)]}'
{"doc/source/configuration/index.rst":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"5985dc3a9e487895e265371656f3cf646167f99a","unresolved":false,"context_lines":[{"line_number":48,"context_line":"Nova, like most OpenStack projects, uses a policy language to restrict"},{"line_number":49,"context_line":"permissions on REST API actions."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"* :doc:`Policy New Defaults \u003cpolicy-new-defaults\u003e`: Nova API policy defines new"},{"line_number":52,"context_line":"  default roles with scope_type capabilities. These new changes improve the"},{"line_number":53,"context_line":"  security level and manageability. New policies are richer in terms of"},{"line_number":54,"context_line":"  handling access at system and project level token with \u0027Read\u0027 \u0026 \u0027Write\u0027"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_45e21531","line":51,"updated":"2020-04-16 01:51:52.000000000","message":"I think we\u0027ll want to say something about what release the new defaults appear in right? 
Once this page is no longer \"new\", it will not be clear when new defaults were new.\n\n\"Starting in the Ussuri release, Nova API policy defines new ....\"","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"449ea953464b2f48a11ea3bc35b25888f22ebf2d","unresolved":false,"context_lines":[{"line_number":48,"context_line":"Nova, like most OpenStack projects, uses a policy language to restrict"},{"line_number":49,"context_line":"permissions on REST API actions."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"* :doc:`Policy New Defaults \u003cpolicy-new-defaults\u003e`: Nova API policy defines new"},{"line_number":52,"context_line":"  default roles with scope_type capabilities. These new changes improve the"},{"line_number":53,"context_line":"  security level and manageability. New policies are richer in terms of"},{"line_number":54,"context_line":"  handling access at system and project level token with \u0027Read\u0027 \u0026 \u0027Write\u0027"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_4665f144","line":51,"in_reply_to":"3f4c43b2_45e21531","updated":"2020-04-16 16:29:49.000000000","message":"true, that will be much better. 
done","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":49,"context_line":"permissions on REST API actions."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"* :doc:`Policy New Defaults \u003cpolicy-new-defaults\u003e`: Starting in the Ussuri"},{"line_number":52,"context_line":"  release, Nova API policy defines new default roles with scope_type"},{"line_number":53,"context_line":"  capabilities. These new changes improve the security level and"},{"line_number":54,"context_line":"  manageability. New policies are richer in terms of handling access at"},{"line_number":55,"context_line":"  system and project level token with \u0027Read\u0027 \u0026 \u0027Write\u0027 roles."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_1e3269a8","line":52,"range":{"start_line":52,"start_character":58,"end_line":52,"end_character":68},"updated":"2020-04-20 17:16:44.000000000","message":"``literal`` (or say \"scope type\")","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":49,"context_line":"permissions on REST API actions."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"* :doc:`Policy New Defaults \u003cpolicy-new-defaults\u003e`: Starting in the Ussuri"},{"line_number":52,"context_line":"  release, Nova API policy defines new default roles with scope_type"},{"line_number":53,"context_line":"  capabilities. These new changes improve the security level and"},{"line_number":54,"context_line":"  manageability. 
New policies are richer in terms of handling access at"},{"line_number":55,"context_line":"  system and project level token with \u0027Read\u0027 \u0026 \u0027Write\u0027 roles."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_c1b0268f","line":52,"range":{"start_line":52,"start_character":58,"end_line":52,"end_character":68},"in_reply_to":"1f493fa4_1e3269a8","updated":"2020-04-20 18:07:19.000000000","message":"done. scope_type is too internal variable here.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":51,"context_line":"* :doc:`Policy New Defaults \u003cpolicy-new-defaults\u003e`: Starting in the Ussuri"},{"line_number":52,"context_line":"  release, Nova API policy defines new default roles with scope_type"},{"line_number":53,"context_line":"  capabilities. These new changes improve the security level and"},{"line_number":54,"context_line":"  manageability. New policies are richer in terms of handling access at"},{"line_number":55,"context_line":"  system and project level token with \u0027Read\u0027 \u0026 \u0027Write\u0027 roles."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":".. 
toctree::"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_de1761ed","line":54,"range":{"start_line":54,"start_character":15,"end_line":54,"end_character":33},"updated":"2020-04-20 17:16:44.000000000","message":"as they are","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":51,"context_line":"* :doc:`Policy New Defaults \u003cpolicy-new-defaults\u003e`: Starting in the Ussuri"},{"line_number":52,"context_line":"  release, Nova API policy defines new default roles with scope_type"},{"line_number":53,"context_line":"  capabilities. These new changes improve the security level and"},{"line_number":54,"context_line":"  manageability. New policies are richer in terms of handling access at"},{"line_number":55,"context_line":"  system and project level token with \u0027Read\u0027 \u0026 \u0027Write\u0027 roles."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":".. toctree::"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_81b73e87","line":54,"range":{"start_line":54,"start_character":15,"end_line":54,"end_character":33},"in_reply_to":"1f493fa4_de1761ed","updated":"2020-04-20 18:07:19.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":52,"context_line":"  release, Nova API policy defines new default roles with scope_type"},{"line_number":53,"context_line":"  capabilities. These new changes improve the security level and"},{"line_number":54,"context_line":"  manageability. 
New policies are richer in terms of handling access at"},{"line_number":55,"context_line":"  system and project level token with \u0027Read\u0027 \u0026 \u0027Write\u0027 roles."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":".. toctree::"},{"line_number":58,"context_line":"   :hidden:"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_3ed2c535","line":55,"range":{"start_line":55,"start_character":45,"end_line":55,"end_character":46},"updated":"2020-04-20 17:16:44.000000000","message":"and","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":52,"context_line":"  release, Nova API policy defines new default roles with scope_type"},{"line_number":53,"context_line":"  capabilities. These new changes improve the security level and"},{"line_number":54,"context_line":"  manageability. New policies are richer in terms of handling access at"},{"line_number":55,"context_line":"  system and project level token with \u0027Read\u0027 \u0026 \u0027Write\u0027 roles."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":".. 
toctree::"},{"line_number":58,"context_line":"   :hidden:"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_21c2aaea","line":55,"range":{"start_line":55,"start_character":45,"end_line":55,"end_character":46},"in_reply_to":"1f493fa4_3ed2c535","updated":"2020-04-20 18:07:19.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"}],"doc/source/configuration/policy-concepts.rst":[{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"97e4ef56b806a7100c2f057ec98e317090625c9f","unresolved":false,"context_lines":[{"line_number":25,"context_line":""},{"line_number":26,"context_line":"Keystone comes with ``admin``, ``member`` and ``reader`` roles by default."},{"line_number":27,"context_line":"Please refer to :keystone-doc:`this document \u003c/admin/service-api-protection.html\u003e`"},{"line_number":28,"context_line":"for more information about these new defaults. In addition, keystone supports a new \"system scope\" concept that makes it easier to"},{"line_number":29,"context_line":"protect deployment level resources from project or system level resources. 
Please"},{"line_number":30,"context_line":"refer to :keystone-doc:`this document \u003c/admin/tokens-overview.html#authorization-scopes\u003e`"},{"line_number":31,"context_line":"and `system scope specification \u003chttps://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_ to understand the scope concept."}],"source_content_type":"text/x-rst","patch_set":11,"id":"1f493fa4_d3cbb81b","line":28,"range":{"start_line":28,"start_character":99,"end_line":28,"end_character":130},"updated":"2020-04-22 06:40:22.000000000","message":"nit: long line.","commit_id":"80978c6af785c71ab12e5809003800f172658112"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"be6a48ce7089eefe85adfd0c65f07ac9f5cab6bc","unresolved":false,"context_lines":[{"line_number":25,"context_line":""},{"line_number":26,"context_line":"Keystone comes with ``admin``, ``member`` and ``reader`` roles by default."},{"line_number":27,"context_line":"Please refer to :keystone-doc:`this document \u003c/admin/service-api-protection.html\u003e`"},{"line_number":28,"context_line":"for more information about these new defaults. In addition, keystone supports a new \"system scope\" concept that makes it easier to"},{"line_number":29,"context_line":"protect deployment level resources from project or system level resources. 
Please"},{"line_number":30,"context_line":"refer to :keystone-doc:`this document \u003c/admin/tokens-overview.html#authorization-scopes\u003e`"},{"line_number":31,"context_line":"and `system scope specification \u003chttps://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_ to understand the scope concept."}],"source_content_type":"text/x-rst","patch_set":11,"id":"1f493fa4_f9c69316","line":28,"range":{"start_line":28,"start_character":99,"end_line":28,"end_character":130},"in_reply_to":"1f493fa4_d3cbb81b","updated":"2020-04-22 10:31:25.000000000","message":"Yeah, this entire doc could do with being wrapped at 80 characters, I imagine","commit_id":"80978c6af785c71ab12e5809003800f172658112"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"7a522b3daea7f29f334d8cdb1fe01050eb112be9","unresolved":false,"context_lines":[{"line_number":25,"context_line":""},{"line_number":26,"context_line":"Keystone comes with ``admin``, ``member`` and ``reader`` roles by default."},{"line_number":27,"context_line":"Please refer to :keystone-doc:`this document \u003c/admin/service-api-protection.html\u003e`"},{"line_number":28,"context_line":"for more information about these new defaults. In addition, keystone supports a new \"system scope\" concept that makes it easier to"},{"line_number":29,"context_line":"protect deployment level resources from project or system level resources. 
Please"},{"line_number":30,"context_line":"refer to :keystone-doc:`this document \u003c/admin/tokens-overview.html#authorization-scopes\u003e`"},{"line_number":31,"context_line":"and `system scope specification \u003chttps://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_ to understand the scope concept."}],"source_content_type":"text/x-rst","patch_set":11,"id":"1f493fa4_57730b81","line":28,"range":{"start_line":28,"start_character":99,"end_line":28,"end_character":130},"in_reply_to":"1f493fa4_f9c69316","updated":"2020-04-22 13:27:23.000000000","message":"Done","commit_id":"80978c6af785c71ab12e5809003800f172658112"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"97e4ef56b806a7100c2f057ec98e317090625c9f","unresolved":false,"context_lines":[{"line_number":54,"context_line":""},{"line_number":55,"context_line":".. note::"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"     The ``scope_type`` of each policy is hardcoded and is not"},{"line_number":58,"context_line":"     not overridable via the policy file."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"Nova policies have implemented the scope concept by defining the ``scope_type``"},{"line_number":61,"context_line":"in policies. 
To know each policy\u0027s ``scope_type``, please refer to the"}],"source_content_type":"text/x-rst","patch_set":11,"id":"1f493fa4_13efe084","line":58,"range":{"start_line":57,"start_character":59,"end_line":58,"end_character":8},"updated":"2020-04-22 06:40:22.000000000","message":"double not","commit_id":"80978c6af785c71ab12e5809003800f172658112"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"7a522b3daea7f29f334d8cdb1fe01050eb112be9","unresolved":false,"context_lines":[{"line_number":54,"context_line":""},{"line_number":55,"context_line":".. note::"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"     The ``scope_type`` of each policy is hardcoded and is not"},{"line_number":58,"context_line":"     not overridable via the policy file."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"Nova policies have implemented the scope concept by defining the ``scope_type``"},{"line_number":61,"context_line":"in policies. To know each policy\u0027s ``scope_type``, please refer to the"}],"source_content_type":"text/x-rst","patch_set":11,"id":"1f493fa4_3770ff72","line":58,"range":{"start_line":57,"start_character":59,"end_line":58,"end_character":8},"in_reply_to":"1f493fa4_13efe084","updated":"2020-04-22 13:27:23.000000000","message":"Done","commit_id":"80978c6af785c71ab12e5809003800f172658112"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"be6a48ce7089eefe85adfd0c65f07ac9f5cab6bc","unresolved":false,"context_lines":[{"line_number":63,"context_line":"``Intended scope(s)`` in :doc:`Policy Sample File \u003c/configuration/sample-policy\u003e` as"},{"line_number":64,"context_line":"shown in below examples."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"#. 
``system`` scope"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"   Policies with a ``scope_type`` of ``system`` means a user with a"},{"line_number":69,"context_line":"   ``system-scoped`` token has permission to access the resource. This can be"}],"source_content_type":"text/x-rst","patch_set":11,"id":"1f493fa4_48f9b27e","line":66,"range":{"start_line":66,"start_character":0,"end_line":66,"end_character":19},"updated":"2020-04-22 10:31:25.000000000","message":"can you change these to rubric too, please?","commit_id":"80978c6af785c71ab12e5809003800f172658112"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"7a522b3daea7f29f334d8cdb1fe01050eb112be9","unresolved":false,"context_lines":[{"line_number":63,"context_line":"``Intended scope(s)`` in :doc:`Policy Sample File \u003c/configuration/sample-policy\u003e` as"},{"line_number":64,"context_line":"shown in below examples."},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"#. ``system`` scope"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"   Policies with a ``scope_type`` of ``system`` means a user with a"},{"line_number":69,"context_line":"   ``system-scoped`` token has permission to access the resource. 
This can be"}],"source_content_type":"text/x-rst","patch_set":11,"id":"1f493fa4_776a8780","line":66,"range":{"start_line":66,"start_character":0,"end_line":66,"end_character":19},"in_reply_to":"1f493fa4_48f9b27e","updated":"2020-04-22 13:27:23.000000000","message":"Done","commit_id":"80978c6af785c71ab12e5809003800f172658112"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"97e4ef56b806a7100c2f057ec98e317090625c9f","unresolved":false,"context_lines":[{"line_number":118,"context_line":"Policy scope is disabled by default to allow operators to migrate from"},{"line_number":119,"context_line":"the old policy enforcement system in a graceful way. This can be"},{"line_number":120,"context_line":"enabled by configuring the :oslo.config:option:`oslo_policy.enforce_scope`"},{"line_number":121,"context_line":"option to ``False``."},{"line_number":122,"context_line":""},{"line_number":123,"context_line":".. note::"},{"line_number":124,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"1f493fa4_7388e4c5","line":121,"range":{"start_line":121,"start_character":12,"end_line":121,"end_character":17},"updated":"2020-04-22 06:40:22.000000000","message":"True","commit_id":"80978c6af785c71ab12e5809003800f172658112"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"7a522b3daea7f29f334d8cdb1fe01050eb112be9","unresolved":false,"context_lines":[{"line_number":118,"context_line":"Policy scope is disabled by default to allow operators to migrate from"},{"line_number":119,"context_line":"the old policy enforcement system in a graceful way. 
This can be"},{"line_number":120,"context_line":"enabled by configuring the :oslo.config:option:`oslo_policy.enforce_scope`"},{"line_number":121,"context_line":"option to ``False``."},{"line_number":122,"context_line":""},{"line_number":123,"context_line":".. note::"},{"line_number":124,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"1f493fa4_d7043bc9","line":121,"range":{"start_line":121,"start_character":12,"end_line":121,"end_character":17},"in_reply_to":"1f493fa4_7388e4c5","updated":"2020-04-22 13:27:23.000000000","message":"ohh, done","commit_id":"80978c6af785c71ab12e5809003800f172658112"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"97e4ef56b806a7100c2f057ec98e317090625c9f","unresolved":false,"context_lines":[{"line_number":190,"context_line":"   and defaulted to reader rules. For exmaple: If you need to let someone audit your"},{"line_number":191,"context_line":"   deployment for security purposes."},{"line_number":192,"context_line":""},{"line_number":193,"context_line":"#. Customize the policy in better way. 
For example if you will be able"},{"line_number":194,"context_line":"   to provide access to project level user to perform live migration for their"},{"line_number":195,"context_line":"   server or any other project with their token."},{"line_number":196,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"1f493fa4_b380ac8d","line":193,"range":{"start_line":193,"start_character":51,"end_line":193,"end_character":53},"updated":"2020-04-22 06:40:22.000000000","message":"not needed","commit_id":"80978c6af785c71ab12e5809003800f172658112"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"7a522b3daea7f29f334d8cdb1fe01050eb112be9","unresolved":false,"context_lines":[{"line_number":190,"context_line":"   and defaulted to reader rules. For exmaple: If you need to let someone audit your"},{"line_number":191,"context_line":"   deployment for security purposes."},{"line_number":192,"context_line":""},{"line_number":193,"context_line":"#. Customize the policy in better way. 
For example if you will be able"},{"line_number":194,"context_line":"   to provide access to project level user to perform live migration for their"},{"line_number":195,"context_line":"   server or any other project with their token."},{"line_number":196,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"1f493fa4_170fc3e1","line":193,"range":{"start_line":193,"start_character":51,"end_line":193,"end_character":53},"in_reply_to":"1f493fa4_b380ac8d","updated":"2020-04-22 13:27:23.000000000","message":"Done","commit_id":"80978c6af785c71ab12e5809003800f172658112"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"97e4ef56b806a7100c2f057ec98e317090625c9f","unresolved":false,"context_lines":[{"line_number":246,"context_line":"   The :oslo.config:option:`oslo_policy.enforce_new_defaults` flag switches the policy to new"},{"line_number":247,"context_line":"   defaults-only. This flag controls whether or not to use old deprecated defaults when evaluating"},{"line_number":248,"context_line":"   policies. If True, the old deprecated defaults are not evaluated. This means if any existing"},{"line_number":249,"context_line":"   token is allowed for old defaults but is disallowed for new defaults, it will be disallowed."},{"line_number":250,"context_line":"   The default value of this flag is False."},{"line_number":251,"context_line":""},{"line_number":252,"context_line":"   .. 
note:: Before you enable this flag, you need to educate users about the different roles"}],"source_content_type":"text/x-rst","patch_set":11,"id":"1f493fa4_b359cc5b","line":249,"range":{"start_line":249,"start_character":84,"end_line":249,"end_character":94},"updated":"2020-04-22 06:40:22.000000000","message":"rejected","commit_id":"80978c6af785c71ab12e5809003800f172658112"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"7a522b3daea7f29f334d8cdb1fe01050eb112be9","unresolved":false,"context_lines":[{"line_number":246,"context_line":"   The :oslo.config:option:`oslo_policy.enforce_new_defaults` flag switches the policy to new"},{"line_number":247,"context_line":"   defaults-only. This flag controls whether or not to use old deprecated defaults when evaluating"},{"line_number":248,"context_line":"   policies. If True, the old deprecated defaults are not evaluated. This means if any existing"},{"line_number":249,"context_line":"   token is allowed for old defaults but is disallowed for new defaults, it will be disallowed."},{"line_number":250,"context_line":"   The default value of this flag is False."},{"line_number":251,"context_line":""},{"line_number":252,"context_line":"   .. 
note:: Before you enable this flag, you need to educate users about the different roles"}],"source_content_type":"text/x-rst","patch_set":11,"id":"1f493fa4_57f82bc3","line":249,"range":{"start_line":249,"start_character":84,"end_line":249,"end_character":94},"in_reply_to":"1f493fa4_b359cc5b","updated":"2020-04-22 13:27:23.000000000","message":"Done","commit_id":"80978c6af785c71ab12e5809003800f172658112"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"856ee043c4213173c1cef7e7e5381390e56b30d2","unresolved":false,"context_lines":[{"line_number":32,"context_line":":keystone-doc:`this document \u003c/admin/tokens-overview.html#authorization-scopes\u003e`"},{"line_number":33,"context_line":"and `system scope specification \u003chttps://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_ to understand the scope concept."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"In the Nova 21.0.0 (OpenStack Ussuri) release, Nova policies implemented"},{"line_number":36,"context_line":"the scope concept and default roles provided by keystone (admin, member,"},{"line_number":37,"context_line":"and reader). 
Using common roles from keystone reduces the likelihood of"},{"line_number":38,"context_line":"similar, but different, roles implemented across projects or deployments"}],"source_content_type":"text/x-rst","patch_set":12,"id":"1f493fa4_808546b0","line":35,"range":{"start_line":35,"start_character":20,"end_line":35,"end_character":29},"updated":"2020-04-22 17:43:51.000000000","message":"Not sure this is needed or helpful, since other projects Ussuri might not be version 21.0.0","commit_id":"78b2ecd17e0be56741af2d0a237eff1d34c8374b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3fb81446e11ddca50e35f324f8348bb1c9930c11","unresolved":false,"context_lines":[{"line_number":32,"context_line":":keystone-doc:`this document \u003c/admin/tokens-overview.html#authorization-scopes\u003e`"},{"line_number":33,"context_line":"and `system scope specification \u003chttps://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_ to understand the scope concept."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"In the Nova 21.0.0 (OpenStack Ussuri) release, Nova policies implemented"},{"line_number":36,"context_line":"the scope concept and default roles provided by keystone (admin, member,"},{"line_number":37,"context_line":"and reader). Using common roles from keystone reduces the likelihood of"},{"line_number":38,"context_line":"similar, but different, roles implemented across projects or deployments"}],"source_content_type":"text/x-rst","patch_set":12,"id":"1f493fa4_ab402337","line":35,"range":{"start_line":35,"start_character":20,"end_line":35,"end_character":29},"in_reply_to":"1f493fa4_808546b0","updated":"2020-04-22 17:53:46.000000000","message":"ok. 
done","commit_id":"78b2ecd17e0be56741af2d0a237eff1d34c8374b"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"856ee043c4213173c1cef7e7e5381390e56b30d2","unresolved":false,"context_lines":[{"line_number":201,"context_line":"Backward Compatibility"},{"line_number":202,"context_line":"----------------------"},{"line_number":203,"context_line":""},{"line_number":204,"context_line":"Backward compatibility with versions prior to 21.0.0 (Queens) is maintained by"},{"line_number":205,"context_line":"supporting the old defaults and disabling the ``scope_type`` feature by default."},{"line_number":206,"context_line":"This means the old defaults and deployments that use them will keep working"},{"line_number":207,"context_line":"as-is. However, we encourage every deployment to switch to new policy."}],"source_content_type":"text/x-rst","patch_set":12,"id":"1f493fa4_c04c6ec9","line":204,"range":{"start_line":204,"start_character":54,"end_line":204,"end_character":60},"updated":"2020-04-22 17:43:51.000000000","message":"Ussuri?","commit_id":"78b2ecd17e0be56741af2d0a237eff1d34c8374b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3fb81446e11ddca50e35f324f8348bb1c9930c11","unresolved":false,"context_lines":[{"line_number":201,"context_line":"Backward Compatibility"},{"line_number":202,"context_line":"----------------------"},{"line_number":203,"context_line":""},{"line_number":204,"context_line":"Backward compatibility with versions prior to 21.0.0 (Queens) is maintained by"},{"line_number":205,"context_line":"supporting the old defaults and disabling the ``scope_type`` feature by default."},{"line_number":206,"context_line":"This means the old defaults and deployments that use them will keep working"},{"line_number":207,"context_line":"as-is. 
However, we encourage every deployment to switch to new policy."}],"source_content_type":"text/x-rst","patch_set":12,"id":"1f493fa4_4b751f95","line":204,"range":{"start_line":204,"start_character":54,"end_line":204,"end_character":60},"in_reply_to":"1f493fa4_c04c6ec9","updated":"2020-04-22 17:53:46.000000000","message":"humm i donot know when i updated this to wrong name. thanks for catching this","commit_id":"78b2ecd17e0be56741af2d0a237eff1d34c8374b"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"856ee043c4213173c1cef7e7e5381390e56b30d2","unresolved":false,"context_lines":[{"line_number":213,"context_line":"backwards compatibility."},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"Migration Plan"},{"line_number":216,"context_line":"--------------"},{"line_number":217,"context_line":""},{"line_number":218,"context_line":"To have a graceful migration, Nova provides two flags to switch to the new"},{"line_number":219,"context_line":"policy completely. You do not need to overwrite the policy file to adopt the"}],"source_content_type":"text/x-rst","patch_set":12,"id":"1f493fa4_a055e252","line":216,"updated":"2020-04-22 17:43:51.000000000","message":"++ This is exactly the step-by-step doc I was looking for","commit_id":"78b2ecd17e0be56741af2d0a237eff1d34c8374b"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"856ee043c4213173c1cef7e7e5381390e56b30d2","unresolved":false,"context_lines":[{"line_number":264,"context_line":""},{"line_number":265,"context_line":"#. Check for deprecated policies"},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"   A Few policies were made more granular to implement the reader roles. New"},{"line_number":268,"context_line":"   policy names are available to use. 
