)]}'
{"doc/source/configuration/policy-concepts.rst":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"f4b2bc6d9668b60f1f34d5d29c9fd7c4e82f412c","unresolved":false,"context_lines":[{"line_number":207,"context_line":"   server or any other project with their token."},{"line_number":208,"context_line":""},{"line_number":209,"context_line":""},{"line_number":210,"context_line":"Nova  supported scope \u0026 Roles"},{"line_number":211,"context_line":"-----------------------------"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Nova support the below combination of scope and roles where roles can be"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f621f24_d26173d5","line":210,"range":{"start_line":210,"start_character":5,"end_line":210,"end_character":6},"updated":"2020-11-09 23:37:27.000000000","message":"extra space","commit_id":"f8187f66b71fb15584b9f7a970f76765f25be7a1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"93abb3232dcb2285edaff087c3876dddcd60fc0d","unresolved":false,"context_lines":[{"line_number":207,"context_line":"   server or any other project with their token."},{"line_number":208,"context_line":""},{"line_number":209,"context_line":""},{"line_number":210,"context_line":"Nova  supported scope \u0026 Roles"},{"line_number":211,"context_line":"-----------------------------"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Nova support the below combination of scope and roles where roles can be"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f621f24_1233eb15","line":210,"range":{"start_line":210,"start_character":5,"end_line":210,"end_character":6},"in_reply_to":"1f621f24_d26173d5","updated":"2020-11-10 
00:32:03.000000000","message":"Done","commit_id":"f8187f66b71fb15584b9f7a970f76765f25be7a1"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"f4b2bc6d9668b60f1f34d5d29c9fd7c4e82f412c","unresolved":false,"context_lines":[{"line_number":210,"context_line":"Nova  supported scope \u0026 Roles"},{"line_number":211,"context_line":"-----------------------------"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Nova support the below combination of scope and roles where roles can be"},{"line_number":214,"context_line":"overridden in policy.yaml file but scope are not override-able."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"#. SYSTEM_ADMIN: ``admin`` role on ``system`` scope"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f621f24_f2a10ffa","line":213,"range":{"start_line":213,"start_character":38,"end_line":213,"end_character":43},"updated":"2020-11-09 23:37:27.000000000","message":"scopes?","commit_id":"f8187f66b71fb15584b9f7a970f76765f25be7a1"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"f4b2bc6d9668b60f1f34d5d29c9fd7c4e82f412c","unresolved":false,"context_lines":[{"line_number":210,"context_line":"Nova  supported scope \u0026 Roles"},{"line_number":211,"context_line":"-----------------------------"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Nova support the below combination of scope and roles where roles can be"},{"line_number":214,"context_line":"overridden in policy.yaml file but scope are not override-able."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"#. 
SYSTEM_ADMIN: ``admin`` role on ``system`` scope"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f621f24_b25e770f","line":213,"range":{"start_line":213,"start_character":5,"end_line":213,"end_character":12},"updated":"2020-11-09 23:37:27.000000000","message":"supports","commit_id":"f8187f66b71fb15584b9f7a970f76765f25be7a1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"93abb3232dcb2285edaff087c3876dddcd60fc0d","unresolved":false,"context_lines":[{"line_number":210,"context_line":"Nova  supported scope \u0026 Roles"},{"line_number":211,"context_line":"-----------------------------"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Nova support the below combination of scope and roles where roles can be"},{"line_number":214,"context_line":"overridden in policy.yaml file but scope are not override-able."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"#. 
SYSTEM_ADMIN: ``admin`` role on ``system`` scope"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f621f24_f2374ffe","line":213,"range":{"start_line":213,"start_character":38,"end_line":213,"end_character":43},"in_reply_to":"1f621f24_f2a10ffa","updated":"2020-11-10 00:32:03.000000000","message":"Done","commit_id":"f8187f66b71fb15584b9f7a970f76765f25be7a1"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"f4b2bc6d9668b60f1f34d5d29c9fd7c4e82f412c","unresolved":false,"context_lines":[{"line_number":211,"context_line":"-----------------------------"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Nova support the below combination of scope and roles where roles can be"},{"line_number":214,"context_line":"overridden in policy.yaml file but scope are not override-able."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"#. SYSTEM_ADMIN: ``admin`` role on ``system`` scope"},{"line_number":217,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f621f24_52a3a300","line":214,"range":{"start_line":214,"start_character":11,"end_line":214,"end_character":13},"updated":"2020-11-09 23:37:27.000000000","message":"in the","commit_id":"f8187f66b71fb15584b9f7a970f76765f25be7a1"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"f4b2bc6d9668b60f1f34d5d29c9fd7c4e82f412c","unresolved":false,"context_lines":[{"line_number":211,"context_line":"-----------------------------"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Nova support the below combination of scope and roles where roles can be"},{"line_number":214,"context_line":"overridden in policy.yaml file but scope are not override-able."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"#. 
