":false,"context_lines":[{"line_number":133,"context_line":"  specifying a host\")"},{"line_number":134,"context_line":"* \u0027os_compute_api:os-migrate-server:migrate_live\u0027 (\"Live migrate a server to a"},{"line_number":135,"context_line":"  new host without a reboot\")"},{"line_number":136,"context_line":"* \u0027os_compute_api:os-migrations:index\u0027 (\"List migrations\")"},{"line_number":137,"context_line":"* \u0027os_compute_api:servers:migrations:show\u0027 (\"Show details for an in-progress"},{"line_number":138,"context_line":"  live migration for a \"given server\")"},{"line_number":139,"context_line":"* \u0027os_compute_api:servers:migrations:index\u0027 (\"Lists in-progress live migrations"},{"line_number":140,"context_line":"  for a given server\")"},{"line_number":141,"context_line":"* \u0027os_compute_api:servers:migrations:force_complete\u0027 (\"Force an in-progress"},{"line_number":142,"context_line":"  live migration for a given server \")"},{"line_number":143,"context_line":"* \u0027os_compute_api:servers:migrations:delete\u0027 (\"Delete(Abort) an in-progress"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7a5bae70_8d85fb30","line":140,"range":{"start_line":136,"start_character":0,"end_line":140,"end_character":22},"in_reply_to":"55998b07_c1b4e0e5","updated":"2025-01-10 21:22:19.000000000","message":"thanks, yeah we should not allow manager to know host info. I missed these to audit. 
done","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"97ee3f80d138816136f4d9daf675402a82aaed56","unresolved":true,"context_lines":[{"line_number":142,"context_line":"  live migration for a given server \")"},{"line_number":143,"context_line":"* \u0027os_compute_api:servers:migrations:delete\u0027 (\"Delete(Abort) an in-progress"},{"line_number":144,"context_line":"  live migration\")"},{"line_number":145,"context_line":"* \u0027os_compute_api:os-admin-actions:inject_network_info\u0027 (\"Inject network"},{"line_number":146,"context_line":"  information into the server\")"},{"line_number":147,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:list\u0027 (\"List all usage audits.\")"},{"line_number":148,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:show\u0027 (\"List all usage audits"},{"line_number":149,"context_line":"  occurred before a specified time for all servers\")"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3831dc74_a916ce36","line":146,"range":{"start_line":145,"start_character":3,"end_line":146,"end_character":31},"updated":"2025-01-09 11:49:10.000000000","message":"This feature is deprecated, so I don\u0027t think it is reasonable to grant access to the manager role; even admins should not be using this today.","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"42e4c7db7eb3cff72efcf837c72b409f74c03c05","unresolved":false,"context_lines":[{"line_number":142,"context_line":"  live migration for a given server \")"},{"line_number":143,"context_line":"* \u0027os_compute_api:servers:migrations:delete\u0027 (\"Delete(Abort) an in-progress"},{"line_number":144,"context_line":"  live 
migration\")"},{"line_number":145,"context_line":"* \u0027os_compute_api:os-admin-actions:inject_network_info\u0027 (\"Inject network"},{"line_number":146,"context_line":"  information into the server\")"},{"line_number":147,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:list\u0027 (\"List all usage audits.\")"},{"line_number":148,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:show\u0027 (\"List all usage audits"},{"line_number":149,"context_line":"  occurred before a specified time for all servers\")"}],"source_content_type":"text/x-rst","patch_set":4,"id":"12454445_cb8945c7","line":146,"range":{"start_line":145,"start_character":3,"end_line":146,"end_character":31},"in_reply_to":"3831dc74_a916ce36","updated":"2025-01-10 21:22:19.000000000","message":"done. agree not to enhance access for the deprecated things.","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"97ee3f80d138816136f4d9daf675402a82aaed56","unresolved":true,"context_lines":[{"line_number":147,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:list\u0027 (\"List all usage audits.\")"},{"line_number":148,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:show\u0027 (\"List all usage audits"},{"line_number":149,"context_line":"  occurred before a specified time for all servers\")"},{"line_number":150,"context_line":"* \u0027os_compute_api:os-server-diagnostics\u0027 (\"Show the usage data for a server\")"},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"**Current default: PROJECT_MEMBER_OR_ADMIN -\u003e New"},{"line_number":153,"context_line":"default: PROJECT_MANAGER_OR_ADMIN:**"}],"source_content_type":"text/x-rst","patch_set":4,"id":"240b935c_0d022a3e","line":150,"range":{"start_line":150,"start_character":2,"end_line":150,"end_character":77},"updated":"2025-01-09 
11:49:10.000000000","message":"This leaks host-specific info like the virt_type (qemu vs kvm), virt driver and host OS, so I don\u0027t think this is appropriate to leak to the manager persona.\n\nThe manager role should not have any info about the underlying host.","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"35e189118f30370a47218ad7aae0d7985b0ccc62","unresolved":true,"context_lines":[{"line_number":147,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:list\u0027 (\"List all usage audits.\")"},{"line_number":148,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:show\u0027 (\"List all usage audits"},{"line_number":149,"context_line":"  occurred before a specified time for all servers\")"},{"line_number":150,"context_line":"* \u0027os_compute_api:os-server-diagnostics\u0027 (\"Show the usage data for a server\")"},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"**Current default: PROJECT_MEMBER_OR_ADMIN -\u003e New"},{"line_number":153,"context_line":"default: PROJECT_MANAGER_OR_ADMIN:**"}],"source_content_type":"text/x-rst","patch_set":4,"id":"b940ab99_963cd870","line":150,"range":{"start_line":150,"start_character":2,"end_line":150,"end_character":77},"in_reply_to":"240b935c_0d022a3e","updated":"2025-01-09 16:28:47.000000000","message":"By the way, for the APIs that expose infra-specific info,\nI see two paths forward: 1. remove them from this version of the spec and address that next cycle, 2. we could address this by filtering the infra fields and returning them only to an admin, as we do with the admin-only fields in the server show. 