If old policy name which are renamed"},{"line_number":269,"context_line":"   are overwriten in policy file then warning will be logged. Please migrate"},{"line_number":270,"context_line":"   those policy to new policy names."}],"source_content_type":"text/x-rst","patch_set":12,"id":"1f493fa4_e021aafd","line":267,"range":{"start_line":267,"start_character":5,"end_line":267,"end_character":8},"updated":"2020-04-22 17:43:51.000000000","message":"few","commit_id":"78b2ecd17e0be56741af2d0a237eff1d34c8374b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3fb81446e11ddca50e35f324f8348bb1c9930c11","unresolved":false,"context_lines":[{"line_number":264,"context_line":""},{"line_number":265,"context_line":"#. Check for deprecated policies"},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"   A Few policies were made more granular to implement the reader roles. New"},{"line_number":268,"context_line":"   policy names are available to use. If old policy name which are renamed"},{"line_number":269,"context_line":"   are overwriten in policy file then warning will be logged. Please migrate"},{"line_number":270,"context_line":"   those policy to new policy names."}],"source_content_type":"text/x-rst","patch_set":12,"id":"1f493fa4_2be9b319","line":267,"range":{"start_line":267,"start_character":5,"end_line":267,"end_character":8},"in_reply_to":"1f493fa4_e021aafd","updated":"2020-04-22 17:53:46.000000000","message":"Done","commit_id":"78b2ecd17e0be56741af2d0a237eff1d34c8374b"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"856ee043c4213173c1cef7e7e5381390e56b30d2","unresolved":false,"context_lines":[{"line_number":265,"context_line":"#. 
Check for deprecated policies"},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"   A Few policies were made more granular to implement the reader roles. New"},{"line_number":268,"context_line":"   policy names are available to use. If old policy name which are renamed"},{"line_number":269,"context_line":"   are overwriten in policy file then warning will be logged. Please migrate"},{"line_number":270,"context_line":"   those policy to new policy names."},{"line_number":271,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"1f493fa4_00f5b657","line":268,"range":{"start_line":268,"start_character":52,"end_line":268,"end_character":56},"updated":"2020-04-22 17:43:51.000000000","message":"names","commit_id":"78b2ecd17e0be56741af2d0a237eff1d34c8374b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3fb81446e11ddca50e35f324f8348bb1c9930c11","unresolved":false,"context_lines":[{"line_number":265,"context_line":"#. Check for deprecated policies"},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"   A Few policies were made more granular to implement the reader roles. New"},{"line_number":268,"context_line":"   policy names are available to use. If old policy name which are renamed"},{"line_number":269,"context_line":"   are overwriten in policy file then warning will be logged. 
Please migrate"},{"line_number":270,"context_line":"   those policy to new policy names."},{"line_number":271,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"1f493fa4_0bee7721","line":268,"range":{"start_line":268,"start_character":52,"end_line":268,"end_character":56},"in_reply_to":"1f493fa4_00f5b657","updated":"2020-04-22 17:53:46.000000000","message":"Done","commit_id":"78b2ecd17e0be56741af2d0a237eff1d34c8374b"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"856ee043c4213173c1cef7e7e5381390e56b30d2","unresolved":false,"context_lines":[{"line_number":266,"context_line":""},{"line_number":267,"context_line":"   A Few policies were made more granular to implement the reader roles. New"},{"line_number":268,"context_line":"   policy names are available to use. If old policy name which are renamed"},{"line_number":269,"context_line":"   are overwriten in policy file then warning will be logged. Please migrate"},{"line_number":270,"context_line":"   those policy to new policy names."},{"line_number":271,"context_line":""},{"line_number":272,"context_line":"We expect all deployments to migrate to new policy by 23.0.0 release so that"}],"source_content_type":"text/x-rst","patch_set":12,"id":"1f493fa4_a0da02e6","line":269,"range":{"start_line":269,"start_character":32,"end_line":269,"end_character":33},"updated":"2020-04-22 17:43:51.000000000","message":"add a comma","commit_id":"78b2ecd17e0be56741af2d0a237eff1d34c8374b"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"856ee043c4213173c1cef7e7e5381390e56b30d2","unresolved":false,"context_lines":[{"line_number":266,"context_line":""},{"line_number":267,"context_line":"   A Few policies were made more granular to implement the reader roles. 
New"},{"line_number":268,"context_line":"   policy names are available to use. If old policy name which are renamed"},{"line_number":269,"context_line":"   are overwriten in policy file then warning will be logged. Please migrate"},{"line_number":270,"context_line":"   those policy to new policy names."},{"line_number":271,"context_line":""},{"line_number":272,"context_line":"We expect all deployments to migrate to new policy by 23.0.0 release so that"}],"source_content_type":"text/x-rst","patch_set":12,"id":"1f493fa4_007e56e3","line":269,"range":{"start_line":269,"start_character":7,"end_line":269,"end_character":17},"updated":"2020-04-22 17:43:51.000000000","message":"overwritten","commit_id":"78b2ecd17e0be56741af2d0a237eff1d34c8374b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3fb81446e11ddca50e35f324f8348bb1c9930c11","unresolved":false,"context_lines":[{"line_number":266,"context_line":""},{"line_number":267,"context_line":"   A Few policies were made more granular to implement the reader roles. New"},{"line_number":268,"context_line":"   policy names are available to use. If old policy name which are renamed"},{"line_number":269,"context_line":"   are overwriten in policy file then warning will be logged. 
Please migrate"},{"line_number":270,"context_line":"   those policy to new policy names."},{"line_number":271,"context_line":""},{"line_number":272,"context_line":"We expect all deployments to migrate to new policy by 23.0.0 release so that"}],"source_content_type":"text/x-rst","patch_set":12,"id":"1f493fa4_6bf3bb0b","line":269,"range":{"start_line":269,"start_character":32,"end_line":269,"end_character":33},"in_reply_to":"1f493fa4_a0da02e6","updated":"2020-04-22 17:53:46.000000000","message":"Done","commit_id":"78b2ecd17e0be56741af2d0a237eff1d34c8374b"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"856ee043c4213173c1cef7e7e5381390e56b30d2","unresolved":false,"context_lines":[{"line_number":267,"context_line":"   A Few policies were made more granular to implement the reader roles. New"},{"line_number":268,"context_line":"   policy names are available to use. If old policy name which are renamed"},{"line_number":269,"context_line":"   are overwriten in policy file then warning will be logged. 
Please migrate"},{"line_number":270,"context_line":"   those policy to new policy names."},{"line_number":271,"context_line":""},{"line_number":272,"context_line":"We expect all deployments to migrate to new policy by 23.0.0 release so that"},{"line_number":273,"context_line":"we can remove the support of old policies."}],"source_content_type":"text/x-rst","patch_set":12,"id":"1f493fa4_e0e40aaf","line":270,"range":{"start_line":270,"start_character":9,"end_line":270,"end_character":15},"updated":"2020-04-22 17:43:51.000000000","message":"policies","commit_id":"78b2ecd17e0be56741af2d0a237eff1d34c8374b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3fb81446e11ddca50e35f324f8348bb1c9930c11","unresolved":false,"context_lines":[{"line_number":267,"context_line":"   A Few policies were made more granular to implement the reader roles. New"},{"line_number":268,"context_line":"   policy names are available to use. If old policy name which are renamed"},{"line_number":269,"context_line":"   are overwriten in policy file then warning will be logged. 
Please migrate"},{"line_number":270,"context_line":"   those policy to new policy names."},{"line_number":271,"context_line":""},{"line_number":272,"context_line":"We expect all deployments to migrate to new policy by 23.0.0 release so that"},{"line_number":273,"context_line":"we can remove the support of old policies."}],"source_content_type":"text/x-rst","patch_set":12,"id":"1f493fa4_8bd9e784","line":270,"range":{"start_line":270,"start_character":9,"end_line":270,"end_character":15},"in_reply_to":"1f493fa4_e0e40aaf","updated":"2020-04-22 17:53:46.000000000","message":"Done","commit_id":"78b2ecd17e0be56741af2d0a237eff1d34c8374b"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"9474d03bad834aa5b09f2f1a2e164339ce4098de","unresolved":false,"context_lines":[{"line_number":65,"context_line":"``Intended scope(s)`` in :doc:`Policy Sample File \u003c/configuration/sample-policy\u003e`"},{"line_number":66,"context_line":"as shown in below examples."},{"line_number":67,"context_line":""},{"line_number":68,"context_line":".. rubric:: ``system`` scope"},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Policies with a ``scope_type`` of ``system`` means a user with a"},{"line_number":71,"context_line":"``system-scoped`` token has permission to access the resource. 
This can be"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1f493fa4_e621c2fd","line":68,"range":{"start_line":68,"start_character":23,"end_line":68,"end_character":28},"updated":"2020-04-22 18:56:48.000000000","message":"Bah I just noticed that this","commit_id":"b22abf5217cf4e5c52479da57c9aa90ec41d80a3"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"9474d03bad834aa5b09f2f1a2e164339ce4098de","unresolved":false,"context_lines":[{"line_number":81,"context_line":"    # Intended scope(s): system"},{"line_number":82,"context_line":"    #\"os_compute_api:os-hypervisors:list\": \"rule:system_reader_api\""},{"line_number":83,"context_line":""},{"line_number":84,"context_line":".. rubric:: ``project`` Scoped"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Policies with a ``scope_type`` of ``project`` means a user with a"},{"line_number":87,"context_line":"``project-scoped`` token has permission to access the resource. Project-level"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1f493fa4_067e6ee3","line":84,"range":{"start_line":84,"start_character":24,"end_line":84,"end_character":30},"updated":"2020-04-22 18:56:48.000000000","message":"is different than this","commit_id":"b22abf5217cf4e5c52479da57c9aa90ec41d80a3"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4e59118ed1a9831de179144313c24c42e600f531","unresolved":false,"context_lines":[{"line_number":81,"context_line":"    # Intended scope(s): system"},{"line_number":82,"context_line":"    #\"os_compute_api:os-hypervisors:list\": \"rule:system_reader_api\""},{"line_number":83,"context_line":""},{"line_number":84,"context_line":".. 
rubric:: ``project`` Scoped"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Policies with a ``scope_type`` of ``project`` means a user with a"},{"line_number":87,"context_line":"``project-scoped`` token has permission to access the resource. Project-level"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1f493fa4_50578703","line":84,"range":{"start_line":84,"start_character":24,"end_line":84,"end_character":30},"in_reply_to":"1f493fa4_067e6ee3","updated":"2020-04-22 21:20:19.000000000","message":"it should be \u0027scope\u0027, somehow missed it","commit_id":"b22abf5217cf4e5c52479da57c9aa90ec41d80a3"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"9474d03bad834aa5b09f2f1a2e164339ce4098de","unresolved":false,"context_lines":[{"line_number":96,"context_line":"    # Intended scope(s): project"},{"line_number":97,"context_line":"    #\"os_compute_api:os-server-groups:create\": \"rule:project_member_api\""},{"line_number":98,"context_line":""},{"line_number":99,"context_line":".. 
rubric:: ``system and project`` scoped"},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"Policies with a ``scope_type`` of ``system and project`` means a user with a"},{"line_number":102,"context_line":"``system-scoped`` or ``project-scoped`` token has permission to access the"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1f493fa4_a66cda36","line":99,"range":{"start_line":99,"start_character":35,"end_line":99,"end_character":41},"updated":"2020-04-22 18:56:48.000000000","message":"which is different from this","commit_id":"b22abf5217cf4e5c52479da57c9aa90ec41d80a3"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4e59118ed1a9831de179144313c24c42e600f531","unresolved":false,"context_lines":[{"line_number":96,"context_line":"    # Intended scope(s): project"},{"line_number":97,"context_line":"    #\"os_compute_api:os-server-groups:create\": \"rule:project_member_api\""},{"line_number":98,"context_line":""},{"line_number":99,"context_line":".. 
rubric:: ``system and project`` scoped"},{"line_number":100,"context_line":""},{"line_number":101,"context_line":"Policies with a ``scope_type`` of ``system and project`` means a user with a"},{"line_number":102,"context_line":"``system-scoped`` or ``project-scoped`` token has permission to access the"}],"source_content_type":"text/x-rst","patch_set":14,"id":"1f493fa4_703d63ba","line":99,"range":{"start_line":99,"start_character":35,"end_line":99,"end_character":41},"in_reply_to":"1f493fa4_a66cda36","updated":"2020-04-22 21:20:19.000000000","message":"ditto","commit_id":"b22abf5217cf4e5c52479da57c9aa90ec41d80a3"},{"author":{"_account_id":7634,"name":"Takashi Natsume","email":"takanattie@gmail.com","username":"natsumet"},"change_message_id":"68746229ea342faccfce29f05d8a61023dc5d629","unresolved":false,"context_lines":[{"line_number":123,"context_line":"enabled by configuring the :oslo.config:option:`oslo_policy.enforce_scope`"},{"line_number":124,"context_line":"option to ``True``."},{"line_number":125,"context_line":""},{"line_number":126,"context_line":".. 
note::"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"  [oslo_policy]"},{"line_number":129,"context_line":"  enforce_scope\u003dTrue"}],"source_content_type":"text/x-rst","patch_set":15,"id":"1f493fa4_447069a6","line":126,"range":{"start_line":126,"start_character":3,"end_line":126,"end_character":7},"updated":"2020-04-23 01:50:47.000000000","message":"nit: code","commit_id":"5bd94b74857d2bf5515203118a16029408494b7f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a6a90a53399c60be1c2b777f2c0422d8110751b4","unresolved":false,"context_lines":[{"line_number":123,"context_line":"enabled by configuring the :oslo.config:option:`oslo_policy.enforce_scope`"},{"line_number":124,"context_line":"option to ``True``."},{"line_number":125,"context_line":""},{"line_number":126,"context_line":".. note::"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"  [oslo_policy]"},{"line_number":129,"context_line":"  enforce_scope\u003dTrue"}],"source_content_type":"text/x-rst","patch_set":15,"id":"1f493fa4_e46415bc","line":126,"range":{"start_line":126,"start_character":3,"end_line":126,"end_character":7},"in_reply_to":"1f493fa4_447069a6","updated":"2020-04-23 02:05:26.000000000","message":"it was code block actually but that was not much appropriate so we changed it to note section.","commit_id":"5bd94b74857d2bf5515203118a16029408494b7f"},{"author":{"_account_id":7634,"name":"Takashi Natsume","email":"takanattie@gmail.com","username":"natsumet"},"change_message_id":"a41169851aca0552513cca3f19f6102879708f29","unresolved":false,"context_lines":[{"line_number":123,"context_line":"enabled by configuring the :oslo.config:option:`oslo_policy.enforce_scope`"},{"line_number":124,"context_line":"option to ``True``."},{"line_number":125,"context_line":""},{"line_number":126,"context_line":".. 
note::"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"  [oslo_policy]"},{"line_number":129,"context_line":"  enforce_scope\u003dTrue"}],"source_content_type":"text/x-rst","patch_set":15,"id":"1f493fa4_e4f4155e","line":126,"range":{"start_line":126,"start_character":3,"end_line":126,"end_character":7},"in_reply_to":"1f493fa4_e46415bc","updated":"2020-04-23 02:52:35.000000000","message":"okay","commit_id":"5bd94b74857d2bf5515203118a16029408494b7f"}],"doc/source/configuration/policy-new-defaults.rst":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"5985dc3a9e487895e265371656f3cf646167f99a","unresolved":false,"context_lines":[{"line_number":3,"context_line":""},{"line_number":4,"context_line":"Nova default policies were hard to understand and difficult to use without"},{"line_number":5,"context_line":"overriding them with appropriate roles. Ideally, most operators should be"},{"line_number":6,"context_line":"able to run without modifying policy"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"In Nova 21.0.0 (OpenStack Ussuri) release Nova policies provide new default"},{"line_number":9,"context_line":"roles with scope_type capabilities. These new changes improve the security"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_a53799b0","line":6,"updated":"2020-04-16 01:51:52.000000000","message":"This is OK but feels a bit too generic IMHO. That is, it is clearly written by someone who knows everything and not giving info to layperson.\n\nWould be nicer to describe what was hard to understand about them, what was difficult. Add some words that gives an example of what was hard to use and why overriding was necessary. 
And then add another sentence explaining what is new and why it\u0027s easy and no override necessary.\n\nJust to give users an overview of how it makes life better and give them more temptation to review and try out the new defaults and scope types.","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"449ea953464b2f48a11ea3bc35b25888f22ebf2d","unresolved":false,"context_lines":[{"line_number":3,"context_line":""},{"line_number":4,"context_line":"Nova default policies were hard to understand and difficult to use without"},{"line_number":5,"context_line":"overriding them with appropriate roles. Ideally, most operators should be"},{"line_number":6,"context_line":"able to run without modifying policy"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"In Nova 21.0.0 (OpenStack Ussuri) release Nova policies provide new default"},{"line_number":9,"context_line":"roles with scope_type capabilities. These new changes improve the security"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_e6da3de7","line":6,"in_reply_to":"3f4c43b2_a53799b0","updated":"2020-04-16 16:29:49.000000000","message":"I see. I will try to put some example here.","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"71c6c29c37c7409a2f4738fc4490339261437442","unresolved":false,"context_lines":[{"line_number":5,"context_line":"overriding them with appropriate roles. 
Ideally, most operators should be"},{"line_number":6,"context_line":"able to run without modifying policy"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"In Nova 21.0.0 (OpenStack Ussuri) release Nova policies provide new default"},{"line_number":9,"context_line":"roles with scope_type capabilities. These new changes improve the security"},{"line_number":10,"context_line":"level and manageability. New policies are richer in terms of handling access"},{"line_number":11,"context_line":"at system and project level token with Read \u0026 Write roles."}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_9c84680e","line":8,"range":{"start_line":8,"start_character":56,"end_line":8,"end_character":63},"updated":"2020-04-17 01:38:08.000000000","message":"nit: Instead of providing roles through nova, nova is consuming the default roles provided by keystone (admin, member, and reader).\n\nThe idea of using something common from keystone reduces the likelihood of similar, but different, roles implemented across projects (e.g., a role called observer versus reader versus auditor). This makes it easier to understand who can do what across projects, reduces divergence, and increases interoperability.","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":5,"context_line":"overriding them with appropriate roles. Ideally, most operators should be"},{"line_number":6,"context_line":"able to run without modifying policy"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"In Nova 21.0.0 (OpenStack Ussuri) release Nova policies provide new default"},{"line_number":9,"context_line":"roles with scope_type capabilities. 
These new changes improve the security"},{"line_number":10,"context_line":"level and manageability. New policies are richer in terms of handling access"},{"line_number":11,"context_line":"at system and project level token with Read \u0026 Write roles."}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_24bc0b68","line":8,"range":{"start_line":8,"start_character":56,"end_line":8,"end_character":63},"in_reply_to":"3f4c43b2_9c84680e","updated":"2020-04-17 16:13:40.000000000","message":"thanks. that is much clear. done","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"35c8a751d76bdc0a7c8fb501f267bfab7607dcdc","unresolved":false,"context_lines":[{"line_number":6,"context_line":"able to run without modifying policy"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"In Nova 21.0.0 (OpenStack Ussuri) release Nova policies provide new default"},{"line_number":9,"context_line":"roles with scope_type capabilities. These new changes improve the security"},{"line_number":10,"context_line":"level and manageability. 
New policies are richer in terms of handling access"},{"line_number":11,"context_line":"at system and project level token with Read \u0026 Write roles."},{"line_number":12,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_26ad4588","line":9,"range":{"start_line":9,"start_character":11,"end_line":9,"end_character":34},"updated":"2020-04-16 17:10:22.000000000","message":"Is scope_type something that I\u0027m expected to know before reading this?","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a8dfc25cf82e5b9dd55bbe3396986f19e39c22e6","unresolved":false,"context_lines":[{"line_number":6,"context_line":"able to run without modifying policy"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"In Nova 21.0.0 (OpenStack Ussuri) release Nova policies provide new default"},{"line_number":9,"context_line":"roles with scope_type capabilities. These new changes improve the security"},{"line_number":10,"context_line":"level and manageability. New policies are richer in terms of handling access"},{"line_number":11,"context_line":"at system and project level token with Read \u0026 Write roles."},{"line_number":12,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_521ac77c","line":9,"range":{"start_line":9,"start_character":11,"end_line":9,"end_character":34},"in_reply_to":"3f4c43b2_01a75351","updated":"2020-04-16 21:06:59.000000000","message":"I defined it in Scope section at L15 and linked the keystone doc at L19. 
But here it is like reference before definition :)\n\nI will move or give reference of scope section here","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e32a418f5bb7b0ac690cf3a45f6a61d07d15d8ee","unresolved":false,"context_lines":[{"line_number":6,"context_line":"able to run without modifying policy"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"In Nova 21.0.0 (OpenStack Ussuri) release Nova policies provide new default"},{"line_number":9,"context_line":"roles with scope_type capabilities. These new changes improve the security"},{"line_number":10,"context_line":"level and manageability. New policies are richer in terms of handling access"},{"line_number":11,"context_line":"at system and project level token with Read \u0026 Write roles."},{"line_number":12,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_01a75351","line":9,"range":{"start_line":9,"start_character":11,"end_line":9,"end_character":34},"in_reply_to":"3f4c43b2_26ad4588","updated":"2020-04-16 17:20:59.000000000","message":"Yes, we should reference the keystone doc here where people can follow the link to read:\n\nhttps://docs.openstack.org/keystone/latest/admin/tokens-overview.html#authorization-scopes","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"d1319c473e557a3f4758f65bae1659a4a958931a","unresolved":false,"context_lines":[{"line_number":6,"context_line":"able to run without modifying policy"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"In Nova 21.0.0 (OpenStack Ussuri) release Nova policies provide new default"},{"line_number":9,"context_line":"roles with scope_type capabilities. 
These new changes improve the security"},{"line_number":10,"context_line":"level and manageability. New policies are richer in terms of handling access"},{"line_number":11,"context_line":"at system and project level token with Read \u0026 Write roles."},{"line_number":12,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_7890854f","line":9,"range":{"start_line":9,"start_character":11,"end_line":9,"end_character":34},"in_reply_to":"3f4c43b2_521ac77c","updated":"2020-04-16 21:18:27.000000000","message":"OK, well at the very least then it needs parentheses that says \"(see the Scope section for more information)\".\n\nBut honestly, I think this doc needs to read much more plainly and concisely. And it need not rewrite keystone docs here. It needs to focus on, what does the operator need to do and provide that in a step-by-step kind of way. Like, what is the problem? How does scope types and granular solve the problem? What does the operator need to do? How does the operator do what needs to be done? And link all of the background docs and tools along the way. That is MHO on how this doc should be presented, otherwise it\u0027s going to confuse a lot of people.","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"5985dc3a9e487895e265371656f3cf646167f99a","unresolved":false,"context_lines":[{"line_number":8,"context_line":"In Nova 21.0.0 (OpenStack Ussuri) release Nova policies provide new default"},{"line_number":9,"context_line":"roles with scope_type capabilities. These new changes improve the security"},{"line_number":10,"context_line":"level and manageability. 
New policies are richer in terms of handling access"},{"line_number":11,"context_line":"at system and project level token with Read \u0026 Write roles."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Please refer to this `specification`_ for more detail."},{"line_number":14,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_254b892b","line":11,"updated":"2020-04-16 01:51:52.000000000","message":"You could add some concrete examples like mention how the new policies are more granular, enabling more control over API access. You could mention how with scope types, APIs that were previously admin-only could now be accessed by non-admin using appropriately scoped tokens.\n\nThat reminds me, have we tested whether that will work now with new policies? Can we do live-migration as a non-admin for example?","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"449ea953464b2f48a11ea3bc35b25888f22ebf2d","unresolved":false,"context_lines":[{"line_number":8,"context_line":"In Nova 21.0.0 (OpenStack Ussuri) release Nova policies provide new default"},{"line_number":9,"context_line":"roles with scope_type capabilities. These new changes improve the security"},{"line_number":10,"context_line":"level and manageability. New policies are richer in terms of handling access"},{"line_number":11,"context_line":"at system and project level token with Read \u0026 Write roles."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Please refer to this `specification`_ for more detail."},{"line_number":14,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_4698511a","line":11,"in_reply_to":"3f4c43b2_254b892b","updated":"2020-04-16 16:29:49.000000000","message":"ok. 
