)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1106a1bf13ffad5c241a79ce6b4ed4fc156d5710","unresolved":true,"context_lines":[{"line_number":4,"context_line":"Commit:     Dan Smith \u003cdansmith@redhat.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2021-11-05 12:56:08 -0700"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"WIP: Revert project-specific APIs for servers"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"This is super rough, but is heading towards what we discussed at PTG"},{"line_number":10,"context_line":"so we can start chipping away at testing."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"47f7ea20_df23c09f","line":7,"range":{"start_line":7,"start_character":12,"end_line":7,"end_character":19},"updated":"2021-11-05 20:15:20.000000000","message":"system*","commit_id":"99c1db0639575657962402e9b4ac20a9103de370"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a17a4bc1354677a42d5b1795ee57aeb53e8ba1b0","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     Dan Smith \u003cdansmith@redhat.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2021-11-05 12:56:08 -0700"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"WIP: Revert project-specific APIs for servers"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"This is super rough, but is heading towards what we discussed at PTG"},{"line_number":10,"context_line":"so we can start chipping away at testing."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"8f754def_66f5c1be","line":7,"range":{"start_line":7,"start_character":12,"end_line":7,"end_character":19},"in_reply_to":"26d6466e_a8352071","updated":"2021-11-08 
16:07:30.000000000","message":"Ack","commit_id":"99c1db0639575657962402e9b4ac20a9103de370"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ba62b88f41d8737e2ccfb067ba23820b7c7887ee","unresolved":true,"context_lines":[{"line_number":4,"context_line":"Commit:     Dan Smith \u003cdansmith@redhat.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2021-11-05 12:56:08 -0700"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"WIP: Revert project-specific APIs for servers"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"This is super rough, but is heading towards what we discussed at PTG"},{"line_number":10,"context_line":"so we can start chipping away at testing."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"26d6466e_a8352071","line":7,"range":{"start_line":7,"start_character":12,"end_line":7,"end_character":19},"in_reply_to":"47f7ea20_df23c09f","updated":"2021-11-06 00:09:38.000000000","message":"I meant project. This is hitting servers, which is a project-specific API, and I\u0027m reverting the changes (i.e. 
system-related changes) that were made to it.","commit_id":"99c1db0639575657962402e9b4ac20a9103de370"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"de92d9a9ae05af0a04c13e9bb55512b31ee58bb2","unresolved":true,"context_lines":[{"line_number":25,"context_line":""},{"line_number":26,"context_line":"Finally, we need to pass the roles in our API fixture to be able to"},{"line_number":27,"context_line":"run functional tests with any of those checks in place."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Change-Id: I395d97558c36200a6f6ba7c804ab2a9ac5e51d04"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":10,"id":"b3835694_6a2a762f","line":28,"range":{"start_line":28,"start_character":0,"end_line":28,"end_character":0},"updated":"2021-11-30 20:48:04.000000000","message":"as you know we have BP for this work to track. please add\n\n Partial implement blueprint policy-defaults-refresh-2","commit_id":"660d225b65ce49ebfea87508864a595c04861c15"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"4803f0aaac1fdef2c08f02f2b4616ca09fc564cb","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"cf8bf76d_f89f5cf5","updated":"2021-11-05 18:54:04.000000000","message":"This is still very rough, but it passes the servers tests (not flavor extra specs though). 
