)]}'
{"nova/policies/base.py":[{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"36114e32ec772dc1f13963cfbd5b34dfe1ece374","unresolved":false,"context_lines":[{"line_number":32,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":33,"context_line":"PROJECT_MEMBER \u003d \u0027role:member and project_id:%(project_id)s\u0027"},{"line_number":34,"context_line":"PROJECT_READER \u003d \u0027role:reader and project_id:%(project_id)s\u0027"},{"line_number":35,"context_line":"PROJECT_MEMBER_OR_SYSTEM_ADMIN \u003d PROJECT_MEMBER + \u0027or\u0027 + SYSTEM_ADMIN"},{"line_number":36,"context_line":"PROJECT_READER_OR_SYSTEM_READER \u003d PROJECT_READER + \u0027or\u0027 + SYSTEM_READER"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"# NOTE(gmann): Below is the mapping of new roles and scope_types"}],"source_content_type":"text/x-python","patch_set":8,"id":"7faddb67_beae9b2b","line":35,"updated":"2019-08-15 17:08:19.000000000","message":"This becomes\n\n role:member and project_id:%(project_id)sorrule:admin_api and system_scope:all\n\nSo I think we need spaces around \u0027or\u0027 like \u0027 or \u0027.","commit_id":"d94227661fa2adbff267d8d437c4b75be812f57c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f1bac0bddb1b4b430911ea9e1e715fa4b039348d","unresolved":false,"context_lines":[{"line_number":32,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":33,"context_line":"PROJECT_MEMBER \u003d \u0027role:member and project_id:%(project_id)s\u0027"},{"line_number":34,"context_line":"PROJECT_READER \u003d \u0027role:reader and project_id:%(project_id)s\u0027"},{"line_number":35,"context_line":"PROJECT_MEMBER_OR_SYSTEM_ADMIN \u003d PROJECT_MEMBER + \u0027or\u0027 + 
SYSTEM_ADMIN"},{"line_number":36,"context_line":"PROJECT_READER_OR_SYSTEM_READER \u003d PROJECT_READER + \u0027or\u0027 + SYSTEM_READER"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"# NOTE(gmann): Below is the mapping of new roles and scope_types"}],"source_content_type":"text/x-python","patch_set":8,"id":"7faddb67_d566cded","line":35,"in_reply_to":"7faddb67_beae9b2b","updated":"2019-08-16 01:38:12.000000000","message":"ah yeah. Thanks nice catch.","commit_id":"d94227661fa2adbff267d8d437c4b75be812f57c"},{"author":{"_account_id":6167,"name":"Ken\u0027ichi Ohmichi","email":"ken1ohmichi@gmail.com","username":"oomichi"},"change_message_id":"36114e32ec772dc1f13963cfbd5b34dfe1ece374","unresolved":false,"context_lines":[{"line_number":33,"context_line":"PROJECT_MEMBER \u003d \u0027role:member and project_id:%(project_id)s\u0027"},{"line_number":34,"context_line":"PROJECT_READER \u003d \u0027role:reader and project_id:%(project_id)s\u0027"},{"line_number":35,"context_line":"PROJECT_MEMBER_OR_SYSTEM_ADMIN \u003d PROJECT_MEMBER + \u0027or\u0027 + SYSTEM_ADMIN"},{"line_number":36,"context_line":"PROJECT_READER_OR_SYSTEM_READER \u003d PROJECT_READER + \u0027or\u0027 + SYSTEM_READER"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"# NOTE(gmann): Below is the mapping of new roles and scope_types"},{"line_number":39,"context_line":"# with legacy roles::"}],"source_content_type":"text/x-python","patch_set":8,"id":"7faddb67_1e632f1c","line":36,"updated":"2019-08-15 17:08:19.000000000","message":"ditto","commit_id":"d94227661fa2adbff267d8d437c4b75be812f57c"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"241ef1f22e540f8f21aa7850e5e2d5e970808f13","unresolved":false,"context_lines":[{"line_number":16,"context_line":"RULE_ADMIN_API \u003d \u0027rule:admin_api\u0027"},{"line_number":17,"context_line":"RULE_ANY \u003d 
\u0027@\u0027"},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"# TODO(gmann): # Special string ``system_scope:all`` is added for system"},{"line_number":20,"context_line":"# scoped policies for backwards compatibility where ``nova.conf [oslo_policy]"},{"line_number":21,"context_line":"# enforce_scope \u003d False``."},{"line_number":22,"context_line":"# Otherwise, this might open up APIs to be more permissive unintentionally if a"}],"source_content_type":"text/x-python","patch_set":9,"id":"7faddb67_559add13","line":19,"range":{"start_line":19,"start_character":15,"end_line":19,"end_character":17},"updated":"2019-08-16 06:17:50.000000000","message":"nit: redundant.","commit_id":"f0b1298ef7f13f5cffde9b99dc872f76ceb5f583"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e6f52e62bcff7c00fe2faf444e7951fd8c4e21e5","unresolved":false,"context_lines":[{"line_number":16,"context_line":"RULE_ADMIN_API \u003d \u0027rule:admin_api\u0027"},{"line_number":17,"context_line":"RULE_ANY \u003d \u0027@\u0027"},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"# TODO(gmann): # Special string ``system_scope:all`` is added for system"},{"line_number":20,"context_line":"# scoped policies for backwards compatibility where ``nova.conf [oslo_policy]"},{"line_number":21,"context_line":"# enforce_scope \u003d False``."