I will update.","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"35c8a751d76bdc0a7c8fb501f267bfab7607dcdc","unresolved":false,"context_lines":[{"line_number":9,"context_line":"roles with scope_type capabilities. These new changes improve the security"},{"line_number":10,"context_line":"level and manageability. New policies are richer in terms of handling access"},{"line_number":11,"context_line":"at system and project level token with Read \u0026 Write roles."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Please refer to this `specification`_ for more detail."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"Scope"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_06a80975","line":12,"updated":"2020-04-16 17:10:22.000000000","message":"I kinda agree with Mel that this reads more like marketing than technical documentation.","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"35c8a751d76bdc0a7c8fb501f267bfab7607dcdc","unresolved":false,"context_lines":[{"line_number":15,"context_line":"Scope"},{"line_number":16,"context_line":"-----"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"OpenStack Keystone support different type of scope in tokens."},{"line_number":19,"context_line":"Please refer the detail about all `available scope`_"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"The scope of the requested Token is checked against the"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_86b539d0","line":18,"range":{"start_line":18,"start_character":19,"end_line":18,"end_character":26},"updated":"2020-04-16 
17:10:22.000000000","message":"\"supports\"","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a8dfc25cf82e5b9dd55bbe3396986f19e39c22e6","unresolved":false,"context_lines":[{"line_number":15,"context_line":"Scope"},{"line_number":16,"context_line":"-----"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"OpenStack Keystone support different type of scope in tokens."},{"line_number":19,"context_line":"Please refer the detail about all `available scope`_"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"The scope of the requested Token is checked against the"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_321d7b73","line":18,"range":{"start_line":18,"start_character":19,"end_line":18,"end_character":26},"in_reply_to":"3f4c43b2_86b539d0","updated":"2020-04-16 21:06:59.000000000","message":"Done","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"35c8a751d76bdc0a7c8fb501f267bfab7607dcdc","unresolved":false,"context_lines":[{"line_number":18,"context_line":"OpenStack Keystone support different type of scope in tokens."},{"line_number":19,"context_line":"Please refer the detail about all `available scope`_"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"The scope of the requested Token is checked against the"},{"line_number":22,"context_line":"policy\u0027s scop_type. Each policy is protected with appropriate"},{"line_number":23,"context_line":"``scope_type``. Nova support two types of ``scope_type`` with their"},{"line_number":24,"context_line":"combination. 
[\u0027system\u0027], [\u0027project\u0027] and [\u0027system\u0027, \u0027project\u0027]."}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_46e051cd","line":21,"range":{"start_line":21,"start_character":27,"end_line":21,"end_character":32},"updated":"2020-04-16 17:10:22.000000000","message":"nit: does this need to be capitalized?","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a8dfc25cf82e5b9dd55bbe3396986f19e39c22e6","unresolved":false,"context_lines":[{"line_number":18,"context_line":"OpenStack Keystone support different type of scope in tokens."},{"line_number":19,"context_line":"Please refer the detail about all `available scope`_"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"The scope of the requested Token is checked against the"},{"line_number":22,"context_line":"policy\u0027s scop_type. Each policy is protected with appropriate"},{"line_number":23,"context_line":"``scope_type``. Nova support two types of ``scope_type`` with their"},{"line_number":24,"context_line":"combination. 
[\u0027system\u0027], [\u0027project\u0027] and [\u0027system\u0027, \u0027project\u0027]."}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_92144f50","line":21,"range":{"start_line":21,"start_character":27,"end_line":21,"end_character":32},"in_reply_to":"3f4c43b2_46e051cd","updated":"2020-04-16 21:06:59.000000000","message":"Done","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"35c8a751d76bdc0a7c8fb501f267bfab7607dcdc","unresolved":false,"context_lines":[{"line_number":19,"context_line":"Please refer the detail about all `available scope`_"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"The scope of the requested Token is checked against the"},{"line_number":22,"context_line":"policy\u0027s scop_type. Each policy is protected with appropriate"},{"line_number":23,"context_line":"``scope_type``. Nova support two types of ``scope_type`` with their"},{"line_number":24,"context_line":"combination. [\u0027system\u0027], [\u0027project\u0027] and [\u0027system\u0027, \u0027project\u0027]."},{"line_number":25,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_26c6e549","line":22,"range":{"start_line":22,"start_character":9,"end_line":22,"end_character":18},"updated":"2020-04-16 17:10:22.000000000","message":"\"scope_type\" - again, is this something that I need to understand before reading this doc?","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"35c8a751d76bdc0a7c8fb501f267bfab7607dcdc","unresolved":false,"context_lines":[{"line_number":20,"context_line":""},{"line_number":21,"context_line":"The scope of the requested Token is checked against the"},{"line_number":22,"context_line":"policy\u0027s scop_type. 
Each policy is protected with appropriate"},{"line_number":23,"context_line":"``scope_type``. Nova support two types of ``scope_type`` with their"},{"line_number":24,"context_line":"combination. [\u0027system\u0027], [\u0027project\u0027] and [\u0027system\u0027, \u0027project\u0027]."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_a6e795e4","line":23,"range":{"start_line":23,"start_character":21,"end_line":23,"end_character":28},"updated":"2020-04-16 17:10:22.000000000","message":"\"supports\"","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a8dfc25cf82e5b9dd55bbe3396986f19e39c22e6","unresolved":false,"context_lines":[{"line_number":20,"context_line":""},{"line_number":21,"context_line":"The scope of the requested Token is checked against the"},{"line_number":22,"context_line":"policy\u0027s scop_type. Each policy is protected with appropriate"},{"line_number":23,"context_line":"``scope_type``. Nova support two types of ``scope_type`` with their"},{"line_number":24,"context_line":"combination. 
[\u0027system\u0027], [\u0027project\u0027] and [\u0027system\u0027, \u0027project\u0027]."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_72170353","line":23,"range":{"start_line":23,"start_character":21,"end_line":23,"end_character":28},"in_reply_to":"3f4c43b2_a6e795e4","updated":"2020-04-16 21:06:59.000000000","message":"Done","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"35c8a751d76bdc0a7c8fb501f267bfab7607dcdc","unresolved":false,"context_lines":[{"line_number":21,"context_line":"The scope of the requested Token is checked against the"},{"line_number":22,"context_line":"policy\u0027s scop_type. Each policy is protected with appropriate"},{"line_number":23,"context_line":"``scope_type``. Nova support two types of ``scope_type`` with their"},{"line_number":24,"context_line":"combination. 
[\u0027system\u0027], [\u0027project\u0027] and [\u0027system\u0027, \u0027project\u0027]."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"- [\u0027system\u0027]"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_662bcdea","line":24,"range":{"start_line":24,"start_character":0,"end_line":24,"end_character":11},"updated":"2020-04-16 17:10:22.000000000","message":"I\u0027m not sure what this combination means in practice - if we have an \"everything\" scope, does `system` union `project` \u003d\u003d \"everything\"?","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"71c6c29c37c7409a2f4738fc4490339261437442","unresolved":false,"context_lines":[{"line_number":21,"context_line":"The scope of the requested Token is checked against the"},{"line_number":22,"context_line":"policy\u0027s scop_type. Each policy is protected with appropriate"},{"line_number":23,"context_line":"``scope_type``. Nova support two types of ``scope_type`` with their"},{"line_number":24,"context_line":"combination. 
[\u0027system\u0027], [\u0027project\u0027] and [\u0027system\u0027, \u0027project\u0027]."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"- [\u0027system\u0027]"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_7c035c74","line":24,"range":{"start_line":24,"start_character":0,"end_line":24,"end_character":11},"in_reply_to":"3f4c43b2_662bcdea","updated":"2020-04-17 01:38:08.000000000","message":"The scope denotes which type of token scope the policy needs to evaluate to True or False.\n\nIf you have an API that exposes system-level resources (or resources that might violate tenancy if end-users were to access them), like compute-hypervisors, then you might consider protecting that API with a policy that has scope_types \u003d \u0027system\u0027. Users would need a system-scoped token to access that API (thus proving they\u0027re a system user of some kind, like an admin).\n\nContinuing with the example, this prevents project administrators from accessing the compute hypervisor API since their tokens are scoped to projects, not the system.","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a8dfc25cf82e5b9dd55bbe3396986f19e39c22e6","unresolved":false,"context_lines":[{"line_number":21,"context_line":"The scope of the requested Token is checked against the"},{"line_number":22,"context_line":"policy\u0027s scop_type. Each policy is protected with appropriate"},{"line_number":23,"context_line":"``scope_type``. Nova support two types of ``scope_type`` with their"},{"line_number":24,"context_line":"combination. 
[\u0027system\u0027], [\u0027project\u0027] and [\u0027system\u0027, \u0027project\u0027]."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"- [\u0027system\u0027]"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_582309a9","line":24,"range":{"start_line":24,"start_character":0,"end_line":24,"end_character":11},"in_reply_to":"3f4c43b2_662bcdea","updated":"2020-04-16 21:06:59.000000000","message":"everything is much wider, as keystone has three scope types - \u0027system\u0027, \u0027project\u0027 and \u0027domain\u0027 - defined in the link at L19. \n\nFor nova it is \u0027system\u0027 and \u0027project\u0027 only. [\u0027system\u0027, \u0027project\u0027] means any token with system or project scope can access.\n\nI have defined all three combinations in the sections below","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"35c8a751d76bdc0a7c8fb501f267bfab7607dcdc","unresolved":false,"context_lines":[{"line_number":27,"context_line":"- [\u0027system\u0027]"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Policy with ``scope_type`` as [\u0027system\u0027] means a user with"},{"line_number":30,"context_line":"``system-scoped`` token has permission to access. This can be"},{"line_number":31,"context_line":"seen as a global role. All the system-level operation\u0027s policies"},{"line_number":32,"context_line":"have defaulted to [\u0027system\u0027] ``scope_type``. For Example GET /os-hypervisors."},{"line_number":33,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_46ca111a","line":30,"range":{"start_line":30,"start_character":28,"end_line":30,"end_character":48},"updated":"2020-04-16 17:10:22.000000000","message":"Not permission, right? 
It means the policy applies to him, but the policy doesn\u0027t have to be \"allow\" - right? Or am I way off base?","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a8dfc25cf82e5b9dd55bbe3396986f19e39c22e6","unresolved":false,"context_lines":[{"line_number":27,"context_line":"- [\u0027system\u0027]"},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Policy with ``scope_type`` as [\u0027system\u0027] means a user with"},{"line_number":30,"context_line":"``system-scoped`` token has permission to access. This can be"},{"line_number":31,"context_line":"seen as a global role. All the system-level operation\u0027s policies"},{"line_number":32,"context_line":"have defaulted to [\u0027system\u0027] ``scope_type``. For Example GET /os-hypervisors."},{"line_number":33,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_d86439e7","line":30,"range":{"start_line":30,"start_character":28,"end_line":30,"end_character":48},"in_reply_to":"3f4c43b2_46ca111a","updated":"2020-04-16 21:06:59.000000000","message":"it is allowed if the scope is \u0027system-scoped\u0027. With scope_type there are two levels of checks in oslo policy:\n1. the scope check, which compares the policy\u0027s scope_type with the requester\u0027s token scope\n2. 
the policy roles check, which is nothing but the check_str, where the roles defined in check_str are compared with the requester\u0027s context","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"35c8a751d76bdc0a7c8fb501f267bfab7607dcdc","unresolved":false,"context_lines":[{"line_number":34,"context_line":"- [\u0027system\u0027, \u0027project\u0027]"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Policy with ``scope_type`` as [\u0027system\u0027, \u0027project\u0027] means a user with"},{"line_number":37,"context_line":"``system-scoped`` or ``project-scoped`` token has permission to access."},{"line_number":38,"context_line":"All the project-level operation\u0027s policies have defaulted to"},{"line_number":39,"context_line":"[\u0027system\u0027, \u0027project\u0027] ``scope_type``."},{"line_number":40,"context_line":"For Example POST /servers/{server_id}/action (migrate)"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_e121874f","line":37,"range":{"start_line":37,"start_character":50,"end_line":37,"end_character":70},"updated":"2020-04-16 17:10:22.000000000","message":"Same question","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"35c8a751d76bdc0a7c8fb501f267bfab7607dcdc","unresolved":false,"context_lines":[{"line_number":50,"context_line":":doc:`Policy Reference \u003c/configuration/policy\u003e` and their ``Scope Types``"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"``scope_type`` is hardcoded and cannot be overridden via policy file."},{"line_number":53,"context_line":"This feature is disabled by default to allow operators to migrate from"},{"line_number":54,"context_line":"the old policy enforcement system in a graceful way. 
This can be"},{"line_number":55,"context_line":"enabled via config option in nova.conf in olso_policy section as shown below:"},{"line_number":56,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_41bf9bcf","line":53,"range":{"start_line":53,"start_character":16,"end_line":53,"end_character":24},"updated":"2020-04-16 17:10:22.000000000","message":"Wait, it\u0027s hardcoded but can be disabled? Or is something else disable-able?","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a8dfc25cf82e5b9dd55bbe3396986f19e39c22e6","unresolved":false,"context_lines":[{"line_number":50,"context_line":":doc:`Policy Reference \u003c/configuration/policy\u003e` and their ``Scope Types``"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"``scope_type`` is hardcoded and cannot be overridden via policy file."},{"line_number":53,"context_line":"This feature is disabled by default to allow operators to migrate from"},{"line_number":54,"context_line":"the old policy enforcement system in a graceful way. This can be"},{"line_number":55,"context_line":"enabled via config option in nova.conf in olso_policy section as shown below:"},{"line_number":56,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_587f8966","line":53,"range":{"start_line":53,"start_character":16,"end_line":53,"end_character":24},"in_reply_to":"3f4c43b2_41bf9bcf","updated":"2020-04-16 21:06:59.000000000","message":"scope_type is hardcoded, but the scope check on the oslo.policy side is disabled. 
So if a policy has scope_type defined and the requester\u0027s token does not have the right scope, the request would not fail.","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"35c8a751d76bdc0a7c8fb501f267bfab7607dcdc","unresolved":false,"context_lines":[{"line_number":63,"context_line":"New Defaults"},{"line_number":64,"context_line":"------------"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"Openstack keystone support `new defaults`_"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Along with the ``scope_type`` feature, Nova policy defines new"},{"line_number":69,"context_line":"defaults for each policy."}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_81b9a3ea","line":66,"range":{"start_line":66,"start_character":10,"end_line":66,"end_character":18},"updated":"2020-04-16 17:10:22.000000000","message":"nit: you\u0027re capitalized Nova, so I guess \"Keystone\" here? 
what\u0027s the general standard on this?","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a8dfc25cf82e5b9dd55bbe3396986f19e39c22e6","unresolved":false,"context_lines":[{"line_number":63,"context_line":"New Defaults"},{"line_number":64,"context_line":"------------"},{"line_number":65,"context_line":""},{"line_number":66,"context_line":"Openstack keystone support `new defaults`_"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Along with the ``scope_type`` feature, Nova policy defines new"},{"line_number":69,"context_line":"defaults for each policy."}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_789365a4","line":66,"range":{"start_line":66,"start_character":10,"end_line":66,"end_character":18},"in_reply_to":"3f4c43b2_81b9a3ea","updated":"2020-04-16 21:06:59.000000000","message":"Done","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e32a418f5bb7b0ac690cf3a45f6a61d07d15d8ee","unresolved":false,"context_lines":[{"line_number":66,"context_line":"Openstack keystone support `new defaults`_"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Along with the ``scope_type`` feature, Nova policy defines new"},{"line_number":69,"context_line":"defaults for each policy."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"- Reader"},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_4134bbfb","line":69,"updated":"2020-04-16 17:20:59.000000000","message":"I think here we\u0027ll want to briefly describe default roles and reference the keystone docs for more 
detail:\n\nhttps://docs.openstack.org/keystone/latest/admin/service-api-protection.html","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a8dfc25cf82e5b9dd55bbe3396986f19e39c22e6","unresolved":false,"context_lines":[{"line_number":66,"context_line":"Openstack keystone support `new defaults`_"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"Along with the ``scope_type`` feature, Nova policy defines new"},{"line_number":69,"context_line":"defaults for each policy."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"- Reader"},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_98dd9172","line":69,"in_reply_to":"3f4c43b2_4134bbfb","updated":"2020-04-16 21:06:59.000000000","message":"I linked that at L66at the start of this section","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"35c8a751d76bdc0a7c8fb501f267bfab7607dcdc","unresolved":false,"context_lines":[{"line_number":68,"context_line":"Along with the ``scope_type`` feature, Nova policy defines new"},{"line_number":69,"context_line":"defaults for each policy."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"- Reader"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"This provides read-only access to the resources within the ``system`` or"},{"line_number":74,"context_line":"``project``. 
Policies are defaulted to ``system_reader_api`` and"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_41a4bbb9","line":71,"range":{"start_line":71,"start_character":2,"end_line":71,"end_character":8},"updated":"2020-04-16 17:10:22.000000000","message":"So this is a policy default?","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a8dfc25cf82e5b9dd55bbe3396986f19e39c22e6","unresolved":false,"context_lines":[{"line_number":68,"context_line":"Along with the ``scope_type`` feature, Nova policy defines new"},{"line_number":69,"context_line":"defaults for each policy."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"- Reader"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"This provides read-only access to the resources within the ``system`` or"},{"line_number":74,"context_line":"``project``. Policies are defaulted to ``system_reader_api`` and"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_b8bb2d0c","line":71,"range":{"start_line":71,"start_character":2,"end_line":71,"end_character":8},"in_reply_to":"3f4c43b2_41a4bbb9","updated":"2020-04-16 21:06:59.000000000","message":"this is one of role we have in our default. I think I should add the exact default which are combination of role with scope level","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"35c8a751d76bdc0a7c8fb501f267bfab7607dcdc","unresolved":false,"context_lines":[{"line_number":74,"context_line":"``project``. 
Policies are defaulted to ``system_reader_api`` and"},{"line_number":75,"context_line":"``system_or_project_reader``"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"- Member"},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"This role is to perform the project level write operation with combination"},{"line_number":80,"context_line":"to the system admin. Policies are defaulted to ``system_admin_or_owner`` and"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_a1abff86","line":77,"range":{"start_line":77,"start_character":2,"end_line":77,"end_character":8},"updated":"2020-04-16 17:10:22.000000000","message":"But this is a role?","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a8dfc25cf82e5b9dd55bbe3396986f19e39c22e6","unresolved":false,"context_lines":[{"line_number":74,"context_line":"``project``. Policies are defaulted to ``system_reader_api`` and"},{"line_number":75,"context_line":"``system_or_project_reader``"},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"- Member"},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"This role is to perform the project level write operation with combination"},{"line_number":80,"context_line":"to the system admin. 
Policies are defaulted to ``system_admin_or_owner`` and"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_984bd129","line":77,"range":{"start_line":77,"start_character":2,"end_line":77,"end_character":8},"in_reply_to":"3f4c43b2_a1abff86","updated":"2020-04-16 21:06:59.000000000","message":"yeah, let me add exact default from nova perspective.","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"ce2545c8e9b2939ab3c304f85c444d15c14f06d1","unresolved":false,"context_lines":[{"line_number":104,"context_line":""},{"line_number":105,"context_line":"Migration Plan"},{"line_number":106,"context_line":"--------------"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"To have a graceful migration, nova provides two flags to switch to new policy"},{"line_number":109,"context_line":"completely. You do not need to write the policy file to adopt the new policy"},{"line_number":110,"context_line":"defaults. We expect all the deployement to migrate to new policy by 23.0.0"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_862539ae","line":107,"updated":"2020-04-16 15:51:43.000000000","message":"I think this section also needs to explain in detail (1) whether deployers need to set up new roles in keystone to begin using scope types and give or point to instructions (keystone docs?) on how to do that (2) explain that deployers will need to educate end users about how to request scoped tokens from keystone. For example, how will system admin work in the new world? It will no longer work to use the \"admin\" role, right? 
Instead, end user must request a system admin scoped token to call admin APIs successfully.\n\nThis all needs to be explained in our docs.","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"449ea953464b2f48a11ea3bc35b25888f22ebf2d","unresolved":false,"context_lines":[{"line_number":104,"context_line":""},{"line_number":105,"context_line":"Migration Plan"},{"line_number":106,"context_line":"--------------"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"To have a graceful migration, nova provides two flags to switch to new policy"},{"line_number":109,"context_line":"completely. You do not need to write the policy file to adopt the new policy"},{"line_number":110,"context_line":"defaults. We expect all the deployement to migrate to new policy by 23.0.0"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_4666912b","line":107,"in_reply_to":"3f4c43b2_862539ae","updated":"2020-04-16 16:29:49.000000000","message":"nice idea. I linked keystone doc in upper section but not enough.  \n\nkeystone bootstrap process they need to re-run to have the implied roles. I think keystone should have the doc there, I will ask lance or keystone team and link here.","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"5985dc3a9e487895e265371656f3cf646167f99a","unresolved":false,"context_lines":[{"line_number":132,"context_line":"whether or not to use old deprecated defaults when evaluating policies."},{"line_number":133,"context_line":"If True, the old deprecated defaults are not going to be evaluated. 
This"},{"line_number":134,"context_line":"means if any existing token is allowed for old defaults but is disallowed"},{"line_number":135,"context_line":"for new defaults, it will be disallowed. "},{"line_number":136,"context_line":""},{"line_number":137,"context_line":"This is false by default and can be enabled via config option in nova.conf"},{"line_number":138,"context_line":"as shown below::"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_a56039a7","line":135,"range":{"start_line":135,"start_character":40,"end_line":135,"end_character":41},"updated":"2020-04-16 01:51:52.000000000","message":"trailing whitespace","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"449ea953464b2f48a11ea3bc35b25888f22ebf2d","unresolved":false,"context_lines":[{"line_number":132,"context_line":"whether or not to use old deprecated defaults when evaluating policies."},{"line_number":133,"context_line":"If True, the old deprecated defaults are not going to be evaluated. This"},{"line_number":134,"context_line":"means if any existing token is allowed for old defaults but is disallowed"},{"line_number":135,"context_line":"for new defaults, it will be disallowed. 
"},{"line_number":136,"context_line":""},{"line_number":137,"context_line":"This is false by default and can be enabled via config option in nova.conf"},{"line_number":138,"context_line":"as shown below::"}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f4c43b2_269385fc","line":135,"range":{"start_line":135,"start_character":40,"end_line":135,"end_character":41},"in_reply_to":"3f4c43b2_a56039a7","updated":"2020-04-16 16:29:49.000000000","message":"Done","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":1,"context_line":"Nova Policy new defaults"},{"line_number":2,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":"Nova default policies were hard to understand and difficult to use without"},{"line_number":5,"context_line":"overriding them with appropriate roles. Ideally, most operators should be"},{"line_number":6,"context_line":"able to run without modifying policy."},{"line_number":7,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_0e077084","line":4,"range":{"start_line":4,"start_character":22,"end_line":4,"end_character":31},"updated":"2020-04-17 14:39:01.000000000","message":"For someone reading this in the future, or even after their upgrade to U, this won\u0027t hold much meaning. 
Perhaps you can say \"Prior to the Ussuri release\" ?","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":1,"context_line":"Nova Policy new defaults"},{"line_number":2,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":"Nova default policies were hard to understand and difficult to use without"},{"line_number":5,"context_line":"overriding them with appropriate roles. Ideally, most operators should be"},{"line_number":6,"context_line":"able to run without modifying policy."},{"line_number":7,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_e44fc38f","line":4,"range":{"start_line":4,"start_character":22,"end_line":4,"end_character":31},"in_reply_to":"3f4c43b2_0e077084","updated":"2020-04-17 16:13:40.000000000","message":"sure, done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":5,"context_line":"overriding them with appropriate roles. Ideally, most operators should be"},{"line_number":6,"context_line":"able to run without modifying policy."},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"Few common problems every deployment face with the current defaults:"},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"#. No global vs project admin. 