SYSTEM_ADMIN: ``admin`` role on ``system`` scope"},{"line_number":217,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f621f24_32a8a7d9","line":214,"range":{"start_line":214,"start_character":35,"end_line":214,"end_character":40},"updated":"2020-11-09 23:37:27.000000000","message":"scopes? Or change \"are\" to \"is\"","commit_id":"f8187f66b71fb15584b9f7a970f76765f25be7a1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"93abb3232dcb2285edaff087c3876dddcd60fc0d","unresolved":false,"context_lines":[{"line_number":211,"context_line":"-----------------------------"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Nova support the below combination of scope and roles where roles can be"},{"line_number":214,"context_line":"overridden in policy.yaml file but scope are not override-able."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"#. SYSTEM_ADMIN: ``admin`` role on ``system`` scope"},{"line_number":217,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f621f24_72233fbe","line":214,"range":{"start_line":214,"start_character":11,"end_line":214,"end_character":13},"in_reply_to":"1f621f24_52a3a300","updated":"2020-11-10 00:32:03.000000000","message":"Done","commit_id":"f8187f66b71fb15584b9f7a970f76765f25be7a1"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"f4b2bc6d9668b60f1f34d5d29c9fd7c4e82f412c","unresolved":false,"context_lines":[{"line_number":231,"context_line":"   or ``project`` scope. Such policy rules are scoped as both ``system``"},{"line_number":232,"context_line":"   as well as ``project``."},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"   .. 
note:: As of now, only ``system`` and ``project`` scope are supported in Nova."},{"line_number":235,"context_line":""},{"line_number":236,"context_line":"Backward Compatibility"},{"line_number":237,"context_line":"----------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f621f24_72969f95","line":234,"range":{"start_line":234,"start_character":56,"end_line":234,"end_character":61},"updated":"2020-11-09 23:37:27.000000000","message":"scopes?","commit_id":"f8187f66b71fb15584b9f7a970f76765f25be7a1"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"93abb3232dcb2285edaff087c3876dddcd60fc0d","unresolved":false,"context_lines":[{"line_number":231,"context_line":"   or ``project`` scope. Such policy rules are scoped as both ``system``"},{"line_number":232,"context_line":"   as well as ``project``."},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"   .. note:: As of now, only ``system`` and ``project`` scope are supported in Nova."},{"line_number":235,"context_line":""},{"line_number":236,"context_line":"Backward Compatibility"},{"line_number":237,"context_line":"----------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"1f621f24_52128363","line":234,"range":{"start_line":234,"start_character":56,"end_line":234,"end_character":61},"in_reply_to":"1f621f24_72969f95","updated":"2020-11-10 00:32:03.000000000","message":"Done","commit_id":"f8187f66b71fb15584b9f7a970f76765f25be7a1"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"8b8a215794a2ecd599ce168459abb761273be33b","unresolved":false,"context_lines":[{"line_number":217,"context_line":""},{"line_number":218,"context_line":"#. 
SYSTEM_READER: ``reader`` role on ``system`` scope"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"#. PROJECT_ADMIN: ``admin`` role on ``project`` scope"},{"line_number":221,"context_line":""},{"line_number":222,"context_line":"#. PROJECT_MEMBER: ``member`` role on ``project`` scope"},{"line_number":223,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f621f24_fe3c0894","line":220,"updated":"2020-11-13 01:46:36.000000000","message":"Hm, I had a conversation with sean-k-mooney yesterday and, IIUC, we don\u0027t fully support PROJECT_ADMIN as of yet and doing so would require some changes to make our tenant aggregate affinity behavior work with it (and we support doing this).\n\nI\u0027m not sure whether this means we shouldn\u0027t include this line or we should add more words under this line to clarify the current limitations of our PROJECT_ADMIN support.\n\nI\u0027m adding Sean to this review for comment.","commit_id":"91fdbab337d64d87ce6c099d5a0f9edd7f7ce035"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"cf53df10c1b1f96283d20e7f4320028e51ec75ea","unresolved":false,"context_lines":[{"line_number":217,"context_line":""},{"line_number":218,"context_line":"#. SYSTEM_READER: ``reader`` role on ``system`` scope"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"#. PROJECT_ADMIN: ``admin`` role on ``project`` scope"},{"line_number":221,"context_line":""},{"line_number":222,"context_line":"#. 
