)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ad0ac945ebc7db5fb6198ee8c10a82b3643172b0","unresolved":false,"context_lines":[{"line_number":15,"context_line":"- https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html#scope"},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"This commit introduce scope_type for server API policies"},{"line_number":18,"context_line":"as \u0027system\u0027 and \u0027project\u0027 for AOO and \u0027project\u0027 for create server ."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"Also adds the test case with scope_type enabled and verify we"},{"line_number":21,"context_line":"pass and fail the policy check with expected context."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":8,"id":"3f4c43b2_2683bece","line":18,"updated":"2020-04-14 09:41:19.000000000","message":"I think we should add them to all rules","commit_id":"1778b3ed556bf336377d158a36a7008bee692a42"}],"nova/policies/servers.py":[{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ad0ac945ebc7db5fb6198ee8c10a82b3643172b0","unresolved":false,"context_lines":[{"line_number":181,"context_line":"                \u0027path\u0027: \u0027/servers\u0027"},{"line_number":182,"context_line":"            }"},{"line_number":183,"context_line":"        ],"},{"line_number":184,"context_line":"        scope_types\u003d[\u0027project\u0027]),"},{"line_number":185,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":186,"context_line":"        REQUESTED_DESTINATION,"},{"line_number":187,"context_line":"        base.RULE_ADMIN_API,"}],"source_content_type":"text/x-python","patch_set":8,"id":"3f4c43b2_06ecc2c5","line":184,"updated":"2020-04-14 09:41:19.000000000","message":"Hmm, problem. This is for sure system scope, but we do not allow specifying a project Id in the api (facepalm)","commit_id":"1778b3ed556bf336377d158a36a7008bee692a42"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a49ada77faa8f355601f88a87d7876c1be1b310a","unresolved":false,"context_lines":[{"line_number":181,"context_line":"                \u0027path\u0027: \u0027/servers\u0027"},{"line_number":182,"context_line":"            }"},{"line_number":183,"context_line":"        ],"},{"line_number":184,"context_line":"        scope_types\u003d[\u0027project\u0027]),"},{"line_number":185,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":186,"context_line":"        REQUESTED_DESTINATION,"},{"line_number":187,"context_line":"        base.RULE_ADMIN_API,"}],"source_content_type":"text/x-python","patch_set":8,"id":"3f4c43b2_67464e7f","line":184,"in_reply_to":"3f4c43b2_06ecc2c5","updated":"2020-04-15 00:32:21.000000000","message":"yeah. I think proposal you mentioned in next patch seems","commit_id":"1778b3ed556bf336377d158a36a7008bee692a42"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ad0ac945ebc7db5fb6198ee8c10a82b3643172b0","unresolved":false,"context_lines":[{"line_number":256,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":257,"context_line":"                \u0027path\u0027: \u0027/servers\u0027"},{"line_number":258,"context_line":"            }"},{"line_number":259,"context_line":"        ]),"},{"line_number":260,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":261,"context_line":"        NETWORK_ATTACH_EXTERNAL,"},{"line_number":262,"context_line":"        \u0027is_admin:True\u0027,"}],"source_content_type":"text/x-python","patch_set":8,"id":"3f4c43b2_66d026f9","line":259,"updated":"2020-04-14 09:41:19.000000000","message":"Need  scope check here I think","commit_id":"1778b3ed556bf336377d158a36a7008bee692a42"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a49ada77faa8f355601f88a87d7876c1be1b310a","unresolved":false,"context_lines":[{"line_number":256,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":257,"context_line":"                \u0027path\u0027: \u0027/servers\u0027"},{"line_number":258,"context_line":"            }"},{"line_number":259,"context_line":"        ]),"},{"line_number":260,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":261,"context_line":"        NETWORK_ATTACH_EXTERNAL,"},{"line_number":262,"context_line":"        \u0027is_admin:True\u0027,"}],"source_content_type":"text/x-python","patch_set":8,"id":"3f4c43b2_59a5f603","line":259,"in_reply_to":"3f4c43b2_66d026f9","updated":"2020-04-15 00:32:21.000000000","message":"yeah  kept those separate from this patch otherwise this patch will be too lengthy. doing in git fetch https://review.opendev.org/openstack/nova refs/changes/04/720104/1 \u0026\u0026 git checkout FETCH_HEAD","commit_id":"1778b3ed556bf336377d158a36a7008bee692a42"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ad0ac945ebc7db5fb6198ee8c10a82b3643172b0","unresolved":false,"context_lines":[{"line_number":259,"context_line":"        ]),"},{"line_number":260,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":261,"context_line":"        NETWORK_ATTACH_EXTERNAL,"},{"line_number":262,"context_line":"        \u0027is_admin:True\u0027,"},{"line_number":263,"context_line":"        \"Attach an unshared external network to a server\","},{"line_number":264,"context_line":"        ["},{"line_number":265,"context_line":"            # Create a server with a requested network or port."