)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"77f1de0692ff888cb88c9e18a6a5c7ad3ef69bff","unresolved":false,"context_lines":[{"line_number":11,"context_line":" - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope"},{"line_number":12,"context_line":" - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html"},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"There are two type of scope:"},{"line_number":15,"context_line":"1. \u0027system\u0027: policy with \u0027system\u0027 scope means user with"},{"line_number":16,"context_line":"\u0027system-scoped\u0027 token have permission to access otherwise not."},{"line_number":17,"context_line":"This scope type can be applied to API policies which need"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":11,"id":"7faddb67_dd3f9683","line":14,"range":{"start_line":14,"start_character":14,"end_line":14,"end_character":18},"updated":"2019-09-05 09:14:22.000000000","message":"nit:types","commit_id":"95531517b726a0bc379bc8d9b2fc39abf5943eb5"}],"nova/policies/services.py":[{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b03d8faedd7ffdf796c8270a50d41948682577e9","unresolved":false,"context_lines":[{"line_number":54,"context_line":"        # so this policy is not \u0027project\u0027 scoped."},{"line_number":55,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":56,"context_line":"        deprecated_rule\u003dDEPRECATED_SERVICE_POLICY,"},{"line_number":57,"context_line":"        deprecated_reason\u003dDEPRECATED_REASON,"},{"line_number":58,"context_line":"        deprecated_since\u003d\u002720.0.0\u0027),"},{"line_number":59,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":60,"context_line":"        SERVICE % 
\u0027enable\u0027,"},{"line_number":61,"context_line":"        base.RULE_ADMIN_API,"}],"source_content_type":"text/x-python","patch_set":7,"id":"9fb8cfa7_1875e395","line":58,"range":{"start_line":57,"start_character":0,"end_line":58,"end_character":35},"updated":"2019-06-04 15:02:45.000000000","message":"hmm, this is funky, we are only deprecating the deprecated rule, not this new rule... so it feels a bit odd doing it like this. But this does give us the correct sample policy file and docs. Although the docs don\u0027t mention the deprecated rules.","commit_id":"5fc5722eed9cb83dfa61be969f530ba2bd9ca3f1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6664c8a3e1866802c32236f5937423a4a9b83f3e","unresolved":false,"context_lines":[{"line_number":54,"context_line":"        # so this policy is not \u0027project\u0027 scoped."},{"line_number":55,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":56,"context_line":"        deprecated_rule\u003dDEPRECATED_SERVICE_POLICY,"},{"line_number":57,"context_line":"        deprecated_reason\u003dDEPRECATED_REASON,"},{"line_number":58,"context_line":"        deprecated_since\u003d\u002720.0.0\u0027),"},{"line_number":59,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":60,"context_line":"        SERVICE % \u0027enable\u0027,"},{"line_number":61,"context_line":"        base.RULE_ADMIN_API,"}],"source_content_type":"text/x-python","patch_set":7,"id":"9fb8cfa7_a60c68ec","line":58,"range":{"start_line":57,"start_character":0,"end_line":58,"end_character":35},"in_reply_to":"9fb8cfa7_1875e395","updated":"2019-06-09 05:40:50.000000000","message":"I did not get about \u0027deprecating the deprecated rule\u0027. we are deprecating the old rule which we 1. renamed(the only rules need granularity) 2. added scope 3. modified default roles (in next patch). 
And a warning to user will be clearly saying these are the things changed for this rule:\n\nexample 1:\nUserWarning: Policy \"os_compute_api:os-services\":\"rule:admin_api\"\nwas deprecated in 20.0.0 in favour of\n\"os_compute_api:os-services:disable\":\"(role:admin and system_scope:all)\".\n\nexample 2:\nUserWarning: Policy \"os_compute_api:servers:show\":\"rule:admin_or_owner\"\nwas deprecated in 20.0.0 in favor of\n\"os_compute_api:servers:show\":\"(role:reader and system_scope:all) or (rule:owner)\".\n\n\nComplete warning text:\n\n /opt/stack/nova/.tox/py27/local/lib/python2.7/site-packages/oslo_policy/policy.py:665: UserWarning: Policy \"os_compute_api:os-services\":\"rule:admin_api\" was deprecated in 20.0.0 in favor of \"os_compute_api:os-services:disable\":\"(role:admin and system_scope:all)\". Reason:\n    Since Train release, nova API policies are more granular and introducing\n    new default roles with scope_type capabilities. These new changes improve\n    the security level, manageability. New policies are more rich in term of\n    handling access at system and project level with read, write roles. Nova\n    APIs are consuming these new policies improvements and automatically\n    migrate the old overridden policies. Old policies are silently going to\n    be ignored in nova 21.0.0 (OpenStack U) release.\n    . 
Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.","commit_id":"5fc5722eed9cb83dfa61be969f530ba2bd9ca3f1"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"8c67d44dd39d6a0a5763cbc17f93c3bd27ec3e1a","unresolved":false,"context_lines":[{"line_number":54,"context_line":"        # so this policy is not \u0027project\u0027 scoped."},{"line_number":55,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":56,"context_line":"        deprecated_rule\u003dDEPRECATED_SERVICE_POLICY,"},{"line_number":57,"context_line":"        deprecated_reason\u003dDEPRECATED_REASON,"},{"line_number":58,"context_line":"        deprecated_since\u003d\u002720.0.0\u0027),"},{"line_number":59,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":60,"context_line":"        SERVICE % \u0027enable\u0027,"},{"line_number":61,"context_line":"        base.RULE_ADMIN_API,"}],"source_content_type":"text/x-python","patch_set":7,"id":"9fb8cfa7_e64e8e95","line":58,"range":{"start_line":57,"start_character":0,"end_line":58,"end_character":35},"in_reply_to":"9fb8cfa7_a60c68ec","updated":"2019-06-13 14:50:30.000000000","message":"It is more the code seems strange, agreed we get the correct result.","commit_id":"5fc5722eed9cb83dfa61be969f530ba2bd9ca3f1"}],"nova/tests/unit/policies/base.py":[{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"255bd498a11ff1121b36de19e07ca38d8847a622","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"        self.system_admin_context \u003d nova_context.RequestContext("},{"line_number":37,"context_line":"                user_id\u003d\"admin\", project_id\u003dself.admin_project_id,"},{"line_number":38,"context_line":"                
roles\u003d[\u0027admin\u0027], system_scope\u003d\u0027all\u0027)"},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"        self.project_member_context \u003d nova_context.RequestContext("},{"line_number":41,"context_line":"                user_id\u003d\"project_member\", project_id\u003dself.project_id,"}],"source_content_type":"text/x-python","patch_set":15,"id":"3fa7e38b_5b03ce0c","line":38,"updated":"2019-11-20 23:37:20.000000000","message":"I think we should add the system_reader_context here, and prove they don\u0027t have access to the admin APIs (yet):\n\n  self.system_reader_context \u003d nova_context.RequestContext(\n                user_id\u003d\"admin\", project_id\u003dself.admin_project_id,\n                roles\u003d[\u0027reader\u0027], system_scope\u003d\u0027all\u0027)\n\nI guess we could use the role \"foo\" to avoid any confusion? Really just want to make sure we test we check for the admin role and the scope.","commit_id":"6f41f4a0a506722126f0ff584530166a11e7f0e7"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"67d1d49473ae4d49fdf621640911e6d6db29a168","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"        self.system_admin_context \u003d nova_context.RequestContext("},{"line_number":37,"context_line":"                user_id\u003d\"admin\", project_id\u003dself.admin_project_id,"},{"line_number":38,"context_line":"                roles\u003d[\u0027admin\u0027], system_scope\u003d\u0027all\u0027)"},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"        self.project_member_context \u003d nova_context.RequestContext("},{"line_number":41,"context_line":"                user_id\u003d\"project_member\", 
project_id\u003dself.project_id,"}],"source_content_type":"text/x-python","patch_set":15,"id":"3fa7e38b_466992bb","line":38,"in_reply_to":"3fa7e38b_5b03ce0c","updated":"2019-11-22 18:22:07.000000000","message":"done.","commit_id":"6f41f4a0a506722126f0ff584530166a11e7f0e7"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"255bd498a11ff1121b36de19e07ca38d8847a622","unresolved":false,"context_lines":[{"line_number":39,"context_line":""},{"line_number":40,"context_line":"        self.project_member_context \u003d nova_context.RequestContext("},{"line_number":41,"context_line":"                user_id\u003d\"project_member\", project_id\u003dself.project_id,"},{"line_number":42,"context_line":"                roles\u003d[\u0027member\u0027])"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"        self.other_project_member_context \u003d nova_context.RequestContext("},{"line_number":45,"context_line":"                