That would require marking them as not required in the response schema.\nI also don\u0027t know if we should have a new microversion for that as a result, as clients can no longer depend on those always being present.","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"42e4c7db7eb3cff72efcf837c72b409f74c03c05","unresolved":false,"context_lines":[{"line_number":147,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:list\u0027 (\"List all usage audits.\")"},{"line_number":148,"context_line":"* \u0027os_compute_api:os-instance-usage-audit-log:show\u0027 (\"List all usage audits"},{"line_number":149,"context_line":"  occurred before a specified time for all servers\")"},{"line_number":150,"context_line":"* \u0027os_compute_api:os-server-diagnostics\u0027 (\"Show the usage data for a server\")"},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"**Current default: PROJECT_MEMBER_OR_ADMIN -\u003e New"},{"line_number":153,"context_line":"default: PROJECT_MANAGER_OR_ADMIN:**"}],"source_content_type":"text/x-rst","patch_set":4,"id":"8447d619_3771b2a1","line":150,"range":{"start_line":150,"start_character":2,"end_line":150,"end_character":77},"in_reply_to":"b940ab99_963cd870","updated":"2025-01-10 21:22:19.000000000","message":"I see, let\u0027s keep it for admin for now and we can address it later if there is a specific requirement for the manager role to access other info.","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"97ee3f80d138816136f4d9daf675402a82aaed56","unresolved":true,"context_lines":[{"line_number":157,"context_line":"* \u0027os_compute_api:os-deferred-delete:restore\u0027 (\"Restore a soft deleted server\")"},{"line_number":158,"context_line":"* 
\u0027os_compute_api:os-deferred-delete:force\u0027 (\"Force delete a server before"},{"line_number":159,"context_line":"  deferred cleanup\")"},{"line_number":160,"context_line":""},{"line_number":161,"context_line":".. note::"},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"   Currently, project member can perform the below server actions. It might"}],"source_content_type":"text/x-rst","patch_set":4,"id":"e5256304_686bee7f","line":160,"updated":"2025-01-09 11:49:10.000000000","message":"+1 these seem fine.","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"42e4c7db7eb3cff72efcf837c72b409f74c03c05","unresolved":false,"context_lines":[{"line_number":157,"context_line":"* \u0027os_compute_api:os-deferred-delete:restore\u0027 (\"Restore a soft deleted server\")"},{"line_number":158,"context_line":"* \u0027os_compute_api:os-deferred-delete:force\u0027 (\"Force delete a server before"},{"line_number":159,"context_line":"  deferred cleanup\")"},{"line_number":160,"context_line":""},{"line_number":161,"context_line":".. note::"},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"   Currently, project member can perform the below server actions. 
It might"}],"source_content_type":"text/x-rst","patch_set":4,"id":"1da27d47_5b362e46","line":160,"in_reply_to":"e5256304_686bee7f","updated":"2025-01-10 21:22:19.000000000","message":"Acknowledged","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"97ee3f80d138816136f4d9daf675402a82aaed56","unresolved":true,"context_lines":[{"line_number":180,"context_line":"   * \u0027os_compute_api:servers:reboot\u0027 (\"Reboot a server\")"},{"line_number":181,"context_line":"   * \u0027os_compute_api:servers:rebuild\u0027 (\"Rebuild a server\")"},{"line_number":182,"context_line":"   * \u0027os_compute_api:servers:rebuild:trusted_certs\u0027 (\"Rebuild a server with"},{"line_number":183,"context_line":"     trusted image certificate IDs\")"},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Alternatives"},{"line_number":186,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"2ab01aa2_d3658113","line":183,"updated":"2025-01-09 11:49:10.000000000","message":"I agree, I think these should remain project member.\n\nLock is the only one I would consider modifying to require manager, but I don\u0027t think the upgrade impact and interop problems that change would cause are warranted.","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"42e4c7db7eb3cff72efcf837c72b409f74c03c05","unresolved":false,"context_lines":[{"line_number":180,"context_line":"   * \u0027os_compute_api:servers:reboot\u0027 (\"Reboot a server\")"},{"line_number":181,"context_line":"   * \u0027os_compute_api:servers:rebuild\u0027 (\"Rebuild a server\")"},{"line_number":182,"context_line":"   * \u0027os_compute_api:servers:rebuild:trusted_certs\u0027 (\"Rebuild a server 
with"},{"line_number":183,"context_line":"     trusted image certificate IDs\")"},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"Alternatives"},{"line_number":186,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"d6cf7bcc_c8e91d9c","line":183,"in_reply_to":"2ab01aa2_d3658113","updated":"2025-01-10 21:22:19.000000000","message":"Acknowledged","commit_id":"1989c67d5e377c77a0d2885d080fdf3d35b5f1e1"}],"specs/2025.2/approved/policy-manager-role-default.rst":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"db42a8e6bc14a4ce653e71e0cd44f70a7419b59b","unresolved":true,"context_lines":[{"line_number":105,"context_line":"  server\")"},{"line_number":106,"context_line":"* \u0027os_compute_api:os-deferred-delete:restore\u0027 (\"Restore a soft deleted server\")"},{"line_number":107,"context_line":"* \u0027os_compute_api:os-deferred-delete:force\u0027 (\"Force delete a server before"},{"line_number":108,"context_line":"  deferred cleanup\")"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"**Introducing new policy to allow more operation for ``manager`` users:**"},{"line_number":111,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"e15bad8b_914fe374","line":108,"updated":"2025-05-29 15:44:27.000000000","message":"This might be reasonable to do, but it has an upgrade and interop impact.\nit\u0027s a non-discoverable config-driven api change since policy is not currently visible at the api level and we do not bump the microversion for policy changes.