)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b2e936000ca87e5ceaaff4568e322551a7647fae","unresolved":false,"context_lines":[{"line_number":20,"context_line":"  to new one:"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"   /opt/stack/nova/.tox/py27/local/lib/python2.7/site-packages/oslo_policy/policy.py:665:"},{"line_number":23,"context_line":"UserWarning: Policy \"os_compute_api:os-services\":\"rule:admin_api\" was deprecated"},{"line_number":24,"context_line":"in 20.0.0 in favor of \"compute:services:list\":\"role:reader and system_scope:all\"."},{"line_number":25,"context_line":"Reason: Since Train release, nova API policies are introducing new default roles"},{"line_number":26,"context_line":"with scope_type capabilities. These new changes improve the security level"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"3fa7e38b_db49feb7","line":23,"updated":"2019-11-21 00:43:47.000000000","message":"all very nice, but this is the admin actions api, how does it help here? 
I am not actually sure we have a solution for this use case here.","commit_id":"11b98107a6e2d36387d370bc6d72b5011358b44d"}],"nova/policies/admin_actions.py":[{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b2e936000ca87e5ceaaff4568e322551a7647fae","unresolved":false,"context_lines":[{"line_number":23,"context_line":"DEPRECATED_ADMIN_ACTION_POLICY \u003d policy.DeprecatedRule("},{"line_number":24,"context_line":"    POLICY_ROOT,"},{"line_number":25,"context_line":"    base.RULE_ADMIN_API,"},{"line_number":26,"context_line":")"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"DEPRECATED_REASON \u003d \"\"\""},{"line_number":29,"context_line":"Since Train release, nova API policies are introducing new default roles"}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_db701e0c","line":26,"updated":"2019-11-21 00:43:47.000000000","message":"I am confused... we are deprecating a policy that never existed?\n\nThis is sure to cause some issues when folks have an existing override, they will get no warnings :/","commit_id":"11b98107a6e2d36387d370bc6d72b5011358b44d"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"43a5cad7cc338193a2cc683c40a15f9f32b20226","unresolved":false,"context_lines":[{"line_number":23,"context_line":"DEPRECATED_ADMIN_ACTION_POLICY \u003d policy.DeprecatedRule("},{"line_number":24,"context_line":"    POLICY_ROOT,"},{"line_number":25,"context_line":"    base.RULE_ADMIN_API,"},{"line_number":26,"context_line":")"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"DEPRECATED_REASON \u003d \"\"\""},{"line_number":29,"context_line":"Since Train release, nova API policies are introducing new default 
roles"}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_d13848ee","line":26,"in_reply_to":"3fa7e38b_8d6e4295","updated":"2020-01-20 15:07:06.000000000","message":"yeah, we can go with step wise\n- make scope enable by default (change default value of [oslo_policy].enforce_scope to True).\n- Deprecate [oslo_policy].enforce_scope\n- Remove [oslo_policy].enforce_scope means operator cannot disable scope in any way.","commit_id":"11b98107a6e2d36387d370bc6d72b5011358b44d"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"89ad916c9a24167650272db4bcc3d60ae5a20271","unresolved":false,"context_lines":[{"line_number":23,"context_line":"DEPRECATED_ADMIN_ACTION_POLICY \u003d policy.DeprecatedRule("},{"line_number":24,"context_line":"    POLICY_ROOT,"},{"line_number":25,"context_line":"    base.RULE_ADMIN_API,"},{"line_number":26,"context_line":")"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"DEPRECATED_REASON \u003d \"\"\""},{"line_number":29,"context_line":"Since Train release, nova API policies are introducing new default roles"}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_8d6e4295","line":26,"in_reply_to":"3fa7e38b_9775e035","updated":"2020-01-19 06:32:23.000000000","message":"I probably see why John thinks we needn\u0027t deprecate anything here. Since the rule still existing here. We just want to notice the user, there is new feature which enable system scope policy, then notice user update their existing configure. So that isn\u0027t about deprecate thing, maybe we can do that by release note? Sounds like we will keep the legacy way and system scope way. 