}],"source_content_type":"text/x-python","patch_set":8,"id":"3f4c43b2_e605567c","line":262,"updated":"2020-04-14 09:41:19.000000000","message":"Yeah this just means admin api really","commit_id":"1778b3ed556bf336377d158a36a7008bee692a42"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ad0ac945ebc7db5fb6198ee8c10a82b3643172b0","unresolved":false,"context_lines":[{"line_number":270,"context_line":"            # Attach a network or port to an existing server."},{"line_number":271,"context_line":"            {"},{"line_number":272,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":273,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/os-interface\u0027"},{"line_number":274,"context_line":"            }"},{"line_number":275,"context_line":"        ]),"},{"line_number":276,"context_line":"    policy.DocumentedRuleDefault("}],"source_content_type":"text/x-python","patch_set":8,"id":"3f4c43b2_66f9467f","line":273,"updated":"2020-04-14 09:41:19.000000000","message":"System admin could do this one...","commit_id":"1778b3ed556bf336377d158a36a7008bee692a42"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a49ada77faa8f355601f88a87d7876c1be1b310a","unresolved":false,"context_lines":[{"line_number":270,"context_line":"            # Attach a network or port to an existing server."},{"line_number":271,"context_line":"            {"},{"line_number":272,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":273,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/os-interface\u0027"},{"line_number":274,"context_line":"            }"},{"line_number":275,"context_line":"        ]),"},{"line_number":276,"context_line":"    policy.DocumentedRuleDefault("}],"source_content_type":"text/x-python","patch_set":8,"id":"3f4c43b2_f99fa2b1","line":273,"in_reply_to":"3f4c43b2_66f9467f","updated":"2020-04-15 00:32:21.000000000","message":"doing in git fetch https://review.opendev.org/openstack/nova refs/changes/04/720104/1 \u0026\u0026 git checkout FETCH_HEAD","commit_id":"1778b3ed556bf336377d158a36a7008bee692a42"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ad0ac945ebc7db5fb6198ee8c10a82b3643172b0","unresolved":false,"context_lines":[{"line_number":351,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":352,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/action (resize)\u0027"},{"line_number":353,"context_line":"            }"},{"line_number":354,"context_line":"        ]),"},{"line_number":355,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":356,"context_line":"        name\u003dSERVERS % \u0027rebuild\u0027,"},{"line_number":357,"context_line":"        check_str\u003dRULE_AOO,"}],"source_content_type":"text/x-python","patch_set":8,"id":"3f4c43b2_c62f7af4","line":354,"updated":"2020-04-14 09:41:19.000000000","message":"Need scope check here","commit_id":"1778b3ed556bf336377d158a36a7008bee692a42"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a49ada77faa8f355601f88a87d7876c1be1b310a","unresolved":false,"context_lines":[{"line_number":351,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":352,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/action (resize)\u0027"},{"line_number":353,"context_line":"            }"},{"line_number":354,"context_line":"        ]),"},{"line_number":355,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":356,"context_line":"        name\u003dSERVERS % \u0027rebuild\u0027,"},{"line_number":357,"context_line":"        check_str\u003dRULE_AOO,"}],"source_content_type":"text/x-python","patch_set":8,"id":"3f4c43b2_d963c6db","line":354,"in_reply_to":"3f4c43b2_c62f7af4","updated":"2020-04-15 00:32:21.000000000","message":"doing in git fetch https://review.opendev.org/openstack/nova refs/changes/04/720104/1 \u0026\u0026 git checkout FETCH_HEAD","commit_id":"1778b3ed556bf336377d158a36a7008bee692a42"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b114cb554fecffde4d93bce326bf25f3d296d5f3","unresolved":false,"context_lines":[{"line_number":95,"context_line":"            }"},{"line_number":96,"context_line":"        ],"},{"line_number":97,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027]),"},{"line_number":98,"context_line":"    # the details in host_status are pretty sensitive, only admins"},{"line_number":99,"context_line":"    # should do that by default."},{"line_number":100,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":101,"context_line":"        SERVERS % \u0027show:host_status\u0027,"},{"line_number":102,"context_line":"        base.RULE_ADMIN_API,"},{"line_number":103,"context_line":"        \"\"\""},{"line_number":104,"context_line":"Show a server with additional host status information."