\n\nGiven how infrequently these apis are really used it is probably ok but we will need to document this in the api-ref and state that the policy default changed in 2025.2","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"970845f5bab4381d1d49bdedd06b078c41fa2f91","unresolved":true,"context_lines":[{"line_number":105,"context_line":"  server\")"},{"line_number":106,"context_line":"* \u0027os_compute_api:os-deferred-delete:restore\u0027 (\"Restore a soft deleted server\")"},{"line_number":107,"context_line":"* \u0027os_compute_api:os-deferred-delete:force\u0027 (\"Force delete a server before"},{"line_number":108,"context_line":"  deferred cleanup\")"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"**Introducing new policy to allow more operation for ``manager`` users:**"},{"line_number":111,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"95327c48_fe9d80de","line":108,"in_reply_to":"86526d06_92eee5da","updated":"2025-05-29 18:08:18.000000000","message":"I did not mean to mark this comment as resolved. I cannot disagree with Sean\u0027s concern about the upgrade, so let\u0027s see what others think about this upgrade impact. If they are useful for member role, we can keep those as member level. 
If allowed for member then manager anyways can perform these actions also.","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3b769c7438ae478f01b9f8dd040c3429cac31e64","unresolved":false,"context_lines":[{"line_number":105,"context_line":"  server\")"},{"line_number":106,"context_line":"* \u0027os_compute_api:os-deferred-delete:restore\u0027 (\"Restore a soft deleted server\")"},{"line_number":107,"context_line":"* \u0027os_compute_api:os-deferred-delete:force\u0027 (\"Force delete a server before"},{"line_number":108,"context_line":"  deferred cleanup\")"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"**Introducing new policy to allow more operation for ``manager`` users:**"},{"line_number":111,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"cdf9f932_8bdba759","line":108,"in_reply_to":"95327c48_fe9d80de","updated":"2025-06-06 00:38:03.000000000","message":"Acknowledged","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"14b2899b0a8d2829161ecc34c462887f92c0d587","unresolved":false,"context_lines":[{"line_number":105,"context_line":"  server\")"},{"line_number":106,"context_line":"* \u0027os_compute_api:os-deferred-delete:restore\u0027 (\"Restore a soft deleted server\")"},{"line_number":107,"context_line":"* \u0027os_compute_api:os-deferred-delete:force\u0027 (\"Force delete a server before"},{"line_number":108,"context_line":"  deferred cleanup\")"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"**Introducing new policy to allow more operation for ``manager`` 
users:**"},{"line_number":111,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"86526d06_92eee5da","line":108,"in_reply_to":"e15bad8b_914fe374","updated":"2025-05-29 18:01:57.000000000","message":"ack, Yeah, I will be adding docs (calling these out explicitly in release notes and api-ref) for those to highlight the defaults change.","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"db42a8e6bc14a4ce653e71e0cd44f70a7419b59b","unresolved":true,"context_lines":[{"line_number":124,"context_line":""},{"line_number":125,"context_line":"    * ``os_compute_api:os-evacuate`` (evacuate server)"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"      * Default changing from ``ADMIN`` -\u003e ``PROJECT_MANAGER_OR_ADMIN``"},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"  * New policy:"},{"line_number":130,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"aaf66b8d_53e159c3","line":127,"updated":"2025-05-29 15:44:27.000000000","message":"my only concern with this is that a manager will not be able to see that the compute service is down.\n\nso it is hard for them to tell if they should hard reboot or evacuate etc.\n\nso this may or may not be useful without other custom policy.","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6a6d6ed260926716d44faa38129ecf3c1e48a97f","unresolved":true,"context_lines":[{"line_number":124,"context_line":""},{"line_number":125,"context_line":"    * ``os_compute_api:os-evacuate`` (evacuate server)"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"      * Default changing from ``ADMIN`` -\u003e 
``PROJECT_MANAGER_OR_ADMIN``"},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"  * New policy:"},{"line_number":130,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"4c948f41_7984f403","line":127,"in_reply_to":"005831f9_b6671d6b","updated":"2025-05-29 18:24:50.000000000","message":"just a side note, if the server is running fine it means the user knows the compute service is up so maybe that is ok to be known by them in the evacuate case also?","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"325cee89fa84be01640d6b9898dd0128c7e09675","unresolved":true,"context_lines":[{"line_number":124,"context_line":""},{"line_number":125,"context_line":"    * ``os_compute_api:os-evacuate`` (evacuate server)"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"      * Default changing from ``ADMIN`` -\u003e ``PROJECT_MANAGER_OR_ADMIN``"},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"  * New policy:"},{"line_number":130,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"72931878_d22767de","line":127,"in_reply_to":"4c948f41_7984f403","updated":"2025-05-30 07:02:56.000000000","message":"There is extra complication with evacuate for sure. When a compute becomes unavailable from the nova control plane perspective nova will start allowing evacuation of VMs from the host. But at the same time it requires the admin to ensure that the nova-compute is not just unavailable from the control plane perspective but that the compute is really down, fenced, and VMs on that host cannot reappear in the system. Now ensuring this as a non admin user is impossible. 
