)]}'
{"specs/2025.2/approved/policy-service-role-default.rst":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"6be7510dad6196df7de914de241204b0ea6af373","unresolved":true,"context_lines":[{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"We need to make sure all the policy rules for internal service-to-service"},{"line_number":42,"context_line":"APIs are default to ``service`` role only. Example:"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":""},{"line_number":45,"context_line":".. code-block:: python"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9a678453_c54ee891","line":42,"updated":"2025-06-05 13:08:54.000000000","message":"It might be good to link to the keystone docs on this role. I wasn\u0027t aware it was a thing before now https://docs.openstack.org/keystone/latest/admin/service-api-protection.html#primer","commit_id":"6136b84375ec21e35f98a1aecc175bc2aab33513"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"62e42b19c6cab9ff187544f6075950394ee95bf6","unresolved":true,"context_lines":[{"line_number":46,"context_line":""},{"line_number":47,"context_line":"   policy.DocumentedRuleDefault("},{"line_number":48,"context_line":"       name\u003d\u0027os_compute_api:os-server-external-events:create\u0027,"},{"line_number":49,"context_line":"       check_str\u003d\u0027role:service\u0027,"},{"line_number":50,"context_line":"       scope_types\u003d[\u0027project\u0027]"},{"line_number":51,"context_line":"   
)"},{"line_number":52,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"cb835b8a_874c6382","line":49,"range":{"start_line":49,"start_character":0,"end_line":49,"end_character":32},"updated":"2025-05-29 16:41:53.000000000","message":"@sean, just to highlight, are you ok with the new role which is \u0027service\u0027, I remember somewhere last cycle you mentioned that for upgrade, it is better to keep it for \u0027admin-or-service\u0027 for a cycle and then change to \u0027service\u0027 in next cycle.","commit_id":"6136b84375ec21e35f98a1aecc175bc2aab33513"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"2a686959e787fb7e0b3e93113f25f6c7ed41e5d0","unresolved":true,"context_lines":[{"line_number":46,"context_line":""},{"line_number":47,"context_line":"   policy.DocumentedRuleDefault("},{"line_number":48,"context_line":"       name\u003d\u0027os_compute_api:os-server-external-events:create\u0027,"},{"line_number":49,"context_line":"       check_str\u003d\u0027role:service\u0027,"},{"line_number":50,"context_line":"       scope_types\u003d[\u0027project\u0027]"},{"line_number":51,"context_line":"   )"},{"line_number":52,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"16dbd978_f69b7369","line":49,"range":{"start_line":49,"start_character":0,"end_line":49,"end_character":32},"in_reply_to":"8d83d807_9d542c35","updated":"2025-05-29 17:04:19.000000000","message":"just to capture my responce form irc.\n\nyes. 
my original concern was about giving installer project time to adapt to the requirement for service projects like cinder or Neutron to have the service role.\n\nbut at this point they have had quite a long time to do that.\n\nso if we are confident that we can test this probably in ci\nThen I\u0027m willing to go straight to the desired state.","commit_id":"6136b84375ec21e35f98a1aecc175bc2aab33513"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9afdd6ce090e850c3b62b4a2fe42f2a0d28c7ab0","unresolved":true,"context_lines":[{"line_number":46,"context_line":""},{"line_number":47,"context_line":"   policy.DocumentedRuleDefault("},{"line_number":48,"context_line":"       name\u003d\u0027os_compute_api:os-server-external-events:create\u0027,"},{"line_number":49,"context_line":"       check_str\u003d\u0027role:service\u0027,"},{"line_number":50,"context_line":"       scope_types\u003d[\u0027project\u0027]"},{"line_number":51,"context_line":"   )"},{"line_number":52,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"8d83d807_9d542c35","line":49,"range":{"start_line":49,"start_character":0,"end_line":49,"end_character":32},"in_reply_to":"cb835b8a_874c6382","updated":"2025-05-29 16:43:55.000000000","message":"NOTE: we will support admin role via deprecated old defaults but those will only work if old defaults are not disabled completely (in upstream CI, we are moving to new defaults, which means disabling old defaults completely)","commit_id":"6136b84375ec21e35f98a1aecc175bc2aab33513"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"056b812506bf3710fe94e9698d35b5ac77dc01cf","unresolved":true,"context_lines":[{"line_number":135,"context_line":"sure to override the required permission in policy.yaml because by default"},{"line_number":136,"context_line":"they will be 
accessed by the ``service`` role user only. If deployment"},{"line_number":137,"context_line":"overrides these policies then, they need to start considering the new"},{"line_number":138,"context_line":"default policy rules."},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"Implementation"},{"line_number":141,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"20ea7f82_680fd8ec","line":138,"updated":"2025-05-29 15:47:01.000000000","message":"so i think we should document the change in default role for these in the api-ref\n\nbut other than that I think I\u0027m ok with this proposal.","commit_id":"6136b84375ec21e35f98a1aecc175bc2aab33513"}]}