If someday we want to deprecate the legacy way, we can deprecate the `[oslo_policy] enforce_scope` option.","commit_id":"11b98107a6e2d36387d370bc6d72b5011358b44d"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"17a91aead170b23780a1f6efba4bb3183a0e5584","unresolved":false,"context_lines":[{"line_number":23,"context_line":"DEPRECATED_ADMIN_ACTION_POLICY \u003d policy.DeprecatedRule("},{"line_number":24,"context_line":"    POLICY_ROOT,"},{"line_number":25,"context_line":"    base.RULE_ADMIN_API,"},{"line_number":26,"context_line":")"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"DEPRECATED_REASON \u003d \"\"\""},{"line_number":29,"context_line":"Since Train release, nova API policies are introducing new default roles"}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_9775e035","line":26,"in_reply_to":"3fa7e38b_db701e0c","updated":"2019-12-04 19:52:09.000000000","message":"ah i need to make it with full string.\n\nrule name is the same here for all rules but this rule needs deprecation because default value is changed. 
explaining the same in next comment.","commit_id":"11b98107a6e2d36387d370bc6d72b5011358b44d"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"b2e936000ca87e5ceaaff4568e322551a7647fae","unresolved":false,"context_lines":[{"line_number":34,"context_line":"``nova.conf [oslo_policy] enforce_scope\u003dTrue`` which is False by default."},{"line_number":35,"context_line":"Old policies are marked as deprecated and silently going to be ignored"},{"line_number":36,"context_line":"in nova 22.0.0 (OpenStack V) release"},{"line_number":37,"context_line":"\"\"\""},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"admin_actions_policies \u003d ["},{"line_number":40,"context_line":"    policy.DocumentedRuleDefault("}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_9b614614","line":37,"updated":"2019-11-21 00:43:47.000000000","message":"You know, I am not sure we need to deprecate anything here... 
doesn\u0027t this \"just work\" for any user that it used to work for, and you get to opt into the scope check via config if you want to, so we don\u0027t need any deprecation here?","commit_id":"11b98107a6e2d36387d370bc6d72b5011358b44d"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d7306cbed963355a35b791801128612479a5a6d1","unresolved":false,"context_lines":[{"line_number":34,"context_line":"``nova.conf [oslo_policy] enforce_scope\u003dTrue`` which is False by default."},{"line_number":35,"context_line":"Old policies are marked as deprecated and silently going to be ignored"},{"line_number":36,"context_line":"in nova 22.0.0 (OpenStack V) release"},{"line_number":37,"context_line":"\"\"\""},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"admin_actions_policies \u003d ["},{"line_number":40,"context_line":"    policy.DocumentedRuleDefault("}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_9fcfef55","line":37,"in_reply_to":"3fa7e38b_971f20b7","updated":"2019-12-10 14:15:09.000000000","message":"I don\u0027t think we don\u0027t need to update the rule for this case...\n\nUsers opt into the new behaviour by switching the enforce_scope \u003d True, which eventually we will make the default for Nova.\n\nIf we add this rule, it doesn\u0027t really change anything, except warning users that override a new rule we just invented, that by definition no one can be overriding it yet. i.e. no one sees any extra info.\n\nAn alternative would be if the rule could check if scopes are enforced or not, and do the right thing. 
In that case we don\u0027t need to deprecate and \"or\" in the old rule.","commit_id":"11b98107a6e2d36387d370bc6d72b5011358b44d"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"17a91aead170b23780a1f6efba4bb3183a0e5584","unresolved":false,"context_lines":[{"line_number":34,"context_line":"``nova.conf [oslo_policy] enforce_scope\u003dTrue`` which is False by default."},{"line_number":35,"context_line":"Old policies are marked as deprecated and silently going to be ignored"},{"line_number":36,"context_line":"in nova 22.0.0 (OpenStack V) release"},{"line_number":37,"context_line":"\"\"\""},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"admin_actions_policies \u003d ["},{"line_number":40,"context_line":"    policy.DocumentedRuleDefault("}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_971f20b7","line":37,"in_reply_to":"3fa7e38b_9b614614","updated":"2019-12-04 19:52:09.000000000","message":"on scope_type, you are right we do not need any deprecation warning which can be enabled/disabled via config.\n\nBut by changing the check_str to SYSTEM_ADMIN actually we are changing the check_str from the previous RULE_ADMIN_API value.\nFor deployment where system_scope is disabled, Our system rule contains the special string \u0027system_scope:all\u0027 to avoid the project admin to access this API. \n\nSYSTEM_ADMIN is \u0027role:admin and system_scope:all\u0027.\n\nfor backward compatibility, we need to deprecate the rule with old default RULE_ADMIN_API (here deprecation is for the default value, not the name.) 