Therefore evacuation is not safe for non-admin users.\n\nOur API doc clearly states that the precondition of evacuate is:\n```\nThe failed host must be fenced and no longer running the original server.\n```","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"426aeab1a00da95d768ce3a74765527731070f28","unresolved":false,"context_lines":[{"line_number":124,"context_line":""},{"line_number":125,"context_line":"    * ``os_compute_api:os-evacuate`` (evacuate server)"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"      * Default changing from ``ADMIN`` -\u003e ``PROJECT_MANAGER_OR_ADMIN``"},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"  * New policy:"},{"line_number":130,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"511e88a5_a35838b3","line":127,"in_reply_to":"72931878_d22767de","updated":"2025-05-30 15:10:14.000000000","message":"thanks gibi. Yeah let\u0027s not open it for non-admin. 
I will update it.","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"14b2899b0a8d2829161ecc34c462887f92c0d587","unresolved":true,"context_lines":[{"line_number":124,"context_line":""},{"line_number":125,"context_line":"    * ``os_compute_api:os-evacuate`` (evacuate server)"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"      * Default changing from ``ADMIN`` -\u003e ``PROJECT_MANAGER_OR_ADMIN``"},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"  * New policy:"},{"line_number":130,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"005831f9_b6671d6b","line":127,"in_reply_to":"aaf66b8d_53e159c3","updated":"2025-05-29 18:01:57.000000000","message":"True, service status is one of the pieces of information they need to know. Honestly saying I did not consider the custom policy case because in that case they can override this policy also. My main motive of improving defaults is that they work 100% with other defaults, otherwise defaults are not correct defaults if operators need to override some policy defaults:) \n\nThe only thing I considered is whether the manager is aware of the service status (not via API). If a hard reboot also does not work, then they can try evacuating the server. And if the service is up anyway, the API will deny the evacuate.\n\n**Does it leak information about infra/services?**\n\nWhile I am replying, I thought that if I allow the manager to evacuate the server, it can help determine the host and if the compute service is up or not. If a manager tries to evacuate and the compute service is up, nova returns 400[1] but with msg \"\"Compute service of %(host)s is still in use.\"\"[2]. From the error message, the manager can know 1. service is up 2. host of instance.\n\nThere are two possible solutions I see here:\n\n1. 
Do not pass the error message in the user error, return 400 only. For the detailed error, nova does log the error[3] so that admin can know the actual reason of 400.\n\n2. Leave evacuate to admin only.\n\n\n[1] https://github.com/openstack/nova/blob/221a3e89e8988bc664298106ee691a4e41ca71f9/nova/api/openstack/compute/evacuate.py#L161\n\n[2] \nhttps://github.com/openstack/nova/blob/221a3e89e8988bc664298106ee691a4e41ca71f9/nova/compute/api.py#L5726\n\nhttps://github.com/openstack/nova/blob/221a3e89e8988bc664298106ee691a4e41ca71f9/nova/exception.py#L591C17-L591C63\n\n[3] https://github.com/openstack/nova/blob/221a3e89e8988bc664298106ee691a4e41ca71f9/nova/compute/api.py#L5724","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"db42a8e6bc14a4ce653e71e0cd44f70a7419b59b","unresolved":true,"context_lines":[{"line_number":130,"context_line":""},{"line_number":131,"context_line":"    * ``os_compute_api:os-evacuate:host`` (evacuate server to specific host)"},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"      * Default: ``ADMIN``"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"* Live migrate:"},{"line_number":136,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"c6f5a758_a6d1b82b","line":133,"updated":"2025-05-29 15:44:27.000000000","message":"+1","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"14b2899b0a8d2829161ecc34c462887f92c0d587","unresolved":false,"context_lines":[{"line_number":130,"context_line":""},{"line_number":131,"context_line":"    * ``os_compute_api:os-evacuate:host`` (evacuate server to specific host)"},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"      * Default: 