``admin_only`` is used for the global admin that"},{"line_number":11,"context_line":"   is able to make almost any change to Nova, and see all details of the Nova"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_6ef55483","line":8,"range":{"start_line":8,"start_character":0,"end_line":8,"end_character":41},"updated":"2020-04-17 14:39:01.000000000","message":"\"Every deployment faces a few common problems\"","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":5,"context_line":"overriding them with appropriate roles. Ideally, most operators should be"},{"line_number":6,"context_line":"able to run without modifying policy."},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"Few common problems every deployment face with the current defaults:"},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"#. No global vs project admin. ``admin_only`` is used for the global admin that"},{"line_number":11,"context_line":"   is able to make almost any change to Nova, and see all details of the Nova"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_244a4b7f","line":8,"range":{"start_line":8,"start_character":0,"end_line":8,"end_character":41},"in_reply_to":"3f4c43b2_6ef55483","updated":"2020-04-17 16:13:40.000000000","message":"Done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":12,"context_line":"   system. 
The rule passes for any user with an admin role, it doesn’t matter"},{"line_number":13,"context_line":"   which project is used."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"#. ``admin_or_owner`` does not work as expected. In most APIs we use the"},{"line_number":16,"context_line":"   default target, which means this rule will pass for any authenticated user."},{"line_number":17,"context_line":"   The database layer control the project level access for example project A"},{"line_number":18,"context_line":"   can pass the policy and try to access the project B servers which is further"},{"line_number":19,"context_line":"   denied by database layer. This means it is impossible to have a custom role"},{"line_number":20,"context_line":"   that allows a user to perform live-migration of a server in a different"},{"line_number":21,"context_line":"   project to their token, without the user being given the global admin role."},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"#. No read-only roles. If you want a ``reader`` role, several APIs share a"},{"line_number":24,"context_line":"   single policy rule for read and write actions, i.e. we don’t have the"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_eeca0418","line":21,"range":{"start_line":15,"start_character":49,"end_line":21,"end_character":78},"updated":"2020-04-17 14:39:01.000000000","message":"It sounds like this is supposed to explain the first sentence, but I don\u0027t think that it does, especially for someone that doesn\u0027t understand the inner workings of nova. I think what you\u0027re trying to say is that the database enforces ownership rules for non-admins, without a view of what the policy is (which can change), is that right?\n\nI think this is supposed to be deployer-focused documentation, which means it needs to make sense to someone not familiar with the internals. 
This paragraph barely makes sense to me, knowing the internals. Perhaps something like this would be better:\n\n\"For most APIs, the project authentication happened in a separate component in nova that did not honor changes to policy and thus policy could not override hard-coded in-project checks.\"\n\nIt\u0027s also important (per my comment above) to clearly indicate *when* this was true, so that someone coming in 2022 to figure out policy stuff, finds this document, and reads it as gospel for a new deployment understand that what you\u0027re talking about here is old.","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":12,"context_line":"   system. The rule passes for any user with an admin role, it doesn’t matter"},{"line_number":13,"context_line":"   which project is used."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"#. ``admin_or_owner`` does not work as expected. In most APIs we use the"},{"line_number":16,"context_line":"   default target, which means this rule will pass for any authenticated user."},{"line_number":17,"context_line":"   The database layer control the project level access for example project A"},{"line_number":18,"context_line":"   can pass the policy and try to access the project B servers which is further"},{"line_number":19,"context_line":"   denied by database layer. This means it is impossible to have a custom role"},{"line_number":20,"context_line":"   that allows a user to perform live-migration of a server in a different"},{"line_number":21,"context_line":"   project to their token, without the user being given the global admin role."},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"#. No read-only roles. 
If you want a ``reader`` role, several APIs share a"},{"line_number":24,"context_line":"   single policy rule for read and write actions, i.e. we don’t have the"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_eae94d1a","line":21,"range":{"start_line":15,"start_character":49,"end_line":21,"end_character":78},"in_reply_to":"3f4c43b2_eeca0418","updated":"2020-04-17 16:13:40.000000000","message":"I was (still) re-thinking while adding this paragraph. As you know that admin checks in DB are not yet removed so policy new defaults not exactly solved this problem fully. But it solves the problem where the user has access to get the other project\u0027s rescued server but not supposed to unrescue it. With old policy, anyone have access to get server, can unrescue it.  With new policy defaults, it is solved and unrescue policy checks the project_id and fail correctly.\n\nLet me mention that problem which is solved now and not to mention the DB check things which still exist.","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":24,"context_line":"   single policy rule for read and write actions, i.e. 
we don’t have the"},{"line_number":25,"context_line":"   granularity for such a role to be added."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"These are the some common issue have been solved with new defaults."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Keystone comes with ``admin``, ``member`` and ``reader`` roles by default."},{"line_number":30,"context_line":"You can get more information about these new defaults in `new defaults`_"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_6ed6f4c5","line":27,"range":{"start_line":27,"start_character":26,"end_line":27,"end_character":31},"updated":"2020-04-17 14:39:01.000000000","message":"\"issues, which\"","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":24,"context_line":"   single policy rule for read and write actions, i.e. we don’t have the"},{"line_number":25,"context_line":"   granularity for such a role to be added."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"These are the some common issue have been solved with new defaults."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Keystone comes with ``admin``, ``member`` and ``reader`` roles by default."},{"line_number":30,"context_line":"You can get more information about these new defaults in `new defaults`_"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_4eeb3878","line":27,"range":{"start_line":27,"start_character":58,"end_line":27,"end_character":66},"updated":"2020-04-17 14:39:01.000000000","message":"I don\u0027t see how the hard-coded database checks could be fixed by just changing policy defaults. 
So either I misunderstood what you said above, or this needs to change.","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":24,"context_line":"   single policy rule for read and write actions, i.e. we don’t have the"},{"line_number":25,"context_line":"   granularity for such a role to be added."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"These are the some common issue have been solved with new defaults."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Keystone comes with ``admin``, ``member`` and ``reader`` roles by default."},{"line_number":30,"context_line":"You can get more information about these new defaults in `new defaults`_"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_ca9e11b7","line":27,"range":{"start_line":27,"start_character":26,"end_line":27,"end_character":31},"in_reply_to":"3f4c43b2_6ed6f4c5","updated":"2020-04-17 16:13:40.000000000","message":"You are right. We have not removed the hard-coded is_admin checks from DB which is next step. Let me be explicit on what all problem these new defaults solved.","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"71c6c29c37c7409a2f4738fc4490339261437442","unresolved":false,"context_lines":[{"line_number":31,"context_line":"document."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"In addition, Keystone provides the new “system scope” concept to define which"},{"line_number":34,"context_line":"users are global administrators. 
Please refer `available scope`_ document"},{"line_number":35,"context_line":"and `system scope specification`_ to understand the scope concept."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"In Nova 21.0.0 (OpenStack Ussuri) release, Nova policies implemented the"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_6171f0a9","line":34,"range":{"start_line":34,"start_character":10,"end_line":34,"end_character":16},"updated":"2020-04-17 01:38:08.000000000","message":"nit: I tend to shy away from the term \"global\" because it\u0027s easy to think of it as a really big hammer that people can use to do anything.\n\nInstead, I try and communicate the use case behind each scope + role permutation. System administrators aren\u0027t necessarily \"global\" users (they\u0027re still namespaced to a domain), but they\u0027re allowed to work with system-level resources.\n\nI might just say for this particular bit that:\n\nIn addition, keystone supports a new \"system scope\" concept that makes it easier to protect deployment level resources from project or domain level resources.","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":31,"context_line":"document."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"In addition, Keystone provides the new “system scope” concept to define which"},{"line_number":34,"context_line":"users are global administrators. 
Please refer `available scope`_ document"},{"line_number":35,"context_line":"and `system scope specification`_ to understand the scope concept."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"In Nova 21.0.0 (OpenStack Ussuri) release, Nova policies implemented the"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_4ad8417e","line":34,"range":{"start_line":34,"start_character":10,"end_line":34,"end_character":16},"in_reply_to":"3f4c43b2_6171f0a9","updated":"2020-04-17 16:13:40.000000000","message":"thanks for more clarity. done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":34,"context_line":"users are global administrators. Please refer `available scope`_ document"},{"line_number":35,"context_line":"and `system scope specification`_ to understand the scope concept."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"In Nova 21.0.0 (OpenStack Ussuri) release, Nova policies implemented the"},{"line_number":38,"context_line":"Keystone new defaults and scope capabilities. 
Next sections are going"},{"line_number":39,"context_line":"to explain how new defaults and scope concept can solve the problems mentioned"},{"line_number":40,"context_line":"above."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_ee98441c","line":37,"range":{"start_line":37,"start_character":2,"end_line":37,"end_character":3},"updated":"2020-04-17 14:39:01.000000000","message":"the","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":34,"context_line":"users are global administrators. Please refer `available scope`_ document"},{"line_number":35,"context_line":"and `system scope specification`_ to understand the scope concept."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"In Nova 21.0.0 (OpenStack Ussuri) release, Nova policies implemented the"},{"line_number":38,"context_line":"Keystone new defaults and scope capabilities. 
Next sections are going"},{"line_number":39,"context_line":"to explain how new defaults and scope concept can solve the problems mentioned"},{"line_number":40,"context_line":"above."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_aae74540","line":37,"range":{"start_line":37,"start_character":2,"end_line":37,"end_character":3},"in_reply_to":"3f4c43b2_ee98441c","updated":"2020-04-17 16:13:40.000000000","message":"Done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"71c6c29c37c7409a2f4738fc4490339261437442","unresolved":false,"context_lines":[{"line_number":35,"context_line":"and `system scope specification`_ to understand the scope concept."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"In Nova 21.0.0 (OpenStack Ussuri) release, Nova policies implemented the"},{"line_number":38,"context_line":"Keystone new defaults and scope capabilities. 
Next sections are going"},{"line_number":39,"context_line":"to explain how new defaults and scope concept can solve the problems mentioned"},{"line_number":40,"context_line":"above."},{"line_number":41,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_a16ad8af","line":38,"range":{"start_line":38,"start_character":13,"end_line":38,"end_character":21},"updated":"2020-04-17 01:38:08.000000000","message":"nit: the new default roles and scopes provided by keystone.","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":35,"context_line":"and `system scope specification`_ to understand the scope concept."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"In Nova 21.0.0 (OpenStack Ussuri) release, Nova policies implemented the"},{"line_number":38,"context_line":"Keystone new defaults and scope capabilities. 
Next sections are going"},{"line_number":39,"context_line":"to explain how new defaults and scope concept can solve the problems mentioned"},{"line_number":40,"context_line":"above."},{"line_number":41,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_ead2ed5b","line":38,"range":{"start_line":38,"start_character":13,"end_line":38,"end_character":21},"in_reply_to":"3f4c43b2_a16ad8af","updated":"2020-04-17 16:13:40.000000000","message":"Done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"71c6c29c37c7409a2f4738fc4490339261437442","unresolved":false,"context_lines":[{"line_number":36,"context_line":""},{"line_number":37,"context_line":"In Nova 21.0.0 (OpenStack Ussuri) release, Nova policies implemented the"},{"line_number":38,"context_line":"Keystone new defaults and scope capabilities. Next sections are going"},{"line_number":39,"context_line":"to explain how new defaults and scope concept can solve the problems mentioned"},{"line_number":40,"context_line":"above."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Please refer to this `nova specification`_ also for more detail."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_019f4cb4","line":39,"range":{"start_line":39,"start_character":15,"end_line":39,"end_character":45},"updated":"2020-04-17 01:38:08.000000000","message":"nit: these new defaults in nova extend more functionality to end users in a safe and secure way.","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":36,"context_line":""},{"line_number":37,"context_line":"In Nova 21.0.0 (OpenStack 
Ussuri) release, Nova policies implemented the"},{"line_number":38,"context_line":"Keystone new defaults and scope capabilities. Next sections are going"},{"line_number":39,"context_line":"to explain how new defaults and scope concept can solve the problems mentioned"},{"line_number":40,"context_line":"above."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"Please refer to this `nova specification`_ also for more detail."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_0ad0f94f","line":39,"range":{"start_line":39,"start_character":15,"end_line":39,"end_character":45},"in_reply_to":"3f4c43b2_019f4cb4","updated":"2020-04-17 16:13:40.000000000","message":"Done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":44,"context_line":"Scope"},{"line_number":45,"context_line":"-----"},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"OpenStack Keystone supports different type of scope in tokens."},{"line_number":48,"context_line":"Please refer the detail about all `available scope`_. 
Policies"},{"line_number":49,"context_line":"can implement the scope concept with ``scope_type`` variable."},{"line_number":50,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_2ea34c51","line":47,"range":{"start_line":47,"start_character":38,"end_line":47,"end_character":51},"updated":"2020-04-17 14:39:01.000000000","message":"scopes","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":44,"context_line":"Scope"},{"line_number":45,"context_line":"-----"},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"OpenStack Keystone supports different type of scope in tokens."},{"line_number":48,"context_line":"Please refer the detail about all `available scope`_. Policies"},{"line_number":49,"context_line":"can implement the scope concept with ``scope_type`` variable."},{"line_number":50,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_6ac6dd9c","line":47,"range":{"start_line":47,"start_character":38,"end_line":47,"end_character":51},"in_reply_to":"3f4c43b2_2ea34c51","updated":"2020-04-17 16:13:40.000000000","message":"Done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":46,"context_line":""},{"line_number":47,"context_line":"OpenStack Keystone supports different type of scope in tokens."},{"line_number":48,"context_line":"Please refer the detail about all `available scope`_. 
Policies"},{"line_number":49,"context_line":"can implement the scope concept with ``scope_type`` variable."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Nova policies implemented the scope concept by defining the ``scope_type``"},{"line_number":52,"context_line":"in policies as:"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_8e89c0cb","line":49,"range":{"start_line":49,"start_character":32,"end_line":49,"end_character":36},"updated":"2020-04-17 14:39:01.000000000","message":"\"with the\"","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"71c6c29c37c7409a2f4738fc4490339261437442","unresolved":false,"context_lines":[{"line_number":45,"context_line":"-----"},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"OpenStack Keystone supports different type of scope in tokens."},{"line_number":48,"context_line":"Please refer the detail about all `available scope`_. Policies"},{"line_number":49,"context_line":"can implement the scope concept with ``scope_type`` variable."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Nova policies implemented the scope concept by defining the ``scope_type``"},{"line_number":52,"context_line":"in policies as:"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_c18d647c","line":49,"range":{"start_line":48,"start_character":54,"end_line":49,"end_character":61},"updated":"2020-04-17 01:38:08.000000000","message":"++\n\nToken scopes represent the layer of authorization. Policy scope_types represent the layer of authorization required to access an API.\n\nExample:\n\nI have a project-scoped token with the reader role. I can make read-only operations on resources within the project my token is scoped to. 
Or, I have a system-scoped token with the admin role, I can add new compute hypervisors to my deployment to increase my capacity.","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":46,"context_line":""},{"line_number":47,"context_line":"OpenStack Keystone supports different type of scope in tokens."},{"line_number":48,"context_line":"Please refer the detail about all `available scope`_. Policies"},{"line_number":49,"context_line":"can implement the scope concept with ``scope_type`` variable."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Nova policies implemented the scope concept by defining the ``scope_type``"},{"line_number":52,"context_line":"in policies as:"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_ca3a9196","line":49,"range":{"start_line":49,"start_character":32,"end_line":49,"end_character":36},"in_reply_to":"3f4c43b2_8e89c0cb","updated":"2020-04-17 16:13:40.000000000","message":"Done.","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":48,"context_line":"Please refer the detail about all `available scope`_. Policies"},{"line_number":49,"context_line":"can implement the scope concept with ``scope_type`` variable."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Nova policies implemented the scope concept by defining the ``scope_type``"},{"line_number":52,"context_line":"in policies as:"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"#. 
``System`` Scoped"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_ce93c8f9","line":51,"range":{"start_line":51,"start_character":14,"end_line":51,"end_character":25},"updated":"2020-04-17 14:39:01.000000000","message":"\"can implement\"\n\nAlthough this sentence is almost a duplicate of the previous sentence. Maybe remove the previous one?","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":48,"context_line":"Please refer the detail about all `available scope`_. Policies"},{"line_number":49,"context_line":"can implement the scope concept with ``scope_type`` variable."},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Nova policies implemented the scope concept by defining the ``scope_type``"},{"line_number":52,"context_line":"in policies as:"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"#. ``System`` Scoped"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_2a5b35f7","line":51,"range":{"start_line":51,"start_character":14,"end_line":51,"end_character":25},"in_reply_to":"3f4c43b2_ce93c8f9","updated":"2020-04-17 16:13:40.000000000","message":"for nova policy I mentioned \u0027implemented\u0027 as we have implemented those.","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":51,"context_line":"Nova policies implemented the scope concept by defining the ``scope_type``"},{"line_number":52,"context_line":"in policies as:"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"#. 
``System`` Scoped"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"   Policy with ``scope_type`` as ``system`` means a user with"},{"line_number":57,"context_line":"   ``system-scoped`` token has permission to access. This can be"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_0ebf7061","line":54,"range":{"start_line":54,"start_character":14,"end_line":54,"end_character":20},"updated":"2020-04-17 14:39:01.000000000","message":"I think \"Scope\" would be better here.","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":51,"context_line":"Nova policies implemented the scope concept by defining the ``scope_type``"},{"line_number":52,"context_line":"in policies as:"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"#. ``System`` Scoped"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"   Policy with ``scope_type`` as ``system`` means a user with"},{"line_number":57,"context_line":"   ``system-scoped`` token has permission to access. This can be"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_0a5e39e5","line":54,"range":{"start_line":54,"start_character":14,"end_line":54,"end_character":20},"in_reply_to":"3f4c43b2_0ebf7061","updated":"2020-04-17 16:13:40.000000000","message":"Done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":53,"context_line":""},{"line_number":54,"context_line":"#. 
``System`` Scoped"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"   Policy with ``scope_type`` as ``system`` means a user with"},{"line_number":57,"context_line":"   ``system-scoped`` token has permission to access. This can be"},{"line_number":58,"context_line":"   seen as a global role. All the system-level operation\u0027s policies"},{"line_number":59,"context_line":"   have defaulted to [\u0027system\u0027] ``scope_type``."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_2ebcec67","line":56,"range":{"start_line":56,"start_character":3,"end_line":56,"end_character":9},"updated":"2020-04-17 14:39:01.000000000","message":"Policies","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":53,"context_line":""},{"line_number":54,"context_line":"#. ``System`` Scoped"},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"   Policy with ``scope_type`` as ``system`` means a user with"},{"line_number":57,"context_line":"   ``system-scoped`` token has permission to access. This can be"},{"line_number":58,"context_line":"   seen as a global role. 
All the system-level operation\u0027s policies"},{"line_number":59,"context_line":"   have defaulted to [\u0027system\u0027] ``scope_type``."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_6a741d69","line":56,"range":{"start_line":56,"start_character":3,"end_line":56,"end_character":9},"in_reply_to":"3f4c43b2_2ebcec67","updated":"2020-04-17 16:13:40.000000000","message":"Done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":70,"context_line":"          Scope Types"},{"line_number":71,"context_line":"             - system"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"          List all hypervisors."},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"#. ``System and Project`` Scoped"},{"line_number":76,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_89741a6a","line":73,"updated":"2020-04-17 14:39:01.000000000","message":"I don\u0027t understand this block of (not python btw) stuff. I expected to see a policy.json snippet...","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":70,"context_line":"          Scope Types"},{"line_number":71,"context_line":"             - system"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"          List all hypervisors."},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"#. 
``System and Project`` Scoped"},{"line_number":76,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_0abab9dc","line":73,"in_reply_to":"3f4c43b2_89741a6a","updated":"2020-04-17 16:13:40.000000000","message":"ah my bad. done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":76,"context_line":""},{"line_number":77,"context_line":"   Policy with ``scope_type`` as ``system\u0027 and project`` means a user with"},{"line_number":78,"context_line":"   ``system-scoped`` or ``project-scoped`` token has permission to access."},{"line_number":79,"context_line":"   All the system + proejct level operation\u0027s policies have defaulted to"},{"line_number":80,"context_line":"   ``system and project`` ``scope_type``."},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"   For Example POST /servers/{server_id}/action (os-migrateLive)"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_e9083eda","line":79,"range":{"start_line":79,"start_character":18,"end_line":79,"end_character":19},"updated":"2020-04-17 14:39:01.000000000","message":"and","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"71c6c29c37c7409a2f4738fc4490339261437442","unresolved":false,"context_lines":[{"line_number":76,"context_line":""},{"line_number":77,"context_line":"   Policy with ``scope_type`` as ``system\u0027 and project`` means a user with"},{"line_number":78,"context_line":"   ``system-scoped`` or ``project-scoped`` token has permission to access."},{"line_number":79,"context_line":"   All the system + proejct level operation\u0027s policies have defaulted 
to"},{"line_number":80,"context_line":"   ``system and project`` ``scope_type``."},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"   For Example POST /servers/{server_id}/action (os-migrateLive)"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_61f450f3","line":79,"range":{"start_line":79,"start_character":20,"end_line":79,"end_character":27},"updated":"2020-04-17 01:38:08.000000000","message":"project*","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":76,"context_line":""},{"line_number":77,"context_line":"   Policy with ``scope_type`` as ``system\u0027 and project`` means a user with"},{"line_number":78,"context_line":"   ``system-scoped`` or ``project-scoped`` token has permission to access."},{"line_number":79,"context_line":"   All the system + proejct level operation\u0027s policies have defaulted to"},{"line_number":80,"context_line":"   ``system and project`` ``scope_type``."},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"   For Example POST /servers/{server_id}/action (os-migrateLive)"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_4acb2171","line":79,"range":{"start_line":79,"start_character":18,"end_line":79,"end_character":19},"in_reply_to":"3f4c43b2_e9083eda","updated":"2020-04-17 16:13:40.000000000","message":"Done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":113,"context_line":"             - project"},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"          Create 
a new server group"},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"To know each policy\u0027s scope_type, please refer this"},{"line_number":118,"context_line":":doc:`Policy Reference \u003c/configuration/policy\u003e` and look"},{"line_number":119,"context_line":"for ``Scope Types``."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_c91c6214","line":116,"updated":"2020-04-17 14:39:01.000000000","message":"Having read these three examples, I\u0027m not sure what you\u0027re trying to demonstrate. Are you giving three examples of api calls with a different scope, one each of system, project+system, and project? Does the deployer control this or are these hard-coded into the API?","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":113,"context_line":"             - project"},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"          Create a new server group"},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"To know each policy\u0027s scope_type, please refer this"},{"line_number":118,"context_line":":doc:`Policy Reference \u003c/configuration/policy\u003e` and look"},{"line_number":119,"context_line":"for ``Scope Types``."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_aa9f455d","line":116,"in_reply_to":"3f4c43b2_c91c6214","updated":"2020-04-17 16:13:40.000000000","message":"they are hard-coded. My intent in showing these three types of example is to teach operators how they can see which scope each API is scoped to, so that they can refresh their token accordingly. 
\n\nLet me add more clarification about these examples.","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"71c6c29c37c7409a2f4738fc4490339261437442","unresolved":false,"context_lines":[{"line_number":118,"context_line":":doc:`Policy Reference \u003c/configuration/policy\u003e` and look"},{"line_number":119,"context_line":"for ``Scope Types``."},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"This way the problem of global vs project level admin can be solved. You can"},{"line_number":122,"context_line":"control the information with scope of the users. This means you can"},{"line_number":123,"context_line":"controle that none of the project level role can get the hypervisor"},{"line_number":124,"context_line":"information."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_e1e7c03f","line":121,"range":{"start_line":121,"start_character":24,"end_line":121,"end_character":30},"updated":"2020-04-17 01:38:08.000000000","message":"nit: system?","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":118,"context_line":":doc:`Policy Reference \u003c/configuration/policy\u003e` and look"},{"line_number":119,"context_line":"for ``Scope Types``."},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"This way the problem of global vs project level admin can be solved. You can"},{"line_number":122,"context_line":"control the information with scope of the users. 