},{"line_number":22,"context_line":"# Otherwise, this might open up APIs to be more permissive unintentionally if a"}],"source_content_type":"text/x-python","patch_set":9,"id":"7faddb67_dae839e0","line":19,"range":{"start_line":19,"start_character":15,"end_line":19,"end_character":17},"in_reply_to":"7faddb67_559add13","updated":"2019-08-16 06:22:28.000000000","message":"Done","commit_id":"f0b1298ef7f13f5cffde9b99dc872f76ceb5f583"},{"author":{"_account_id":26458,"name":"Brin 
Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"241ef1f22e540f8f21aa7850e5e2d5e970808f13","unresolved":false,"context_lines":[{"line_number":22,"context_line":"# Otherwise, this might open up APIs to be more permissive unintentionally if a"},{"line_number":23,"context_line":"# deployment isn\u0027t enforcing scope. For example, the \u0027list all servers\u0027"},{"line_number":24,"context_line":"# policy will be System Scoped Reader with ``role:reader`` and"},{"line_number":25,"context_line":"# scope_type\u003d[\u0027system\u0027] Until enforce_scope\u003dTrue by default, it would"},{"line_number":26,"context_line":"# be possible for users with the ``reader`` role on a project to access the"},{"line_number":27,"context_line":"# \u0027list all servers\u0027 API. Once nova defaults ``nova.conf [oslo_policy]"},{"line_number":28,"context_line":"# enforce_scope\u003dTrue``, the ``system_scope:all`` bits of these check strings"}],"source_content_type":"text/x-python","patch_set":9,"id":"7faddb67_15eb0578","line":25,"range":{"start_line":25,"start_character":24,"end_line":25,"end_character":48},"updated":"2019-08-16 06:17:50.000000000","message":"nit:s/Until enforce_scope\u003dTrue/until ``enforce_scope\u003dTrue``","commit_id":"f0b1298ef7f13f5cffde9b99dc872f76ceb5f583"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e6f52e62bcff7c00fe2faf444e7951fd8c4e21e5","unresolved":false,"context_lines":[{"line_number":22,"context_line":"# Otherwise, this might open up APIs to be more permissive unintentionally if a"},{"line_number":23,"context_line":"# deployment isn\u0027t enforcing scope. 
For example, the \u0027list all servers\u0027"},{"line_number":24,"context_line":"# policy will be System Scoped Reader with ``role:reader`` and"},{"line_number":25,"context_line":"# scope_type\u003d[\u0027system\u0027] Until enforce_scope\u003dTrue by default, it would"},{"line_number":26,"context_line":"# be possible for users with the ``reader`` role on a project to access the"},{"line_number":27,"context_line":"# \u0027list all servers\u0027 API. Once nova defaults ``nova.conf [oslo_policy]"},{"line_number":28,"context_line":"# enforce_scope\u003dTrue``, the ``system_scope:all`` bits of these check strings"}],"source_content_type":"text/x-python","patch_set":9,"id":"7faddb67_7abb45e4","line":25,"range":{"start_line":25,"start_character":24,"end_line":25,"end_character":48},"in_reply_to":"7faddb67_15eb0578","updated":"2019-08-16 06:22:28.000000000","message":"Done","commit_id":"f0b1298ef7f13f5cffde9b99dc872f76ceb5f583"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"39276d2f8e68c9049dc4d9a44b87dae356bdea22","unresolved":false,"context_lines":[{"line_number":28,"context_line":"# enforce_scope\u003dTrue``, the ``system_scope:all`` bits of these check strings"},{"line_number":29,"context_line":"# can be removed since that will be handled automatically by scope_types in"},{"line_number":30,"context_line":"# oslo.policy\u0027s RuleDefault objects."},{"line_number":31,"context_line":"SYSTEM_ADMIN \u003d \u0027rule:admin_api and system_scope:all\u0027"},{"line_number":32,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":33,"context_line":"PROJECT_MEMBER \u003d \u0027role:member and project_id:%(project_id)s\u0027"},{"line_number":34,"context_line":"PROJECT_READER \u003d \u0027role:reader and 