Hopefully it\u0027s clear enough to serve as a concrete discussion point.","commit_id":"99c1db0639575657962402e9b4ac20a9103de370"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"6ce5830fd28864e5dc71c9e6e67ccec511863b92","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"9b1f6f58_57b76811","updated":"2021-11-16 18:52:47.000000000","message":"recheck build has no results?","commit_id":"bf95358c3904c68973242623f114f0d326d36e5d"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"9ab30db07b648c236a3961aa2b2ec56f385fe161","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"dfbe16be_6f7e6b3b","updated":"2021-11-16 20:28:44.000000000","message":"recheck different \"no results\" job this time","commit_id":"bf95358c3904c68973242623f114f0d326d36e5d"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"cc5d391a5963781e7981330a10bb3735a5d9331d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"1805be47_a015f66e","updated":"2021-11-23 14:01:11.000000000","message":"I am not quite sure about the scope:all bit in the system_scope check, didn\u0027t we say that was going to be removed?","commit_id":"718fbe3701f0b1ecda72d8391a91c5f07a66eebd"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"3b01512dc93667f48d14887431ec7414651695f4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":12,"id":"189a89fc_0a3f6748","updated":"2022-02-16 11:41:31.000000000","message":"I\u0027ve read this but I don\u0027t feel I have enough knowledge for a +2","commit_id":"d9190912b95b788394864141b709e6e0dd2ebf27"},{"author":{"_account_id":7166,"name":"Sylvain 
Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"d6c16cb823ed5254f272de707dce0a49921a9110","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":12,"id":"c62761a8_2e29ca20","updated":"2022-02-14 16:03:07.000000000","message":"Was hard to review, but I don\u0027t see any concerns.","commit_id":"d9190912b95b788394864141b709e6e0dd2ebf27"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"828a3e41f3ddd1df3bfb77966b0043e009bf6683","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":12,"id":"4228d066_8e40749d","updated":"2022-02-24 16:41:23.000000000","message":"approving it, this is in good shape.","commit_id":"d9190912b95b788394864141b709e6e0dd2ebf27"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b6c0f25968d50e6b3ce0751ca615f2ef28fb73ec","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":12,"id":"2bb291de_216e4621","updated":"2022-01-17 01:38:16.000000000","message":"lgtm, I am covering PROJECT_ADMIN for no legacy rule case in https://review.opendev.org/c/openstack/nova/+/824845/ and rest all looks good.","commit_id":"d9190912b95b788394864141b709e6e0dd2ebf27"}],"nova/policies/base.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1106a1bf13ffad5c241a79ce6b4ed4fc156d5710","unresolved":true,"context_lines":[{"line_number":131,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY),"},{"line_number":132,"context_line":"    policy.RuleDefault("},{"line_number":133,"context_line":"        name\u003d\"project_member_or_admin\","},{"line_number":134,"context_line":"        check_str\u003d\"rule:project_admin_api or 
rule:project_member_api\","},{"line_number":135,"context_line":"        description\u003d\"Default rule for Project admin+owner APIs.\","},{"line_number":136,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY),"},{"line_number":137,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":2,"id":"79914ed8_cd6d45eb","line":134,"updated":"2021-11-05 20:15:20.000000000","message":"This could just be rule:project_member_api since admin implies member and the project check is the same, right?","commit_id":"99c1db0639575657962402e9b4ac20a9103de370"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"5957fddbd0a67f5c25e5ffd8d6f4ddf29b9dbc75","unresolved":true,"context_lines":[{"line_number":131,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY),"},{"line_number":132,"context_line":"    policy.RuleDefault("},{"line_number":133,"context_line":"        name\u003d\"project_member_or_admin\","},{"line_number":134,"context_line":"        check_str\u003d\"rule:project_admin_api or rule:project_member_api\","},{"line_number":135,"context_line":"        description\u003d\"Default rule for Project admin+owner APIs.\","},{"line_number":136,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY),"},{"line_number":137,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":2,"id":"feb852b3_f6b9f097","line":134,"in_reply_to":"5c738061_7f5f5a91","updated":"2021-11-08 15:21:26.000000000","message":"When I change this, legacy admin fails to be able to do all these things in the no-legacy test. I guess that\u0027s actually correct, huh? 
:)","commit_id":"99c1db0639575657962402e9b4ac20a9103de370"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"ba62b88f41d8737e2ccfb067ba23820b7c7887ee","unresolved":true,"context_lines":[{"line_number":131,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY),"},{"line_number":132,"context_line":"    policy.RuleDefault("},{"line_number":133,"context_line":"        name\u003d\"project_member_or_admin\","},{"line_number":134,"context_line":"        check_str\u003d\"rule:project_admin_api or rule:project_member_api\","},{"line_number":135,"context_line":"        description\u003d\"Default rule for Project admin+owner APIs.\","},{"line_number":136,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY),"},{"line_number":137,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":2,"id":"5c738061_7f5f5a91","line":134,"in_reply_to":"79914ed8_cd6d45eb","updated":"2021-11-06 00:09:38.000000000","message":"Oh, hmm, maybe. I guess these new rules imply the persona roles. 