This means you can"},{"line_number":123,"context_line":"controle that none of the project level role can get the hypervisor"},{"line_number":124,"context_line":"information."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_8a9a496b","line":121,"range":{"start_line":121,"start_character":24,"end_line":121,"end_character":30},"in_reply_to":"3f4c43b2_e1e7c03f","updated":"2020-04-17 16:13:40.000000000","message":"Done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"71c6c29c37c7409a2f4738fc4490339261437442","unresolved":false,"context_lines":[{"line_number":120,"context_line":""},{"line_number":121,"context_line":"This way the problem of global vs project level admin can be solved. You can"},{"line_number":122,"context_line":"control the information with scope of the users. This means you can"},{"line_number":123,"context_line":"controle that none of the project level role can get the hypervisor"},{"line_number":124,"context_line":"information."},{"line_number":125,"context_line":""},{"line_number":126,"context_line":".. note:: ``scope_type`` is not overridable via policy file."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_c1e2842f","line":123,"range":{"start_line":123,"start_character":0,"end_line":123,"end_character":8},"updated":"2020-04-17 01:38:08.000000000","message":"nit: control*","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":120,"context_line":""},{"line_number":121,"context_line":"This way the problem of global vs project level admin can be solved. 
You can"},{"line_number":122,"context_line":"control the information with scope of the users. This means you can"},{"line_number":123,"context_line":"controle that none of the project level role can get the hypervisor"},{"line_number":124,"context_line":"information."},{"line_number":125,"context_line":""},{"line_number":126,"context_line":".. note:: ``scope_type`` is not overridable via policy file."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_ca8d7132","line":123,"range":{"start_line":123,"start_character":0,"end_line":123,"end_character":8},"in_reply_to":"3f4c43b2_c1e2842f","updated":"2020-04-17 16:13:40.000000000","message":"Done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":138,"context_line":"New Defaults"},{"line_number":139,"context_line":"------------"},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"You can refer this document to know about all available defaults"},{"line_number":142,"context_line":"from Keystone `new defaults`_"},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"Along with the ``scope_type`` feature, Nova policy defines new"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_69cb8e71","line":141,"range":{"start_line":141,"start_character":14,"end_line":141,"end_character":18},"updated":"2020-04-17 14:39:01.000000000","message":"\"to this\"","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":138,"context_line":"New 
Defaults"},{"line_number":139,"context_line":"------------"},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"You can refer this document to know about all available defaults"},{"line_number":142,"context_line":"from Keystone `new defaults`_"},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"Along with the ``scope_type`` feature, Nova policy defines new"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_0a88f91c","line":141,"range":{"start_line":141,"start_character":14,"end_line":141,"end_character":18},"in_reply_to":"3f4c43b2_69cb8e71","updated":"2020-04-17 16:13:40.000000000","message":"Done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"71c6c29c37c7409a2f4738fc4490339261437442","unresolved":false,"context_lines":[{"line_number":192,"context_line":""},{"line_number":193,"context_line":"      system_admin_or_owner"},{"line_number":194,"context_line":"         Default"},{"line_number":195,"context_line":"            role:admin and system_scope:all or rule:project_member_api"},{"line_number":196,"context_line":""},{"line_number":197,"context_line":""},{"line_number":198,"context_line":"With these new defaults, you can solve the problem of:"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_2138889e","line":195,"range":{"start_line":195,"start_character":47,"end_line":195,"end_character":70},"updated":"2020-04-17 01:38:08.000000000","message":"This means ownership is just having the member role on a project, right?","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":192,"context_line":""},{"line_number":193,"context_line":"      system_admin_or_owner"},{"line_number":194,"context_line":"         Default"},{"line_number":195,"context_line":"            role:admin and system_scope:all or rule:project_member_api"},{"line_number":196,"context_line":""},{"line_number":197,"context_line":""},{"line_number":198,"context_line":"With these new defaults, you can solve the problem of:"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_8aa88977","line":195,"range":{"start_line":195,"start_character":47,"end_line":195,"end_character":70},"in_reply_to":"3f4c43b2_2138889e","updated":"2020-04-17 16:13:40.000000000","message":"yeah as shown in L171. let me expand this to have a clear pic","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"71c6c29c37c7409a2f4738fc4490339261437442","unresolved":false,"context_lines":[{"line_number":197,"context_line":""},{"line_number":198,"context_line":"With these new defaults, you can solve the problem of:"},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"#. Providing the read-only access to the user. Polices are made more granular"},{"line_number":201,"context_line":"   and defaulted to reader rules."},{"line_number":202,"context_line":""},{"line_number":203,"context_line":"#. Customize the policy in better way. 
For example if you will be able"},{"line_number":204,"context_line":"   to provide access to project level user to perform live migration for their"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_61429012","line":201,"range":{"start_line":200,"start_character":3,"end_line":201,"end_character":33},"updated":"2020-04-17 01:38:08.000000000","message":"++\n\nE.g., if you need to let someone audit your deployment for security purposes","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":197,"context_line":""},{"line_number":198,"context_line":"With these new defaults, you can solve the problem of:"},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"#. Providing the read-only access to the user. Polices are made more granular"},{"line_number":201,"context_line":"   and defaulted to reader rules."},{"line_number":202,"context_line":""},{"line_number":203,"context_line":"#. Customize the policy in better way. For example if you will be able"},{"line_number":204,"context_line":"   to provide access to project level user to perform live migration for their"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_aac62547","line":201,"range":{"start_line":200,"start_character":3,"end_line":201,"end_character":33},"in_reply_to":"3f4c43b2_61429012","updated":"2020-04-17 16:13:40.000000000","message":"thanks. done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":217,"context_line":"We encourage every deployment to switch to new policy. 
``scope_type`` will be"},{"line_number":218,"context_line":"enabled by default and old defaults will be removed in the 23.0.0 release."},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"To implement the new defaults reader roles, we had to made few policy more"},{"line_number":221,"context_line":"granular. In that policies are renamed and old names are also suported for"},{"line_number":222,"context_line":"backward compatibility."},{"line_number":223,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_4985f207","line":220,"range":{"start_line":220,"start_character":47,"end_line":220,"end_character":69},"updated":"2020-04-17 14:39:01.000000000","message":"\"made a few policies\"","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":217,"context_line":"We encourage every deployment to switch to new policy. ``scope_type`` will be"},{"line_number":218,"context_line":"enabled by default and old defaults will be removed in the 23.0.0 release."},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"To implement the new defaults reader roles, we had to made few policy more"},{"line_number":221,"context_line":"granular. 
In that policies are renamed and old names are also suported for"},{"line_number":222,"context_line":"backward compatibility."},{"line_number":223,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_8ac1a931","line":220,"range":{"start_line":220,"start_character":47,"end_line":220,"end_character":69},"in_reply_to":"3f4c43b2_4985f207","updated":"2020-04-17 16:13:40.000000000","message":"Done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"71c6c29c37c7409a2f4738fc4490339261437442","unresolved":false,"context_lines":[{"line_number":230,"context_line":""},{"line_number":231,"context_line":"Here is step wise guide for migration:"},{"line_number":232,"context_line":""},{"line_number":233,"context_line":"#. Create scopped token:"},{"line_number":234,"context_line":""},{"line_number":235,"context_line":"   You need to create the new token with the scope knowledge via below CLI:"},{"line_number":236,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_8146bc20","line":233,"range":{"start_line":233,"start_character":10,"end_line":233,"end_character":17},"updated":"2020-04-17 01:38:08.000000000","message":"scoped*","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":230,"context_line":""},{"line_number":231,"context_line":"Here is step wise guide for migration:"},{"line_number":232,"context_line":""},{"line_number":233,"context_line":"#. 
Create scopped token:"},{"line_number":234,"context_line":""},{"line_number":235,"context_line":"   You need to create the new token with the scope knowledge via below CLI:"},{"line_number":236,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_eaddcd14","line":233,"range":{"start_line":233,"start_character":10,"end_line":233,"end_character":17},"in_reply_to":"3f4c43b2_8146bc20","updated":"2020-04-17 16:13:40.000000000","message":"Done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"71c6c29c37c7409a2f4738fc4490339261437442","unresolved":false,"context_lines":[{"line_number":234,"context_line":""},{"line_number":235,"context_line":"   You need to create the new token with the scope knowledge via below CLI:"},{"line_number":236,"context_line":""},{"line_number":237,"context_line":"   - `Create System Scoped Token`_"},{"line_number":238,"context_line":"   - `Create Project Scoped Token`_"},{"line_number":239,"context_line":""},{"line_number":240,"context_line":"#. 
Create new default roles in keystone if not done:"},{"line_number":241,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_01646cb8","line":238,"range":{"start_line":237,"start_character":0,"end_line":238,"end_character":35},"updated":"2020-04-17 01:38:08.000000000","message":"I sometimes find I get more traction if I explain this in terms of an os-cloud-config or rc file.\n\nUnderstanding how to get tokens scoped to different targets through keystone is important, but most people just want to know what they need in their RC file or os-cloud-config to get things working.","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":234,"context_line":""},{"line_number":235,"context_line":"   You need to create the new token with the scope knowledge via below CLI:"},{"line_number":236,"context_line":""},{"line_number":237,"context_line":"   - `Create System Scoped Token`_"},{"line_number":238,"context_line":"   - `Create Project Scoped Token`_"},{"line_number":239,"context_line":""},{"line_number":240,"context_line":"#. Create new default roles in keystone if not done:"},{"line_number":241,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_cd50eb0d","line":238,"range":{"start_line":237,"start_character":0,"end_line":238,"end_character":35},"in_reply_to":"3f4c43b2_01646cb8","updated":"2020-04-17 16:13:40.000000000","message":"ok. I tried to find some doc on keystone side or any blog if you have. 
I can link that if you can suggest one.","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"71c6c29c37c7409a2f4738fc4490339261437442","unresolved":false,"context_lines":[{"line_number":239,"context_line":""},{"line_number":240,"context_line":"#. Create new default roles in keystone if not done:"},{"line_number":241,"context_line":""},{"line_number":242,"context_line":"   If you do not have new defaults in Keystone then you can create and re-run"},{"line_number":243,"context_line":"   the `Keystone Bootstrap`_"},{"line_number":244,"context_line":""},{"line_number":245,"context_line":"#. Enable Scope Checks"},{"line_number":246,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_c169e48b","line":243,"range":{"start_line":242,"start_character":0,"end_line":243,"end_character":28},"updated":"2020-04-17 01:38:08.000000000","message":"For context, keystone added this support in Rocky.","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":239,"context_line":""},{"line_number":240,"context_line":"#. Create new default roles in keystone if not done:"},{"line_number":241,"context_line":""},{"line_number":242,"context_line":"   If you do not have new defaults in Keystone then you can create and re-run"},{"line_number":243,"context_line":"   the `Keystone Bootstrap`_"},{"line_number":244,"context_line":""},{"line_number":245,"context_line":"#. 
Enable Scope Checks"},{"line_number":246,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_4a3a0134","line":243,"range":{"start_line":242,"start_character":0,"end_line":243,"end_character":28},"in_reply_to":"3f4c43b2_c169e48b","updated":"2020-04-17 16:13:40.000000000","message":"+1, I think it is good to mention this here for operator ease, in case they are not aware of it or are upgrading with a skipped release.","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"71c6c29c37c7409a2f4738fc4490339261437442","unresolved":false,"context_lines":[{"line_number":281,"context_line":"    get the benefits of new defaults and scope_type together."},{"line_number":282,"context_line":""},{"line_number":283,"context_line":"    Once both flags are true then new default with ``scope_type`` will be"},{"line_number":284,"context_line":"    checked and old tokens will not be supported."},{"line_number":285,"context_line":""},{"line_number":286,"context_line":""},{"line_number":287,"context_line":"#. 
Policy renamed for granularity"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_6110d002","line":284,"updated":"2020-04-17 01:38:08.000000000","message":"It might be in the deployers\u0027 best interest to do two things if they decide to take this path.\n\nFirst, they\u0027ll need to audit their users and make sure everyone who needs system-level access has a system role assignment in keystone.\n\nSecond, they\u0027ll need to make sure they educate users about the different scopes they need to use to continue using nova\u0027s API (e.g., set this in your cloud config or RC file).","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":281,"context_line":"    get the benefits of new defaults and scope_type together."},{"line_number":282,"context_line":""},{"line_number":283,"context_line":"    Once both flags are true then new default with ``scope_type`` will be"},{"line_number":284,"context_line":"    checked and old tokens will not be supported."},{"line_number":285,"context_line":""},{"line_number":286,"context_line":""},{"line_number":287,"context_line":"#. Policy renamed for granularity"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_6d3c37c8","line":284,"in_reply_to":"3f4c43b2_6110d002","updated":"2020-04-17 16:13:40.000000000","message":"I see. That is a valid point. 
Let me clarify these steps also in each flag so that operator know when they can enable them","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":284,"context_line":"    checked and old tokens will not be supported."},{"line_number":285,"context_line":""},{"line_number":286,"context_line":""},{"line_number":287,"context_line":"#. Policy renamed for granularity"},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"   Few policies are made more granular to implement the reader roles. New"},{"line_number":290,"context_line":"   policy names are available to use. If old policy name which are renamed"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_29b6a6da","line":287,"range":{"start_line":287,"start_character":3,"end_line":287,"end_character":33},"updated":"2020-04-17 14:39:01.000000000","message":"This does not sound like a step for the deployer to run. Maybe this should be \"Check for deprecated policies\" ?","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":284,"context_line":"    checked and old tokens will not be supported."},{"line_number":285,"context_line":""},{"line_number":286,"context_line":""},{"line_number":287,"context_line":"#. Policy renamed for granularity"},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"   Few policies are made more granular to implement the reader roles. New"},{"line_number":290,"context_line":"   policy names are available to use. 
If old policy name which are renamed"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_ea4cad9f","line":287,"range":{"start_line":287,"start_character":3,"end_line":287,"end_character":33},"in_reply_to":"3f4c43b2_29b6a6da","updated":"2020-04-17 16:13:40.000000000","message":"right, thanks.","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f1714fc1582dd1df1d20dc0df27cdde8da9cfd0b","unresolved":false,"context_lines":[{"line_number":291,"context_line":"   are overwriten in policy file then warning will be logged. Please migrate"},{"line_number":292,"context_line":"   those policy to new policy names."},{"line_number":293,"context_line":""},{"line_number":294,"context_line":"We expect all the deployement to migrate to new policy by 23.0.0"},{"line_number":295,"context_line":"release so that we can remove the support of old policies."},{"line_number":296,"context_line":""},{"line_number":297,"context_line":".. _nova specification: https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_a9c11631","line":294,"range":{"start_line":294,"start_character":14,"end_line":294,"end_character":29},"updated":"2020-04-17 14:39:01.000000000","message":"deployments","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a86894ae9117d3e9df09d2f0c4fe30a38d14a6f1","unresolved":false,"context_lines":[{"line_number":291,"context_line":"   are overwriten in policy file then warning will be logged. 
Please migrate"},{"line_number":292,"context_line":"   those policy to new policy names."},{"line_number":293,"context_line":""},{"line_number":294,"context_line":"We expect all the deployement to migrate to new policy by 23.0.0"},{"line_number":295,"context_line":"release so that we can remove the support of old policies."},{"line_number":296,"context_line":""},{"line_number":297,"context_line":".. _nova specification: https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f4c43b2_aa810592","line":294,"range":{"start_line":294,"start_character":14,"end_line":294,"end_character":29},"in_reply_to":"3f4c43b2_a9c11631","updated":"2020-04-17 16:13:40.000000000","message":"Done","commit_id":"0892e4f9cfef131c2a82d5ce04896f8b78174d21"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"49fa7631138ca2d73bff04171fc5b40826ec3d40","unresolved":false,"context_lines":[{"line_number":34,"context_line":"concept and default roles provided by keystone (admin, member, and reader)."},{"line_number":35,"context_line":"The idea of using common roles from keystone reduces the likelihood of similar,"},{"line_number":36,"context_line":"but different, roles implemented across projects or deployment (e.g., a role called"},{"line_number":37,"context_line":"observer versus reader versus auditor). 
New defaults it easier to understand who can"},{"line_number":38,"context_line":"do what across projects, reduces divergence, and increases interoperability."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"Next sections are going to explain how these new defaults in the Nova can solve the"},{"line_number":41,"context_line":"first two issues mentioned above and extend more functionality to end users in a safe"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f4c43b2_7226aed0","line":38,"range":{"start_line":37,"start_character":40,"end_line":38,"end_character":76},"updated":"2020-04-20 15:33:34.000000000","message":"Something is missing from the sentence for me. Maybe\n\nWith the help of the new defaults it is easier to understand...","commit_id":"507d232ee2ca6eed06463f6e742469bbbf52b135"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c830efcd42d6d79aa3dd16351ef7b78796a1c08f","unresolved":false,"context_lines":[{"line_number":34,"context_line":"concept and default roles provided by keystone (admin, member, and reader)."},{"line_number":35,"context_line":"The idea of using common roles from keystone reduces the likelihood of similar,"},{"line_number":36,"context_line":"but different, roles implemented across projects or deployment (e.g., a role called"},{"line_number":37,"context_line":"observer versus reader versus auditor). 
New defaults it easier to understand who can"},{"line_number":38,"context_line":"do what across projects, reduces divergence, and increases interoperability."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"Next sections are going to explain how these new defaults in the Nova can solve the"},{"line_number":41,"context_line":"first two issues mentioned above and extend more functionality to end users in a safe"}],"source_content_type":"text/x-rst","patch_set":7,"id":"3f4c43b2_cd6607c2","line":38,"range":{"start_line":37,"start_character":40,"end_line":38,"end_character":76},"in_reply_to":"3f4c43b2_7226aed0","updated":"2020-04-20 15:47:26.000000000","message":"sure.","commit_id":"507d232ee2ca6eed06463f6e742469bbbf52b135"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"1f493fa4_7eb56dee","updated":"2020-04-20 17:16:44.000000000","message":"This belongs in the admin guide (\u0027/admin\u0027). Think of \u0027/configuration\u0027 as merely a reference guide.\n\nIn addition, it would be nice if this read as \"this is how things are\" rather than \"this is how we\u0027ve changed them\". The latter makes sense now, but won\u0027t in a year\u0027s time. 
Suggestions below.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"1f493fa4_c43f94b3","in_reply_to":"1f493fa4_7eb56dee","updated":"2020-04-20 18:07:19.000000000","message":"/admin directory might not be good place for this as this is more of operator things for configuring the cloud for RBAC etc. I am keeping the ref of this under \u0027policy\u0027 section. or may be under \u0027deployment-considerations\u0027 section?\n\n- https://docs.openstack.org/nova/latest/#deployment-considerations","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":1,"context_line":"Nova Policy new defaults"},{"line_number":2,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":"Prior to the Ussuri release, Nova default policies were hard to understand"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_be7c1521","line":1,"range":{"start_line":1,"start_character":0,"end_line":1,"end_character":24},"updated":"2020-04-20 17:16:44.000000000","message":"How about:\n\n  Understanding nova policies","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":1,"context_line":"Nova Policy new defaults"},{"line_number":2,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":"Prior to the Ussuri release, Nova default policies were hard to understand"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_61af9294","line":1,"range":{"start_line":1,"start_character":0,"end_line":1,"end_character":24},"in_reply_to":"1f493fa4_be7c1521","updated":"2020-04-20 18:07:19.000000000","message":"ok. This is more clear for a persistent document, not just this release things.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":1,"context_line":"Nova Policy new defaults"},{"line_number":2,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":"Prior to the Ussuri release, Nova default policies were hard to understand"},{"line_number":5,"context_line":"and difficult to use without overriding them with appropriate roles."},{"line_number":6,"context_line":"Ideally, most operators should be able to run without modifying policy."},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"Every deployment faces a few common problems with the current defaults:"},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"#. 
No global vs project admin. ``admin_only`` is used for the global admin that"},{"line_number":11,"context_line":"   is able to make almost any change to Nova, and see all details of the Nova"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_3eef6588","line":8,"range":{"start_line":4,"start_character":0,"end_line":8,"end_character":71},"updated":"2020-04-20 17:16:44.000000000","message":"As noted above, I think we\u0027d be better server providing a large description of what policy is here. Could you give a brief introductory paragraph here. Something like:\n\n  Nova supports a rich policy system that has evolved significantly over its\n  lifetime. Initially, this took the form of a large, mostly hand-written\n  ``policy.json`` file but, starting in the Newton (14.0.0) release, policy defaults\n  have been defined in the codebase, requiring the ``policy.json`` file only to\n  override these defaults. In the Ussuri (21.0.0) release, further work was\n  undertaken to address some issues that had been identified:","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":1,"context_line":"Nova Policy new defaults"},{"line_number":2,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":"Prior to the Ussuri release, Nova default policies were hard to understand"},{"line_number":5,"context_line":"and difficult to use without overriding them with appropriate roles."},{"line_number":6,"context_line":"Ideally, most operators should be able to run without modifying 
policy."},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"Every deployment faces a few common problems with the current defaults:"},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"#. No global vs project admin. ``admin_only`` is used for the global admin that"},{"line_number":11,"context_line":"   is able to make almost any change to Nova, and see all details of the Nova"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_019e8e62","line":8,"range":{"start_line":4,"start_character":0,"end_line":8,"end_character":71},"in_reply_to":"1f493fa4_3eef6588","updated":"2020-04-20 18:07:19.000000000","message":"thanks. done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":7,"context_line":""},{"line_number":8,"context_line":"Every deployment faces a few common problems with the current defaults:"},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"#. No global vs project admin. ``admin_only`` is used for the global admin that"},{"line_number":11,"context_line":"   is able to make almost any change to Nova, and see all details of the Nova"},{"line_number":12,"context_line":"   system. The rule passes for any user with an admin role, it doesn’t matter"},{"line_number":13,"context_line":"   which project is used."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_212c6a98","line":10,"range":{"start_line":10,"start_character":33,"end_line":10,"end_character":43},"updated":"2020-04-20 18:00:03.000000000","message":"This is a rule, right (which probably looks like role:admin)?, right? 
I\u0027d write that as \"The ``admin_only`` rule is [...]\"\n\n\u003clater\u003e Maybe I\u0027m just an ignoramus, but I really feel like there needs to be a \"This document assumes you understand the basics of Nova policy. Those can be found in \u003cdoc X\u003e\" preface.\n\n\u003ceven later\u003e I think https://docs.openstack.org/oslo.policy/latest/admin/policy-json-file.html might be the \"policy 101\" doc I need.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":7,"context_line":""},{"line_number":8,"context_line":"Every deployment faces a few common problems with the current defaults:"},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"#. No global vs project admin. ``admin_only`` is used for the global admin that"},{"line_number":11,"context_line":"   is able to make almost any change to Nova, and see all details of the Nova"},{"line_number":12,"context_line":"   system. The rule passes for any user with an admin role, it doesn’t matter"},{"line_number":13,"context_line":"   which project is used."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_246478b9","line":10,"range":{"start_line":10,"start_character":33,"end_line":10,"end_character":43},"in_reply_to":"1f493fa4_212c6a98","updated":"2020-04-20 18:51:04.000000000","message":"done. 
\n\npolicy-json-file.html might be covering only policy file things but not the policy-in-code information which was done during the newton cycle.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":12,"context_line":"   system. The rule passes for any user with an admin role, it doesn’t matter"},{"line_number":13,"context_line":"   which project is used."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"#. No read-only roles. If you want a ``reader`` role, several APIs share a"},{"line_number":16,"context_line":"   single policy rule for read and write actions, i.e. we don’t have the"},{"line_number":17,"context_line":"   granularity for such a role to be added."},{"line_number":18,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_210aaa89","line":15,"range":{"start_line":15,"start_character":39,"end_line":15,"end_character":45},"updated":"2020-04-20 18:00:03.000000000","message":"Presumably this refers to the reader Keystone scope, but it hasn\u0027t been introduced yet. I\u0027d just rewrite the paragraph as \"All roles come with read and write access. It impossible to grant read-only access to resources.\"","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":12,"context_line":"   system. The rule passes for any user with an admin role, it doesn’t matter"},{"line_number":13,"context_line":"   which project is used."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"#. No read-only roles. 