PROJECT_MEMBER: ``member`` role on ``project`` scope"},{"line_number":223,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"61d15a18_e09aa80d","line":220,"in_reply_to":"1f621f24_def2ec99","updated":"2021-06-02 00:56:05.000000000","message":"Yeah sorry, what I meant by \"full support\" is, if a user has the PROJECT_ADMIN role, is it possible for them to do all of the actions you listed? Currently, it is not possible for a user with PROJECT_ADMIN to do action \"force host\" because they have no access to the hypervisor list (and this is why you have the spec [1] to provide a way).\n\nI was thinking that since a user with PROJECT_ADMIN is unable to create a server on a specific host because they can\u0027t list the hypervisors, shouldn\u0027t we have a note:: in this doc mentioning that limitation and that it\u0027s being worked on via [1]?\n\nAnd are there any similar limitations in 2. zero disk flavor 3. on requested compute service 4. Attach an unshared external network to a server that should also be noted?\n\n[1] https://review.opendev.org/c/openstack/nova-specs/+/793011","commit_id":"91fdbab337d64d87ce6c099d5a0f9edd7f7ce035"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6bc5431d5119e025a215204bdc18d8edd7b414ee","unresolved":false,"context_lines":[{"line_number":217,"context_line":""},{"line_number":218,"context_line":"#. SYSTEM_READER: ``reader`` role on ``system`` scope"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"#. PROJECT_ADMIN: ``admin`` role on ``project`` scope"},{"line_number":221,"context_line":""},{"line_number":222,"context_line":"#. 
PROJECT_MEMBER: ``member`` role on ``project`` scope"},{"line_number":223,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1f621f24_def2ec99","line":220,"in_reply_to":"1f621f24_fe3c0894","updated":"2020-11-13 02:28:36.000000000","message":"I did not completely understand what is meant by full support. The PROJECT_ADMIN role will be used to check the access permission at the API layer, and the request is allowed to proceed if permitted. For example, if a project user with the admin role tries to create the server on the requested host (or create a server with a zero disk flavor), the API checks whether the user has the admin role in that project and then proceeds; otherwise it returns 403.\n\nWe use PROJECT_ADMIN for creating a server with 1. force host 2. zero disk flavor 3. on requested compute service 4. Attach an unshared external network to a server","commit_id":"91fdbab337d64d87ce6c099d5a0f9edd7f7ce035"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b67c682c223cbada7d2d67426b29d9f88e6c3c04","unresolved":false,"context_lines":[{"line_number":217,"context_line":""},{"line_number":218,"context_line":"#. SYSTEM_READER: ``reader`` role on ``system`` scope"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"#. PROJECT_ADMIN: ``admin`` role on ``project`` scope"},{"line_number":221,"context_line":""},{"line_number":222,"context_line":"#. PROJECT_MEMBER: ``member`` role on ``project`` scope"},{"line_number":223,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"71ec1d2f_11cdcbf1","line":220,"in_reply_to":"61d15a18_e09aa80d","updated":"2021-06-03 01:18:41.000000000","message":"I see your point and that is important from user perspective who are actually audience of this doc.\n\nI will add the limitation of our defaults policy and later once the 793011 spec is implemented then we can remove/modify that. 
But having PROJECT_ADMIN listed in this section is good for use cases where the system admin sends the host name to the project admin by some way other than the API (like via some doc, email etc).\n\nThese limitations apply to 1. force host 2. requested destination\n\n3. zero disk flavor - This is no issue I think, policy is checked to protect from the large image- https://github.com/openstack/nova/blob/c0c2888acaaccfa4266874523f62039cb9e143e0/nova/compute/api.py#L751\n\n4. Attach an unshared external - It depends on the neutron policy for getting the external network. If the user wants to create a server with a net id then they can get it from neutron, as the neutron policy for GET external network is SYSTEM_OR_PROJECT_READER[1]. Otherwise the requesting project's (creating server) networks will be fetched from neutron[2]. So with the neutron default policy I do not see any limitation here. Though I need to remove my todo from nova policy file- https://github.com/openstack/nova/blob/cd084aeeb8a2110759912c1b529917a9d3aac555/nova/policies/servers.py#L304\n\n\n[1] https://github.com/openstack/neutron/blob/0bdf3b56e0d4ede2d46eed09a4bb07dd3c00807d/neutron/conf/policies/network.py#L189\n\n[2] https://github.com/openstack/nova/blob/7cabd6dc40196aada7e9dba9382b8ae0c2a4bdb6/nova/network/neutron.py#L891","commit_id":"91fdbab337d64d87ce6c099d5a0f9edd7f7ce035"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"5b93ecea991948d1ec6b26814fe9fed7265aeee8","unresolved":false,"context_lines":[{"line_number":217,"context_line":""},{"line_number":218,"context_line":"#. SYSTEM_READER: ``reader`` role on ``system`` scope"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"#. PROJECT_ADMIN: ``admin`` role on ``project`` scope"},{"line_number":221,"context_line":""},{"line_number":222,"context_line":"#. 