project_id:%(project_id)s\u0027"}],"source_content_type":"text/x-python","patch_set":14,"id":"3fa7e38b_1b68f6b7","line":31,"range":{"start_line":31,"start_character":16,"end_line":31,"end_character":30},"updated":"2019-11-20 23:44:11.000000000","message":"I think role:admin is better, because \"admin\" is a built in role.","commit_id":"d4d5a477b67ea178e1834eec3d007a89315ae346"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d327b703541c64b260c26586d9548b13a8e15589","unresolved":false,"context_lines":[{"line_number":28,"context_line":"# enforce_scope\u003dTrue``, the ``system_scope:all`` bits of these check strings"},{"line_number":29,"context_line":"# can be removed since that will be handled automatically by scope_types in"},{"line_number":30,"context_line":"# oslo.policy\u0027s RuleDefault objects."},{"line_number":31,"context_line":"SYSTEM_ADMIN \u003d \u0027rule:admin_api and system_scope:all\u0027"},{"line_number":32,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":33,"context_line":"PROJECT_MEMBER \u003d \u0027role:member and project_id:%(project_id)s\u0027"},{"line_number":34,"context_line":"PROJECT_READER \u003d \u0027role:reader and project_id:%(project_id)s\u0027"}],"source_content_type":"text/x-python","patch_set":14,"id":"3fa7e38b_6645ae14","line":31,"range":{"start_line":31,"start_character":16,"end_line":31,"end_character":30},"in_reply_to":"3fa7e38b_1b68f6b7","updated":"2019-11-22 18:22:12.000000000","message":"done","commit_id":"d4d5a477b67ea178e1834eec3d007a89315ae346"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"39276d2f8e68c9049dc4d9a44b87dae356bdea22","unresolved":false,"context_lines":[{"line_number":33,"context_line":"PROJECT_MEMBER \u003d \u0027role:member and 
project_id:%(project_id)s\u0027"},{"line_number":34,"context_line":"PROJECT_READER \u003d \u0027role:reader and project_id:%(project_id)s\u0027"},{"line_number":35,"context_line":"PROJECT_MEMBER_OR_SYSTEM_ADMIN \u003d PROJECT_MEMBER + \u0027 or \u0027 + SYSTEM_ADMIN"},{"line_number":36,"context_line":"PROJECT_READER_OR_SYSTEM_READER \u003d PROJECT_READER + \u0027 or \u0027 + SYSTEM_READER"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"# NOTE(gmann): Below is the mapping of new roles and scope_types"},{"line_number":39,"context_line":"# with legacy roles::"}],"source_content_type":"text/x-python","patch_set":14,"id":"3fa7e38b_5b6aeeb4","line":36,"updated":"2019-11-20 23:44:11.000000000","message":"We need an extra note here: there are implied roles in keystone such that any member has the reader role by default.","commit_id":"d4d5a477b67ea178e1834eec3d007a89315ae346"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d327b703541c64b260c26586d9548b13a8e15589","unresolved":false,"context_lines":[{"line_number":33,"context_line":"PROJECT_MEMBER \u003d \u0027role:member and project_id:%(project_id)s\u0027"},{"line_number":34,"context_line":"PROJECT_READER \u003d \u0027role:reader and project_id:%(project_id)s\u0027"},{"line_number":35,"context_line":"PROJECT_MEMBER_OR_SYSTEM_ADMIN \u003d PROJECT_MEMBER + \u0027 or \u0027 + SYSTEM_ADMIN"},{"line_number":36,"context_line":"PROJECT_READER_OR_SYSTEM_READER \u003d PROJECT_READER + \u0027 or \u0027 + SYSTEM_READER"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"# NOTE(gmann): Below is the mapping of new roles and scope_types"},{"line_number":39,"context_line":"# with legacy roles::"}],"source_content_type":"text/x-python","patch_set":14,"id":"3fa7e38b_e662feac","line":36,"in_reply_to":"3fa7e38b_5b6aeeb4","updated":"2019-11-22 
18:22:12.000000000","message":"done","commit_id":"d4d5a477b67ea178e1834eec3d007a89315ae346"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"39276d2f8e68c9049dc4d9a44b87dae356bdea22","unresolved":false,"context_lines":[{"line_number":66,"context_line":"        \"admin_api\","},{"line_number":67,"context_line":"        \"is_admin:True\","},{"line_number":68,"context_line":"        \"Default rule for most Admin APIs.\")"},{"line_number":69,"context_line":"]"},{"line_number":70,"context_line":""},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"def list_rules():"}],"source_content_type":"text/x-python","patch_set":14,"id":"3fa7e38b_1bad56e9","line":69,"updated":"2019-11-20 23:44:11.000000000","message":"I was expecting us to add rules for all of these, rather than hard coding it on each API, and adding the rules here.\n\nIt really does help when you want to add things like nova_member and nova_reader, as an operator.","commit_id":"d4d5a477b67ea178e1834eec3d007a89315ae346"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d327b703541c64b260c26586d9548b13a8e15589","unresolved":false,"context_lines":[{"line_number":66,"context_line":"        \"admin_api\","},{"line_number":67,"context_line":"        \"is_admin:True\","},{"line_number":68,"context_line":"        \"Default rule for most Admin APIs.\")"},{"line_number":69,"context_line":"]"},{"line_number":70,"context_line":""},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"def list_rules():"}],"source_content_type":"text/x-python","patch_set":14,"id":"3fa7e38b_46e67218","line":69,"in_reply_to":"3fa7e38b_1bad56e9","updated":"2019-11-22 18:22:12.000000000","message":"you mean to define the SYSTEM_READER as Rule here and use that at L31 instead of direct check_str 
