)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"d62a9bfd0cbcf0e0a125fb87e3be9e8afd18cb50","unresolved":false,"context_lines":[{"line_number":13,"context_line":"oslo policy to verify the context data with context data."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"This commit pass the actual target for os-services API policies"},{"line_number":16,"context_line":"which is empty dict as per their defaults check_str."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"blueprint policy-defaults-refresh"},{"line_number":19,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"3fa7e38b_5b2f4ef4","line":16,"range":{"start_line":16,"start_character":20,"end_line":16,"end_character":52},"updated":"2019-11-21 00:29:14.000000000","message":"Not sure I understand that...\n\nI think its empty because the target is \"system\" rather than any project, so the scope check deals with any target checking that is required here.","commit_id":"f03a711501181caed07b7df7b6cc46d67bf0a15f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"435f756c4f8ee7128a03152a515bb00a1672b483","unresolved":false,"context_lines":[{"line_number":13,"context_line":"oslo policy to verify the context data with context data."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"This commit pass the actual target for os-services API policies"},{"line_number":16,"context_line":"which is empty dict as per their defaults check_str."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"blueprint 
policy-defaults-refresh"},{"line_number":19,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"3fa7e38b_9506a385","line":16,"range":{"start_line":16,"start_character":20,"end_line":16,"end_character":52},"in_reply_to":"3fa7e38b_5b2f4ef4","updated":"2019-11-26 22:50:35.000000000","message":"yeah. I will explain it with system scope way","commit_id":"f03a711501181caed07b7df7b6cc46d67bf0a15f"}],"nova/api/openstack/compute/services.py":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"5977ec964e79baee68acb7b89ee505ffeb866cde","unresolved":false,"context_lines":[{"line_number":347,"context_line":"        name"},{"line_number":348,"context_line":"        \"\"\""},{"line_number":349,"context_line":"        context \u003d req.environ[\u0027nova.context\u0027]"},{"line_number":350,"context_line":"        context.can(services_policies.BASE_POLICY_NAME % \u0027list\u0027, target\u003d{})"},{"line_number":351,"context_line":"        if api_version_request.is_supported(req, min_version\u003d\u00272.11\u0027):"},{"line_number":352,"context_line":"            _services \u003d self._get_services_list(req, [\u0027forced_down\u0027])"},{"line_number":353,"context_line":"        else:"}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_5c422f3d","line":350,"range":{"start_line":350,"start_character":64,"end_line":350,"end_character":75},"updated":"2019-12-04 19:17:19.000000000","message":"because of the existing overridden test failing on this change, I have a question before I modify the test.\n\nWith system_scope disabled, operator overriding this rule to project role check (which has project_id as key) will break due to changing the target to empty dict [1]. 
\n\nIf system_scope is enabled, then we are good to make this target as empty string because operator cannot override the scope_type.\n\nShould we support both target with the condition mentioned below or change the target to actual target when we enable the system_scope by default?\n\ntarget \u003d None\nif oslo_policy.enforce_scope:\n    target \u003d {}\n\n[1] The failed test was overriding this rule from system reader to project \u0027member\u0027 which has the project_id in the check_str and fails to pass the policy because the target we pass here is empty dict. oslo policy would not be able to find the project_id in target and deny the access.","commit_id":"613085b99db20d6d284af93ba219bbcb07c0b34b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"09d3b26c2a3f214f1d1616b6692ffd1e17a8001f","unresolved":false,"context_lines":[{"line_number":347,"context_line":"        name"},{"line_number":348,"context_line":"        \"\"\""},{"line_number":349,"context_line":"        context \u003d req.environ[\u0027nova.context\u0027]"},{"line_number":350,"context_line":"        context.can(services_policies.BASE_POLICY_NAME % \u0027list\u0027, target\u003d{})"},{"line_number":351,"context_line":"        if api_version_request.is_supported(req, min_version\u003d\u00272.11\u0027):"},{"line_number":352,"context_line":"            _services \u003d self._get_services_list(req, [\u0027forced_down\u0027])"},{"line_number":353,"context_line":"        else:"}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_7de774ac","line":350,"range":{"start_line":350,"start_character":64,"end_line":350,"end_character":75},"in_reply_to":"3fa7e38b_3f9d9bba","updated":"2019-12-12 17:36:51.000000000","message":"yeah, we need to make it keep working till enforce_scope is True. 
