)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f8d32da95086a71985e6561559465a9222c0647c","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Support user_id in policy for remote consoles"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"some of Nova API policies allow to use user_id in the policy rule"},{"line_number":10,"context_line":"definitions."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"This patch allows to use \u0027user_id:%(user_id)s\u0027 check (and the like)"},{"line_number":13,"context_line":"in the api access policy for getting URLs for remote consoles."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"Thus it is now possible to limit access to remote consoles to e.g."},{"line_number":16,"context_line":"only the user that created the instance."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"88917a47_83f41cd0","line":13,"range":{"start_line":9,"start_character":0,"end_line":13,"end_character":62},"updated":"2021-05-19 22:32:15.000000000","message":"To give some background on user level enforcement, in nova we wanted to remove it completely and interestingly it was not known things in nova itself that with policy.json rule check string operator can limit the operation at user level. This was not intended from nova at all and came up during v2-\u003ev2.1 implementation. \n\nBut when removing it completely in newton cycle, we got feedback from operator not to break existing deployment and use case and at least keep it for a limited defined server destructive actions. 
This spec can give you more clarity on discussion and work done to limit the user enforcement\n\n- https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/user-id-based-policy-enforcement.html\n\nAnd as long term when project hierarchy things will be there in OpenStack then we should remove the current user enforcement from each API policy and make it project level only. But we need to keep those until we have project hierarchy concept.\n\nIn summary, we cannot extend the user enforcement in more policy and should work to remove the existing one instead.","commit_id":"300fecb99aee56028a824c29ca28cf21d226260c"}]}
