)]}'
{"nova/network/neutronv2/api.py":[{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"164ae9d5d2593eea16b82b68a0adfb1e8ea64224","unresolved":false,"context_lines":[{"line_number":341,"context_line":"            search_opts \u003d {\u0027device_id\u0027: instance.uuid,"},{"line_number":342,"context_line":"                           \u0027tenant_id\u0027: instance.project_id,"},{"line_number":343,"context_line":"                           BINDING_HOST_ID: instance.host}"},{"line_number":344,"context_line":"            admin_client \u003d get_client(context, admin\u003dTrue)"},{"line_number":345,"context_line":"            # Now get the port details to process the ports"},{"line_number":346,"context_line":"            # binding profile info."},{"line_number":347,"context_line":"            data \u003d self.list_ports(context, neutron_client\u003dadmin_client,"}],"source_content_type":"text/x-python","patch_set":3,"id":"7faddb67_a1092596","line":344,"updated":"2019-07-22 15:07:32.000000000","message":"So Sean and I looked at this last week, but apparently forgot to make any notes, so I\u0027ll summarize here.\n\nWhat\u0027s changing is that list_ports is now being done as admin. This raises a couple of questions:\n- Do we get a different answer (a different set of ports) than when we list_ports as the user? We\u0027re filtering by the instance and tenant anyway.\n- Was this list_ports-as-user acting as a stealth auth check for the flow, the rest of which is using admin? 
If this code path has appropriate policy checks from the various places where it can be initiated, this is presumably not an issue.","commit_id":"63815f3f4e278f1da3c41aa1ec476a4188291ce6"},{"author":{"_account_id":26286,"name":"huanhongda","email":"hongda.xun@easystack.cn","username":"huanhongda"},"change_message_id":"dfb0726d2a3f81b4e54b5f0fa256746300856beb","unresolved":false,"context_lines":[{"line_number":341,"context_line":"            search_opts \u003d {\u0027device_id\u0027: instance.uuid,"},{"line_number":342,"context_line":"                           \u0027tenant_id\u0027: instance.project_id,"},{"line_number":343,"context_line":"                           BINDING_HOST_ID: instance.host}"},{"line_number":344,"context_line":"            admin_client \u003d get_client(context, admin\u003dTrue)"},{"line_number":345,"context_line":"            # Now get the port details to process the ports"},{"line_number":346,"context_line":"            # binding profile info."},{"line_number":347,"context_line":"            data \u003d self.list_ports(context, neutron_client\u003dadmin_client,"}],"source_content_type":"text/x-python","patch_set":3,"id":"7faddb67_ee538138","line":344,"in_reply_to":"7faddb67_a1092596","updated":"2019-08-08 07:13:02.000000000","message":"Thanks for your review.\n\nThe replies to your questions are as follows:\n\n1. As we are filtering by the instance\u0027s uuid and project id, we will get the same ports whether the user or the admin is doing the list_ports. The user from the context can get all of the ports attached to the instance that he can see.\n\n2. Policy checks have been done in nova-api when nova received a REST call. 
I think this list_ports-as-user is not a stealth auth check for the flow.","commit_id":"63815f3f4e278f1da3c41aa1ec476a4188291ce6"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"c38393040c61ad59b57dba983cebb85c11b026c2","unresolved":false,"context_lines":[{"line_number":152,"context_line":"        return _ADMIN_AUTH"},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"    if context.auth_token:"},{"line_number":155,"context_line":"        return service_auth.get_auth_plugin(context)"},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"    # We did not get a user token and we should not be using"},{"line_number":158,"context_line":"    # an admin token so log an error"}],"source_content_type":"text/x-python","patch_set":4,"id":"7faddb67_36c28fea","line":155,"range":{"start_line":155,"start_character":8,"end_line":155,"end_character":52},"updated":"2019-08-20 17:11:31.000000000","message":"This should have been allowing the long-running operation you were undergoing, without having to be admin.","commit_id":"d15e7d420e80042ea08951a325fa991ff2ee85a9"}]}
