)]}'
{"etc/nova/policy.json":[{"author":{"_account_id":1849,"name":"Joe Gordon","email":"joe.gordon0@gmail.com","username":"jogo"},"change_message_id":"9c6f081e52b64b73dbb6b225b8d7d88854b1c8d8","unresolved":false,"context_lines":[{"line_number":279,"context_line":"    \"compute_extension:v3:server-metadata:index\": \"rule:admin_or_owner\","},{"line_number":280,"context_line":"    \"compute_extension:v3:server-metadata:show\": \"rule:admin_or_owner\","},{"line_number":281,"context_line":"    \"compute_extension:v3:server-metadata:delete\": \"rule:admin_or_owner\","},{"line_number":282,"context_line":"    \"compute_extension:v3:server-metadata:create\": \"\","},{"line_number":283,"context_line":"    \"compute_extension:v3:server-metadata:update\": \"rule:admin_or_owner\","},{"line_number":284,"context_line":"    \"compute_extension:v3:server-metadata:update_all\": \"rule:admin_or_owner\","},{"line_number":285,"context_line":"    \"compute_extension:v3:servers:discoverable\": \"\","}],"source_content_type":"application/json","patch_set":14,"id":"da86d52c_e0e9c87f","line":282,"updated":"2015-02-12 17:19:40.000000000","message":"create isn\u0027t admin or owner?","commit_id":"b9ddb13320f2cae22fdc7c5bc6b94b4837c61f34"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"636c74a92bbab0e28e3b5ac9d90f7c56add8614d","unresolved":false,"context_lines":[{"line_number":279,"context_line":"    \"compute_extension:v3:server-metadata:index\": \"rule:admin_or_owner\","},{"line_number":280,"context_line":"    \"compute_extension:v3:server-metadata:show\": \"rule:admin_or_owner\","},{"line_number":281,"context_line":"    \"compute_extension:v3:server-metadata:delete\": \"rule:admin_or_owner\","},{"line_number":282,"context_line":"    \"compute_extension:v3:server-metadata:create\": \"\","},{"line_number":283,"context_line":"    \"compute_extension:v3:server-metadata:update\": 
\"rule:admin_or_owner\","},{"line_number":284,"context_line":"    \"compute_extension:v3:server-metadata:update_all\": \"rule:admin_or_owner\","},{"line_number":285,"context_line":"    \"compute_extension:v3:servers:discoverable\": \"\","}],"source_content_type":"application/json","patch_set":14,"id":"da86d52c_6e74a736","line":282,"in_reply_to":"da86d52c_2a4c60c8","updated":"2015-02-13 23:43:50.000000000","message":"oops, @Andrew, you are right, for this case, we should write \u0027admin_or_owner\u0027 at here. will update soon","commit_id":"b9ddb13320f2cae22fdc7c5bc6b94b4837c61f34"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"b3b0a815ef76d3f7b62c3e8eec4e9df99de04abb","unresolved":false,"context_lines":[{"line_number":279,"context_line":"    \"compute_extension:v3:server-metadata:index\": \"rule:admin_or_owner\","},{"line_number":280,"context_line":"    \"compute_extension:v3:server-metadata:show\": \"rule:admin_or_owner\","},{"line_number":281,"context_line":"    \"compute_extension:v3:server-metadata:delete\": \"rule:admin_or_owner\","},{"line_number":282,"context_line":"    \"compute_extension:v3:server-metadata:create\": \"\","},{"line_number":283,"context_line":"    \"compute_extension:v3:server-metadata:update\": \"rule:admin_or_owner\","},{"line_number":284,"context_line":"    \"compute_extension:v3:server-metadata:update_all\": \"rule:admin_or_owner\","},{"line_number":285,"context_line":"    \"compute_extension:v3:servers:discoverable\": \"\","}],"source_content_type":"application/json","patch_set":14,"id":"da86d52c_ba69abbf","line":282,"in_reply_to":"da86d52c_9f0db991","updated":"2015-02-13 01:32:35.000000000","message":"yes, there isn\u0027t owner. 