``ADMIN``"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"* Live migrate:"},{"line_number":136,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"b05a1eeb_30eb935a","line":133,"in_reply_to":"c6f5a758_a6d1b82b","updated":"2025-05-29 18:01:57.000000000","message":"Acknowledged","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"db42a8e6bc14a4ce653e71e0cd44f70a7419b59b","unresolved":false,"context_lines":[{"line_number":154,"context_line":"    * ``os_compute_api:servers:migrations::index`` (Lists in-progress live"},{"line_number":155,"context_line":"      migrations for a given server)"},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"      * Default changing from: ``ADMIN`` -\u003e ``PROJECT_MANAGER_OR_ADMIN``"},{"line_number":158,"context_line":""},{"line_number":159,"context_line":"  * New policy:"},{"line_number":160,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"570a9a8e_e2b00ad6","line":157,"updated":"2025-05-29 15:44:27.000000000","message":"-1 to this unless we filter the response that managers see to remove all host specific fields.\n\nhttps://docs.openstack.org/api-ref/compute/#id320\n\nif we hid the dest/source host/node i think it would be ok to allow them to do list or show on migrations.\n\nbut we need to make those host specific fields conditional like the admin only field in server show.\n\nlater\n-----\nnever mind\nthat\u0027s what the new policy controlling showing the host info is for\n\n+1","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"14b2899b0a8d2829161ecc34c462887f92c0d587","unresolved":false,"context_lines":[{"line_number":154,"context_line":"    * 
``os_compute_api:servers:migrations::index`` (Lists in-progress live"},{"line_number":155,"context_line":"      migrations for a given server)"},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"      * Default changing from: ``ADMIN`` -\u003e ``PROJECT_MANAGER_OR_ADMIN``"},{"line_number":158,"context_line":""},{"line_number":159,"context_line":"  * New policy:"},{"line_number":160,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"23c4b1f4_8fcd54b7","line":157,"in_reply_to":"570a9a8e_e2b00ad6","updated":"2025-05-29 18:01:57.000000000","message":"yeah, this will not show any host/infra related info and that info will be controlled by the separate policy which defaults to ADMIN","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"db42a8e6bc14a4ce653e71e0cd44f70a7419b59b","unresolved":true,"context_lines":[{"line_number":171,"context_line":"   implied roles, project manager can also perform the below actions in their"},{"line_number":172,"context_line":"   project servers."},{"line_number":173,"context_line":""},{"line_number":174,"context_line":"   * \u0027os_compute_api:os-lock-server:lock\u0027 (\"Lock a server\")"},{"line_number":175,"context_line":"   * \u0027os_compute_api:os-lock-server:unlock\u0027 (\"Unlock a server\")"},{"line_number":176,"context_line":"   * \u0027os_compute_api:os-pause-server:pause\u0027 (\"Pause a server\")"},{"line_number":177,"context_line":"   * \u0027os_compute_api:os-pause-server:unpause\u0027 (\"Unpause a paused server\")"},{"line_number":178,"context_line":"   * \u0027os_compute_api:os-rescue\u0027 (\"Rescue a server\")"}],"source_content_type":"text/x-rst","patch_set":7,"id":"a70ac47f_0c0ebc87","line":175,"range":{"start_line":174,"start_character":0,"end_line":175,"end_character":63},"updated":"2025-05-29 15:44:27.000000000","message":"so i don\u0027t 
think we should restrict this\n\nbut if we wanted to we could extend the current behavior we have where non admins can\u0027t unlock a server locked by an admin.\n\ni.e. member would not be able to unlock a server locked by manager but admin would take precedence over manager.\n\n\ni think that is a natural extension that we could do.\n\ni agree that we likely should not modify the other items below.","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"14b2899b0a8d2829161ecc34c462887f92c0d587","unresolved":true,"context_lines":[{"line_number":171,"context_line":"   implied roles, project manager can also perform the below actions in their"},{"line_number":172,"context_line":"   project servers."},{"line_number":173,"context_line":""},{"line_number":174,"context_line":"   * \u0027os_compute_api:os-lock-server:lock\u0027 (\"Lock a server\")"},{"line_number":175,"context_line":"   * \u0027os_compute_api:os-lock-server:unlock\u0027 (\"Unlock a server\")"},{"line_number":176,"context_line":"   * \u0027os_compute_api:os-pause-server:pause\u0027 (\"Pause a server\")"},{"line_number":177,"context_line":"   * \u0027os_compute_api:os-pause-server:unpause\u0027 (\"Unpause a paused server\")"},{"line_number":178,"context_line":"   * \u0027os_compute_api:os-rescue\u0027 (\"Rescue a server\")"}],"source_content_type":"text/x-rst","patch_set":7,"id":"cec3e21b_9119697c","line":175,"range":{"start_line":174,"start_character":0,"end_line":175,"end_character":63},"in_reply_to":"a70ac47f_0c0ebc87","updated":"2025-05-29 18:01:57.000000000","message":"we do have a separate policy \u0027os_compute_api:os-lock-server:unlock:unlock_override\u0027 to handle unlocking a server locked by others. I will say let\u0027s keep that for the use case where anyone else wants to unlock a server which they did not lock. 
