)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":8878,"name":"Masahito Muroi","email":"masahito.muroi@linecorp.com","username":"masa"},"change_message_id":"8808172e8dfd18d2c2f4e0b6b61ddeaa66428411","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"5d9a7c90_4765ce9c","updated":"2026-03-10 10:52:44.000000000","message":"Please move on to the https://review.opendev.org/c/openstack/nova-specs/+/977339 because this spec is in the Flamingo directory and old architecture.","commit_id":"56aee56d3e60204d17a6721ad6b10e31bafe3a61"}],"specs/2024.2/approved/instance-metadata-protection.rst":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"06080c4e9c4fca347c8a1f86234d571bbe4c27b7","unresolved":true,"context_lines":[{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Therefore, I propose the following feature:"},{"line_number":25,"context_line":"- Allow only specific roles to create, update, or delete certain tags and"},{"line_number":26,"context_line":"  metadata keys specified in the configuration"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":2,"id":"647555c5_c433e0ce","line":26,"updated":"2025-01-14 12:04:36.000000000","message":"the instance metadata and instance tags are not intended to be used by admins.\n\nwe could add a new policy role for this but it would have to default to project_member.\n\na cloud that made that admin only would not be interoperable with other clouds but it would be a decision they could make if its right for their use case.","commit_id":"56aee56d3e60204d17a6721ad6b10e31bafe3a61"},{"author":{"_account_id":11604,"name":"sean 
mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"e323e6a73b640b2264eb06084bca84e20d5c6d66","unresolved":true,"context_lines":[{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Therefore, I propose the following feature:"},{"line_number":25,"context_line":"- Allow only specific roles to create, update, or delete certain tags and"},{"line_number":26,"context_line":"  metadata keys specified in the configuration"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":2,"id":"994623c4_232a6f44","line":26,"in_reply_to":"0a80e44c_cb50b16f","updated":"2025-04-07 10:46:05.000000000","message":"ya, vendor data is a good shout-out for this use case.","commit_id":"56aee56d3e60204d17a6721ad6b10e31bafe3a61"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"c374c11e4aa62af61cfb410794ae35c51bf6b92d","unresolved":true,"context_lines":[{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Therefore, I propose the following feature:"},{"line_number":25,"context_line":"- Allow only specific roles to create, update, or delete certain tags and"},{"line_number":26,"context_line":"  metadata keys specified in the configuration"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":2,"id":"0a80e44c_cb50b16f","line":26,"in_reply_to":"647555c5_c433e0ce","updated":"2025-04-07 09:23:37.000000000","message":"This is exactly what \"vendordata\" was added for. 
There are three types of metadata for an instance:\n\n* data from the cloud itself (IP addresses, ssh keys, etc)\n* data from the user -- what we call \"user-data\", which is often things like early configuration data for the instance to bootstrap itself\n* data from the operator of the cloud -- this is called \"vendordata\" for historical reasons\n\nOriginally vendordata was intended so that you could provide things like cryptographic join tokens from Active Directory or FreeIPA, but it will work with anything you as a cloud deployer want to provide. You can either provide static vendordata (every instance gets the same time), or dynamic data by providing a REST API that Nova contacts to gather data on instance creation. Vendor data was originally added at the request of the FreeIPA team.\n\nFurther information is available here: https://www.madebymikal.com/nova-vendordata-deployment-an-excessively-detailed-guide/\n\nAt the very least this proposal should explain why vendordata isn\u0027t a fit for this problem and cannot be extended to address it.","commit_id":"56aee56d3e60204d17a6721ad6b10e31bafe3a61"},{"author":{"_account_id":26250,"name":"Johannes Kulik","email":"johannes.kulik@sap.com","username":"jkulik"},"change_message_id":"aec74564a73e9a71f1bd624e6243ea45cfc5e48d","unresolved":true,"context_lines":[{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Therefore, I propose the following feature:"},{"line_number":25,"context_line":"- Allow only specific roles to create, update, or delete certain tags and"},{"line_number":26,"context_line":"  metadata keys specified in the configuration"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":2,"id":"27d62fe5_aec0dd5b","line":26,"in_reply_to":"994623c4_232a6f44","updated":"2025-11-17 10:46:14.000000000","message":"I guess the difference between this proposal and 
vendordata is, that vendordata can only be seen by the VM through the metadata service while the instance metadata is persisted in the DB and - at least in the case of tags - exposed via API.","commit_id":"56aee56d3e60204d17a6721ad6b10e31bafe3a61"},{"author":{"_account_id":26250,"name":"Johannes Kulik","email":"johannes.kulik@sap.com","username":"jkulik"},"change_message_id":"aec74564a73e9a71f1bd624e6243ea45cfc5e48d","unresolved":true,"context_lines":[{"line_number":32,"context_line":"When an instance is used by external resources outside of OpenStack, there may"},{"line_number":33,"context_line":"be a need to add that information as metadata to the instance."},{"line_number":34,"context_line":"For example, when an instance is used as a Kubernetes Worker Node, a cloud"},{"line_number":35,"context_line":"administrator may want to add cluster information via tags or metadata."},{"line_number":36,"context_line":"However, since tags and metadata can also be used by users, the following"},{"line_number":37,"context_line":"issues may arise:"},{"line_number":38,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"b666f3fe_cdceac1a","line":35,"updated":"2025-11-17 10:46:14.000000000","message":"Why are the admin and the user different persons? For what does a user of the k8s service need the rights to fiddle with the k8s node VMs?","commit_id":"56aee56d3e60204d17a6721ad6b10e31bafe3a61"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"06080c4e9c4fca347c8a1f86234d571bbe4c27b7","unresolved":true,"context_lines":[{"line_number":58,"context_line":"Add the following settings to `nova.conf`:"},{"line_number":59,"context_line":".. 
code-block:: ini"},{"line_number":60,"context_line":"    protected_metadata \u003d key1:[admin],key_.*:[admin, k8s_admin]"},{"line_number":61,"context_line":"    protected_tags \u003d tag1:[admin],tag_.*:[admin]"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"`protected_metadata` specifies metadata keys and the roles that can modify"},{"line_number":64,"context_line":"those keys. Regular expressions can be used to specify keys, and roles are"}],"source_content_type":"text/x-rst","patch_set":2,"id":"8fbe1a6e_500c6ca7","line":61,"updated":"2025-01-14 12:04:36.000000000","message":"this is config-driven api behavior which is not something we should do.\n\nif we were to add a feature like this i would instead want this to work by having a rest api where admins could define a set of admin/protected tags and then they would use the existing api to apply them to instances.","commit_id":"56aee56d3e60204d17a6721ad6b10e31bafe3a61"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"06080c4e9c4fca347c8a1f86234d571bbe4c27b7","unresolved":true,"context_lines":[{"line_number":102,"context_line":"This would allow for the protection of administrator-specific metadata."},{"line_number":103,"context_line":"However, this solution alone does not allow for granular permission management"},{"line_number":104,"context_line":"based on roles. Additionally, it would require adding new tables to the"},{"line_number":105,"context_line":"database."},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"Data model impact"},{"line_number":108,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"a4e3ba48_0ff2b2d5","line":105,"updated":"2025-01-14 12:04:36.000000000","message":"it would not require adding new tables. 
we could store the admin data in the instance_system_metadata table.\n\nthis is also a more viable approach IMO than a config option.","commit_id":"56aee56d3e60204d17a6721ad6b10e31bafe3a61"}]}