create means anyone can create a resource, and the created resource belongs to the requester.","commit_id":"b9ddb13320f2cae22fdc7c5bc6b94b4837c61f34"},{"author":{"_account_id":5441,"name":"Andrew Laski","email":"andrew@lascii.com","username":"alaski"},"change_message_id":"2bdacf54c98d472c048c139d0a356979691be88c","unresolved":false,"context_lines":[{"line_number":279,"context_line":"    \"compute_extension:v3:server-metadata:index\": \"rule:admin_or_owner\","},{"line_number":280,"context_line":"    \"compute_extension:v3:server-metadata:show\": \"rule:admin_or_owner\","},{"line_number":281,"context_line":"    \"compute_extension:v3:server-metadata:delete\": \"rule:admin_or_owner\","},{"line_number":282,"context_line":"    \"compute_extension:v3:server-metadata:create\": \"\","},{"line_number":283,"context_line":"    \"compute_extension:v3:server-metadata:update\": \"rule:admin_or_owner\","},{"line_number":284,"context_line":"    \"compute_extension:v3:server-metadata:update_all\": \"rule:admin_or_owner\","},{"line_number":285,"context_line":"    \"compute_extension:v3:servers:discoverable\": \"\","}],"source_content_type":"application/json","patch_set":14,"id":"da86d52c_2a4c60c8","line":282,"in_reply_to":"da86d52c_ba69abbf","updated":"2015-02-13 20:59:54.000000000","message":"The policy should be checked against the instance, so admin_or_owner defines the relationship with the instance not the metadata.  
So admin_or_owner should be used here.","commit_id":"b9ddb13320f2cae22fdc7c5bc6b94b4837c61f34"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"de4a487e0f89a3b8a2245279343eb8af41778312","unresolved":false,"context_lines":[{"line_number":279,"context_line":"    \"compute_extension:v3:server-metadata:index\": \"rule:admin_or_owner\","},{"line_number":280,"context_line":"    \"compute_extension:v3:server-metadata:show\": \"rule:admin_or_owner\","},{"line_number":281,"context_line":"    \"compute_extension:v3:server-metadata:delete\": \"rule:admin_or_owner\","},{"line_number":282,"context_line":"    \"compute_extension:v3:server-metadata:create\": \"\","},{"line_number":283,"context_line":"    \"compute_extension:v3:server-metadata:update\": \"rule:admin_or_owner\","},{"line_number":284,"context_line":"    \"compute_extension:v3:server-metadata:update_all\": \"rule:admin_or_owner\","},{"line_number":285,"context_line":"    \"compute_extension:v3:servers:discoverable\": \"\","}],"source_content_type":"application/json","patch_set":14,"id":"da86d52c_9f0db991","line":282,"in_reply_to":"da86d52c_e0e9c87f","updated":"2015-02-13 01:14:45.000000000","message":"@Joe\n\nbecause before creating a resource, the owner doesn\u0027t exist I guess.","commit_id":"b9ddb13320f2cae22fdc7c5bc6b94b4837c61f34"}],"nova/api/openstack/compute/plugins/v3/server_metadata.py":[{"author":{"_account_id":5441,"name":"Andrew Laski","email":"andrew@lascii.com","username":"alaski"},"change_message_id":"2bdacf54c98d472c048c139d0a356979691be88c","unresolved":false,"context_lines":[{"line_number":54,"context_line":"    def index(self, req, server_id):"},{"line_number":55,"context_line":"        \"\"\"Returns the list of metadata for a given instance.\"\"\""},{"line_number":56,"context_line":"        context \u003d req.environ[\u0027nova.context\u0027]"},{"line_number":57,"context_line":"        authorize(context, 
action\u003d\u0027index\u0027)"},{"line_number":58,"context_line":"        return {\u0027metadata\u0027: self._get_metadata(context, server_id)}"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"    @extensions.expected_errors((400, 403, 404, 409, 413))"}],"source_content_type":"text/x-python","patch_set":14,"id":"da86d52c_8a638c40","line":57,"updated":"2015-02-13 20:59:54.000000000","message":"Don\u0027t you want to get the instance and pass that in to all of these authorize methods?  Otherwise you\u0027re just verifying the project_id in the request against what\u0027s returned from auth.","commit_id":"b9ddb13320f2cae22fdc7c5bc6b94b4837c61f34"},{"author":{"_account_id":5441,"name":"Andrew Laski","email":"andrew@lascii.com","username":"alaski"},"change_message_id":"055a15802f4ed725b586904fa6351f9d841672a3","unresolved":false,"context_lines":[{"line_number":54,"context_line":"    def index(self, req, server_id):"},{"line_number":55,"context_line":"        \"\"\"Returns the list of metadata for a given instance.\"\"\""},{"line_number":56,"context_line":"        context \u003d req.environ[\u0027nova.context\u0027]"},{"line_number":57,"context_line":"        authorize(context, action\u003d\u0027index\u0027)"},{"line_number":58,"context_line":"        return {\u0027metadata\u0027: self._get_metadata(context, server_id)}"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"    @extensions.expected_errors((400, 403, 404, 409, 413))"}],"source_content_type":"text/x-python","patch_set":14,"id":"da86d52c_eb8f7274","line":57,"in_reply_to":"da86d52c_4e90c34e","updated":"2015-02-16 19:37:11.000000000","message":"Thanks for the explanation.  That makes sense, though I\u0027m a bit wary of the approach.  Updating the target later means that it is possible for the behavior of defined policy rules to change.  