Adding member and manager role priority in unlocking will be more complicated. \n\nBecause we already have \u0027os_compute_api:os-lock-server:unlock:unlock_override\u0027 policy, that is why I kept the lock/unlock unchanged.","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"db42a8e6bc14a4ce653e71e0cd44f70a7419b59b","unresolved":true,"context_lines":[{"line_number":242,"context_line":"they need \u0027manager\u0027 role in their project to continue performing these"},{"line_number":243,"context_line":"operations."},{"line_number":244,"context_line":""},{"line_number":245,"context_line":"* \u0027os_compute_api:os-admin-password\u0027"},{"line_number":246,"context_line":"* \u0027os_compute_api:os-deferred-delete:restore\u0027"},{"line_number":247,"context_line":"* \u0027os_compute_api:os-deferred-delete:force\u0027"},{"line_number":248,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"508bc6c6_c1170955","line":245,"updated":"2025-05-29 15:44:27.000000000","message":"this one still feels a bit odd to me but I\u0027m not strictly against it.\n\nit\u0027s an api that if we were considering today we likely would not support.\npartly because keypairs is the recommended way to access a server even on windows\n\nis there a reason you called this out specifically.\n\ni.e. 
is there a use case this enables?\n\nif so can we add it to the use cases at the start of the spec.","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"8ae512d806ce92ad1883b76074653db535f240fc","unresolved":true,"context_lines":[{"line_number":242,"context_line":"they need \u0027manager\u0027 role in their project to continue performing these"},{"line_number":243,"context_line":"operations."},{"line_number":244,"context_line":""},{"line_number":245,"context_line":"* \u0027os_compute_api:os-admin-password\u0027"},{"line_number":246,"context_line":"* \u0027os_compute_api:os-deferred-delete:restore\u0027"},{"line_number":247,"context_line":"* \u0027os_compute_api:os-deferred-delete:force\u0027"},{"line_number":248,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"f37a648d_b1756d94","line":245,"in_reply_to":"407ba29e_6b3bc574","updated":"2025-05-30 15:32:08.000000000","message":"so this should be allowed to member right.\n\nwhy would we only allow it to manager.\n\nthis feels like something the person who created the vm should be able to do.","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"14b2899b0a8d2829161ecc34c462887f92c0d587","unresolved":true,"context_lines":[{"line_number":242,"context_line":"they need \u0027manager\u0027 role in their project to continue performing these"},{"line_number":243,"context_line":"operations."},{"line_number":244,"context_line":""},{"line_number":245,"context_line":"* \u0027os_compute_api:os-admin-password\u0027"},{"line_number":246,"context_line":"* \u0027os_compute_api:os-deferred-delete:restore\u0027"},{"line_number":247,"context_line":"* 
\u0027os_compute_api:os-deferred-delete:force\u0027"},{"line_number":248,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"407ba29e_6b3bc574","line":245,"in_reply_to":"508bc6c6_c1170955","updated":"2025-05-29 18:01:57.000000000","message":"there is no specific use case I considered. I agree that keypair is the recommended way to access a server but as this API exists and there might be users using it, I feel allowing it to manager makes sense.","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3b769c7438ae478f01b9f8dd040c3429cac31e64","unresolved":false,"context_lines":[{"line_number":242,"context_line":"they need \u0027manager\u0027 role in their project to continue performing these"},{"line_number":243,"context_line":"operations."},{"line_number":244,"context_line":""},{"line_number":245,"context_line":"* \u0027os_compute_api:os-admin-password\u0027"},{"line_number":246,"context_line":"* \u0027os_compute_api:os-deferred-delete:restore\u0027"},{"line_number":247,"context_line":"* \u0027os_compute_api:os-deferred-delete:force\u0027"},{"line_number":248,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"88ca0a27_067fea7f","line":245,"in_reply_to":"e0ff6ce5_c516562f","updated":"2025-06-06 00:38:03.000000000","message":"if we were to try and restrict it they could snapshot the instance and rebuild to that snapshot and pass new user-data or a new ssh key anyway so there isn\u0027t much point in blocking this.\n\nif we wanted to delete that api i would be all for it but that\u0027s a completely different topic :)","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"511c2a31eaa0af02486c6188bb25594d4455e06c","unresolved":false,"context_lines":[{"line_number":242,"context_line":"they need \u0027manager\u0027 role in their project to continue performing these"},{"line_number":243,"context_line":"operations."},{"line_number":244,"context_line":""},{"line_number":245,"context_line":"* \u0027os_compute_api:os-admin-password\u0027"},{"line_number":246,"context_line":"* \u0027os_compute_api:os-deferred-delete:restore\u0027"},{"line_number":247,"context_line":"* \u0027os_compute_api:os-deferred-delete:force\u0027"},{"line_number":248,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"e0ff6ce5_c516562f","line":245,"in_reply_to":"f37a648d_b1756d94","updated":"2025-05-30 18:09:43.000000000","message":"I think I agree on that and do not have any strong point on why a member/whoever created the VM cannot change the password. I will keep it as it is. done.","commit_id":"7dfa09d5e51f6b5dfd14c8a1ff2e92c11158ed5a"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e8ce87c192ab58dfd581aa1abd04ddf1f92c9e2f","unresolved":true,"context_lines":[{"line_number":26,"context_line":"project member, and project reader roles. But there are many project level"},{"line_number":27,"context_line":"APIs which should be default to user who are more privileged than normal"},{"line_number":28,"context_line":"user (member, reader role user). 