so that old legacy admin token keeps working.","commit_id":"11b98107a6e2d36387d370bc6d72b5011358b44d"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b30cf29e45df441c130fbf23f2443dd81fb17af9","unresolved":false,"context_lines":[{"line_number":34,"context_line":"``nova.conf [oslo_policy] enforce_scope\u003dTrue`` which is False by default."},{"line_number":35,"context_line":"Old policies are marked as deprecated and silently going to be ignored"},{"line_number":36,"context_line":"in nova 22.0.0 (OpenStack V) release"},{"line_number":37,"context_line":"\"\"\""},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"admin_actions_policies \u003d ["},{"line_number":40,"context_line":"    policy.DocumentedRuleDefault("}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_e07adbb8","line":37,"in_reply_to":"3fa7e38b_9fcfef55","updated":"2019-12-12 18:38:59.000000000","message":"I might not be understanding your point completely but let me rebase this without deprecation with the new tests in base patch. 
that can give a better idea of what all things keep working.","commit_id":"11b98107a6e2d36387d370bc6d72b5011358b44d"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"464892c479cf9c8f14b5db2e1b57c5d147c53fba","unresolved":false,"context_lines":[{"line_number":26,"context_line":"        name\u003dPOLICY_ROOT % \u0027reset_state\u0027,"},{"line_number":27,"context_line":"        check_str\u003dbase.SYSTEM_ADMIN,"},{"line_number":28,"context_line":"        description\u003d\"Reset the state of a given server\","},{"line_number":29,"context_line":"        operations\u003d["},{"line_number":30,"context_line":"            {"},{"line_number":31,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":32,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/action (os-resetState)\u0027"}],"source_content_type":"text/x-python","patch_set":6,"id":"3fa7e38b_59914545","line":29,"updated":"2020-01-30 20:57:14.000000000","message":"Patchset 4 was closer to what this should be. It does not matter that the rules in 701624 have deprecation labels. 
Without the deprecation label here, this rule will suddenly change its meaning without any ability to fall back to its old behavior.","commit_id":"4bc7bb13b87704f1f40dc70636feffd5c1940cde"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b3cea4c9ccb81fced73ffae7d25f87147703b8ff","unresolved":false,"context_lines":[{"line_number":26,"context_line":"        name\u003dPOLICY_ROOT % \u0027reset_state\u0027,"},{"line_number":27,"context_line":"        check_str\u003dbase.SYSTEM_ADMIN,"},{"line_number":28,"context_line":"        description\u003d\"Reset the state of a given server\","},{"line_number":29,"context_line":"        operations\u003d["},{"line_number":30,"context_line":"            {"},{"line_number":31,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":32,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/action (os-resetState)\u0027"}],"source_content_type":"text/x-python","patch_set":6,"id":"3fa7e38b_56982766","line":29,"in_reply_to":"3fa7e38b_1ff16de0","updated":"2020-01-31 14:22:32.000000000","message":"Actually there is no change in \u0027os_compute_api:os-admin-actions:reset_state\u0027 policy here. RULE_ADMIN_API rule with scope_type as \u0027system\u0027 is the same as SYSTEM_ADMIN. so we are not changing anything here so does not fall under deprecating this policy. 