PROJECT_MEMBER: ``member`` role on ``project`` scope"},{"line_number":223,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"a52f6d4d_2a8d42af","line":220,"in_reply_to":"71ec1d2f_11cdcbf1","updated":"2021-06-03 01:38:52.000000000","message":"removing the TODO for zero disk flavor and Attach an unshared external - https://review.opendev.org/c/openstack/nova/+/794360","commit_id":"91fdbab337d64d87ce6c099d5a0f9edd7f7ce035"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"88c5eacf59d68b17d7a8a81f04b8218c1eceb574","unresolved":true,"context_lines":[{"line_number":329,"context_line":"|                    +----------------------------------+-----------------+                   |"},{"line_number":330,"context_line":"|                    | PROJECT_READER_OR_SYSTEM_READER  | reader          |                   |"},{"line_number":331,"context_line":"+--------------------+----------------------------------+-----------------+-------------------+"},{"line_number":332,"context_line":""},{"line_number":333,"context_line":"We expect all deployments to migrate to new policy by 23.0.0 release so that"},{"line_number":334,"context_line":"we can remove the support of old policies."}],"source_content_type":"text/x-rst","patch_set":2,"id":"fc5fb05b_e4c53ba6","line":332,"updated":"2021-06-03 05:14:50.000000000","message":"Did you intend to remove this table when you went from PS2 to PS3? 
If so, the commit message still mentions adding a table mapping legacy rules to new rules.","commit_id":"91fdbab337d64d87ce6c099d5a0f9edd7f7ce035"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"019b320f867e89a7bf20f5fb6e1c440208f7d0ae","unresolved":true,"context_lines":[{"line_number":329,"context_line":"|                    +----------------------------------+-----------------+                   |"},{"line_number":330,"context_line":"|                    | PROJECT_READER_OR_SYSTEM_READER  | reader          |                   |"},{"line_number":331,"context_line":"+--------------------+----------------------------------+-----------------+-------------------+"},{"line_number":332,"context_line":""},{"line_number":333,"context_line":"We expect all deployments to migrate to new policy by 23.0.0 release so that"},{"line_number":334,"context_line":"we can remove the support of old policies."}],"source_content_type":"text/x-rst","patch_set":2,"id":"27f48517_a65bebb1","line":332,"in_reply_to":"fc5fb05b_e4c53ba6","updated":"2021-06-03 14:34:58.000000000","message":"oh, this is left by mistake, sorry about that. fixed.","commit_id":"91fdbab337d64d87ce6c099d5a0f9edd7f7ce035"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"88c5eacf59d68b17d7a8a81f04b8218c1eceb574","unresolved":true,"context_lines":[{"line_number":228,"context_line":"      To create a server on specific host via force host or requested"},{"line_number":229,"context_line":"      destination, you need to pass the hostname in ``POST /servers``"},{"line_number":230,"context_line":"      API request but there is no way for PROJECT_ADMIN to get the hostname"},{"line_number":231,"context_line":"      via API. 
This limitation will be addressed in a future release."},{"line_number":232,"context_line":""},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"#. PROJECT_MEMBER: ``member`` role on ``project`` scope"}],"source_content_type":"text/x-rst","patch_set":3,"id":"1855b7df_b6909ad2","line":231,"updated":"2021-06-03 05:14:50.000000000","message":"This note rendered weirdly with much larger font and made it look like a block quote:\n\nhttps://9135f330c682c5482515-1424e0f18ed1d65bb7e7c00bb059b2d8.ssl.cf1.rackcdn.com/762013/3/check/openstack-tox-docs/6b0fc58/docs/configuration/policy-concepts.html#nova-supported-scope-roles\n\nI\u0027m not sure how to fix that. stephenfin can probably help.","commit_id":"353a16c2a275d48872083af50957f4bc23402d67"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"019b320f867e89a7bf20f5fb6e1c440208f7d0ae","unresolved":true,"context_lines":[{"line_number":228,"context_line":"      To create a server on specific host via force host or requested"},{"line_number":229,"context_line":"      destination, you need to pass the hostname in ``POST /servers``"},{"line_number":230,"context_line":"      API request but there is no way for PROJECT_ADMIN to get the hostname"},{"line_number":231,"context_line":"      via API. This limitation will be addressed in a future release."},{"line_number":232,"context_line":""},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"#. PROJECT_MEMBER: ``member`` role on ``project`` scope"}],"source_content_type":"text/x-rst","patch_set":3,"id":"2f33077d_fd936e4f","line":231,"in_reply_to":"1855b7df_b6909ad2","updated":"2021-06-03 14:34:58.000000000","message":"yeah, extra indentation caused that. fixed.","commit_id":"353a16c2a275d48872083af50957f4bc23402d67"}]}