As long as the targets are updated before this code is considered \"supported\" and exposed to users that\u0027s fine, but this does introduce a risk that we will forget to do that.","commit_id":"b9ddb13320f2cae22fdc7c5bc6b94b4837c61f34"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"636c74a92bbab0e28e3b5ac9d90f7c56add8614d","unresolved":false,"context_lines":[{"line_number":54,"context_line":"    def index(self, req, server_id):"},{"line_number":55,"context_line":"        \"\"\"Returns the list of metadata for a given instance.\"\"\""},{"line_number":56,"context_line":"        context \u003d req.environ[\u0027nova.context\u0027]"},{"line_number":57,"context_line":"        authorize(context, action\u003d\u0027index\u0027)"},{"line_number":58,"context_line":"        return {\u0027metadata\u0027: self._get_metadata(context, server_id)}"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"    @extensions.expected_errors((400, 403, 404, 409, 413))"}],"source_content_type":"text/x-python","patch_set":14,"id":"da86d52c_4e90c34e","line":57,"in_reply_to":"da86d52c_8a638c40","updated":"2015-02-13 23:43:50.000000000","message":"Yes, you are right. Ideally we should check the \u0027real\u0027 target. But as the discussion at https://review.openstack.org/#/c/143393/20/nova/api/openstack/compute/plugins/v3/pause_server.py\n\nI didn\u0027t describe that at spec for this... and we want to focus on \u0027move policy into rest api layer\u0027....and for \u0027index\u0027 action, we need change a little behavior, we raise exception before policy checking failed, after checking target, index only return a list obj without the target that didn\u0027t pass the policy checking.\n\nAnd thinking of without target, we only miss one case that I\u0027m not sure there is any user use it. 
it is the per-user permission: a user can write a rule like \"user_id: %{user_id}\"\n\nThe per-tenant permission checking is actually done by the db code. So without checking the target, we aren\u0027t missing the basic use-case.\n\nSo the final decision is to just focus on \u0027move policy\u0027; checking the \u0027real target\u0027 will be done in the next release with another spec.\n\nDoes that make sense to you?","commit_id":"b9ddb13320f2cae22fdc7c5bc6b94b4837c61f34"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"ebfa5427d892a2670a64f9669e353d98a7c5ad7c","unresolved":false,"context_lines":[{"line_number":54,"context_line":"    def index(self, req, server_id):"},{"line_number":55,"context_line":"        \"\"\"Returns the list of metadata for a given instance.\"\"\""},{"line_number":56,"context_line":"        context \u003d req.environ[\u0027nova.context\u0027]"},{"line_number":57,"context_line":"        authorize(context, action\u003d\u0027index\u0027)"},{"line_number":58,"context_line":"        return {\u0027metadata\u0027: self._get_metadata(context, server_id)}"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"    @extensions.expected_errors((400, 403, 404, 409, 413))"}],"source_content_type":"text/x-python","patch_set":14,"id":"da86d52c_d04336ad","line":57,"in_reply_to":"da86d52c_eb8f7274","updated":"2015-02-17 01:23:21.000000000","message":"Yes, that will changed behavior a little. From return error change to return successful. So it still back-compatible behavior\u0027s change, that is one of reason we can do it later. 