let me try to add that logic in policy.py.\n\nnova-next job is good target for testing scope things but till we are sure all things work, i will add a n-v job with enforce_scope and run only API tests","commit_id":"613085b99db20d6d284af93ba219bbcb07c0b34b"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"798261636a09ae460775ed3bc06833fae0b22d4b","unresolved":false,"context_lines":[{"line_number":347,"context_line":"        name"},{"line_number":348,"context_line":"        \"\"\""},{"line_number":349,"context_line":"        context \u003d req.environ[\u0027nova.context\u0027]"},{"line_number":350,"context_line":"        context.can(services_policies.BASE_POLICY_NAME % \u0027list\u0027, target\u003d{})"},{"line_number":351,"context_line":"        if api_version_request.is_supported(req, min_version\u003d\u00272.11\u0027):"},{"line_number":352,"context_line":"            _services \u003d self._get_services_list(req, [\u0027forced_down\u0027])"},{"line_number":353,"context_line":"        else:"}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_3f9d9bba","line":350,"range":{"start_line":350,"start_character":64,"end_line":350,"end_character":75},"in_reply_to":"3fa7e38b_5c422f3d","updated":"2019-12-10 14:03:02.000000000","message":"Bummer...\n\nSounds like we need deprecated_target here, where the rule is rechecked including the deprecated_target if required. If a rule passes for that reason, we log a warning, similar to the system scope check things.\n\nAlthough your suggestion seems like a simpler way forward, I like it.\n\nIt is really templting to move that logic into here, but I think we need to fix all the targets first:\nhttps://github.com/openstack/nova/blob/5a3ef39539ca112ae0552aef5cbd536338db61b7/nova/policy.py#L185\n\nNova-next job, maybe that we could add enforce_scope \u003d True into that? 
It would catch us breaking things with suggestions like the above idea :)\n\nClearly we will need a careful release note about the enforce_scope configuration really meaning something now.","commit_id":"613085b99db20d6d284af93ba219bbcb07c0b34b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fc89ce7f51133ca79d9a9bc10d18316e8827b6c5","unresolved":false,"context_lines":[{"line_number":347,"context_line":"        name"},{"line_number":348,"context_line":"        \"\"\""},{"line_number":349,"context_line":"        context \u003d req.environ[\u0027nova.context\u0027]"},{"line_number":350,"context_line":"        context.can(services_policies.BASE_POLICY_NAME % \u0027list\u0027, target\u003d{})"},{"line_number":351,"context_line":"        if api_version_request.is_supported(req, min_version\u003d\u00272.11\u0027):"},{"line_number":352,"context_line":"            _services \u003d self._get_services_list(req, [\u0027forced_down\u0027])"},{"line_number":353,"context_line":"        else:"}],"source_content_type":"text/x-python","patch_set":4,"id":"3fa7e38b_80f0c7fd","line":350,"range":{"start_line":350,"start_character":64,"end_line":350,"end_character":75},"in_reply_to":"3fa7e38b_7de774ac","updated":"2019-12-12 17:57:18.000000000","message":"you are right, we need to fix all target first before we move the logic to policy.py otherwise it can break few things.\n\nLet\u0027s add the condition here and later in single set we can move this logic to common place in policy.py.","commit_id":"613085b99db20d6d284af93ba219bbcb07c0b34b"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"117ae9f9f9220b1c0480e2636fd972ebb158cdd5","unresolved":false,"context_lines":[{"line_number":236,"context_line":"        context \u003d req.environ[\u0027nova.context\u0027]"},{"line_number":237,"context_line":"  
      target \u003d None"},{"line_number":238,"context_line":"        if CONF.oslo_policy.enforce_scope:"},{"line_number":239,"context_line":"            target \u003d {}"},{"line_number":240,"context_line":"        context.can(services_policies.BASE_POLICY_NAME % \u0027delete\u0027,"},{"line_number":241,"context_line":"                    target\u003dtarget)"},{"line_number":242,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"3fa7e38b_96a3b89b","line":239,"updated":"2019-12-20 15:57:58.000000000","message":"I wonder if we could move this into context.can? Any time you pass an empty dict, we default to the regular default unless enforce_scope is true?","commit_id":"342b9b9132167f83b202c08262373870b797b075"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"084e968ca75462f968cdee28154d4ad657e502cc","unresolved":false,"context_lines":[{"line_number":236,"context_line":"        context \u003d req.environ[\u0027nova.context\u0027]"},{"line_number":237,"context_line":"        target \u003d None"},{"line_number":238,"context_line":"        if CONF.oslo_policy.enforce_scope:"},{"line_number":239,"context_line":"            target \u003d {}"},{"line_number":240,"context_line":"        context.can(services_policies.BASE_POLICY_NAME % \u0027delete\u0027,"},{"line_number":241,"context_line":"                    target\u003dtarget)"},{"line_number":242,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"3fa7e38b_392d17ae","line":239,"in_reply_to":"3fa7e38b_96a3b89b","updated":"2019-12-20 17:03:35.000000000","message":"I donot remember why i did not added it in policy.py but seems like below condition would not break any override.\n\nif target \u003d\u003d {} and not CONF.oslo_policy.enforce_scope:\n    targt \u003d 
default_target(context)","commit_id":"342b9b9132167f83b202c08262373870b797b075"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"c9a396af30642744a032a614f40a034f780050ea","unresolved":false,"context_lines":[{"line_number":231,"context_line":"    def delete(self, req, id):"},{"line_number":232,"context_line":"        \"\"\"Deletes the specified service.\"\"\""},{"line_number":233,"context_line":"        context \u003d req.environ[\u0027nova.context\u0027]"},{"line_number":234,"context_line":"        context.can(services_policies.BASE_POLICY_NAME % \u0027delete\u0027, target\u003d{})"},{"line_number":235,"context_line":""},{"line_number":236,"context_line":"        if api_version_request.is_supported("},{"line_number":237,"context_line":"                req, min_version\u003dUUID_FOR_ID_MIN_VERSION):"}],"source_content_type":"text/x-python","patch_set":8,"id":"3fa7e38b_51c73566","line":234,"range":{"start_line":234,"start_character":8,"end_line":234,"end_character":77},"updated":"2020-02-11 20:22:02.000000000","message":"Is there any objection to bumping this down to line 249? 