I added this early when I was trying to untangle the way nova does this, so maybe I just need to be using PROJECT_MEMBER where I set it to ADMIN_OR_MEMBER.","commit_id":"99c1db0639575657962402e9b4ac20a9103de370"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a17a4bc1354677a42d5b1795ee57aeb53e8ba1b0","unresolved":true,"context_lines":[{"line_number":131,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY),"},{"line_number":132,"context_line":"    policy.RuleDefault("},{"line_number":133,"context_line":"        name\u003d\"project_member_or_admin\","},{"line_number":134,"context_line":"        check_str\u003d\"rule:project_admin_api or rule:project_member_api\","},{"line_number":135,"context_line":"        description\u003d\"Default rule for Project admin+owner APIs.\","},{"line_number":136,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY),"},{"line_number":137,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":2,"id":"472a040d_eb932b36","line":134,"in_reply_to":"feb852b3_f6b9f097","updated":"2021-11-08 16:07:30.000000000","message":"Legacy admin \u003d\u003d \u0027role:admin\u0027 and no project check, right?\n\nI think that makes sense if we agree that admin\u0027s must have a token scoped to the project to do the thing on that resource (getting a token scoped token project foo to reboot a server instead of using a token scoped to any project.)","commit_id":"99c1db0639575657962402e9b4ac20a9103de370"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fe4a6ee797d98b8d52cd146f1043888aeeb46808","unresolved":true,"context_lines":[{"line_number":56,"context_line":"PROJECT_READER \u003d 
\u0027rule:project_reader_api\u0027"},{"line_number":57,"context_line":"PROJECT_MEMBER_OR_SYSTEM_ADMIN \u003d \u0027rule:system_admin_or_owner\u0027"},{"line_number":58,"context_line":"PROJECT_READER_OR_SYSTEM_READER \u003d \u0027rule:system_or_project_reader\u0027"},{"line_number":59,"context_line":"CONTEXT_ADMIN \u003d \u0027rule:context_is_admin\u0027"},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"# NOTE(gmann): Below is the mapping of new roles and scope_types"},{"line_number":62,"context_line":"# with legacy roles::"}],"source_content_type":"text/x-python","patch_set":9,"id":"a6c7882c_ab0bc0cb","line":59,"range":{"start_line":59,"start_character":0,"end_line":59,"end_character":39},"updated":"2021-11-26 01:58:50.000000000","message":"let\u0027s add only \u0027ADMIN\u0027 which will be more clear. I am adding it in the below patch for using in other system admin policies also or you can also rebase on top of that? \n\nhttps://review.opendev.org/c/openstack/nova/+/819389","commit_id":"9cc235f918aa7daf679ac2240e030854babfa6de"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"917da1bf96ca1a3c059edf569a9b5a37a44d6ac5","unresolved":true,"context_lines":[{"line_number":56,"context_line":"PROJECT_READER \u003d \u0027rule:project_reader_api\u0027"},{"line_number":57,"context_line":"PROJECT_MEMBER_OR_SYSTEM_ADMIN \u003d \u0027rule:system_admin_or_owner\u0027"},{"line_number":58,"context_line":"PROJECT_READER_OR_SYSTEM_READER \u003d \u0027rule:system_or_project_reader\u0027"},{"line_number":59,"context_line":"CONTEXT_ADMIN \u003d \u0027rule:context_is_admin\u0027"},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"# NOTE(gmann): Below is the mapping of new roles and scope_types"},{"line_number":62,"context_line":"# with legacy 