If you want a ``reader`` role, several APIs share a"},{"line_number":16,"context_line":"   single policy rule for read and write actions, i.e. we don’t have the"},{"line_number":17,"context_line":"   granularity for such a role to be added."},{"line_number":18,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_e469f08b","line":15,"range":{"start_line":15,"start_character":39,"end_line":15,"end_character":45},"in_reply_to":"1f493fa4_210aaa89","updated":"2020-04-20 18:51:04.000000000","message":"Done. let me reword \u0027reader\u0027 to \u0027read only access\u0027","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":16,"context_line":"   single policy rule for read and write actions, i.e. we don’t have the"},{"line_number":17,"context_line":"   granularity for such a role to be added."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"#. ``admin_or_owner`` does not work as expected. For most APIs with ``admin_or_owner``,"},{"line_number":20,"context_line":"   the project authentication happened in a separate component in nova that do"},{"line_number":21,"context_line":"   not honor changes to policy and thus policy could not override hard-coded"},{"line_number":22,"context_line":"   in-project checks."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_c1f8267e","line":19,"range":{"start_line":19,"start_character":5,"end_line":19,"end_character":19},"updated":"2020-04-20 18:00:03.000000000","message":"This is a rule, right? 
Rephrase as \"The ``admin_or_owner`` rule [...]\"","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":16,"context_line":"   single policy rule for read and write actions, i.e. we don’t have the"},{"line_number":17,"context_line":"   granularity for such a role to be added."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"#. ``admin_or_owner`` does not work as expected. For most APIs with ``admin_or_owner``,"},{"line_number":20,"context_line":"   the project authentication happened in a separate component in nova that do"},{"line_number":21,"context_line":"   not honor changes to policy and thus policy could not override hard-coded"},{"line_number":22,"context_line":"   in-project checks."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_612672ba","line":19,"range":{"start_line":19,"start_character":39,"end_line":19,"end_character":47},"updated":"2020-04-20 18:00:03.000000000","message":"What\u0027s expected? Role `admin` or `owner` is allowed to perform the action?","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":16,"context_line":"   single policy rule for read and write actions, i.e. we don’t have the"},{"line_number":17,"context_line":"   granularity for such a role to be added."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"#. ``admin_or_owner`` does not work as expected. 
For most APIs with ``admin_or_owner``,"},{"line_number":20,"context_line":"   the project authentication happened in a separate component in nova that do"},{"line_number":21,"context_line":"   not honor changes to policy and thus policy could not override hard-coded"},{"line_number":22,"context_line":"   in-project checks."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_84274c65","line":19,"range":{"start_line":19,"start_character":39,"end_line":19,"end_character":47},"in_reply_to":"1f493fa4_612672ba","updated":"2020-04-20 18:51:04.000000000","message":"this is explained in this paragraph, i.e. what the problems with this rule are.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":16,"context_line":"   single policy rule for read and write actions, i.e. we don’t have the"},{"line_number":17,"context_line":"   granularity for such a role to be added."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"#. ``admin_or_owner`` does not work as expected. 
For most APIs with ``admin_or_owner``,"},{"line_number":20,"context_line":"   the project authentication happened in a separate component in nova that do"},{"line_number":21,"context_line":"   not honor changes to policy and thus policy could not override hard-coded"},{"line_number":22,"context_line":"   in-project checks."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_240918dd","line":19,"range":{"start_line":19,"start_character":5,"end_line":19,"end_character":19},"in_reply_to":"1f493fa4_c1f8267e","updated":"2020-04-20 18:51:04.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":17,"context_line":"   granularity for such a role to be added."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"#. ``admin_or_owner`` does not work as expected. For most APIs with ``admin_or_owner``,"},{"line_number":20,"context_line":"   the project authentication happened in a separate component in nova that do"},{"line_number":21,"context_line":"   not honor changes to policy and thus policy could not override hard-coded"},{"line_number":22,"context_line":"   in-project checks."},{"line_number":23,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_c13ae6cb","line":20,"range":{"start_line":20,"start_character":39,"end_line":20,"end_character":62},"updated":"2020-04-20 18:00:03.000000000","message":"In which component? 
Separate from what - the API?","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":17,"context_line":"   granularity for such a role to be added."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"#. ``admin_or_owner`` does not work as expected. For most APIs with ``admin_or_owner``,"},{"line_number":20,"context_line":"   the project authentication happened in a separate component in nova that do"},{"line_number":21,"context_line":"   not honor changes to policy and thus policy could not override hard-coded"},{"line_number":22,"context_line":"   in-project checks."},{"line_number":23,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_414c1676","line":20,"range":{"start_line":20,"start_character":66,"end_line":20,"end_character":70},"updated":"2020-04-20 18:00:03.000000000","message":"nit: I don\u0027t care if it\u0027s \"Nova\" or \"nova\", but pick one and stick with it ;)","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":17,"context_line":"   granularity for such a role to be added."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"#. ``admin_or_owner`` does not work as expected. 
For most APIs with ``admin_or_owner``,"},{"line_number":20,"context_line":"   the project authentication happened in a separate component in nova that do"},{"line_number":21,"context_line":"   not honor changes to policy and thus policy could not override hard-coded"},{"line_number":22,"context_line":"   in-project checks."},{"line_number":23,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_c420344d","line":20,"range":{"start_line":20,"start_character":66,"end_line":20,"end_character":70},"in_reply_to":"1f493fa4_414c1676","updated":"2020-04-20 18:51:04.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":17,"context_line":"   granularity for such a role to be added."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"#. ``admin_or_owner`` does not work as expected. 
For most APIs with ``admin_or_owner``,"},{"line_number":20,"context_line":"   the project authentication happened in a separate component in nova that do"},{"line_number":21,"context_line":"   not honor changes to policy and thus policy could not override hard-coded"},{"line_number":22,"context_line":"   in-project checks."},{"line_number":23,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_efb42938","line":20,"range":{"start_line":20,"start_character":39,"end_line":20,"end_character":62},"in_reply_to":"1f493fa4_c13ae6cb","updated":"2020-04-20 18:51:04.000000000","message":"yes, let me explain it clearly","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":17,"context_line":"   granularity for such a role to be added."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"#. ``admin_or_owner`` does not work as expected. 
For most APIs with ``admin_or_owner``,"},{"line_number":20,"context_line":"   the project authentication happened in a separate component in nova that do"},{"line_number":21,"context_line":"   not honor changes to policy and thus policy could not override hard-coded"},{"line_number":22,"context_line":"   in-project checks."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Keystone comes with ``admin``, ``member`` and ``reader`` roles by default."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_81561e06","line":21,"range":{"start_line":20,"start_character":76,"end_line":21,"end_character":6},"updated":"2020-04-20 18:00:03.000000000","message":"\"does not\"","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":17,"context_line":"   granularity for such a role to be added."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"#. ``admin_or_owner`` does not work as expected. 
For most APIs with ``admin_or_owner``,"},{"line_number":20,"context_line":"   the project authentication happened in a separate component in nova that do"},{"line_number":21,"context_line":"   not honor changes to policy and thus policy could not override hard-coded"},{"line_number":22,"context_line":"   in-project checks."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Keystone comes with ``admin``, ``member`` and ``reader`` roles by default."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_a41d2811","line":21,"range":{"start_line":20,"start_character":76,"end_line":21,"end_character":6},"in_reply_to":"1f493fa4_81561e06","updated":"2020-04-20 18:51:04.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":26,"context_line":"document."},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"In addition, keystone supports a new \"system scope\" concept that makes it easier to"},{"line_number":29,"context_line":"protect deployment level resources from project or system level resources. 
Please"},{"line_number":30,"context_line":"refer `available scope`_ document and `system scope specification`_ to understand"},{"line_number":31,"context_line":"the scope concept."},{"line_number":32,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_e1460250","line":29,"range":{"start_line":29,"start_character":51,"end_line":29,"end_character":73},"updated":"2020-04-20 18:00:03.000000000","message":"Wait, what\u0027s in the system scope - system-level resources, or deployment-level resources?","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":26,"context_line":"document."},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"In addition, keystone supports a new \"system scope\" concept that makes it easier to"},{"line_number":29,"context_line":"protect deployment level resources from project or system level resources. 
Please"},{"line_number":30,"context_line":"refer `available scope`_ document and `system scope specification`_ to understand"},{"line_number":31,"context_line":"the scope concept."},{"line_number":32,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_04f05cc9","line":29,"range":{"start_line":29,"start_character":51,"end_line":29,"end_character":73},"in_reply_to":"1f493fa4_e1460250","updated":"2020-04-20 18:51:04.000000000","message":"these are explained in the links mentioned in the same paragraph.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":27,"context_line":""},{"line_number":28,"context_line":"In addition, keystone supports a new \"system scope\" concept that makes it easier to"},{"line_number":29,"context_line":"protect deployment level resources from project or system level resources. 
Please"},{"line_number":30,"context_line":"refer `available scope`_ document and `system scope specification`_ to understand"},{"line_number":31,"context_line":"the scope concept."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"In the Nova 21.0.0 (OpenStack Ussuri) release, Nova policies implemented the scope"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_41753698","line":30,"range":{"start_line":30,"start_character":0,"end_line":30,"end_character":5},"updated":"2020-04-20 18:00:03.000000000","message":"nit: \"refer to the\"","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":27,"context_line":""},{"line_number":28,"context_line":"In addition, keystone supports a new \"system scope\" concept that makes it easier to"},{"line_number":29,"context_line":"protect deployment level resources from project or system level resources. 
Please"},{"line_number":30,"context_line":"refer `available scope`_ document and `system scope specification`_ to understand"},{"line_number":31,"context_line":"the scope concept."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"In the Nova 21.0.0 (OpenStack Ussuri) release, Nova policies implemented the scope"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_44bb84e4","line":30,"range":{"start_line":30,"start_character":0,"end_line":30,"end_character":5},"in_reply_to":"1f493fa4_41753698","updated":"2020-04-20 18:51:04.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":32,"context_line":""},{"line_number":33,"context_line":"In the Nova 21.0.0 (OpenStack Ussuri) release, Nova policies implemented the scope"},{"line_number":34,"context_line":"concept and default roles provided by keystone (admin, member, and reader)."},{"line_number":35,"context_line":"The idea of using common roles from keystone reduces the likelihood of similar,"},{"line_number":36,"context_line":"but different, roles implemented across projects or deployment (e.g., a role called"},{"line_number":37,"context_line":"observer versus reader versus auditor). 
With the help of the new defaults it is easier"},{"line_number":38,"context_line":"to understand who can do what across projects, reduces divergence, and increases"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_817d7e70","line":35,"range":{"start_line":35,"start_character":0,"end_line":35,"end_character":11},"updated":"2020-04-20 18:00:03.000000000","message":"nit: drop this, they\u0027re filler words - \"Using common roles from keystone reduces\" reads better.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":32,"context_line":""},{"line_number":33,"context_line":"In the Nova 21.0.0 (OpenStack Ussuri) release, Nova policies implemented the scope"},{"line_number":34,"context_line":"concept and default roles provided by keystone (admin, member, and reader)."},{"line_number":35,"context_line":"The idea of using common roles from keystone reduces the likelihood of similar,"},{"line_number":36,"context_line":"but different, roles implemented across projects or deployment (e.g., a role called"},{"line_number":37,"context_line":"observer versus reader versus auditor). 
With the help of the new defaults it is easier"},{"line_number":38,"context_line":"to understand who can do what across projects, reduces divergence, and increases"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_24c0f850","line":35,"range":{"start_line":35,"start_character":0,"end_line":35,"end_character":11},"in_reply_to":"1f493fa4_817d7e70","updated":"2020-04-20 18:51:04.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":33,"context_line":"In the Nova 21.0.0 (OpenStack Ussuri) release, Nova policies implemented the scope"},{"line_number":34,"context_line":"concept and default roles provided by keystone (admin, member, and reader)."},{"line_number":35,"context_line":"The idea of using common roles from keystone reduces the likelihood of similar,"},{"line_number":36,"context_line":"but different, roles implemented across projects or deployment (e.g., a role called"},{"line_number":37,"context_line":"observer versus reader versus auditor). 
With the help of the new defaults it is easier"},{"line_number":38,"context_line":"to understand who can do what across projects, reduces divergence, and increases"},{"line_number":39,"context_line":"interoperability."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_a1651ae4","line":36,"range":{"start_line":36,"start_character":52,"end_line":36,"end_character":62},"updated":"2020-04-20 18:00:03.000000000","message":"\"deployments\" ?","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":33,"context_line":"In the Nova 21.0.0 (OpenStack Ussuri) release, Nova policies implemented the scope"},{"line_number":34,"context_line":"concept and default roles provided by keystone (admin, member, and reader)."},{"line_number":35,"context_line":"The idea of using common roles from keystone reduces the likelihood of similar,"},{"line_number":36,"context_line":"but different, roles implemented across projects or deployment (e.g., a role called"},{"line_number":37,"context_line":"observer versus reader versus auditor). 
With the help of the new defaults it is easier"},{"line_number":38,"context_line":"to understand who can do what across projects, reduces divergence, and increases"},{"line_number":39,"context_line":"interoperability."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_84b58cf1","line":36,"range":{"start_line":36,"start_character":52,"end_line":36,"end_character":62},"in_reply_to":"1f493fa4_a1651ae4","updated":"2020-04-20 18:51:04.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":34,"context_line":"concept and default roles provided by keystone (admin, member, and reader)."},{"line_number":35,"context_line":"The idea of using common roles from keystone reduces the likelihood of similar,"},{"line_number":36,"context_line":"but different, roles implemented across projects or deployment (e.g., a role called"},{"line_number":37,"context_line":"observer versus reader versus auditor). 
With the help of the new defaults it is easier"},{"line_number":38,"context_line":"to understand who can do what across projects, reduces divergence, and increases"},{"line_number":39,"context_line":"interoperability."},{"line_number":40,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_3e9485e8","line":37,"range":{"start_line":37,"start_character":0,"end_line":37,"end_character":8},"updated":"2020-04-20 17:16:44.000000000","message":"``literal``","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":34,"context_line":"concept and default roles provided by keystone (admin, member, and reader)."},{"line_number":35,"context_line":"The idea of using common roles from keystone reduces the likelihood of similar,"},{"line_number":36,"context_line":"but different, roles implemented across projects or deployment (e.g., a role called"},{"line_number":37,"context_line":"observer versus reader versus auditor). 
With the help of the new defaults it is easier"},{"line_number":38,"context_line":"to understand who can do what across projects, reduces divergence, and increases"},{"line_number":39,"context_line":"interoperability."},{"line_number":40,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_1e99c91e","line":37,"range":{"start_line":37,"start_character":16,"end_line":37,"end_character":22},"updated":"2020-04-20 17:16:44.000000000","message":"``literal`` (and so on)","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":34,"context_line":"concept and default roles provided by keystone (admin, member, and reader)."},{"line_number":35,"context_line":"The idea of using common roles from keystone reduces the likelihood of similar,"},{"line_number":36,"context_line":"but different, roles implemented across projects or deployment (e.g., a role called"},{"line_number":37,"context_line":"observer versus reader versus auditor). 
With the help of the new defaults it is easier"},{"line_number":38,"context_line":"to understand who can do what across projects, reduces divergence, and increases"},{"line_number":39,"context_line":"interoperability."},{"line_number":40,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_c1a14698","line":37,"range":{"start_line":37,"start_character":0,"end_line":37,"end_character":8},"in_reply_to":"1f493fa4_3e9485e8","updated":"2020-04-20 18:07:19.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":38,"context_line":"to understand who can do what across projects, reduces divergence, and increases"},{"line_number":39,"context_line":"interoperability."},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"Next sections are going to explain how these new defaults in the Nova can solve the"},{"line_number":42,"context_line":"first two issues mentioned above and extend more functionality to end users in a safe"},{"line_number":43,"context_line":"and secure way."},{"line_number":44,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_7e9e0d08","line":41,"range":{"start_line":41,"start_character":0,"end_line":41,"end_character":34},"updated":"2020-04-20 17:16:44.000000000","message":"The below sections explain","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":38,"context_line":"to understand who can do what across projects, reduces divergence, and 
increases"},{"line_number":39,"context_line":"interoperability."},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"Next sections are going to explain how these new defaults in the Nova can solve the"},{"line_number":42,"context_line":"first two issues mentioned above and extend more functionality to end users in a safe"},{"line_number":43,"context_line":"and secure way."},{"line_number":44,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_e1c1e230","line":41,"range":{"start_line":41,"start_character":0,"end_line":41,"end_character":34},"in_reply_to":"1f493fa4_7e9e0d08","updated":"2020-04-20 18:07:19.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":47,"context_line":"Scope"},{"line_number":48,"context_line":"-----"},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"OpenStack Keystone supports different type of scopes in tokens."},{"line_number":51,"context_line":"Please refer the detail about all `available scope`_. Token scopes  represent the"},{"line_number":52,"context_line":"layer of authorization. 
Policy ``scope_types`` represent the layer of"},{"line_number":53,"context_line":"authorization required to access an API."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_01e68e45","line":50,"range":{"start_line":50,"start_character":28,"end_line":50,"end_character":52},"updated":"2020-04-20 18:00:03.000000000","message":"nit: just \"different scopes\"","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":47,"context_line":"Scope"},{"line_number":48,"context_line":"-----"},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"OpenStack Keystone supports different type of scopes in tokens."},{"line_number":51,"context_line":"Please refer the detail about all `available scope`_. Token scopes  represent the"},{"line_number":52,"context_line":"layer of authorization. 
Policy ``scope_types`` represent the layer of"},{"line_number":53,"context_line":"authorization required to access an API."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_a4cb6870","line":50,"range":{"start_line":50,"start_character":28,"end_line":50,"end_character":52},"in_reply_to":"1f493fa4_01e68e45","updated":"2020-04-20 18:51:04.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":48,"context_line":"-----"},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"OpenStack Keystone supports different type of scopes in tokens."},{"line_number":51,"context_line":"Please refer the detail about all `available scope`_. Token scopes  represent the"},{"line_number":52,"context_line":"layer of authorization. 
Policy ``scope_types`` represent the layer of"},{"line_number":53,"context_line":"authorization required to access an API."},{"line_number":54,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_feaa1d17","line":51,"range":{"start_line":51,"start_character":0,"end_line":51,"end_character":52},"updated":"2020-04-20 17:16:44.000000000","message":"These are described :keystone-doc:`here \u003c/admin/tokens-overview.html#authorization-scopes\u003e`.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":48,"context_line":"-----"},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"OpenStack Keystone supports different type of scopes in tokens."},{"line_number":51,"context_line":"Please refer the detail about all `available scope`_. Token scopes  represent the"},{"line_number":52,"context_line":"layer of authorization. 
Policy ``scope_types`` represent the layer of"},{"line_number":53,"context_line":"authorization required to access an API."},{"line_number":54,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_dea7614f","line":51,"range":{"start_line":51,"start_character":67,"end_line":51,"end_character":68},"updated":"2020-04-20 17:16:44.000000000","message":"nit","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":48,"context_line":"-----"},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"OpenStack Keystone supports different type of scopes in tokens."},{"line_number":51,"context_line":"Please refer the detail about all `available scope`_. Token scopes  represent the"},{"line_number":52,"context_line":"layer of authorization. Policy ``scope_types`` represent the layer of"},{"line_number":53,"context_line":"authorization required to access an API."},{"line_number":54,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_4105367a","line":51,"range":{"start_line":51,"start_character":0,"end_line":51,"end_character":52},"in_reply_to":"1f493fa4_feaa1d17","updated":"2020-04-20 18:07:19.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":49,"context_line":""},{"line_number":50,"context_line":"OpenStack Keystone supports different type of scopes in tokens."},{"line_number":51,"context_line":"Please refer the detail about all `available scope`_. 
Token scopes  represent the"},{"line_number":52,"context_line":"layer of authorization. Policy ``scope_types`` represent the layer of"},{"line_number":53,"context_line":"authorization required to access an API."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":".. note:: ``scope_type`` is hardcoded in APIs and not overridable via policy file."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_417896f7","line":52,"range":{"start_line":52,"start_character":33,"end_line":52,"end_character":44},"updated":"2020-04-20 18:00:03.000000000","message":"So this is the new thing, right? Previously, a policy was a target and a rule, the rule being some boolean combination of roles. What you\u0027re adding is rules operate on scope as well. I think you need to expand here a bit.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":49,"context_line":""},{"line_number":50,"context_line":"OpenStack Keystone supports different type of scopes in tokens."},{"line_number":51,"context_line":"Please refer the detail about all `available scope`_. Token scopes  represent the"},{"line_number":52,"context_line":"layer of authorization. Policy ``scope_types`` represent the layer of"},{"line_number":53,"context_line":"authorization required to access an API."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":".. 
note:: ``scope_type`` is hardcoded in APIs and not overridable via policy file."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_c493145c","line":52,"range":{"start_line":52,"start_character":33,"end_line":52,"end_character":44},"in_reply_to":"1f493fa4_417896f7","updated":"2020-04-20 18:51:04.000000000","message":"Those are explained in keystone doc linked above. I mean if I explain what is scope means in this doc that makes it duplicating the information from keystone doc. I have added the link to keystone spec also which describe the details and history of introducing \u0027scope\u0027.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":52,"context_line":"layer of authorization. Policy ``scope_types`` represent the layer of"},{"line_number":53,"context_line":"authorization required to access an API."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":".. note:: ``scope_type`` is hardcoded in APIs and not overridable via policy file."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Nova policies have implemented the scope concept by defining the ``scope_type``"},{"line_number":58,"context_line":"in policies. To know each policy\u0027s ``scope_type``, please refer the"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_213bca9c","line":55,"range":{"start_line":55,"start_character":0,"end_line":55,"end_character":82},"updated":"2020-04-20 18:00:03.000000000","message":"Meaning that any one particular API belongs to a single hardcoded scope that cannot be changed, right? 
So GET /server/details is always in scope `reader` and cannot be changed.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":52,"context_line":"layer of authorization. Policy ``scope_types`` represent the layer of"},{"line_number":53,"context_line":"authorization required to access an API."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":".. note:: ``scope_type`` is hardcoded in APIs and not overridable via policy file."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Nova policies have implemented the scope concept by defining the ``scope_type``"},{"line_number":58,"context_line":"in policies. To know each policy\u0027s ``scope_type``, please refer the"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_049e9c62","line":55,"range":{"start_line":55,"start_character":0,"end_line":55,"end_character":82},"in_reply_to":"1f493fa4_213bca9c","updated":"2020-04-20 18:51:04.000000000","message":"correct.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":55,"context_line":".. note:: ``scope_type`` is hardcoded in APIs and not overridable via policy file."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Nova policies have implemented the scope concept by defining the ``scope_type``"},{"line_number":58,"context_line":"in policies. 
To know each policy\u0027s ``scope_type``, please refer the"},{"line_number":59,"context_line":":doc:`Policy Reference \u003c/configuration/policy\u003e` and look for ``Scope Types`` or"},{"line_number":60,"context_line":"``Intended scope(s)`` in `Policy Sample File`_ as shown in below examples."},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_6113120f","line":58,"range":{"start_line":58,"start_character":64,"end_line":58,"end_character":67},"updated":"2020-04-20 18:00:03.000000000","message":"nit: \"to\"","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":55,"context_line":".. note:: ``scope_type`` is hardcoded in APIs and not overridable via policy file."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Nova policies have implemented the scope concept by defining the ``scope_type``"},{"line_number":58,"context_line":"in policies. 
To know each policy\u0027s ``scope_type``, please refer the"},{"line_number":59,"context_line":":doc:`Policy Reference \u003c/configuration/policy\u003e` and look for ``Scope Types`` or"},{"line_number":60,"context_line":"``Intended scope(s)`` in `Policy Sample File`_ as shown in below examples."},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_e49a906c","line":58,"range":{"start_line":58,"start_character":64,"end_line":58,"end_character":67},"in_reply_to":"1f493fa4_6113120f","updated":"2020-04-20 18:51:04.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":61,"context_line":""},{"line_number":62,"context_line":"#. ``System`` Scope"},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"   Policies with ``scope_type`` as ``system`` means a user with"},{"line_number":65,"context_line":"   ``system-scoped`` token has permission to access. This can be"},{"line_number":66,"context_line":"   seen as a global role. All the system-level operation\u0027s policies"},{"line_number":67,"context_line":"   have defaulted to [\u0027system\u0027] ``scope_type``."},{"line_number":68,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_c16b061d","line":65,"range":{"start_line":64,"start_character":3,"end_line":65,"end_character":52},"updated":"2020-04-20 18:00:03.000000000","message":"Is the scope on the policy, or on the rule? 