},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"This means host_status will be shown irrespective of status value. If showing"},{"line_number":107,"context_line":"only host_status UNKNOWN is desired, use the"},{"line_number":108,"context_line":"``os_compute_api:servers:show:host_status:unknown-only`` policy rule."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"Microvision 2.75 added the ``host_status`` attribute in the"},{"line_number":111,"context_line":"``PUT /servers/{server_id}`` and ``POST /servers/{server_id}/action (rebuild)``"},{"line_number":112,"context_line":"API responses which are also controlled by this policy rule, like the"},{"line_number":113,"context_line":"``GET /servers*`` APIs."},{"line_number":114,"context_line":"\"\"\","},{"line_number":115,"context_line":"        ["},{"line_number":116,"context_line":"            {"},{"line_number":117,"context_line":"                \u0027method\u0027: \u0027GET\u0027,"},{"line_number":118,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}\u0027"},{"line_number":119,"context_line":"            },"},{"line_number":120,"context_line":"            {"},{"line_number":121,"context_line":"                \u0027method\u0027: \u0027GET\u0027,"},{"line_number":122,"context_line":"                \u0027path\u0027: \u0027/servers/detail\u0027"},{"line_number":123,"context_line":"            },"},{"line_number":124,"context_line":"            {"},{"line_number":125,"context_line":"                \u0027method\u0027: \u0027PUT\u0027,"},{"line_number":126,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}\u0027"},{"line_number":127,"context_line":"            },"},{"line_number":128,"context_line":"            {"},{"line_number":129,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":130,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/action (rebuild)\u0027"},{"line_number":131,"context_line":"            }"},{"line_number":132,"context_line":"        ]),"},{"line_number":133,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":134,"context_line":"            SERVERS % \u0027show:host_status:unknown-only\u0027,"},{"line_number":135,"context_line":"        base.RULE_ADMIN_API,"},{"line_number":136,"context_line":"        \"\"\""},{"line_number":137,"context_line":"Show a server with additional host status information, only if host status is"},{"line_number":138,"context_line":"UNKNOWN."},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"This policy rule will only be enforced when the"},{"line_number":141,"context_line":"``os_compute_api:servers:show:host_status`` policy rule does not pass for the"},{"line_number":142,"context_line":"request. An example policy configuration could be where the"},{"line_number":143,"context_line":"``os_compute_api:servers:show:host_status`` rule is set to allow admin-only and"},{"line_number":144,"context_line":"the ``os_compute_api:servers:show:host_status:unknown-only`` rule is set to"},{"line_number":145,"context_line":"allow everyone."},{"line_number":146,"context_line":"\"\"\","},{"line_number":147,"context_line":"        ["},{"line_number":148,"context_line":"            {"},{"line_number":149,"context_line":"                \u0027method\u0027: \u0027GET\u0027,"},{"line_number":150,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}\u0027"},{"line_number":151,"context_line":"            },"},{"line_number":152,"context_line":"            {"},{"line_number":153,"context_line":"                \u0027method\u0027: \u0027GET\u0027,"},{"line_number":154,"context_line":"                \u0027path\u0027: \u0027/servers/detail\u0027"},{"line_number":155,"context_line":"            }"},{"line_number":156,"context_line":"        ]),"},{"line_number":157,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":158,"context_line":"        name\u003dSERVERS % \u0027create\u0027,"},{"line_number":159,"context_line":"        check_str\u003dRULE_AOO,"}],"source_content_type":"text/x-python","patch_set":9,"id":"3f4c43b2_a36043d0","line":156,"range":{"start_line":98,"start_character":0,"end_line":156,"end_character":11},"updated":"2020-04-15 10:04:53.000000000","message":"Did you miss these intentionally?","commit_id":"b42eddd3e90da621c182d2eae375e4880eb78f24"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"44cc182b6938de0ee3e123ed0618bc3e86077f8c","unresolved":false,"context_lines":[{"line_number":95,"context_line":"            }"},{"line_number":96,"context_line":"        ],"},{"line_number":97,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027]),"},{"line_number":98,"context_line":"    # the details in host_status are pretty sensitive, only admins"},{"line_number":99,"context_line":"    # should do that by default."},{"line_number":100,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":101,"context_line":"        SERVERS % \u0027show:host_status\u0027,"},{"line_number":102,"context_line":"        base.RULE_ADMIN_API,"},{"line_number":103,"context_line":"        \"\"\""},{"line_number":104,"context_line":"Show a server with additional host status information."