)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"32e9b4c9cd70392dd3096c2b6e7f3ee5a1b68f47","unresolved":false,"context_lines":[{"line_number":9,"context_line":"The target passed to Enforcer.authorize should be a dict,"},{"line_number":10,"context_line":"similar to the target dict to the RequestContext.can method."},{"line_number":11,"context_line":"However, we were passing an instance of _DeprecatedPolicyValues"},{"line_number":12,"context_line":"because what is ultimately what comes out of"},{"line_number":13,"context_line":"RequestContext.to_policy_values(). As of change"},{"line_number":14,"context_line":"I4642c57990b145c0e691140970574412682e66a5 in oslo.policy, that"},{"line_number":15,"context_line":"incorrect type for the target parameter results in an error in"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"3f79a3b5_bfcc1796","line":12,"range":{"start_line":12,"start_character":8,"end_line":12,"end_character":12},"updated":"2018-12-10 20:12:36.000000000","message":"that","commit_id":"fc5b333b6265ad7065ffc5fac08396febb430bc6"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"54677305fcb0de43c97ca7bc6195f3a2246e91aa","unresolved":false,"context_lines":[{"line_number":19,"context_line":"  \u003cclass \u0027oslo_context.context._DeprecatedPolicyValues\u0027\u003e instead."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"This resolves the issue by using the same default target dict"},{"line_number":22,"context_line":"that RequestContext.can uses if a target is not supplied."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Note that we get here from NovaKeystoneContext via API middleware"},{"line_number":25,"context_line":"before any request handler is invoked in the wsgi stack, so 
there"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"3f79a3b5_7fad1f32","line":22,"updated":"2018-12-10 20:34:52.000000000","message":"Yup - target should be as much information as possible about the thing being accessed by the API (like an instance or hypervisor).\n\nCredentials are dictionaries or context objects meant to represent the user who is calling the API.","commit_id":"c27af238ad99c0330eb4b55398f44be28e6f0485"}],"nova/context.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"53f2ac5e283499efc7aa80caa02b2e6b124ea82c","unresolved":false,"context_lines":[{"line_number":250,"context_line":"            authorized and False if not authorized and fatal is False."},{"line_number":251,"context_line":"        \"\"\""},{"line_number":252,"context_line":"        if target is None:"},{"line_number":253,"context_line":"            target \u003d self.default_target()"},{"line_number":254,"context_line":""},{"line_number":255,"context_line":"        try:"},{"line_number":256,"context_line":"            return policy.authorize(self, action, target)"}],"source_content_type":"text/x-python","patch_set":2,"id":"5fc1f717_5438b4ed","line":253,"updated":"2019-03-12 22:01:00.000000000","message":"My only concern with something like this is inadvertently allowing access to an API based on a policy written like:\n\n  \"compute:foobar:create\": \"project_id:%(target.project_id)s\"\n\nWould effectively noop any real authorization check, but it sounds like that\u0027s what is happening today.\n\nIn that case, maybe it\u0027s better to get protection testing in place before refactoring this out, iff that\u0027s what y\u0027all decide to do.","commit_id":"c27af238ad99c0330eb4b55398f44be28e6f0485"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"8999c09a4f738dee2b4aed892f16349895f43a02","unresolved":false,"context_lines":[{"line_number":250,"context_line":"            authorized and False if not authorized and fatal is False."