roles::"}],"source_content_type":"text/x-python","patch_set":9,"id":"ffbc987b_89d85197","line":59,"range":{"start_line":59,"start_character":0,"end_line":59,"end_character":39},"in_reply_to":"a6c7882c_ab0bc0cb","updated":"2021-11-30 20:38:56.000000000","message":"My patch would not work as I thought oslo policy will do embedded ORed for all deprecated rule in hierarchy but that is not what it is now. let\u0027s leave about my patch of adding  \u0027admin\u0027.","commit_id":"9cc235f918aa7daf679ac2240e030854babfa6de"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"917da1bf96ca1a3c059edf569a9b5a37a44d6ac5","unresolved":true,"context_lines":[{"line_number":56,"context_line":"PROJECT_READER \u003d \u0027rule:project_reader_api\u0027"},{"line_number":57,"context_line":"PROJECT_MEMBER_OR_SYSTEM_ADMIN \u003d \u0027rule:system_admin_or_owner\u0027"},{"line_number":58,"context_line":"PROJECT_READER_OR_SYSTEM_READER \u003d \u0027rule:system_or_project_reader\u0027"},{"line_number":59,"context_line":"CONTEXT_ADMIN \u003d \u0027rule:context_is_admin\u0027"},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"# NOTE(gmann): Below is the mapping of new roles and scope_types"},{"line_number":62,"context_line":"# with legacy roles::"}],"source_content_type":"text/x-python","patch_set":10,"id":"543216d1_15fecfb1","line":59,"range":{"start_line":59,"start_character":0,"end_line":59,"end_character":14},"updated":"2021-11-30 20:38:56.000000000","message":"let\u0027s name it as ADMIN so that later if we want to rename rule \u0027context_is_admin\u0027 to \u0027admin\u0027 then we can change only in base class.","commit_id":"660d225b65ce49ebfea87508864a595c04861c15"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1d81848d39c4899d57e584f4e460b66ab14396c7","unresolved":true,"context_lines":[{"line_number":89,"context_line":"    policy.RuleDefault("},{"line_number":90,"context_line":"        \"context_is_admin\","},{"line_number":91,"context_line":"        \"role:admin\","},{"line_number":92,"context_line":"        \"Decides what is required for the \u0027is_admin:True\u0027 check to succeed.\"),"},{"line_number":93,"context_line":"    policy.RuleDefault("},{"line_number":94,"context_line":"        \"admin_or_owner\","},{"line_number":95,"context_line":"        \"is_admin:True or project_id:%(project_id)s\","}],"source_content_type":"text/x-python","patch_set":10,"id":"510a59e0_5ffbc2f5","line":92,"range":{"start_line":92,"start_character":75,"end_line":92,"end_character":76},"updated":"2021-11-30 18:57:05.000000000","message":"I thought functional test use fake policy but they do not which is good  - https://github.com/openstack/nova/blob/d630615a02469442fb50ed4aa7e092206a28166a/nova/tests/functional/integrated_helpers.py#L1175\n\nfunctional test failure are valid and because we use real policy there it captured that old token stop working with this change. 
we have to add the DEPRECATED_ADMIN_POLICY here so that old rule are logical ORed by oslo.policy like it was done in system_admin_api rule L108.","commit_id":"660d225b65ce49ebfea87508864a595c04861c15"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"51cd37a092ce2d77f1fe9e2c0201e656c4dc1ba1","unresolved":true,"context_lines":[{"line_number":91,"context_line":"        \"role:admin\","},{"line_number":92,"context_line":"        \"Decides what is required for the \u0027is_admin:True\u0027 check to succeed.\","},{"line_number":93,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_POLICY,"},{"line_number":94,"context_line":"        deprecated_for_removal\u003dTrue,"},{"line_number":95,"context_line":"        deprecated_reason\u003dDEPRECATED_REASON,"},{"line_number":96,"context_line":"        deprecated_since\u003d\u002721.0.0\u0027),"},{"line_number":97,"context_line":"    policy.RuleDefault("},{"line_number":98,"context_line":"        \"admin_or_owner\","},{"line_number":99,"context_line":"        \"is_admin:True or project_id:%(project_id)s\","}],"source_content_type":"text/x-python","patch_set":11,"id":"7d24c8e3_23ae746e","line":96,"range":{"start_line":94,"start_character":0,"end_line":96,"end_character":35},"updated":"2021-11-30 23:46:35.000000000","message":"now we are using this rule for base ADMIN so we should not mark it for removal right? 