},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"This means host_status will be shown irrespective of status value. If showing"},{"line_number":107,"context_line":"only host_status UNKNOWN is desired, use the"},{"line_number":108,"context_line":"``os_compute_api:servers:show:host_status:unknown-only`` policy rule."},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"Microvision 2.75 added the ``host_status`` attribute in the"},{"line_number":111,"context_line":"``PUT /servers/{server_id}`` and ``POST /servers/{server_id}/action (rebuild)``"},{"line_number":112,"context_line":"API responses which are also controlled by this policy rule, like the"},{"line_number":113,"context_line":"``GET /servers*`` APIs."},{"line_number":114,"context_line":"\"\"\","},{"line_number":115,"context_line":"        ["},{"line_number":116,"context_line":"            {"},{"line_number":117,"context_line":"                \u0027method\u0027: \u0027GET\u0027,"},{"line_number":118,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}\u0027"},{"line_number":119,"context_line":"            },"},{"line_number":120,"context_line":"            {"},{"line_number":121,"context_line":"                \u0027method\u0027: \u0027GET\u0027,"},{"line_number":122,"context_line":"                \u0027path\u0027: \u0027/servers/detail\u0027"},{"line_number":123,"context_line":"            },"},{"line_number":124,"context_line":"            {"},{"line_number":125,"context_line":"                \u0027method\u0027: \u0027PUT\u0027,"},{"line_number":126,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}\u0027"},{"line_number":127,"context_line":"            },"},{"line_number":128,"context_line":"            {"},{"line_number":129,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":130,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/action (rebuild)\u0027"},{"line_number":131,"context_line":"            }"},{"line_number":132,"context_line":"        ]),"},{"line_number":133,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":134,"context_line":"            SERVERS % \u0027show:host_status:unknown-only\u0027,"},{"line_number":135,"context_line":"        base.RULE_ADMIN_API,"},{"line_number":136,"context_line":"        \"\"\""},{"line_number":137,"context_line":"Show a server with additional host status information, only if host status is"},{"line_number":138,"context_line":"UNKNOWN."},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"This policy rule will only be enforced when the"},{"line_number":141,"context_line":"``os_compute_api:servers:show:host_status`` policy rule does not pass for the"},{"line_number":142,"context_line":"request. An example policy configuration could be where the"},{"line_number":143,"context_line":"``os_compute_api:servers:show:host_status`` rule is set to allow admin-only and"},{"line_number":144,"context_line":"the ``os_compute_api:servers:show:host_status:unknown-only`` rule is set to"},{"line_number":145,"context_line":"allow everyone."},{"line_number":146,"context_line":"\"\"\","},{"line_number":147,"context_line":"        ["},{"line_number":148,"context_line":"            {"},{"line_number":149,"context_line":"                \u0027method\u0027: \u0027GET\u0027,"},{"line_number":150,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}\u0027"},{"line_number":151,"context_line":"            },"},{"line_number":152,"context_line":"            {"},{"line_number":153,"context_line":"                \u0027method\u0027: \u0027GET\u0027,"},{"line_number":154,"context_line":"                \u0027path\u0027: \u0027/servers/detail\u0027"},{"line_number":155,"context_line":"            }"},{"line_number":156,"context_line":"        ]),"},{"line_number":157,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":158,"context_line":"        name\u003dSERVERS % \u0027create\u0027,"},{"line_number":159,"context_line":"        check_str\u003dRULE_AOO,"}],"source_content_type":"text/x-python","patch_set":9,"id":"3f4c43b2_97b9feea","line":156,"range":{"start_line":98,"start_character":0,"end_line":156,"end_character":11},"in_reply_to":"3f4c43b2_a36043d0","updated":"2020-04-15 13:21:54.000000000","message":"yeah, to make it easy to review, I have done this with extended attr patch - https://review.opendev.org/#/c/719729/2","commit_id":"b42eddd3e90da621c182d2eae375e4880eb78f24"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b114cb554fecffde4d93bce326bf25f3d296d5f3","unresolved":false,"context_lines":[{"line_number":182,"context_line":"            }"},{"line_number":183,"context_line":"        ],"},{"line_number":184,"context_line":"        scope_types\u003d[\u0027project\u0027]),"},{"line_number":185,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":186,"context_line":"        REQUESTED_DESTINATION,"},{"line_number":187,"context_line":"        base.RULE_ADMIN_API,"},{"line_number":188,"context_line":"        \"\"\""},{"line_number":189,"context_line":"Create a server on the requested compute service host and/or"},{"line_number":190,"context_line":"hypervisor_hostname."