From your previous words, I thought it was in the rule...","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":61,"context_line":""},{"line_number":62,"context_line":"#. ``System`` Scope"},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"   Policies with ``scope_type`` as ``system`` means a user with"},{"line_number":65,"context_line":"   ``system-scoped`` token has permission to access. This can be"},{"line_number":66,"context_line":"   seen as a global role. All the system-level operation\u0027s policies"},{"line_number":67,"context_line":"   have defaulted to [\u0027system\u0027] ``scope_type``."},{"line_number":68,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_a479a830","line":65,"range":{"start_line":64,"start_character":3,"end_line":65,"end_character":52},"in_reply_to":"1f493fa4_c16b061d","updated":"2020-04-20 18:51:04.000000000","message":"policy is nothing but a Rule which has check_str (as set of roles or authorization variables) to compare the requested token, scope_type to compare the scope type of token with some documentation.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":66,"context_line":"   seen as a global role. 
All the system-level operation\u0027s policies"},{"line_number":67,"context_line":"   have defaulted to [\u0027system\u0027] ``scope_type``."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"   For Example GET /os-hypervisors."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"   .. code-block:: html"},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_9e72f9e2","line":69,"range":{"start_line":69,"start_character":3,"end_line":69,"end_character":35},"updated":"2020-04-20 17:16:44.000000000","message":"For example, consider the ``GET /os-hypervisors`` API.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":66,"context_line":"   seen as a global role. All the system-level operation\u0027s policies"},{"line_number":67,"context_line":"   have defaulted to [\u0027system\u0027] ``scope_type``."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"   For Example GET /os-hypervisors."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"   .. 
code-block:: html"},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_01f32ea0","line":69,"range":{"start_line":69,"start_character":3,"end_line":69,"end_character":35},"in_reply_to":"1f493fa4_9e72f9e2","updated":"2020-04-20 18:07:19.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":68,"context_line":""},{"line_number":69,"context_line":"   For Example GET /os-hypervisors."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"   .. code-block:: html"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"       # List all hypervisors."},{"line_number":74,"context_line":"       # GET  /os-hypervisors"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_1e50a932","line":71,"range":{"start_line":71,"start_character":19,"end_line":71,"end_character":23},"updated":"2020-04-20 17:16:44.000000000","message":"html? Maybe say \u0027none\u0027 or use \u0027.. code::\u0027 instead of \u0027.. code-block::\u0027","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":68,"context_line":""},{"line_number":69,"context_line":"   For Example GET /os-hypervisors."},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"   .. 
code-block:: html"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"       # List all hypervisors."},{"line_number":74,"context_line":"       # GET  /os-hypervisors"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_412a56e7","line":71,"range":{"start_line":71,"start_character":19,"end_line":71,"end_character":23},"in_reply_to":"1f493fa4_1e50a932","updated":"2020-04-20 18:07:19.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":73,"context_line":"       # List all hypervisors."},{"line_number":74,"context_line":"       # GET  /os-hypervisors"},{"line_number":75,"context_line":"       # Intended scope(s): system"},{"line_number":76,"context_line":"       #\"os_compute_api:os-hypervisors:list\": \"rule:system_reader_api\""},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"#. ``System and Project`` Scoped"},{"line_number":79,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_81273e65","line":76,"range":{"start_line":76,"start_character":52,"end_line":76,"end_character":69},"updated":"2020-04-20 18:00:03.000000000","message":"What\u0027s this rule? Is this something that exists and is well known? 
Why not spell out what this rule is?","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":73,"context_line":"       # List all hypervisors."},{"line_number":74,"context_line":"       # GET  /os-hypervisors"},{"line_number":75,"context_line":"       # Intended scope(s): system"},{"line_number":76,"context_line":"       #\"os_compute_api:os-hypervisors:list\": \"rule:system_reader_api\""},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"#. ``System and Project`` Scoped"},{"line_number":79,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_c4caf44d","line":76,"range":{"start_line":76,"start_character":52,"end_line":76,"end_character":69},"in_reply_to":"1f493fa4_81273e65","updated":"2020-04-20 18:51:04.000000000","message":"These are the new default rules as explained in next section.  I provided this example as full snippet of policy.json to have look at what are the scope of this policy.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":77,"context_line":""},{"line_number":78,"context_line":"#. 
``System and Project`` Scoped"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"   Policy with ``scope_type`` as ``system\u0027 and project`` means a user with"},{"line_number":81,"context_line":"   ``system-scoped`` or ``project-scoped`` token has permission to access."},{"line_number":82,"context_line":"   All the system and project level operation\u0027s policies have defaulted to"},{"line_number":83,"context_line":"   ``system and project`` ``scope_type``."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_1e3549f8","line":80,"range":{"start_line":80,"start_character":3,"end_line":80,"end_character":9},"updated":"2020-04-20 17:16:44.000000000","message":"Policies","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":77,"context_line":""},{"line_number":78,"context_line":"#. 
``System and Project`` Scoped"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"   Policy with ``scope_type`` as ``system\u0027 and project`` means a user with"},{"line_number":81,"context_line":"   ``system-scoped`` or ``project-scoped`` token has permission to access."},{"line_number":82,"context_line":"   All the system and project level operation\u0027s policies have defaulted to"},{"line_number":83,"context_line":"   ``system and project`` ``scope_type``."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_011b2e1b","line":80,"range":{"start_line":80,"start_character":41,"end_line":80,"end_character":43},"updated":"2020-04-20 18:00:03.000000000","message":"nit: extra \u0027","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":77,"context_line":""},{"line_number":78,"context_line":"#. 
``System and Project`` Scoped"},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"   Policy with ``scope_type`` as ``system\u0027 and project`` means a user with"},{"line_number":81,"context_line":"   ``system-scoped`` or ``project-scoped`` token has permission to access."},{"line_number":82,"context_line":"   All the system and project level operation\u0027s policies have defaulted to"},{"line_number":83,"context_line":"   ``system and project`` ``scope_type``."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_e14442ba","line":80,"range":{"start_line":80,"start_character":3,"end_line":80,"end_character":9},"in_reply_to":"1f493fa4_1e3549f8","updated":"2020-04-20 18:07:19.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":82,"context_line":"   All the system and project level operation\u0027s policies have defaulted to"},{"line_number":83,"context_line":"   ``system and project`` ``scope_type``."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"   For Example POST /servers/{server_id}/action (os-migrateLive)"},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"   .. 
code-block:: html"},{"line_number":88,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_be5ed542","line":85,"range":{"start_line":85,"start_character":3,"end_line":85,"end_character":64},"updated":"2020-04-20 17:16:44.000000000","message":"For example, consider the ``POST /servers/{server_id}/action (os-migrateLive)`` API.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":82,"context_line":"   All the system and project level operation\u0027s policies have defaulted to"},{"line_number":83,"context_line":"   ``system and project`` ``scope_type``."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"   For Example POST /servers/{server_id}/action (os-migrateLive)"},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"   .. 
code-block:: html"},{"line_number":88,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_411376b9","line":85,"range":{"start_line":85,"start_character":3,"end_line":85,"end_character":64},"in_reply_to":"1f493fa4_be5ed542","updated":"2020-04-20 18:07:19.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":89,"context_line":"       # Live migrate a server to a new host without a reboot"},{"line_number":90,"context_line":"       # POST  /servers/{server_id}/action (os-migrateLive)"},{"line_number":91,"context_line":"       # Intended scope(s): system, project"},{"line_number":92,"context_line":"       #\"os_compute_api:os-migrate-server:migrate_live\": \"rule:system_admin_api\""},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"#. ``Project`` Scoped"},{"line_number":95,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_61e152ff","line":92,"range":{"start_line":92,"start_character":63,"end_line":92,"end_character":79},"updated":"2020-04-20 18:00:03.000000000","message":"Ditto - spell out what this rule is.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":93,"context_line":""},{"line_number":94,"context_line":"#. ``Project`` Scoped"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"   Policy with ``scope_type`` as ``project`` means a user with"},{"line_number":97,"context_line":"   ``project-scoped`` token have permission to access. 
Project-level only"},{"line_number":98,"context_line":"   operation\u0027s policies are defaulted to ``project`` ``scope_type``."},{"line_number":99,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_5e3fd1d5","line":96,"range":{"start_line":96,"start_character":3,"end_line":96,"end_character":9},"updated":"2020-04-20 17:16:44.000000000","message":"Policies","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":93,"context_line":""},{"line_number":94,"context_line":"#. ``Project`` Scoped"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"   Policy with ``scope_type`` as ``project`` means a user with"},{"line_number":97,"context_line":"   ``project-scoped`` token have permission to access. Project-level only"},{"line_number":98,"context_line":"   operation\u0027s policies are defaulted to ``project`` ``scope_type``."},{"line_number":99,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_2118ead1","line":96,"range":{"start_line":96,"start_character":3,"end_line":96,"end_character":9},"in_reply_to":"1f493fa4_5e3fd1d5","updated":"2020-04-20 18:07:19.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":94,"context_line":"#. ``Project`` Scoped"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"   Policy with ``scope_type`` as ``project`` means a user with"},{"line_number":97,"context_line":"   ``project-scoped`` token have permission to access. 
Project-level only"},{"line_number":98,"context_line":"   operation\u0027s policies are defaulted to ``project`` ``scope_type``."},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"   For Example POST /os-server-groups."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_c1e5c60c","line":97,"range":{"start_line":97,"start_character":28,"end_line":97,"end_character":32},"updated":"2020-04-20 18:00:03.000000000","message":"\"has\"","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":94,"context_line":"#. ``Project`` Scoped"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"   Policy with ``scope_type`` as ``project`` means a user with"},{"line_number":97,"context_line":"   ``project-scoped`` token have permission to access. Project-level only"},{"line_number":98,"context_line":"   operation\u0027s policies are defaulted to ``project`` ``scope_type``."},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"   For Example POST /os-server-groups."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_a4c7e845","line":97,"range":{"start_line":97,"start_character":28,"end_line":97,"end_character":32},"in_reply_to":"1f493fa4_c1e5c60c","updated":"2020-04-20 18:51:04.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":97,"context_line":"   ``project-scoped`` token have permission to access. 
Project-level only"},{"line_number":98,"context_line":"   operation\u0027s policies are defaulted to ``project`` ``scope_type``."},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"   For Example POST /os-server-groups."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"   .. code-block:: html"},{"line_number":103,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_de55a11f","line":100,"updated":"2020-04-20 17:16:44.000000000","message":"As above","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":97,"context_line":"   ``project-scoped`` token have permission to access. Project-level only"},{"line_number":98,"context_line":"   operation\u0027s policies are defaulted to ``project`` ``scope_type``."},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"   For Example POST /os-server-groups."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"   .. 
code-block:: html"},{"line_number":103,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_810d7e92","line":100,"in_reply_to":"1f493fa4_de55a11f","updated":"2020-04-20 18:07:19.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":104,"context_line":"       # Create a new server group"},{"line_number":105,"context_line":"       # POST  /os-server-groups"},{"line_number":106,"context_line":"       # Intended scope(s): project"},{"line_number":107,"context_line":"       #\"os_compute_api:os-server-groups:create\": \"rule:project_member_api\""},{"line_number":108,"context_line":""},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"This way the problem of system vs project level admin can be solved. You can"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_e14ba2ad","line":107,"range":{"start_line":107,"start_character":56,"end_line":107,"end_character":74},"updated":"2020-04-20 18:00:03.000000000","message":"Ditto - spell it out.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":105,"context_line":"       # POST  /os-server-groups"},{"line_number":106,"context_line":"       # Intended scope(s): project"},{"line_number":107,"context_line":"       #\"os_compute_api:os-server-groups:create\": \"rule:project_member_api\""},{"line_number":108,"context_line":""},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"This way the problem of system vs project level admin can be solved. 
You can"},{"line_number":111,"context_line":"control the information with scope of the users. This means you can"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_de2ac18e","line":108,"updated":"2020-04-20 17:16:44.000000000","message":"nit: extra newline","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":105,"context_line":"       # POST  /os-server-groups"},{"line_number":106,"context_line":"       # Intended scope(s): project"},{"line_number":107,"context_line":"       #\"os_compute_api:os-server-groups:create\": \"rule:project_member_api\""},{"line_number":108,"context_line":""},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"This way the problem of system vs project level admin can be solved. You can"},{"line_number":111,"context_line":"control the information with scope of the users. This means you can"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_01216efc","line":108,"in_reply_to":"1f493fa4_de2ac18e","updated":"2020-04-20 18:07:19.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":112,"context_line":"control that none of the project level role can get the hypervisor"},{"line_number":113,"context_line":"information."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"This feature is disabled by default to allow operators to migrate from"},{"line_number":116,"context_line":"the old policy enforcement system in a graceful way. 
This can be"},{"line_number":117,"context_line":"enabled via config option in nova.conf\u0027s olso_policy section as shown below:"},{"line_number":118,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_41a096a6","line":115,"range":{"start_line":115,"start_character":0,"end_line":115,"end_character":12},"updated":"2020-04-20 18:00:03.000000000","message":"nit: I\u0027d spell it out - \"Policy scope is disabled by default [...]\"","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":112,"context_line":"control that none of the project level role can get the hypervisor"},{"line_number":113,"context_line":"information."},{"line_number":114,"context_line":""},{"line_number":115,"context_line":"This feature is disabled by default to allow operators to migrate from"},{"line_number":116,"context_line":"the old policy enforcement system in a graceful way. 
This can be"},{"line_number":117,"context_line":"enabled via config option in nova.conf\u0027s olso_policy section as shown below:"},{"line_number":118,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_04c5fc3c","line":115,"range":{"start_line":115,"start_character":0,"end_line":115,"end_character":12},"in_reply_to":"1f493fa4_41a096a6","updated":"2020-04-20 18:51:04.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":114,"context_line":""},{"line_number":115,"context_line":"This feature is disabled by default to allow operators to migrate from"},{"line_number":116,"context_line":"the old policy enforcement system in a graceful way. This can be"},{"line_number":117,"context_line":"enabled via config option in nova.conf\u0027s olso_policy section as shown below:"},{"line_number":118,"context_line":""},{"line_number":119,"context_line":".. code-block:: ini"},{"line_number":120,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_7e13ad67","line":117,"range":{"start_line":117,"start_character":0,"end_line":117,"end_character":76},"updated":"2020-04-20 17:16:44.000000000","message":"enabled by configuring the :oslo.config:option:`oslo_policy.enforce_scope` option to ``False``.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":119,"context_line":".. 
code-block:: ini"},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"  [oslo_policy]"},{"line_number":122,"context_line":"  enforce_scope\u003dTrue"},{"line_number":123,"context_line":""},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"New Defaults"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_61baf2de","line":122,"range":{"start_line":122,"start_character":0,"end_line":122,"end_character":20},"updated":"2020-04-20 18:00:03.000000000","message":"So what happens when operators turn this on? Does anyone lose access to things they previously (perhaps erroneously) had access to? Does anyone *gain* access to anything?\n\n\u003clater\u003e Ah, you talk about this further down - maybe mention a sentence here quick?","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":122,"context_line":"  enforce_scope\u003dTrue"},{"line_number":123,"context_line":""},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"New Defaults"},{"line_number":126,"context_line":"------------"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"You can refer to this document to know about all available defaults"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_610dd236","line":125,"range":{"start_line":125,"start_character":0,"end_line":125,"end_character":12},"updated":"2020-04-20 17:16:44.000000000","message":"Roles\n-----","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen 
Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":131,"context_line":"Along with the ``scope_type`` feature, Nova policy defines new"},{"line_number":132,"context_line":"defaults for each policy."},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"#. **Reader Roles**"},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"   This provides read-only access to the resources within the ``system`` or"},{"line_number":137,"context_line":"   ``project``. Nova policies are defaulted to below rules:"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_a137dae3","line":134,"range":{"start_line":134,"start_character":0,"end_line":134,"end_character":19},"updated":"2020-04-20 17:16:44.000000000","message":"Instead of using a bullet list, could you use titles or \u0027.. rubric:\u0027 (a title without an anchor)? It\u0027ll be easier read. Don\u0027t forget to dedent the below.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":131,"context_line":"Along with the ``scope_type`` feature, Nova policy defines new"},{"line_number":132,"context_line":"defaults for each policy."},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"#. **Reader Roles**"},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"   This provides read-only access to the resources within the ``system`` or"},{"line_number":137,"context_line":"   ``project``. 
Nova policies are defaulted to below rules:"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_21f46a5b","line":134,"range":{"start_line":134,"start_character":12,"end_line":134,"end_character":17},"updated":"2020-04-20 18:00:03.000000000","message":"These are rules, not roles. \"Reader\" is a role. \"system_reader_api\" is a rule.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":131,"context_line":"Along with the ``scope_type`` feature, Nova policy defines new"},{"line_number":132,"context_line":"defaults for each policy."},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"#. **Reader Roles**"},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"   This provides read-only access to the resources within the ``system`` or"},{"line_number":137,"context_line":"   ``project``. Nova policies are defaulted to below rules:"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_a4688821","line":134,"range":{"start_line":134,"start_character":12,"end_line":134,"end_character":17},"in_reply_to":"1f493fa4_21f46a5b","updated":"2020-04-20 18:51:04.000000000","message":"correct but \u0027system_reader_api\u0027 is one of the rule which is categorized under reader role. 
role having the read only access at different level of scope of token.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":131,"context_line":"Along with the ``scope_type`` feature, Nova policy defines new"},{"line_number":132,"context_line":"defaults for each policy."},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"#. **Reader Roles**"},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"   This provides read-only access to the resources within the ``system`` or"},{"line_number":137,"context_line":"   ``project``. Nova policies are defaulted to below rules:"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_21990a1f","line":134,"range":{"start_line":134,"start_character":0,"end_line":134,"end_character":19},"in_reply_to":"1f493fa4_a137dae3","updated":"2020-04-20 18:07:19.000000000","message":"ok, I changed these to literal to be consistent with scope types.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":136,"context_line":"   This provides read-only access to the resources within the ``system`` or"},{"line_number":137,"context_line":"   ``project``. Nova policies are defaulted to below rules:"},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"   .. 
code-block:: html"},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"      system_reader_api"},{"line_number":142,"context_line":"         Default"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_0135eeda","line":139,"range":{"start_line":139,"start_character":19,"end_line":139,"end_character":23},"updated":"2020-04-20 17:16:44.000000000","message":"none of \u0027.. code:\u0027","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":140,"context_line":""},{"line_number":141,"context_line":"      system_reader_api"},{"line_number":142,"context_line":"         Default"},{"line_number":143,"context_line":"            role:reader and system_scope:all"},{"line_number":144,"context_line":""},{"line_number":145,"context_line":"      system_or_project_reader"},{"line_number":146,"context_line":"         Default"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_41eff686","line":143,"range":{"start_line":143,"start_character":41,"end_line":143,"end_character":44},"updated":"2020-04-20 18:00:03.000000000","message":"What\u0027s \"all\"?","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":140,"context_line":""},{"line_number":141,"context_line":"      system_reader_api"},{"line_number":142,"context_line":"         Default"},{"line_number":143,"context_line":"            role:reader and system_scope:all"},{"line_number":144,"context_line":""},{"line_number":145,"context_line":"      system_or_project_reader"},{"line_number":146,"context_line":"        
 Default"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_c48794b6","line":143,"range":{"start_line":143,"start_character":41,"end_line":143,"end_character":44},"in_reply_to":"1f493fa4_41eff686","updated":"2020-04-20 18:51:04.000000000","message":"\u0027all\u0027 is kept in these rules so that system reader can be differentiated from project level reader. These are kept until scope_type is enabled by default.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":146,"context_line":"         Default"},{"line_number":147,"context_line":"            (rule:system_reader_api) or (role:reader and project_id:%(project_id)s)"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"#. **Member Roles**"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"   This role is to perform the project level write operation with combination"},{"line_number":152,"context_line":"   to the system admin. 
Nova policies are defaulted to below rules:"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_c102e63e","line":149,"range":{"start_line":149,"start_character":0,"end_line":149,"end_character":19},"updated":"2020-04-20 18:00:03.000000000","message":"Ditto - unless I gravely misunderstood something, \"project_member_api\" and \"system_admin_or_owner\" are rules, not roles.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":146,"context_line":"         Default"},{"line_number":147,"context_line":"            (rule:system_reader_api) or (role:reader and project_id:%(project_id)s)"},{"line_number":148,"context_line":""},{"line_number":149,"context_line":"#. **Member Roles**"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"   This role is to perform the project level write operation with combination"},{"line_number":152,"context_line":"   to the system admin. Nova policies are defaulted to below rules:"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_24f4785b","line":149,"range":{"start_line":149,"start_character":0,"end_line":149,"end_character":19},"in_reply_to":"1f493fa4_c102e63e","updated":"2020-04-20 18:51:04.000000000","message":"true but they are under the Member role. 
and the rule like project_member_api is an example of member role with extra project_id","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":160,"context_line":"      system_admin_or_owner"},{"line_number":161,"context_line":"         Default"},{"line_number":162,"context_line":"            (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"},{"line_number":163,"context_line":""},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"#. **Admin Roles**"},{"line_number":166,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_41fed605","line":163,"updated":"2020-04-20 17:16:44.000000000","message":"nit: newline","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":160,"context_line":"      system_admin_or_owner"},{"line_number":161,"context_line":"         Default"},{"line_number":162,"context_line":"            (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"},{"line_number":163,"context_line":""},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"#. 
**Admin Roles**"},{"line_number":166,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_01768e07","line":163,"in_reply_to":"1f493fa4_41fed605","updated":"2020-04-20 18:07:19.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":162,"context_line":"            (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"},{"line_number":163,"context_line":""},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"#. **Admin Roles**"},{"line_number":166,"context_line":""},{"line_number":167,"context_line":"   This role is to perform the admin level write operation at system as well"},{"line_number":168,"context_line":"   as at project-level operations. Nova policies are defaulted to below rules:"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_a1ffda32","line":165,"range":{"start_line":165,"start_character":0,"end_line":165,"end_character":18},"updated":"2020-04-20 18:00:03.000000000","message":"Ditto again.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":180,"context_line":"      system_admin_or_owner"},{"line_number":181,"context_line":"         Default"},{"line_number":182,"context_line":"            (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"},{"line_number":183,"context_line":""},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"With these new defaults, you can solve the problem 
of:"},{"line_number":186,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_2103ca0f","line":183,"updated":"2020-04-20 17:16:44.000000000","message":"nit: newline","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":180,"context_line":"      system_admin_or_owner"},{"line_number":181,"context_line":"         Default"},{"line_number":182,"context_line":"            (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"},{"line_number":183,"context_line":""},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"With these new defaults, you can solve the problem of:"},{"line_number":186,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_e1728211","line":183,"in_reply_to":"1f493fa4_2103ca0f","updated":"2020-04-20 18:07:19.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":205,"context_line":"We encourage every deployment to switch to new policy. ``scope_type`` will be"},{"line_number":206,"context_line":"enabled by default and old defaults will be removed in the 23.0.0 release."},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"To implement the new defaults reader roles, we made a few policies more"},{"line_number":209,"context_line":"granular. 
In that policies are renamed and old names are also suported for"},{"line_number":210,"context_line":"backward compatibility."},{"line_number":211,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_61bcb269","line":208,"range":{"start_line":208,"start_character":21,"end_line":208,"end_character":29},"updated":"2020-04-20 18:00:03.000000000","message":"nit: defaults or default?","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":205,"context_line":"We encourage every deployment to switch to new policy. ``scope_type`` will be"},{"line_number":206,"context_line":"enabled by default and old defaults will be removed in the 23.0.0 release."},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"To implement the new defaults reader roles, we made a few policies more"},{"line_number":209,"context_line":"granular. In that policies are renamed and old names are also suported for"},{"line_number":210,"context_line":"backward compatibility."},{"line_number":211,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_04921cf7","line":208,"range":{"start_line":208,"start_character":21,"end_line":208,"end_character":29},"in_reply_to":"1f493fa4_61bcb269","updated":"2020-04-20 18:51:04.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":205,"context_line":"We encourage every deployment to switch to new policy. 