},{"line_number":251,"context_line":"        \"\"\""},{"line_number":252,"context_line":"        if target is None:"},{"line_number":253,"context_line":"            target \u003d self.default_target()"},{"line_number":254,"context_line":""},{"line_number":255,"context_line":"        try:"},{"line_number":256,"context_line":"            return policy.authorize(self, action, target)"}],"source_content_type":"text/x-python","patch_set":2,"id":"5fc1f717_df06fd1c","line":253,"in_reply_to":"5fc1f717_5438b4ed","updated":"2019-03-12 22:04:33.000000000","message":"Shameless plug - we have docs close to merging that describe how to simplify some of this stuff\n\nhttp://logs.openstack.org/63/638563/9/check/openstack-tox-docs/44b339a/html/contributor/services.html#why-are-authorization-scopes-important\n\nhttp://logs.openstack.org/63/638563/9/check/openstack-tox-docs/44b339a/html/contributor/services.html#how-to-i-incorporate-authorization-scopes-into-a-service","commit_id":"c27af238ad99c0330eb4b55398f44be28e6f0485"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"dbdab84e8bd418ecbf2340175f1cc83a1413481c","unresolved":false,"context_lines":[{"line_number":250,"context_line":"            authorized and False if not authorized and fatal is False."},{"line_number":251,"context_line":"        \"\"\""},{"line_number":252,"context_line":"        if target is None:"},{"line_number":253,"context_line":"            target \u003d self.default_target()"},{"line_number":254,"context_line":""},{"line_number":255,"context_line":"        try:"},{"line_number":256,"context_line":"            return policy.authorize(self, action, 
target)"}],"source_content_type":"text/x-python","patch_set":2,"id":"dfbec78f_f3fd7b3a","line":253,"in_reply_to":"5fc1f717_df06fd1c","updated":"2019-05-07 22:53:24.000000000","message":"Yeah, that is totally what happens today all over the place.","commit_id":"c27af238ad99c0330eb4b55398f44be28e6f0485"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"77afdbf75766d3e4f3a56161e1a9e999bc90175a","unresolved":false,"context_lines":[{"line_number":250,"context_line":"            authorized and False if not authorized and fatal is False."},{"line_number":251,"context_line":"        \"\"\""},{"line_number":252,"context_line":"        if target is None:"},{"line_number":253,"context_line":"            target \u003d self.default_target()"},{"line_number":254,"context_line":""},{"line_number":255,"context_line":"        try:"},{"line_number":256,"context_line":"            return policy.authorize(self, action, target)"}],"source_content_type":"text/x-python","patch_set":2,"id":"bfb3d3c7_4239563f","line":253,"in_reply_to":"dfbec78f_f3fd7b3a","updated":"2019-05-17 01:48:17.000000000","message":"Sounds good - we can tackle that another time.","commit_id":"c27af238ad99c0330eb4b55398f44be28e6f0485"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"54677305fcb0de43c97ca7bc6195f3a2246e91aa","unresolved":false,"context_lines":[{"line_number":260,"context_line":"            return False"},{"line_number":261,"context_line":""},{"line_number":262,"context_line":"    def default_target(self):"},{"line_number":263,"context_line":"        return {\u0027project_id\u0027: self.project_id, \u0027user_id\u0027: self.user_id}"},{"line_number":264,"context_line":""},{"line_number":265,"context_line":"    def to_policy_values(self):"},{"line_number":266,"context_line":"        policy \u003d super(RequestContext, 
self).to_policy_values()"}],"source_content_type":"text/x-python","patch_set":2,"id":"3f79a3b5_3fab271f","line":263,"updated":"2018-12-10 20:34:52.000000000","message":"I suppose this is the most basic format of a target dictionary for nova, right?","commit_id":"c27af238ad99c0330eb4b55398f44be28e6f0485"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"dbdab84e8bd418ecbf2340175f1cc83a1413481c","unresolved":false,"context_lines":[{"line_number":260,"context_line":"            return False"},{"line_number":261,"context_line":""},{"line_number":262,"context_line":"    def default_target(self):"},{"line_number":263,"context_line":"        return {\u0027project_id\u0027: self.project_id, \u0027user_id\u0027: self.user_id}"},{"line_number":264,"context_line":""},{"line_number":265,"context_line":"    def to_policy_values(self):"},{"line_number":266,"context_line":"        policy \u003d super(RequestContext, self).to_policy_values()"}],"source_content_type":"text/x-python","patch_set":2,"id":"dfbec78f_13f92f4c","line":263,"in_reply_to":"3f79a3b5_313b4cf3","updated":"2019-05-07 22:53:24.000000000","message":"Yeah, this is a bigger issue.","commit_id":"c27af238ad99c0330eb4b55398f44be28e6f0485"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"e63fab73efcb4aead0297d70597a564dd9ee3559","unresolved":false,"context_lines":[{"line_number":260,"context_line":"            return False"},{"line_number":261,"context_line":""},{"line_number":262,"context_line":"    def default_target(self):"},{"line_number":263,"context_line":"        return {\u0027project_id\u0027: self.project_id, \u0027user_id\u0027: self.user_id}"},{"line_number":264,"context_line":""},{"line_number":265,"context_line":"    def to_policy_values(self):"},{"line_number":266,"context_line":"        policy \u003d super(RequestContext, 