Instead of allowing such APIs to global"},{"line_number":29,"context_line":"admin, we should have more privileged user within project."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"Use Cases"},{"line_number":32,"context_line":"---------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"ce313760_5050fc71","line":29,"updated":"2025-06-06 00:00:34.000000000","message":"I suspect I have missed something more general with regard to RBAC but, when I read the problem description I wonder, for the purposes of a use case, why do we need something additional to the existing project-admin role? To me that is the more privileged user within a project. Is there a specific use case you have in mind where a project-manager role would be helpful? (I like to see such explanations in specs).","commit_id":"da3d034db214c26254568af4ba19fb36af0081fb"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"a83a11c21b4e5d61f748096e13396195f7eb2fe1","unresolved":true,"context_lines":[{"line_number":26,"context_line":"project member, and project reader roles. But there are many project level"},{"line_number":27,"context_line":"APIs which should be default to user who are more privileged than normal"},{"line_number":28,"context_line":"user (member, reader role user). 
Instead of allowing such APIs to global"},{"line_number":29,"context_line":"admin, we should have more privileged user within project."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"Use Cases"},{"line_number":32,"context_line":"---------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"ee4e0ff2_c7d43256","line":29,"in_reply_to":"17f4bf02_4e5abae5","updated":"2025-06-06 00:40:55.000000000","message":"by the way the reason the keystone doc is in direct conflict with the governance doc is https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#legacy-admin-continues-to-work-as-it-is\n\n\"\"\"\nDuring the operator feedback, it is clear that we need to keep the legacy admin working as it is currently. We will not do any change in legacy admin behavior and access information. In Phase 2, we will introduce the project manager persona who will be able to do the more privileged operation within the project than project member. More details in Phase 2 section.\n\"\"\"\n\nlegacy admin was not scoped to a single project in any way so we cannot evolve admin to be limited to a project view going forward.\n\nmanager is the name of the role that will have that functionality","commit_id":"da3d034db214c26254568af4ba19fb36af0081fb"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"8902b9a0018342b27dfa691c742917ff9fadf367","unresolved":true,"context_lines":[{"line_number":26,"context_line":"project member, and project reader roles. But there are many project level"},{"line_number":27,"context_line":"APIs which should be default to user who are more privileged than normal"},{"line_number":28,"context_line":"user (member, reader role user). 
Instead of allowing such APIs to global"},{"line_number":29,"context_line":"admin, we should have more privileged user within project."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"Use Cases"},{"line_number":32,"context_line":"---------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"9c55fd4b_476ec72b","line":29,"in_reply_to":"2d337673_8d779d06","updated":"2025-06-06 22:32:54.000000000","message":"Thank you both for explaining it so well 🙂 I had been aware of or \"heard of\" the big RBAC discussions with the TC but was confused about the problem and agreement. This was very educational and it all makes sense now. Thank you.","commit_id":"da3d034db214c26254568af4ba19fb36af0081fb"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3b769c7438ae478f01b9f8dd040c3429cac31e64","unresolved":true,"context_lines":[{"line_number":26,"context_line":"project member, and project reader roles. But there are many project level"},{"line_number":27,"context_line":"APIs which should be default to user who are more privileged than normal"},{"line_number":28,"context_line":"user (member, reader role user). 
Instead of allowing such APIs to global"},{"line_number":29,"context_line":"admin, we should have more privileged user within project."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"Use Cases"},{"line_number":32,"context_line":"---------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"17f4bf02_4e5abae5","line":29,"in_reply_to":"ce313760_5050fc71","updated":"2025-06-06 00:38:03.000000000","message":"a project admin is a global admin.\nthey are capable of listing all instances across all projects\n\n\nit is not a project-scope admin.\n\nThere is a lot of background to this but much of the context is in \nhttps://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change,\nhttps://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#how-operators-opt-into-the-new-functionality\nand \nhttps://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#project-manager\n\n\nlooking at https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#how-operators-opt-into-the-new-functionality we see the working definition of a \"project scoped\"  user with the admin role.\n\n\n\n\nAdmin\n\n        Denoted by someone with the admin role on a project\n        This is existing admin we have in OpenStack policy.\n        Intended for operators who need elevated privilege on complete deployement\n        Not intended for end users\n        List Hypervisors detail\n        Forcibly reset the state of an instance\n        Forcibly deleting an application stack\n        Making an image public to the entire deployment\n        Create physical provider networks\n        Add or delete services and endpoints\n        Create new volume types\n        Move pre-existing volumes in and out of projects\n        Create or delete HSM transport keys\n\nin other words a user with an admin role in project A can delete vms in project B\n\n\n\nthe project manager is designed 
to allow use to have a middel ground between global admin and memeber role in a project\n\nhttps://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#project-manager\n\n\n\n    Project Manager (project-level management)\n            Denoted by someone with the manager role on a project\n            Intended for responsible end-users to give them slightly elevated privileges that affect only their own project’s resources\n            Can perform more privileged than project-members on a project\n            Forcibly reset the state of an instance\n            Forcibly deleting an application stack\n            Locking and unlocking an instance\n            Setting the default volume type for a project\n            Setting the default secret store for a project\n\n\nthe keystone doc that descib what a project admin is is incorerct based on teh resolution and direction change in yoga and has never been update to reflect the agree meaning of that term.\n\nhttps://docs.openstack.org/keystone/latest/admin/service-api-protection.html#admin\n\n\n\"\"\"\nWe reserve the admin role for the most privileged operations within a given scope. It is important to note that having admin on a project, domain, or the system carries separate authorization and are not transitive. For example, users with admin on the system should be able to manage every aspect of the deployment because they’re operators. 