Then you\u0027d be able to pass the service as the actual target.","commit_id":"345984144b50487cc6f0d346adbe464452d7404b"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ba2ea0a8cc3d7dac2b4da410c8e37abfe6297ef2","unresolved":false,"context_lines":[{"line_number":231,"context_line":"    def delete(self, req, id):"},{"line_number":232,"context_line":"        \"\"\"Deletes the specified service.\"\"\""},{"line_number":233,"context_line":"        context \u003d req.environ[\u0027nova.context\u0027]"},{"line_number":234,"context_line":"        context.can(services_policies.BASE_POLICY_NAME % \u0027delete\u0027, target\u003d{})"},{"line_number":235,"context_line":""},{"line_number":236,"context_line":"        if api_version_request.is_supported("},{"line_number":237,"context_line":"                req, min_version\u003dUUID_FOR_ID_MIN_VERSION):"}],"source_content_type":"text/x-python","patch_set":8,"id":"1fa4df85_f0ff80fe","line":234,"range":{"start_line":234,"start_character":8,"end_line":234,"end_character":77},"in_reply_to":"3fa7e38b_14744bcc","updated":"2020-03-02 14:01:11.000000000","message":"yeah, the point here is we don\u0027t want people to break interop with strange policy, so here the target is the \"system\", which we represent as an empty dict, regardless.","commit_id":"345984144b50487cc6f0d346adbe464452d7404b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"5f5bce94fb98a1d2ea02487f869c95dce1c53d27","unresolved":false,"context_lines":[{"line_number":231,"context_line":"    def delete(self, req, id):"},{"line_number":232,"context_line":"        \"\"\"Deletes the specified service.\"\"\""},{"line_number":233,"context_line":"        context \u003d req.environ[\u0027nova.context\u0027]"},{"line_number":234,"context_line":"        
context.can(services_policies.BASE_POLICY_NAME % \u0027delete\u0027, target\u003d{})"},{"line_number":235,"context_line":""},{"line_number":236,"context_line":"        if api_version_request.is_supported("},{"line_number":237,"context_line":"                req, min_version\u003dUUID_FOR_ID_MIN_VERSION):"}],"source_content_type":"text/x-python","patch_set":8,"id":"3fa7e38b_14744bcc","line":234,"range":{"start_line":234,"start_character":8,"end_line":234,"end_character":77},"in_reply_to":"3fa7e38b_51c73566","updated":"2020-02-11 21:53:09.000000000","message":"we can but default policy does not need that and I do not think anyone will override the policy based on service attributes? \n\nmaybe John know better use case if any operator override in such way.","commit_id":"345984144b50487cc6f0d346adbe464452d7404b"}],"nova/policy.py":[{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ba2ea0a8cc3d7dac2b4da410c8e37abfe6297ef2","unresolved":false,"context_lines":[{"line_number":158,"context_line":""},{"line_number":159,"context_line":"    # Legacy fallback for emtpy target from context.can()"},{"line_number":160,"context_line":"    # should be removed once we improve testing and scope checks"},{"line_number":161,"context_line":"    if target is None or target \u003d\u003d {} and not CONF.oslo_policy.enforce_scope:"},{"line_number":162,"context_line":"        target \u003d default_target(context)"},{"line_number":163,"context_line":""},{"line_number":164,"context_line":"    try:"}],"source_content_type":"text/x-python","patch_set":8,"id":"1fa4df85_5018d473","line":161,"updated":"2020-03-02 14:01:11.000000000","message":"This is bad... 
I think we want {} to NOT default to the context thing.","commit_id":"345984144b50487cc6f0d346adbe464452d7404b"}],"nova/tests/unit/test_policy.py":[{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"ba2ea0a8cc3d7dac2b4da410c8e37abfe6297ef2","unresolved":false,"context_lines":[{"line_number":35,"context_line":"    def setUp(self):"},{"line_number":36,"context_line":"        super(PolicyFileTestCase, self).setUp()"},{"line_number":37,"context_line":"        self.context \u003d context.RequestContext(\u0027fake\u0027, \u0027fake\u0027)"},{"line_number":38,"context_line":"        self.target \u003d {None: None}"},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"    def test_modified_policy_reloads(self):"},{"line_number":41,"context_line":"        with utils.tempdir() as tmpdir:"}],"source_content_type":"text/x-python","patch_set":8,"id":"1fa4df85_b02268a3","line":38,"updated":"2020-03-02 14:01:11.000000000","message":"What does that mean?","commit_id":"345984144b50487cc6f0d346adbe464452d7404b"}]}