},{"line_number":191,"context_line":""},{"line_number":192,"context_line":"In this case, the requested host and/or hypervisor_hostname is"},{"line_number":193,"context_line":"validated by the scheduler filters unlike the"},{"line_number":194,"context_line":"``os_compute_api:servers:create:forced_host`` rule."},{"line_number":195,"context_line":"\"\"\","},{"line_number":196,"context_line":"        ["},{"line_number":197,"context_line":"            {"},{"line_number":198,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":199,"context_line":"                \u0027path\u0027: \u0027/servers\u0027"},{"line_number":200,"context_line":"            }"},{"line_number":201,"context_line":"        ]),"},{"line_number":202,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":203,"context_line":"        name\u003dSERVERS % \u0027create:attach_volume\u0027,"},{"line_number":204,"context_line":"        check_str\u003dRULE_AOO,"}],"source_content_type":"text/x-python","patch_set":9,"id":"3f4c43b2_039bf7c8","line":201,"range":{"start_line":185,"start_character":0,"end_line":201,"end_character":11},"updated":"2020-04-15 10:04:53.000000000","message":"Did you miss this intentionally?","commit_id":"b42eddd3e90da621c182d2eae375e4880eb78f24"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"44cc182b6938de0ee3e123ed0618bc3e86077f8c","unresolved":false,"context_lines":[{"line_number":182,"context_line":"            }"},{"line_number":183,"context_line":"        ],"},{"line_number":184,"context_line":"        scope_types\u003d[\u0027project\u0027]),"},{"line_number":185,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":186,"context_line":"        REQUESTED_DESTINATION,"},{"line_number":187,"context_line":"        base.RULE_ADMIN_API,"},{"line_number":188,"context_line":"        \"\"\""},{"line_number":189,"context_line":"Create a server on the requested compute service host and/or"},{"line_number":190,"context_line":"hypervisor_hostname."},{"line_number":191,"context_line":""},{"line_number":192,"context_line":"In this case, the requested host and/or hypervisor_hostname is"},{"line_number":193,"context_line":"validated by the scheduler filters unlike the"},{"line_number":194,"context_line":"``os_compute_api:servers:create:forced_host`` rule."},{"line_number":195,"context_line":"\"\"\","},{"line_number":196,"context_line":"        ["},{"line_number":197,"context_line":"            {"},{"line_number":198,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":199,"context_line":"                \u0027path\u0027: \u0027/servers\u0027"},{"line_number":200,"context_line":"            }"},{"line_number":201,"context_line":"        ]),"},{"line_number":202,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":203,"context_line":"        name\u003dSERVERS % \u0027create:attach_volume\u0027,"},{"line_number":204,"context_line":"        check_str\u003dRULE_AOO,"}],"source_content_type":"text/x-python","patch_set":9,"id":"3f4c43b2_772ef243","line":201,"range":{"start_line":185,"start_character":0,"end_line":201,"end_character":11},"in_reply_to":"3f4c43b2_039bf7c8","updated":"2020-04-15 13:21:54.000000000","message":"yeah, these are proposed separately in https://review.opendev.org/#/c/720106/2","commit_id":"b42eddd3e90da621c182d2eae375e4880eb78f24"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b114cb554fecffde4d93bce326bf25f3d296d5f3","unresolved":false,"context_lines":[{"line_number":233,"context_line":"            }"},{"line_number":234,"context_line":"        ],"},{"line_number":235,"context_line":"        scope_types\u003d[\u0027project\u0027]),"},{"line_number":236,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":237,"context_line":"        ZERO_DISK_FLAVOR,"},{"line_number":238,"context_line":"        base.RULE_ADMIN_API,"},{"line_number":239,"context_line":"        \"\"\""},{"line_number":240,"context_line":"This rule controls the compute API validation behavior of creating a server"},{"line_number":241,"context_line":"with a flavor that has 0 disk, indicating the server should be volume-backed."},{"line_number":242,"context_line":""},{"line_number":243,"context_line":"For a flavor with disk\u003d0, the root disk will be set to exactly the size of the"},{"line_number":244,"context_line":"image used to deploy the instance. However, in this case the filter_scheduler"},{"line_number":245,"context_line":"cannot select the compute host based on the virtual image size. Therefore, 0"},{"line_number":246,"context_line":"should only be used for volume booted instances or for testing purposes."