user_id\u003d\"other_project_member\","}],"source_content_type":"text/x-python","patch_set":15,"id":"3fa7e38b_3b0e1232","line":42,"updated":"2019-11-20 23:37:20.000000000","message":"I am tempted to say add project_reader_context here too, although I get it\u0027s not totally needed here, as anything that isn\u0027t admin is enough from a coverage point of view.","commit_id":"6f41f4a0a506722126f0ff584530166a11e7f0e7"}],"nova/tests/unit/policies/test_services.py":[{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d4f651b789b25b5769572f8857d1196379d8b1a1","unresolved":false,"context_lines":[{"line_number":18,"context_line":"from nova.tests.unit.policies import base"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"class 
ServicesPolicyTest(base.BasePolicyTest):"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"    \"\"\"Test os-services APIs policies with all possible context."},{"line_number":24,"context_line":""}],"source_content_type":"text/x-python","patch_set":15,"id":"3fa7e38b_dbd49eec","line":21,"updated":"2019-11-21 00:25:50.000000000","message":"I actually think in this patch we should be able to leave this test unchanged, and only add the extra test that enables the scope checking.","commit_id":"6f41f4a0a506722126f0ff584530166a11e7f0e7"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"67d1d49473ae4d49fdf621640911e6d6db29a168","unresolved":false,"context_lines":[{"line_number":18,"context_line":"from nova.tests.unit.policies import base"},{"line_number":19,"context_line":""},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"class ServicesPolicyTest(base.BasePolicyTest):"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"    \"\"\"Test os-services APIs policies with all possible context."},{"line_number":24,"context_line":""}],"source_content_type":"text/x-python","patch_set":15,"id":"3fa7e38b_e69d1ebb","line":21,"in_reply_to":"3fa7e38b_dbd49eec","updated":"2019-11-22 18:22:07.000000000","message":"yeah, i did more optimization here which i should do in original patch and reflect only scope enable/disable tests verification.","commit_id":"6f41f4a0a506722126f0ff584530166a11e7f0e7"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"255bd498a11ff1121b36de19e07ca38d8847a622","unresolved":false,"context_lines":[{"line_number":33,"context_line":"        self.controller \u003d services_v21.ServiceController()"},{"line_number":34,"context_line":"        self.req \u003d 
fakes.HTTPRequest.blank(\u0027/services\u0027)"},{"line_number":35,"context_line":"        # Check that admin is able to delete the service"},{"line_number":36,"context_line":"        self.delete_success_contexts \u003d [self.legacy_admin_context]"},{"line_number":37,"context_line":"        # Check that project member(non admin) is not able to delete"},{"line_number":38,"context_line":"        # the service"},{"line_number":39,"context_line":"        self.delete_fail_contexts \u003d [self.project_member_context]"}],"source_content_type":"text/x-python","patch_set":15,"id":"3fa7e38b_bb2be27f","line":36,"updated":"2019-11-20 23:37:20.000000000","message":"Why not have self.admin_api_success_context and self.admin_api_fail_context and share between all the API calls in here?\n\nI would be tempted to move that into the base class, as it will be the same for anything using the admin_api rule, I think.","commit_id":"6f41f4a0a506722126f0ff584530166a11e7f0e7"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"67d1d49473ae4d49fdf621640911e6d6db29a168","unresolved":false,"context_lines":[{"line_number":33,"context_line":"        self.controller \u003d services_v21.ServiceController()"},{"line_number":34,"context_line":"        self.req \u003d fakes.HTTPRequest.blank(\u0027/services\u0027)"},{"line_number":35,"context_line":"        # Check that admin is able to delete the service"},{"line_number":36,"context_line":"        self.delete_success_contexts \u003d [self.legacy_admin_context]"},{"line_number":37,"context_line":"        # Check that project member(non admin) is not able to delete"},{"line_number":38,"context_line":"        # the service"},{"line_number":39,"context_line":"        self.delete_fail_contexts \u003d 