``scope_type`` will be"},{"line_number":206,"context_line":"enabled by default and old defaults will be removed in the 23.0.0 release."},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"To implement the new defaults reader roles, we made a few policies more"},{"line_number":209,"context_line":"granular. In that policies are renamed and old names are also suported for"},{"line_number":210,"context_line":"backward compatibility."},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"Migration Plan"},{"line_number":213,"context_line":"--------------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_e1a7224f","line":210,"range":{"start_line":208,"start_character":44,"end_line":210,"end_character":23},"updated":"2020-04-20 18:00:03.000000000","message":"nit: this is a bit clunky - how about\n\n[...] some policies needed to become granular. They have been renamed, with the old names still supported for backwards compatibility.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":205,"context_line":"We encourage every deployment to switch to new policy. ``scope_type`` will be"},{"line_number":206,"context_line":"enabled by default and old defaults will be removed in the 23.0.0 release."},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"To implement the new defaults reader roles, we made a few policies more"},{"line_number":209,"context_line":"granular. 
In that policies are renamed and old names are also suported for"},{"line_number":210,"context_line":"backward compatibility."},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"Migration Plan"},{"line_number":213,"context_line":"--------------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_44bd4467","line":210,"range":{"start_line":208,"start_character":44,"end_line":210,"end_character":23},"in_reply_to":"1f493fa4_e1a7224f","updated":"2020-04-20 18:51:04.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":212,"context_line":"Migration Plan"},{"line_number":213,"context_line":"--------------"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"To have a graceful migration, nova provides two flags to switch to new policy"},{"line_number":216,"context_line":"completely. 
You do not need to overwrite the policy file to adopt the new policy"},{"line_number":217,"context_line":"defaults."},{"line_number":218,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_816c5e09","line":215,"range":{"start_line":215,"start_character":30,"end_line":215,"end_character":34},"updated":"2020-04-20 18:00:03.000000000","message":"Nova/nova, pick one ;)","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":212,"context_line":"Migration Plan"},{"line_number":213,"context_line":"--------------"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"To have a graceful migration, nova provides two flags to switch to new policy"},{"line_number":216,"context_line":"completely. You do not need to overwrite the policy file to adopt the new policy"},{"line_number":217,"context_line":"defaults."},{"line_number":218,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_617152e1","line":215,"range":{"start_line":215,"start_character":67,"end_line":215,"end_character":70},"updated":"2020-04-20 18:00:03.000000000","message":"the new","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":212,"context_line":"Migration Plan"},{"line_number":213,"context_line":"--------------"},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"To have a graceful migration, nova provides two flags to switch to new policy"},{"line_number":216,"context_line":"completely. 
You do not need to overwrite the policy file to adopt the new policy"},{"line_number":217,"context_line":"defaults."},{"line_number":218,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_24c2b8ea","line":215,"range":{"start_line":215,"start_character":30,"end_line":215,"end_character":34},"in_reply_to":"1f493fa4_816c5e09","updated":"2020-04-20 18:51:04.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":220,"context_line":""},{"line_number":221,"context_line":"#. Create scoped token:"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"   You need to create the new token with the scope knowledge via below CLI:"},{"line_number":224,"context_line":""},{"line_number":225,"context_line":"   - `Create System Scoped Token`_"},{"line_number":226,"context_line":"   - `Create Project Scoped Token`_"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_c175c6ce","line":223,"range":{"start_line":223,"start_character":41,"end_line":223,"end_character":44},"updated":"2020-04-20 18:00:03.000000000","message":"nit: drop this word.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":220,"context_line":""},{"line_number":221,"context_line":"#. 
Create scoped token:"},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"   You need to create the new token with the scope knowledge via below CLI:"},{"line_number":224,"context_line":""},{"line_number":225,"context_line":"   - `Create System Scoped Token`_"},{"line_number":226,"context_line":"   - `Create Project Scoped Token`_"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_84b74c87","line":223,"range":{"start_line":223,"start_character":41,"end_line":223,"end_character":44},"in_reply_to":"1f493fa4_c175c6ce","updated":"2020-04-20 18:51:04.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":225,"context_line":"   - `Create System Scoped Token`_"},{"line_number":226,"context_line":"   - `Create Project Scoped Token`_"},{"line_number":227,"context_line":""},{"line_number":228,"context_line":"#. Create new default roles in keystone if not done:"},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"   If you do not have new defaults in Keystone then you can create and re-run"},{"line_number":231,"context_line":"   the `Keystone Bootstrap`_. 
Keystone added this support in rocky release."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_2150ea32","line":228,"range":{"start_line":228,"start_character":40,"end_line":228,"end_character":51},"updated":"2020-04-20 18:00:03.000000000","message":"nit: \"if necessary\"","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":225,"context_line":"   - `Create System Scoped Token`_"},{"line_number":226,"context_line":"   - `Create Project Scoped Token`_"},{"line_number":227,"context_line":""},{"line_number":228,"context_line":"#. Create new default roles in keystone if not done:"},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"   If you do not have new defaults in Keystone then you can create and re-run"},{"line_number":231,"context_line":"   the `Keystone Bootstrap`_. Keystone added this support in rocky release."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_647160e1","line":228,"range":{"start_line":228,"start_character":40,"end_line":228,"end_character":51},"in_reply_to":"1f493fa4_2150ea32","updated":"2020-04-20 18:51:04.000000000","message":"\"if necessary\" sounds like an optional step but operator has to do this it make sure it was already done.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":232,"context_line":""},{"line_number":233,"context_line":"#. Enable Scope Checks"},{"line_number":234,"context_line":""},{"line_number":235,"context_line":"   ``enforce_scope`` flag is to enable the ``scope_type`` features. 
This option"},{"line_number":236,"context_line":"   controls whether or not to enforce scope when evaluating policies. If True,"},{"line_number":237,"context_line":"   the scope of the token used in the request is compared to the scope_types of"},{"line_number":238,"context_line":"   the policy being enforced. If the scopes do not match, an error will be"},{"line_number":239,"context_line":"   raised. If False, a message will be logged about policies are being invoked"},{"line_number":240,"context_line":"   with mismatching scope."},{"line_number":241,"context_line":""},{"line_number":242,"context_line":"   This flag is false by default and can be enabled via config option in"},{"line_number":243,"context_line":"   nova.conf as shown below:"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_a1207ab2","line":240,"range":{"start_line":235,"start_character":68,"end_line":240,"end_character":26},"updated":"2020-04-20 18:00:03.000000000","message":"Oh I see what you mean. It\u0027s arrived to kinda backwards. I\u0027d say:\n\nThe scope of the token used in the request is always compared to the scope_type of the policy. If the scopes do not match, one of two things can happen. If ``enforce_scope`` is True, the request will be rejected. If ``encore_scope`` is False, an warning will be logged, but the request will be accepted (assuming the rest of the policy passes).","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":232,"context_line":""},{"line_number":233,"context_line":"#. Enable Scope Checks"},{"line_number":234,"context_line":""},{"line_number":235,"context_line":"   ``enforce_scope`` flag is to enable the ``scope_type`` features. 
This option"},{"line_number":236,"context_line":"   controls whether or not to enforce scope when evaluating policies. If True,"},{"line_number":237,"context_line":"   the scope of the token used in the request is compared to the scope_types of"},{"line_number":238,"context_line":"   the policy being enforced. If the scopes do not match, an error will be"},{"line_number":239,"context_line":"   raised. If False, a message will be logged about policies are being invoked"},{"line_number":240,"context_line":"   with mismatching scope."},{"line_number":241,"context_line":""},{"line_number":242,"context_line":"   This flag is false by default and can be enabled via config option in"},{"line_number":243,"context_line":"   nova.conf as shown below:"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_4419c486","line":240,"range":{"start_line":235,"start_character":68,"end_line":240,"end_character":26},"in_reply_to":"1f493fa4_a1207ab2","updated":"2020-04-20 18:51:04.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":239,"context_line":"   raised. If False, a message will be logged about policies are being invoked"},{"line_number":240,"context_line":"   with mismatching scope."},{"line_number":241,"context_line":""},{"line_number":242,"context_line":"   This flag is false by default and can be enabled via config option in"},{"line_number":243,"context_line":"   nova.conf as shown below:"},{"line_number":244,"context_line":""},{"line_number":245,"context_line":""},{"line_number":246,"context_line":"   .. 
code-block:: ini"},{"line_number":247,"context_line":""},{"line_number":248,"context_line":"      [oslo_policy]"},{"line_number":249,"context_line":"      enforce_scope\u003dTrue"},{"line_number":250,"context_line":""},{"line_number":251,"context_line":"   .. note:: Before you enable this flag, you need to audit your users and make sure everyone"},{"line_number":252,"context_line":"             who needs system-level access has a system role assignment in keystone."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_e103a20e","line":249,"range":{"start_line":242,"start_character":32,"end_line":249,"end_character":24},"updated":"2020-04-20 18:00:03.000000000","message":"Is this really necessary?","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":239,"context_line":"   raised. If False, a message will be logged about policies are being invoked"},{"line_number":240,"context_line":"   with mismatching scope."},{"line_number":241,"context_line":""},{"line_number":242,"context_line":"   This flag is false by default and can be enabled via config option in"},{"line_number":243,"context_line":"   nova.conf as shown below:"},{"line_number":244,"context_line":""},{"line_number":245,"context_line":""},{"line_number":246,"context_line":"   .. code-block:: ini"},{"line_number":247,"context_line":""},{"line_number":248,"context_line":"      [oslo_policy]"},{"line_number":249,"context_line":"      enforce_scope\u003dTrue"},{"line_number":250,"context_line":""},{"line_number":251,"context_line":"   .. 
note:: Before you enable this flag, you need to audit your users and make sure everyone"},{"line_number":252,"context_line":"             who needs system-level access has a system role assignment in keystone."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_4ffefd05","line":249,"range":{"start_line":242,"start_character":32,"end_line":249,"end_character":24},"in_reply_to":"1f493fa4_e103a20e","updated":"2020-04-20 18:51:04.000000000","message":"yeah because this config option is per service and mentioning it how to enable is clear for operator.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":248,"context_line":"      [oslo_policy]"},{"line_number":249,"context_line":"      enforce_scope\u003dTrue"},{"line_number":250,"context_line":""},{"line_number":251,"context_line":"   .. note:: Before you enable this flag, you need to audit your users and make sure everyone"},{"line_number":252,"context_line":"             who needs system-level access has a system role assignment in keystone."},{"line_number":253,"context_line":""},{"line_number":254,"context_line":"#. Enable new defaults"},{"line_number":255,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_61183281","line":252,"range":{"start_line":251,"start_character":0,"end_line":252,"end_character":84},"updated":"2020-04-20 18:00:03.000000000","message":"OK, this is damn important. Do we have a callout more important than .. 
note:: Warning, maybe?","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":248,"context_line":"      [oslo_policy]"},{"line_number":249,"context_line":"      enforce_scope\u003dTrue"},{"line_number":250,"context_line":""},{"line_number":251,"context_line":"   .. note:: Before you enable this flag, you need to audit your users and make sure everyone"},{"line_number":252,"context_line":"             who needs system-level access has a system role assignment in keystone."},{"line_number":253,"context_line":""},{"line_number":254,"context_line":"#. Enable new defaults"},{"line_number":255,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_cf3a0dcc","line":252,"range":{"start_line":251,"start_character":0,"end_line":252,"end_character":84},"in_reply_to":"1f493fa4_61183281","updated":"2020-04-20 18:51:04.000000000","message":"warning might be ok but here I feel note is enough \n as the expectation is that operators move to new policy instead of keeping them an optional to enable and warn them before they do.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":259,"context_line":"   This means if any existing token is allowed for old defaults but is disallowed"},{"line_number":260,"context_line":"   for new defaults, it will be disallowed."},{"line_number":261,"context_line":""},{"line_number":262,"context_line":"   This is false by default and can be enabled via config option in nova.conf"},{"line_number":263,"context_line":"   as shown 
below:"},{"line_number":264,"context_line":""},{"line_number":265,"context_line":"   .. code-block:: ini"},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"      [oslo_policy]"},{"line_number":268,"context_line":"       enforce_new_defaults\u003dTrue"},{"line_number":269,"context_line":""},{"line_number":270,"context_line":"   .. note:: Before you enable this flag, you need to educate users about the different roles"},{"line_number":271,"context_line":"             they need to use to continue using Nova APIs."}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_0107ae1e","line":268,"range":{"start_line":262,"start_character":27,"end_line":268,"end_character":32},"updated":"2020-04-20 18:00:03.000000000","message":"Is this really necessary?","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"4e89079861736f87eb52fc55d5edcd7fed209a66","unresolved":false,"context_lines":[{"line_number":267,"context_line":"      [oslo_policy]"},{"line_number":268,"context_line":"       enforce_new_defaults\u003dTrue"},{"line_number":269,"context_line":""},{"line_number":270,"context_line":"   .. note:: Before you enable this flag, you need to educate users about the different roles"},{"line_number":271,"context_line":"             they need to use to continue using Nova APIs."},{"line_number":272,"context_line":""},{"line_number":273,"context_line":""},{"line_number":274,"context_line":"#. Check for deprecated policies"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_8408ec28","line":271,"range":{"start_line":270,"start_character":0,"end_line":271,"end_character":58},"updated":"2020-04-20 18:00:03.000000000","message":"What does that mean? 
Can the users chose their own roles?","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"513f833e935f3d519c86c9f16cd23eb35f5486e8","unresolved":false,"context_lines":[{"line_number":267,"context_line":"      [oslo_policy]"},{"line_number":268,"context_line":"       enforce_new_defaults\u003dTrue"},{"line_number":269,"context_line":""},{"line_number":270,"context_line":"   .. note:: Before you enable this flag, you need to educate users about the different roles"},{"line_number":271,"context_line":"             they need to use to continue using Nova APIs."},{"line_number":272,"context_line":""},{"line_number":273,"context_line":""},{"line_number":274,"context_line":"#. Check for deprecated policies"}],"source_content_type":"text/x-rst","patch_set":9,"id":"1f493fa4_2f51f10f","line":271,"range":{"start_line":270,"start_character":0,"end_line":271,"end_character":58},"in_reply_to":"1f493fa4_8408ec28","updated":"2020-04-20 18:51:04.000000000","message":"user cannot use but they can request to operator to assigned them role if they want to perform this operation.","commit_id":"98563dccd4555555bb79e14b81501970b644c301"}],"releasenotes/notes/bp-policy-defaults-refresh-b8e6e2d6b1a7bc21.yaml":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"5985dc3a9e487895e265371656f3cf646167f99a","unresolved":false,"context_lines":[{"line_number":17,"context_line":"    be moved to ``scope_type`` and new defaults in the next release."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"    Please refer `Policy New Defaults`_ for detail about policy new defaults"},{"line_number":20,"context_line":"    and migration 
plan."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"features:"},{"line_number":23,"context_line":"  - |"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"3f4c43b2_e55a41f1","line":20,"updated":"2020-04-16 01:51:52.000000000","message":"Not sure we\u0027ll want to add the prelude here, usually the prelude is a separate change. I think bauzas is working on the first draft of the prelude so would be good to sync up with him.","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"449ea953464b2f48a11ea3bc35b25888f22ebf2d","unresolved":false,"context_lines":[{"line_number":17,"context_line":"    be moved to ``scope_type`` and new defaults in the next release."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"    Please refer `Policy New Defaults`_ for detail about policy new defaults"},{"line_number":20,"context_line":"    and migration plan."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"features:"},{"line_number":23,"context_line":"  - |"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"3f4c43b2_867099de","line":20,"in_reply_to":"3f4c43b2_e55a41f1","updated":"2020-04-16 16:29:49.000000000","message":"ACK. I will remove from here and let bauzas to pick text if needed.","commit_id":"65686bf0adb972e73147ab231881bf4e2b0b8257"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":14,"context_line":"    * **Scope**"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"      Each policy is protected with appropriate ``scope_type``. 
Nova support"},{"line_number":17,"context_line":"      two types of ``sope_type`` with their combination. [\u0027system\u0027],"},{"line_number":18,"context_line":"      [\u0027project\u0027] and [\u0027system\u0027, \u0027project\u0027]."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":9,"id":"1f493fa4_615b122e","line":17,"range":{"start_line":17,"start_character":57,"end_line":17,"end_character":67},"updated":"2020-04-20 17:16:44.000000000","message":"``literal``","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":14,"context_line":"    * **Scope**"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"      Each policy is protected with appropriate ``scope_type``. Nova support"},{"line_number":17,"context_line":"      two types of ``sope_type`` with their combination. 
[\u0027system\u0027],"},{"line_number":18,"context_line":"      [\u0027project\u0027] and [\u0027system\u0027, \u0027project\u0027]."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":9,"id":"1f493fa4_e17c42b7","line":17,"range":{"start_line":17,"start_character":57,"end_line":17,"end_character":67},"in_reply_to":"1f493fa4_615b122e","updated":"2020-04-20 18:07:19.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"24ad06314853f7fe845270eed9ab3bcb19917408","unresolved":false,"context_lines":[{"line_number":15,"context_line":""},{"line_number":16,"context_line":"      Each policy is protected with appropriate ``scope_type``. Nova support"},{"line_number":17,"context_line":"      two types of ``sope_type`` with their combination. [\u0027system\u0027],"},{"line_number":18,"context_line":"      [\u0027project\u0027] and [\u0027system\u0027, \u0027project\u0027]."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"      To know each policy scope_type, please refer the \u0027Policy Reference\u0027_"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"1f493fa4_c13f86b3","line":18,"range":{"start_line":18,"start_character":6,"end_line":18,"end_character":44},"updated":"2020-04-20 17:16:44.000000000","message":"ditto","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"33590c56764d11f0681980077f2bc24ab6e5ecae","unresolved":false,"context_lines":[{"line_number":15,"context_line":""},{"line_number":16,"context_line":"      Each policy is protected with appropriate ``scope_type``. 
Nova support"},{"line_number":17,"context_line":"      two types of ``sope_type`` with their combination. [\u0027system\u0027],"},{"line_number":18,"context_line":"      [\u0027project\u0027] and [\u0027system\u0027, \u0027project\u0027]."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"      To know each policy scope_type, please refer the \u0027Policy Reference\u0027_"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"1f493fa4_414b7686","line":18,"range":{"start_line":18,"start_character":6,"end_line":18,"end_character":44},"in_reply_to":"1f493fa4_c13f86b3","updated":"2020-04-20 18:07:19.000000000","message":"Done","commit_id":"98563dccd4555555bb79e14b81501970b644c301"},{"author":{"_account_id":7634,"name":"Takashi Natsume","email":"takanattie@gmail.com","username":"natsumet"},"change_message_id":"68746229ea342faccfce29f05d8a61023dc5d629","unresolved":false,"context_lines":[{"line_number":18,"context_line":"      two types of ``sope_type`` with their combination. 
``[\u0027system\u0027]``,"},{"line_number":19,"context_line":"      ``[\u0027project\u0027]`` and ``[\u0027system\u0027, \u0027project\u0027]``."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"      To know each policy scope_type, please refer the \u0027Policy Reference\u0027_"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"      This feature is disabled by default can be enabled via config option"},{"line_number":24,"context_line":"      ``[oslo_policy]enforce_scope`` in ``nova.conf``"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"1f493fa4_24271db6","line":21,"range":{"start_line":21,"start_character":55,"end_line":21,"end_character":74},"updated":"2020-04-23 01:50:47.000000000","message":"This link does not work.\nIt should be as follows:\n\n  `Policy Reference`_","commit_id":"5bd94b74857d2bf5515203118a16029408494b7f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a6a90a53399c60be1c2b777f2c0422d8110751b4","unresolved":false,"context_lines":[{"line_number":18,"context_line":"      two types of ``sope_type`` with their combination. 
``[\u0027system\u0027]``,"},{"line_number":19,"context_line":"      ``[\u0027project\u0027]`` and ``[\u0027system\u0027, \u0027project\u0027]``."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"      To know each policy scope_type, please refer the \u0027Policy Reference\u0027_"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"      This feature is disabled by default can be enabled via config option"},{"line_number":24,"context_line":"      ``[oslo_policy]enforce_scope`` in ``nova.conf``"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"1f493fa4_440fc9e0","line":21,"range":{"start_line":21,"start_character":55,"end_line":21,"end_character":74},"in_reply_to":"1f493fa4_24271db6","updated":"2020-04-23 02:05:26.000000000","message":"ah, thanks for catching this. done.","commit_id":"5bd94b74857d2bf5515203118a16029408494b7f"},{"author":{"_account_id":7634,"name":"Takashi Natsume","email":"takanattie@gmail.com","username":"natsumet"},"change_message_id":"68746229ea342faccfce29f05d8a61023dc5d629","unresolved":false,"context_lines":[{"line_number":132,"context_line":"    - https://bugs.launchpad.net/nova/+bug/1871665"},{"line_number":133,"context_line":"    - https://bugs.launchpad.net/nova/+bug/1870226"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"    .. _policy-defaults-refresh: https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html"},{"line_number":136,"context_line":"    .. _Policy Reference: https://docs.openstack.org/nova/latest/configuration/policy.html"},{"line_number":137,"context_line":"    .. 
_Policy New Defaults: https://docs.openstack.org/nova/latest/configuration/policy-concepts.html"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"1f493fa4_643805d3","line":135,"range":{"start_line":135,"start_character":5,"end_line":135,"end_character":132},"updated":"2020-04-23 01:50:47.000000000","message":"nit:\nI could not find the link in this release note.\nSo it is not necessary.","commit_id":"5bd94b74857d2bf5515203118a16029408494b7f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a6a90a53399c60be1c2b777f2c0422d8110751b4","unresolved":false,"context_lines":[{"line_number":132,"context_line":"    - https://bugs.launchpad.net/nova/+bug/1871665"},{"line_number":133,"context_line":"    - https://bugs.launchpad.net/nova/+bug/1870226"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"    .. _policy-defaults-refresh: https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html"},{"line_number":136,"context_line":"    .. _Policy Reference: https://docs.openstack.org/nova/latest/configuration/policy.html"},{"line_number":137,"context_line":"    .. _Policy New Defaults: https://docs.openstack.org/nova/latest/configuration/policy-concepts.html"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"1f493fa4_c45479cd","line":135,"range":{"start_line":135,"start_character":5,"end_line":135,"end_character":132},"in_reply_to":"1f493fa4_643805d3","updated":"2020-04-23 02:05:26.000000000","message":"this link is of this doc so once we merge this patch we can get the correct link. 
I wanted to avoid changing the reno again to mention the link as I am doing doc also in the same patch.","commit_id":"5bd94b74857d2bf5515203118a16029408494b7f"},{"author":{"_account_id":7634,"name":"Takashi Natsume","email":"takanattie@gmail.com","username":"natsumet"},"change_message_id":"a41169851aca0552513cca3f19f6102879708f29","unresolved":false,"context_lines":[{"line_number":132,"context_line":"    - https://bugs.launchpad.net/nova/+bug/1871665"},{"line_number":133,"context_line":"    - https://bugs.launchpad.net/nova/+bug/1870226"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":"    .. _policy-defaults-refresh: https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html"},{"line_number":136,"context_line":"    .. _Policy Reference: https://docs.openstack.org/nova/latest/configuration/policy.html"},{"line_number":137,"context_line":"    .. _Policy New Defaults: https://docs.openstack.org/nova/latest/configuration/policy-concepts.html"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"1f493fa4_0495c1e4","line":135,"range":{"start_line":135,"start_character":5,"end_line":135,"end_character":132},"in_reply_to":"1f493fa4_c45479cd","updated":"2020-04-23 02:52:35.000000000","message":"This is a just comment that is not displayed?\nOkay.","commit_id":"5bd94b74857d2bf5515203118a16029408494b7f"}]}