},{"line_number":247,"context_line":""},{"line_number":248,"context_line":"WARNING: It is a potential security exposure to enable this policy rule"},{"line_number":249,"context_line":"if users can upload their own images since repeated attempts to"},{"line_number":250,"context_line":"create a disk\u003d0 flavor instance with a large image can exhaust"},{"line_number":251,"context_line":"the local disk of the compute (or shared storage cluster). See bug"},{"line_number":252,"context_line":"https://bugs.launchpad.net/nova/+bug/1739646 for details."},{"line_number":253,"context_line":"\"\"\","},{"line_number":254,"context_line":"        ["},{"line_number":255,"context_line":"            {"},{"line_number":256,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":257,"context_line":"                \u0027path\u0027: \u0027/servers\u0027"},{"line_number":258,"context_line":"            }"},{"line_number":259,"context_line":"        ]),"},{"line_number":260,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":261,"context_line":"        NETWORK_ATTACH_EXTERNAL,"},{"line_number":262,"context_line":"        \u0027is_admin:True\u0027,"},{"line_number":263,"context_line":"        \"Attach an unshared external network to a server\","},{"line_number":264,"context_line":"        ["},{"line_number":265,"context_line":"            # Create a server with a requested network or port."},{"line_number":266,"context_line":"            {"},{"line_number":267,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":268,"context_line":"                \u0027path\u0027: \u0027/servers\u0027"},{"line_number":269,"context_line":"            },"},{"line_number":270,"context_line":"            # Attach a network or port to an existing server."},{"line_number":271,"context_line":"            {"},{"line_number":272,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":273,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/os-interface\u0027"},{"line_number":274,"context_line":"            }"},{"line_number":275,"context_line":"        ]),"},{"line_number":276,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":277,"context_line":"        name\u003dSERVERS % \u0027delete\u0027,"},{"line_number":278,"context_line":"        check_str\u003dRULE_AOO,"}],"source_content_type":"text/x-python","patch_set":9,"id":"3f4c43b2_63663bf0","line":275,"range":{"start_line":236,"start_character":0,"end_line":275,"end_character":11},"updated":"2020-04-15 10:04:53.000000000","message":"Did you miss these intentionally?","commit_id":"b42eddd3e90da621c182d2eae375e4880eb78f24"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"44cc182b6938de0ee3e123ed0618bc3e86077f8c","unresolved":false,"context_lines":[{"line_number":233,"context_line":"            }"},{"line_number":234,"context_line":"        ],"},{"line_number":235,"context_line":"        scope_types\u003d[\u0027project\u0027]),"},{"line_number":236,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":237,"context_line":"        ZERO_DISK_FLAVOR,"},{"line_number":238,"context_line":"        base.RULE_ADMIN_API,"},{"line_number":239,"context_line":"        \"\"\""},{"line_number":240,"context_line":"This rule controls the compute API validation behavior of creating a server"},{"line_number":241,"context_line":"with a flavor that has 0 disk, indicating the server should be volume-backed."},{"line_number":242,"context_line":""},{"line_number":243,"context_line":"For a flavor with disk\u003d0, the root disk will be set to exactly the size of the"},{"line_number":244,"context_line":"image used to deploy the instance. However, in this case the filter_scheduler"},{"line_number":245,"context_line":"cannot select the compute host based on the virtual image size. Therefore, 0"},{"line_number":246,"context_line":"should only be used for volume booted instances or for testing purposes."},{"line_number":247,"context_line":""},{"line_number":248,"context_line":"WARNING: It is a potential security exposure to enable this policy rule"},{"line_number":249,"context_line":"if users can upload their own images since repeated attempts to"},{"line_number":250,"context_line":"create a disk\u003d0 flavor instance with a large image can exhaust"},{"line_number":251,"context_line":"the local disk of the compute (or shared storage cluster). See bug"},{"line_number":252,"context_line":"https://bugs.launchpad.net/nova/+bug/1739646 for details."},{"line_number":253,"context_line":"\"\"\","},{"line_number":254,"context_line":"        ["},{"line_number":255,"context_line":"            {"},{"line_number":256,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":257,"context_line":"                \u0027path\u0027: \u0027/servers\u0027"},{"line_number":258,"context_line":"            }"},{"line_number":259,"context_line":"        ]),"},{"line_number":260,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":261,"context_line":"        NETWORK_ATTACH_EXTERNAL,"},{"line_number":262,"context_line":"        \u0027is_admin:True\u0027,"},{"line_number":263,"context_line":"        \"Attach an unshared external network to a server\","},{"line_number":264,"context_line":"        ["},{"line_number":265,"context_line":"            # Create a server with a requested network or port."