[self.project_member_context]"}],"source_content_type":"text/x-python","patch_set":15,"id":"3fa7e38b_46975291","line":36,"in_reply_to":"3fa7e38b_bb2be27f","updated":"2019-11-22 18:22:07.000000000","message":"nice idea. done. we can prepare the same for others also, like system_reader_success/fail_context etc","commit_id":"6f41f4a0a506722126f0ff584530166a11e7f0e7"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d4f651b789b25b5769572f8857d1196379d8b1a1","unresolved":false,"context_lines":[{"line_number":93,"context_line":"                                     body\u003d{\u0027status\u0027: \u0027enabled\u0027})"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"class ServicesScopeTypePolicyTest(ServicesPolicyTest):"},{"line_number":97,"context_line":"    \"\"\"Test os-services APIs policies with system scope enabled."},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"    This class set the nova.conf [oslo_policy] enforce_scope to True"}],"source_content_type":"text/x-python","patch_set":15,"id":"3fa7e38b_9b04e67f","line":96,"updated":"2019-11-21 00:25:50.000000000","message":"It would be good if we can actually have this test in the previous patch, which should actually just involve changing the config.\n\nThen in this patch we can add all the overrides you have below, because the policy has the scope check added.","commit_id":"6f41f4a0a506722126f0ff584530166a11e7f0e7"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"67d1d49473ae4d49fdf621640911e6d6db29a168","unresolved":false,"context_lines":[{"line_number":93,"context_line":"                                     body\u003d{\u0027status\u0027: 
\u0027enabled\u0027})"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"class ServicesScopeTypePolicyTest(ServicesPolicyTest):"},{"line_number":97,"context_line":"    \"\"\"Test os-services APIs policies with system scope enabled."},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"    This class set the nova.conf [oslo_policy] enforce_scope to True"}],"source_content_type":"text/x-python","patch_set":15,"id":"3fa7e38b_a63f2684","line":96,"in_reply_to":"3fa7e38b_9b04e67f","updated":"2019-11-22 18:22:07.000000000","message":"ok. because oslo has system scope support so enabling that and checking the nova policy before changes keep working is good way to review the exact change.","commit_id":"6f41f4a0a506722126f0ff584530166a11e7f0e7"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"255bd498a11ff1121b36de19e07ca38d8847a622","unresolved":false,"context_lines":[{"line_number":111,"context_line":"        self.req \u003d fakes.HTTPRequest.blank(\u0027/services\u0027)"},{"line_number":112,"context_line":"        # Check that System admin (token with system scope) is able"},{"line_number":113,"context_line":"        # to delete the service"},{"line_number":114,"context_line":"        self.delete_success_contexts \u003d [self.system_admin_context]"},{"line_number":115,"context_line":"        # Check that non-system scopped token (project scopped and legacy"},{"line_number":116,"context_line":"        # admin) is not able to delete the service"},{"line_number":117,"context_line":"        self.delete_fail_contexts \u003d [self.legacy_admin_context,"}],"source_content_type":"text/x-python","patch_set":15,"id":"3fa7e38b_fb2cfa93","line":114,"updated":"2019-11-20 23:37:20.000000000","message":"As above, I think its simpler to override some shared lists 
here.","commit_id":"6f41f4a0a506722126f0ff584530166a11e7f0e7"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"67d1d49473ae4d49fdf621640911e6d6db29a168","unresolved":false,"context_lines":[{"line_number":111,"context_line":"        self.req \u003d fakes.HTTPRequest.blank(\u0027/services\u0027)"},{"line_number":112,"context_line":"        # Check that System admin (token with system scope) is able"},{"line_number":113,"context_line":"        # to delete the service"},{"line_number":114,"context_line":"        self.delete_success_contexts \u003d [self.system_admin_context]"},{"line_number":115,"context_line":"        # Check that non-system scopped token (project scopped and legacy"},{"line_number":116,"context_line":"        # admin) is not able to delete the service"},{"line_number":117,"context_line":"        self.delete_fail_contexts \u003d [self.legacy_admin_context,"}],"source_content_type":"text/x-python","patch_set":15,"id":"3fa7e38b_464af226","line":114,"in_reply_to":"3fa7e38b_fb2cfa93","updated":"2019-11-22 18:22:07.000000000","message":"done","commit_id":"6f41f4a0a506722126f0ff584530166a11e7f0e7"}]}