Users with admin on a project shouldn’t be able to manage things outside the project because it would violate the tenancy of their role assignment (this doesn’t apply consistently since services are addressing this individually at their own pace).\n\"\"\"\nspecifcifcally the last sentence is incorrect and not pland to be done in any project\n\n\"\"\"\nUsers with admin on a project shouldn’t be able to manage things outside the project because it would violate the tenancy of their role assignment (this doesn’t apply consistently since services are addressing this individually at their own pace).\"\"\"\n\nthere definition of manger is better but a gain its been warped slight by a pre yoga view point\n\nhttps://docs.openstack.org/keystone/latest/admin/service-api-protection.html#manager\n\n\"\"\"\nThe manager role takes a special place in keystone. It sits between the admin and member role, allowing limited identity management while being clearly differentiated from the admin role both in terms of purpose and privileges. The manager role is meant to be assigned in a domain scope and enables users to manage identity assets in a whole domain including users, projects, groups and role assignments. This enables identity self-service management capabilities for users within a domain without the need to assign the most privileged admin role to them.\n\nThe keystone default policies include a special rule that specifies the list of roles a user with the manager role is be able to assign and revoke within the domain scope. This prevents such user from escalating their own privileges or those of others beyond manager and for this purpose the list excludes the admin role. The list can be adjusted by cloud administrators via policy definitions in case the role model differs. 
For example, if a new role is introduced for a specific cloud environment, the list can be adjusted to allow users with the manager role to also assign it.\n\nOther services might write default policies to enable the manager role to have more privileged managing rights or cross-project privileges in a domain.\n\"\"\"\n\n\nit focuses maninly on what manager means for Keyston particularly in the context of domains rather then the applicability of manager role more broadly or in the project context.\n\nwhere there is a disagreement between keystones docs and https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html\n\nthe governance goal superceed the keystone docs.","commit_id":"da3d034db214c26254568af4ba19fb36af0081fb"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6b698a932533a1e6148e2924836d95a57e8ea9b1","unresolved":true,"context_lines":[{"line_number":26,"context_line":"project member, and project reader roles. But there are many project level"},{"line_number":27,"context_line":"APIs which should be default to user who are more privileged than normal"},{"line_number":28,"context_line":"user (member, reader role user). Instead of allowing such APIs to global"},{"line_number":29,"context_line":"admin, we should have more privileged user within project."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"Use Cases"},{"line_number":32,"context_line":"---------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"2d337673_8d779d06","line":29,"in_reply_to":"ee4e0ff2_c7d43256","updated":"2025-06-06 18:47:16.000000000","message":"Yeah, Sean explained it in a very detailed way and thanks for that. I am just writing it in a short/summary about why we cannot use project admin. 
\n\nPoint brought by the melwitt is actually we want to do in the first/preferred design of RBAC (system level admin vs project level admin)\n\nBut as you know, we got a setback/feedback from the operator on this, and we have to drop the concept of \u0027system/project level admin\u0027:\n- Operators do not want system scope roles as they are complicated to use and not required by them, as such (at least now).\n- Operators do not want to change the legacy admin, as it breaks NFV and many more use cases.\n\nKeeping legacy admin (role: admin) unchanged is the reason for no project-admin. For example:\n\nKeeping legacy admin unchanged, check_str will be:\n\n \"role: admin OR role:member and project_id:%(project_id)s\"\n    * legacy admin (admin role in any projects) and project-member are allowed\n    \nIf we want to add a project-level high privileged role than project-member:\n\nOption1: \u0027project-admin\u0027. In this case, check_str will be:\n\n \"role: admin OR role:admin and project_id:%(project_id)s\"\n    * This will basically \u003d\u003d \"role: admin\", which means admin in any project is allowed to do things.\n    \nOption2: \u0027project-manager\u0027. In this case, check_str will be:\n\n \"role: admin OR role:manager and project_id:%(project_id)s\"\n    * legacy admin and project manager are allowed.\n    * This achieves the goal of \"adding high privileged role than member but within project\".\n    \n    \nIn short, project-manager is nothing but project-admin but renamed because of legacy admin.\n\nSaid that, I think I should add it in spec so that we have reason of not using \u0027project-admin\u0027.","commit_id":"da3d034db214c26254568af4ba19fb36af0081fb"}]}