},{"line_number":266,"context_line":"            {"},{"line_number":267,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":268,"context_line":"                \u0027path\u0027: \u0027/servers\u0027"},{"line_number":269,"context_line":"            },"},{"line_number":270,"context_line":"            # Attach a network or port to an existing server."},{"line_number":271,"context_line":"            {"},{"line_number":272,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":273,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/os-interface\u0027"},{"line_number":274,"context_line":"            }"},{"line_number":275,"context_line":"        ]),"},{"line_number":276,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":277,"context_line":"        name\u003dSERVERS % \u0027delete\u0027,"},{"line_number":278,"context_line":"        check_str\u003dRULE_AOO,"}],"source_content_type":"text/x-python","patch_set":9,"id":"3f4c43b2_37f10acf","line":275,"range":{"start_line":236,"start_character":0,"end_line":275,"end_character":11},"in_reply_to":"3f4c43b2_63663bf0","updated":"2020-04-15 13:21:54.000000000","message":"yeah, these are proposed separately in https://review.opendev.org/#/c/720106/2","commit_id":"b42eddd3e90da621c182d2eae375e4880eb78f24"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b114cb554fecffde4d93bce326bf25f3d296d5f3","unresolved":false,"context_lines":[{"line_number":339,"context_line":"            }"},{"line_number":340,"context_line":"        ],"},{"line_number":341,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027]),"},{"line_number":342,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":343,"context_line":"        CROSS_CELL_RESIZE,"},{"line_number":344,"context_line":"        base.RULE_NOBODY,"},{"line_number":345,"context_line":"        \"Resize a server across cells. By default, this is disabled for all \""},{"line_number":346,"context_line":"        \"users and recommended to be tested in a deployment for admin users \""},{"line_number":347,"context_line":"        \"before opening it up to non-admin users. Resizing within a cell is \""},{"line_number":348,"context_line":"        \"the default preferred behavior even if this is enabled. \","},{"line_number":349,"context_line":"        ["},{"line_number":350,"context_line":"            {"},{"line_number":351,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":352,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/action (resize)\u0027"},{"line_number":353,"context_line":"            }"},{"line_number":354,"context_line":"        ]),"},{"line_number":355,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":356,"context_line":"        name\u003dSERVERS % \u0027rebuild\u0027,"},{"line_number":357,"context_line":"        check_str\u003dRULE_AOO,"}],"source_content_type":"text/x-python","patch_set":9,"id":"3f4c43b2_43705fa6","line":354,"range":{"start_line":342,"start_character":0,"end_line":354,"end_character":11},"updated":"2020-04-15 10:04:53.000000000","message":"did you miss this intentionally?","commit_id":"b42eddd3e90da621c182d2eae375e4880eb78f24"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"44cc182b6938de0ee3e123ed0618bc3e86077f8c","unresolved":false,"context_lines":[{"line_number":339,"context_line":"            }"},{"line_number":340,"context_line":"        ],"},{"line_number":341,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027]),"},{"line_number":342,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":343,"context_line":"        CROSS_CELL_RESIZE,"},{"line_number":344,"context_line":"        base.RULE_NOBODY,"},{"line_number":345,"context_line":"        \"Resize a server across cells. By default, this is disabled for all \""},{"line_number":346,"context_line":"        \"users and recommended to be tested in a deployment for admin users \""},{"line_number":347,"context_line":"        \"before opening it up to non-admin users. Resizing within a cell is \""},{"line_number":348,"context_line":"        \"the default preferred behavior even if this is enabled. \","},{"line_number":349,"context_line":"        ["},{"line_number":350,"context_line":"            {"},{"line_number":351,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":352,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/action (resize)\u0027"},{"line_number":353,"context_line":"            }"},{"line_number":354,"context_line":"        ]),"},{"line_number":355,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":356,"context_line":"        name\u003dSERVERS % \u0027rebuild\u0027,"},{"line_number":357,"context_line":"        