self).to_policy_values()"}],"source_content_type":"text/x-python","patch_set":2,"id":"3f79a3b5_ba10a2ab","line":263,"in_reply_to":"3f79a3b5_3fab271f","updated":"2018-12-10 23:53:16.000000000","message":"It\u0027s just what we\u0027ve always defaulted for the target yeah.","commit_id":"c27af238ad99c0330eb4b55398f44be28e6f0485"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"0a7c051047cb34e5c7346dde6dd705defc463387","unresolved":false,"context_lines":[{"line_number":260,"context_line":"            return False"},{"line_number":261,"context_line":""},{"line_number":262,"context_line":"    def default_target(self):"},{"line_number":263,"context_line":"        return {\u0027project_id\u0027: self.project_id, \u0027user_id\u0027: self.user_id}"},{"line_number":264,"context_line":""},{"line_number":265,"context_line":"    def to_policy_values(self):"},{"line_number":266,"context_line":"        policy \u003d super(RequestContext, self).to_policy_values()"}],"source_content_type":"text/x-python","patch_set":2,"id":"3f79a3b5_313b4cf3","line":263,"in_reply_to":"3f79a3b5_ba10a2ab","updated":"2018-12-11 12:05:48.000000000","message":"Interesting...\n\nThis doesn\u0027t seem overly nova specific and the values are likely coming from keystonemiddleware or oslo.context. Maybe there is a way we can make this more reusable. For example, I wonder if you could ask oslo.context for an initial target dictionary, which would come populated with stuff like this. Then the service would just update that dictionary with service-specific information about the resource being accessed or whatever. 
It\u0027d be nice to \"standardize\" as much stuff in the target and creds dictionaries as possible between services, then it\u0027s not as much of a guessing game for operators (since that\u0027s unfortunately the API operators have for building policies).\n\nNot something to tackle in this patch per se, just thinking out loud.","commit_id":"c27af238ad99c0330eb4b55398f44be28e6f0485"}],"nova/policy.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"53f2ac5e283499efc7aa80caa02b2e6b124ea82c","unresolved":false,"context_lines":[{"line_number":175,"context_line":""},{"line_number":176,"context_line":"    init()"},{"line_number":177,"context_line":"    # the target is user-self"},{"line_number":178,"context_line":"    credentials \u003d context.to_policy_values()"},{"line_number":179,"context_line":"    target \u003d context.default_target()"},{"line_number":180,"context_line":"    return _ENFORCER.authorize(\u0027context_is_admin\u0027, target, credentials)"},{"line_number":181,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"5fc1f717_b48a38bc","line":178,"updated":"2019-03-12 22:01:00.000000000","message":"Side note, but somewhat related. You can get rid of this and just pass the context object to oslo.policy directly. 
This avoids weird cases where different services build credential dictionaries in different ways.\n\n  return _ENFORCER.authorize(\u0027context_is_admin\u0027, target, context)\n\n\n[0] https://review.openstack.org/#/c/578995/","commit_id":"c27af238ad99c0330eb4b55398f44be28e6f0485"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"dbdab84e8bd418ecbf2340175f1cc83a1413481c","unresolved":false,"context_lines":[{"line_number":175,"context_line":""},{"line_number":176,"context_line":"    init()"},{"line_number":177,"context_line":"    # the target is user-self"},{"line_number":178,"context_line":"    credentials \u003d context.to_policy_values()"},{"line_number":179,"context_line":"    target \u003d context.default_target()"},{"line_number":180,"context_line":"    return _ENFORCER.authorize(\u0027context_is_admin\u0027, target, credentials)"},{"line_number":181,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"dfbec78f_f3925bf6","line":178,"in_reply_to":"5fc1f717_b48a38bc","updated":"2019-05-07 22:53:24.000000000","message":"+1 that, makes sense. 