?","commit_id":"d4d5a477b67ea178e1834eec3d007a89315ae346"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"644122672be41b1567df2e79acf8812551a82914","unresolved":false,"context_lines":[{"line_number":66,"context_line":"        \"admin_api\","},{"line_number":67,"context_line":"        \"is_admin:True\","},{"line_number":68,"context_line":"        \"Default rule for most Admin APIs.\")"},{"line_number":69,"context_line":"]"},{"line_number":70,"context_line":""},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"def list_rules():"}],"source_content_type":"text/x-python","patch_set":14,"id":"3fa7e38b_47a65ac2","line":69,"in_reply_to":"3fa7e38b_46e67218","updated":"2019-11-25 17:56:36.000000000","message":"Basically, I think we should add rules for all of them, then reference the rule in the API rules, rather than the check_str directly.\n\nThis means operators can more easily add custom roles for each of the use cases we support out the box, on a per service basis, if needed.\n\nAn example is adding a role where all they can do is do read actions in nova, that should be a simple single rule override, IMHO.","commit_id":"d4d5a477b67ea178e1834eec3d007a89315ae346"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e83c90f7fe105fcac0385a3be9fa17110c72e0a0","unresolved":false,"context_lines":[{"line_number":66,"context_line":"        \"admin_api\","},{"line_number":67,"context_line":"        \"is_admin:True\","},{"line_number":68,"context_line":"        \"Default rule for most Admin APIs.\")"},{"line_number":69,"context_line":"]"},{"line_number":70,"context_line":""},{"line_number":71,"context_line":""},{"line_number":72,"context_line":"def 
list_rules():"}],"source_content_type":"text/x-python","patch_set":14,"id":"3fa7e38b_87dc5218","line":69,"in_reply_to":"3fa7e38b_47a65ac2","updated":"2019-11-25 18:03:56.000000000","message":"I see. It is clear now. I did not think of it from the override point of view.","commit_id":"d4d5a477b67ea178e1834eec3d007a89315ae346"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b21c153059a06317a483c880dbb3fe5186aa94d8","unresolved":false,"context_lines":[{"line_number":80,"context_line":"        \"Default rule for Project level non admin APIs.\"),"},{"line_number":81,"context_line":"    policy.RuleDefault("},{"line_number":82,"context_line":"        \"project_reader_api\","},{"line_number":83,"context_line":"        \"role:reader and project_id:%(project_id)s\","},{"line_number":84,"context_line":"        \"Default rule for Project level read only APIs.\"),"},{"line_number":85,"context_line":"    policy.RuleDefault("},{"line_number":86,"context_line":"        \"system_admin_or_owner\","}],"source_content_type":"text/x-python","patch_set":16,"id":"3fa7e38b_04413664","line":83,"updated":"2019-11-26 09:25:20.000000000","message":"Might be worth a comment saying that everyone with role:member gets role:reader via keystone\u0027s implied roles support (as I understand it). i.e. 
giving access to reader, also gives access to member.","commit_id":"d22f71b838d91213740b0a43c468948f76f22562"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0dfb1dfdf92b8bbd1dc5e08f49ad6a398274dfd4","unresolved":false,"context_lines":[{"line_number":80,"context_line":"        \"Default rule for Project level non admin APIs.\"),"},{"line_number":81,"context_line":"    policy.RuleDefault("},{"line_number":82,"context_line":"        \"project_reader_api\","},{"line_number":83,"context_line":"        \"role:reader and project_id:%(project_id)s\","},{"line_number":84,"context_line":"        \"Default rule for Project level read only APIs.\"),"},{"line_number":85,"context_line":"    policy.RuleDefault("},{"line_number":86,"context_line":"        \"system_admin_or_owner\","}],"source_content_type":"text/x-python","patch_set":16,"id":"3fa7e38b_24c7879b","line":83,"in_reply_to":"3fa7e38b_04413664","updated":"2019-11-26 18:57:27.000000000","message":"ok. Done.","commit_id":"d22f71b838d91213740b0a43c468948f76f22562"}]}
