)]}'
{"etc/nova/policy.json":[{"author":{"_account_id":6062,"name":"jichenjc","email":"jichenjc@cn.ibm.com","username":"jichenjc"},"change_message_id":"7469ccff34f433b3d79cb25605480571295a113d","unresolved":false,"context_lines":[{"line_number":83,"context_line":"    \"compute:security_groups:add_to_instance\": \"rule:admin_or_owner\","},{"line_number":84,"context_line":"    \"compute:security_groups:remove_from_instance\": \"rule:admin_or_owner\","},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"    \"compute:restore\": \"rule:admin_or_owner\","},{"line_number":87,"context_line":""},{"line_number":88,"context_line":"    \"compute:volume_snapshot_create\": \"rule:admin_or_owner\","},{"line_number":89,"context_line":"    \"compute:volume_snapshot_delete\": \"rule:admin_or_owner\","}],"source_content_type":"application/json","patch_set":2,"id":"dae33548_58008f01","line":86,"range":{"start_line":86,"start_character":43,"end_line":86,"end_character":45},"updated":"2016-02-16 21:47:04.000000000","message":"maybe this can be an admin-only thing; not sure whether it\u0027s out of scope","commit_id":"f87c7779cf9e02508fb276dabcac39a6f16ee518"},{"author":{"_account_id":5441,"name":"Andrew Laski","email":"andrew@lascii.com","username":"alaski"},"change_message_id":"24fa6b6089cca7cd1f8e0628c25a23bd27bf1899","unresolved":false,"context_lines":[{"line_number":83,"context_line":"    \"compute:security_groups:add_to_instance\": \"rule:admin_or_owner\","},{"line_number":84,"context_line":"    \"compute:security_groups:remove_from_instance\": \"rule:admin_or_owner\","},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"    \"compute:restore\": \"rule:admin_or_owner\","},{"line_number":87,"context_line":""},{"line_number":88,"context_line":"    \"compute:volume_snapshot_create\": \"rule:admin_or_owner\","},{"line_number":89,"context_line":"    \"compute:volume_snapshot_delete\": 
\"rule:admin_or_owner\","}],"source_content_type":"application/json","patch_set":2,"id":"dae33548_ac919c54","line":86,"range":{"start_line":86,"start_character":43,"end_line":86,"end_character":45},"in_reply_to":"dae33548_58008f01","updated":"2016-02-16 22:03:37.000000000","message":"There are a few in here that I would expect to be admin only. This just changes \"\" to an essentially equivalent admin_or_owner check. But a good followup to this would be to set some of these admin only.","commit_id":"f87c7779cf9e02508fb276dabcac39a6f16ee518"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"967a2860ee20c9e7a9c6cfca12190a9419c3d8db","unresolved":false,"context_lines":[{"line_number":271,"context_line":"    \"os_compute_api:servers:stop\": \"rule:admin_or_owner\","},{"line_number":272,"context_line":"    \"os_compute_api:servers:trigger_crash_dump\": \"rule:admin_or_owner\","},{"line_number":273,"context_line":"    \"os_compute_api:servers:migrations:force_complete\": \"rule:admin_api\","},{"line_number":274,"context_line":"    \"os_compute_api:servers:discoverable\": \"rule:admin_or_owner\","},{"line_number":275,"context_line":"    \"os_compute_api:os-access-ips:discoverable\": \"rule:admin_or_owner\","},{"line_number":276,"context_line":"    \"os_compute_api:os-access-ips\": \"rule:admin_or_owner\","},{"line_number":277,"context_line":"    \"os_compute_api:os-admin-actions\": \"rule:admin_api\","}],"source_content_type":"application/json","patch_set":6,"id":"dae33548_b20b6923","line":274,"range":{"start_line":274,"start_character":44,"end_line":274,"end_character":63},"updated":"2016-02-18 05:09:33.000000000","message":"Should we keep this as \"\" or \"@\"? 
This is used to control whether the extension is visible in the /extensions API, so there isn\u0027t an owner of the extensions.","commit_id":"90b34f021ab6cbcf512ba35e5ce5ece8db62d187"},{"author":{"_account_id":5441,"name":"Andrew Laski","email":"andrew@lascii.com","username":"alaski"},"change_message_id":"3074b3a3a033d28abef033702f9daaa8a6186d44","unresolved":false,"context_lines":[{"line_number":271,"context_line":"    \"os_compute_api:servers:stop\": \"rule:admin_or_owner\","},{"line_number":272,"context_line":"    \"os_compute_api:servers:trigger_crash_dump\": \"rule:admin_or_owner\","},{"line_number":273,"context_line":"    \"os_compute_api:servers:migrations:force_complete\": \"rule:admin_api\","},{"line_number":274,"context_line":"    \"os_compute_api:servers:discoverable\": \"rule:admin_or_owner\","},{"line_number":275,"context_line":"    \"os_compute_api:os-access-ips:discoverable\": \"rule:admin_or_owner\","},{"line_number":276,"context_line":"    \"os_compute_api:os-access-ips\": \"rule:admin_or_owner\","},{"line_number":277,"context_line":"    \"os_compute_api:os-admin-actions\": \"rule:admin_api\","}],"source_content_type":"application/json","patch_set":6,"id":"dae33548_1a7ccdea","line":274,"range":{"start_line":274,"start_character":44,"end_line":274,"end_character":63},"in_reply_to":"dae33548_b20b6923","updated":"2016-02-18 14:50:24.000000000","message":"Sounds like it should be switched to \"@\" then. I would prefer to do it in a followup so this is mostly a straight switch of \"\" to \"rule:admin_or_owner\". Then we can improve specific policies that should be different and explain in the commit message without it growing too long explaining each of these cases. I only changed the quota-sets one because it was failing a Tempest test.","commit_id":"90b34f021ab6cbcf512ba35e5ce5ece8db62d187"}]}