Thanks for your reply!","commit_id":"b9ddb13320f2cae22fdc7c5bc6b94b4837c61f34"}],"nova/tests/unit/fake_policy.py":[{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"0fa0f283d6608e451b18c6cda3caa1c313446656","unresolved":false,"context_lines":[{"line_number":346,"context_line":"    \"compute_extension:v3:server-metadata:update_all\": \"\","},{"line_number":347,"context_line":"    \"compute_extension:v3:server-metadata:delete\": \"\","},{"line_number":348,"context_line":"    \"compute_extension:v3:server-metadata:show\": \"\","},{"line_number":349,"context_line":"    \"compute_extension:v3:server-metadata:index\": \"\","},{"line_number":350,"context_line":""},{"line_number":351,"context_line":"    \"network:get_all\": \"\","},{"line_number":352,"context_line":"    \"network:get\": \"\","}],"source_content_type":"text/x-python","patch_set":12,"id":"da86d52c_db13f3fe","line":349,"updated":"2015-02-12 07:24:44.000000000","message":"Why don\u0027t you add the above policies to etc/nova/policy.json ?","commit_id":"b3be0fc5a42d82d4a2e603f764cfcd9427b8b157"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"3f76401cb3d5aead21af4ffc023271989312a02d","unresolved":false,"context_lines":[{"line_number":346,"context_line":"    \"compute_extension:v3:server-metadata:update_all\": \"\","},{"line_number":347,"context_line":"    \"compute_extension:v3:server-metadata:delete\": \"\","},{"line_number":348,"context_line":"    \"compute_extension:v3:server-metadata:show\": \"\","},{"line_number":349,"context_line":"    \"compute_extension:v3:server-metadata:index\": \"\","},{"line_number":350,"context_line":""},{"line_number":351,"context_line":"    \"network:get_all\": \"\","},{"line_number":352,"context_line":"    \"network:get\": 
\"\","}],"source_content_type":"text/x-python","patch_set":12,"id":"da86d52c_161802d2","line":349,"in_reply_to":"da86d52c_1653a217","updated":"2015-02-12 08:01:13.000000000","message":"yes, sorry, I\u0027m done with lastest patch.","commit_id":"b3be0fc5a42d82d4a2e603f764cfcd9427b8b157"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"c9bf46e76d4d504494ae629a7b9c788d6cfba06f","unresolved":false,"context_lines":[{"line_number":346,"context_line":"    \"compute_extension:v3:server-metadata:update_all\": \"\","},{"line_number":347,"context_line":"    \"compute_extension:v3:server-metadata:delete\": \"\","},{"line_number":348,"context_line":"    \"compute_extension:v3:server-metadata:show\": \"\","},{"line_number":349,"context_line":"    \"compute_extension:v3:server-metadata:index\": \"\","},{"line_number":350,"context_line":""},{"line_number":351,"context_line":"    \"network:get_all\": \"\","},{"line_number":352,"context_line":"    \"network:get\": \"\","}],"source_content_type":"text/x-python","patch_set":12,"id":"da86d52c_1653a217","line":349,"in_reply_to":"da86d52c_bb7f1faa","updated":"2015-02-12 07:45:52.000000000","message":"I mean we need to the above policies to etc/nova/policy.json *also*","commit_id":"b3be0fc5a42d82d4a2e603f764cfcd9427b8b157"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"f9d9a25057c292ef6eda797ef71aa8992158d5e7","unresolved":false,"context_lines":[{"line_number":346,"context_line":"    \"compute_extension:v3:server-metadata:update_all\": \"\","},{"line_number":347,"context_line":"    \"compute_extension:v3:server-metadata:delete\": \"\","},{"line_number":348,"context_line":"    \"compute_extension:v3:server-metadata:show\": \"\","},{"line_number":349,"context_line":"    \"compute_extension:v3:server-metadata:index\": 
\"\","},{"line_number":350,"context_line":""},{"line_number":351,"context_line":"    \"network:get_all\": \"\","},{"line_number":352,"context_line":"    \"network:get\": \"\","}],"source_content_type":"text/x-python","patch_set":12,"id":"da86d52c_bb7f1faa","line":349,"in_reply_to":"da86d52c_db13f3fe","updated":"2015-02-12 07:40:57.000000000","message":"Because the unitest will load those rules. If there isn\u0027t rule for this action, the policy enforcement will failed. Then all the unittests can be passed.","commit_id":"b3be0fc5a42d82d4a2e603f764cfcd9427b8b157"}]}