This is what John point was in PS4.\n\nIf there is change in the specific rule then yes we do deprecate like done in - https://review.opendev.org/#/c/648480/23/nova/policies/services.py","commit_id":"4bc7bb13b87704f1f40dc70636feffd5c1940cde"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"f95b21a4b6a2bf88a77811446d506223a2a72c57","unresolved":false,"context_lines":[{"line_number":26,"context_line":"        name\u003dPOLICY_ROOT % \u0027reset_state\u0027,"},{"line_number":27,"context_line":"        check_str\u003dbase.SYSTEM_ADMIN,"},{"line_number":28,"context_line":"        description\u003d\"Reset the state of a given server\","},{"line_number":29,"context_line":"        operations\u003d["},{"line_number":30,"context_line":"            {"},{"line_number":31,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":32,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/action (os-resetState)\u0027"}],"source_content_type":"text/x-python","patch_set":6,"id":"3fa7e38b_c87b1378","line":29,"in_reply_to":"3fa7e38b_56982766","updated":"2020-01-31 19:16:18.000000000","message":"tldr I think you\u0027re right but I wrote out my thought process for clarity:\n\nRULE_ADMIN_API with scope_type \u0027system\u0027 is only the same as SYSTEM_ADMIN when enforce_scope\u003dtrue. The policy with name \"os_compute_api:os-admin-actions:reset_state\" is changing its check string from \"is_admin:True\" to an effective check string of \"(role:admin and system_scope:all) or (is_admin:True)\". Without the deprecation parameter, the operator isn\u0027t notified of this change and has no opportunity to override this individual rule to opt into the more secure \"role:admin and system_scope:all\" check string.\n\nIf the idea is for the operator to turn on enforce_scope and cut over all the policies at once, then this is probably fine. 
After thinking about it for a while I think this is probably the right approach.","commit_id":"4bc7bb13b87704f1f40dc70636feffd5c1940cde"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"80bd42a4956881b9d3723867a6973b80377c0e2d","unresolved":false,"context_lines":[{"line_number":26,"context_line":"        name\u003dPOLICY_ROOT % \u0027reset_state\u0027,"},{"line_number":27,"context_line":"        check_str\u003dbase.SYSTEM_ADMIN,"},{"line_number":28,"context_line":"        description\u003d\"Reset the state of a given server\","},{"line_number":29,"context_line":"        operations\u003d["},{"line_number":30,"context_line":"            {"},{"line_number":31,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":32,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/action (os-resetState)\u0027"}],"source_content_type":"text/x-python","patch_set":6,"id":"3fa7e38b_b95f1973","line":29,"in_reply_to":"3fa7e38b_59914545","updated":"2020-01-30 21:13:04.000000000","message":"but new rule SYSTEM_ADMIN has the deprecated rule of old rule RULE_ADMIN_API so oslo policy will do logical OR with both of them and when os_compute_api:os-admin-actions:%s check_str is checked it will do RuleCheck and take care of both rule (new and deprecated). \n\nThat is why the existing test using old context is working fine[1] otherwise it will fail.\n\nSo instead of deprecating each policy rule, we decided to deprecate base Rule which is being used in every policy rule. 
\n\n[1] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/tests/unit/policies/test_admin_actions.py","commit_id":"4bc7bb13b87704f1f40dc70636feffd5c1940cde"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"cde49840a40380618a686ac2fcb345126d167745","unresolved":false,"context_lines":[{"line_number":26,"context_line":"        name\u003dPOLICY_ROOT % \u0027reset_state\u0027,"},{"line_number":27,"context_line":"        check_str\u003dbase.SYSTEM_ADMIN,"},{"line_number":28,"context_line":"        description\u003d\"Reset the state of a given server\","},{"line_number":29,"context_line":"        operations\u003d["},{"line_number":30,"context_line":"            {"},{"line_number":31,"context_line":"                \u0027method\u0027: \u0027POST\u0027,"},{"line_number":32,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/action (os-resetState)\u0027"}],"source_content_type":"text/x-python","patch_set":6,"id":"3fa7e38b_1ff16de0","line":29,"in_reply_to":"3fa7e38b_b95f1973","updated":"2020-01-30 23:20:50.000000000","message":"I see now that you\u0027re correct that it works technically. Unfortunately it doesn\u0027t give the right deprecation warning in the logs. Instead of oslo.policy warning about the \"os_compute_api:os-admin-actions:reset_state\" policy, there are just repetitions of warnings about the \"os_compute_api:os-services\":\"rule:admin_api\" policy. This means the operator doesn\u0027t have the ability to selectively opt into the new behavior on a rule by rule basis because they can\u0027t see what rules are really changing.","commit_id":"4bc7bb13b87704f1f40dc70636feffd5c1940cde"}]}