check_str\u003dRULE_AOO,"}],"source_content_type":"text/x-python","patch_set":9,"id":"3f4c43b2_b7dd1a44","line":354,"range":{"start_line":342,"start_character":0,"end_line":354,"end_character":11},"in_reply_to":"3f4c43b2_43705fa6","updated":"2020-04-15 13:21:54.000000000","message":"yeah, these are proposed separately in https://review.opendev.org/#/c/720106/2","commit_id":"b42eddd3e90da621c182d2eae375e4880eb78f24"}],"nova/tests/unit/policies/base.py":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b114cb554fecffde4d93bce326bf25f3d296d5f3","unresolved":false,"context_lines":[{"line_number":149,"context_line":"        def ensure_raises(req, *args, **kwargs):"},{"line_number":150,"context_line":"            exc \u003d self.assertRaises("},{"line_number":151,"context_line":"                exception.PolicyNotAuthorized, func, req, *arg, **kwarg)"},{"line_number":152,"context_line":"            if rule_name is not None:"},{"line_number":153,"context_line":"                self.assertEqual("},{"line_number":154,"context_line":"                    \"Policy doesn\u0027t allow %s to be performed.\" %"},{"line_number":155,"context_line":"                    rule_name, exc.format_message())"}],"source_content_type":"text/x-python","patch_set":9,"id":"3f4c43b2_43a5ff03","line":152,"updated":"2020-04-15 10:04:53.000000000","message":"A comment for this would be helpful. Are there situations where this would be None??","commit_id":"b42eddd3e90da621c182d2eae375e4880eb78f24"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"44cc182b6938de0ee3e123ed0618bc3e86077f8c","unresolved":false,"context_lines":[{"line_number":149,"context_line":"        def ensure_raises(req, *args, **kwargs):"},{"line_number":150,"context_line":"            exc \u003d self.assertRaises("},{"line_number":151,"context_line":"                exception.PolicyNotAuthorized, func, req, *arg, **kwarg)"},{"line_number":152,"context_line":"            if rule_name is not None:"},{"line_number":153,"context_line":"                self.assertEqual("},{"line_number":154,"context_line":"                    \"Policy doesn\u0027t allow %s to be performed.\" %"},{"line_number":155,"context_line":"                    rule_name, exc.format_message())"}],"source_content_type":"text/x-python","patch_set":9,"id":"3f4c43b2_379f4a60","line":152,"in_reply_to":"3f4c43b2_43a5ff03","updated":"2020-04-15 13:21:54.000000000","message":"yeah, in case of multi policy where error message can mismatch due to which policy fail for which context.\n\nI will add note in followup- https://review.opendev.org/#/c/717835/","commit_id":"b42eddd3e90da621c182d2eae375e4880eb78f24"}],"nova/tests/unit/policies/test_servers.py":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b114cb554fecffde4d93bce326bf25f3d296d5f3","unresolved":false,"context_lines":[{"line_number":761,"context_line":"        self.policy.set_rules({rule: \"@\"}, overwrite\u003dFalse)"},{"line_number":762,"context_line":"        mock_create.return_value \u003d ([self.instance], \u0027\u0027)"},{"line_number":763,"context_line":"        mock_az.return_value \u003d (\u0027test\u0027, \u0027host\u0027, None)"},{"line_number":764,"context_line":"        # rule_name \u003d policies.SERVERS % \u0027create:forced_host\u0027"},{"line_number":765,"context_line":"        self.common_policy_check(self.project_admin_authorized_contexts,"},{"line_number":766,"context_line":"                                 self.project_admin_unauthorized_contexts,"},{"line_number":767,"context_line":"                                 None,"}],"source_content_type":"text/x-python","patch_set":9,"id":"3f4c43b2_c3b8ef2b","line":764,"updated":"2020-04-15 10:04:53.000000000","message":"Are these intentional?","commit_id":"b42eddd3e90da621c182d2eae375e4880eb78f24"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"44cc182b6938de0ee3e123ed0618bc3e86077f8c","unresolved":false,"context_lines":[{"line_number":761,"context_line":"        self.policy.set_rules({rule: \"@\"}, overwrite\u003dFalse)"},{"line_number":762,"context_line":"        mock_create.return_value \u003d ([self.instance], \u0027\u0027)"},{"line_number":763,"context_line":"        mock_az.return_value \u003d (\u0027test\u0027, \u0027host\u0027, None)"},{"line_number":764,"context_line":"        # rule_name \u003d policies.SERVERS % \u0027create:forced_host\u0027"},{"line_number":765,"context_line":"        self.common_policy_check(self.project_admin_authorized_contexts,"},{"line_number":766,"context_line":"                                 self.project_admin_unauthorized_contexts,"},{"line_number":767,"context_line":"                                 None,"}],"source_content_type":"text/x-python","patch_set":9,"id":"3f4c43b2_37caaa6c","line":764,"in_reply_to":"3f4c43b2_c3b8ef2b","updated":"2020-04-15 13:21:54.000000000","message":"yeah, we need to pass rule_name as None in base class so that error message mismatch in case of multi-policy can be handled.","commit_id":"b42eddd3e90da621c182d2eae375e4880eb78f24"}]}