But it\u0027s probably a different patch.","commit_id":"c27af238ad99c0330eb4b55398f44be28e6f0485"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"77afdbf75766d3e4f3a56161e1a9e999bc90175a","unresolved":false,"context_lines":[{"line_number":175,"context_line":""},{"line_number":176,"context_line":"    init()"},{"line_number":177,"context_line":"    # the target is user-self"},{"line_number":178,"context_line":"    credentials \u003d context.to_policy_values()"},{"line_number":179,"context_line":"    target \u003d context.default_target()"},{"line_number":180,"context_line":"    return _ENFORCER.authorize(\u0027context_is_admin\u0027, target, credentials)"},{"line_number":181,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"bfb3d3c7_e23dea2c","line":178,"in_reply_to":"dfbec78f_f3925bf6","updated":"2019-05-17 01:48:17.000000000","message":"++ agreed","commit_id":"c27af238ad99c0330eb4b55398f44be28e6f0485"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"53f2ac5e283499efc7aa80caa02b2e6b124ea82c","unresolved":false,"context_lines":[{"line_number":177,"context_line":"    # the target is user-self"},{"line_number":178,"context_line":"    credentials \u003d context.to_policy_values()"},{"line_number":179,"context_line":"    target \u003d context.default_target()"},{"line_number":180,"context_line":"    return _ENFORCER.authorize(\u0027context_is_admin\u0027, target, credentials)"},{"line_number":181,"context_line":""},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"@policy.register(\u0027is_admin\u0027)"}],"source_content_type":"text/x-python","patch_set":2,"id":"5fc1f717_948dbcd4","line":180,"range":{"start_line":180,"start_character":32,"end_line":180,"end_character":48},"updated":"2019-03-12 22:01:00.000000000","message":"\u003crant\u003e It would be nice to see 
this go away in favor of proper scope consumption, but baby steps \u003c/rant\u003e\n\nAlso, something that should probably live in a change all on its own.","commit_id":"c27af238ad99c0330eb4b55398f44be28e6f0485"}],"nova/tests/unit/test_policy.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"54677305fcb0de43c97ca7bc6195f3a2246e91aa","unresolved":false,"context_lines":[{"line_number":253,"context_line":"        mock_auth.assert_called_once_with("},{"line_number":254,"context_line":"            \u0027context_is_admin\u0027,"},{"line_number":255,"context_line":"            {\u0027user_id\u0027: \u0027fake-user\u0027, \u0027project_id\u0027: \u0027fake-project\u0027},"},{"line_number":256,"context_line":"            ctxt.to_policy_values())"},{"line_number":257,"context_line":""},{"line_number":258,"context_line":""},{"line_number":259,"context_line":"class AdminRolePolicyTestCase(test.NoDBTestCase):"}],"source_content_type":"text/x-python","patch_set":2,"id":"3f79a3b5_1f9c2bff","line":256,"updated":"2018-12-10 20:34:52.000000000","message":"Any reason to not just use oslo.policy directly?","commit_id":"c27af238ad99c0330eb4b55398f44be28e6f0485"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"e63fab73efcb4aead0297d70597a564dd9ee3559","unresolved":false,"context_lines":[{"line_number":253,"context_line":"        mock_auth.assert_called_once_with("},{"line_number":254,"context_line":"            \u0027context_is_admin\u0027,"},{"line_number":255,"context_line":"            {\u0027user_id\u0027: \u0027fake-user\u0027, \u0027project_id\u0027: \u0027fake-project\u0027},"},{"line_number":256,"context_line":"            ctxt.to_policy_values())"},{"line_number":257,"context_line":""},{"line_number":258,"context_line":""},{"line_number":259,"context_line":"class 
AdminRolePolicyTestCase(test.NoDBTestCase):"}],"source_content_type":"text/x-python","patch_set":2,"id":"3f79a3b5_7a068a75","line":256,"in_reply_to":"3f79a3b5_1f9c2bff","updated":"2018-12-10 23:53:16.000000000","message":"I could have, but this is really just about asserting how it\u0027s called since that\u0027s the bug - passing a target that\u0027s not correct for the policy interface.","commit_id":"c27af238ad99c0330eb4b55398f44be28e6f0485"}]}