later when legacy rule goes away then we can rename it if needed to \u0027admin\u0027.","commit_id":"a8c27f2435e3379e8d93d754a9c1f5d6636577a8"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"cbcfb00c96927e746459489175e064ed31496506","unresolved":true,"context_lines":[{"line_number":91,"context_line":"        \"role:admin\","},{"line_number":92,"context_line":"        \"Decides what is required for the \u0027is_admin:True\u0027 check to succeed.\","},{"line_number":93,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_POLICY,"},{"line_number":94,"context_line":"        deprecated_for_removal\u003dTrue,"},{"line_number":95,"context_line":"        deprecated_reason\u003dDEPRECATED_REASON,"},{"line_number":96,"context_line":"        deprecated_since\u003d\u002721.0.0\u0027),"},{"line_number":97,"context_line":"    policy.RuleDefault("},{"line_number":98,"context_line":"        \"admin_or_owner\","},{"line_number":99,"context_line":"        \"is_admin:True or project_id:%(project_id)s\","}],"source_content_type":"text/x-python","patch_set":11,"id":"c85a6674_3fe93eee","line":96,"range":{"start_line":94,"start_character":0,"end_line":96,"end_character":35},"in_reply_to":"7d24c8e3_23ae746e","updated":"2021-12-01 14:23:58.000000000","message":"Ah, yeah, just copy-pasta.","commit_id":"a8c27f2435e3379e8d93d754a9c1f5d6636577a8"}],"nova/policies/extended_server_attributes.py":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"d6c16cb823ed5254f272de707dce0a49921a9110","unresolved":true,"context_lines":[{"line_number":24,"context_line":"extended_server_attributes_policies \u003d ["},{"line_number":25,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":26,"context_line":"        name\u003dBASE_POLICY_NAME,"},{"line_number":27,"context_line":"        
check_str\u003dbase.PROJECT_ADMIN,"},{"line_number":28,"context_line":"        description\u003d\"\"\"Return extended attributes for server."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"This rule will control the visibility for a set of servers attributes:"}],"source_content_type":"text/x-python","patch_set":12,"id":"7db9800b_b5700df8","line":27,"updated":"2022-02-14 16:03:07.000000000","message":"makes sense","commit_id":"d9190912b95b788394864141b709e6e0dd2ebf27"}],"nova/policies/flavor_extra_specs.py":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fe683912d4c5446e7a1f2ed694fe6b5355f74aa1","unresolved":true,"context_lines":[{"line_number":73,"context_line":"        ],"},{"line_number":74,"context_line":"        scope_types\u003d[\u0027system\u0027]"},{"line_number":75,"context_line":"    ),"},{"line_number":76,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":77,"context_line":"        name\u003dPOLICY_ROOT % \u0027index\u0027,"},{"line_number":78,"context_line":"        check_str\u003dbase.PROJECT_READER,"},{"line_number":79,"context_line":"        description\u003d\"List extra specs for a flavor. Starting with \""},{"line_number":80,"context_line":"        \"microversion 2.47, the flavor used for a server is also returned \""}],"source_content_type":"text/x-python","patch_set":4,"id":"604c6094_b199c100","line":77,"range":{"start_line":76,"start_character":0,"end_line":77,"end_character":35},"updated":"2021-11-12 17:07:45.000000000","message":"we need to split this policy as extra specs in flavor APIs response should (as they can) be seen by system as they can operate flaovr (even get specific flavor extra specs too policy @L31). so we can keep\n\n1. this policy as PROJECT_READER_OR_SYSTEM_READER which will show extra spec in flavor related APIs\n2. 
new policy as PROJECT_READER which will show extra specs in server response.","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"34b25ccd012e9a8d2fbc3510cd5b7716f8a18d6e","unresolved":true,"context_lines":[{"line_number":73,"context_line":"        ],"},{"line_number":74,"context_line":"        scope_types\u003d[\u0027system\u0027]"},{"line_number":75,"context_line":"    ),"},{"line_number":76,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":77,"context_line":"        name\u003dPOLICY_ROOT % \u0027index\u0027,"},{"line_number":78,"context_line":"        check_str\u003dbase.PROJECT_READER,"},{"line_number":79,"context_line":"        description\u003d\"List extra specs for a flavor. Starting with \""},{"line_number":80,"context_line":"        \"microversion 2.47, the flavor used for a server is also returned \""}],"source_content_type":"text/x-python","patch_set":4,"id":"cb97f550_24c6a2d8","line":77,"range":{"start_line":76,"start_character":0,"end_line":77,"end_character":35},"in_reply_to":"604c6094_b199c100","updated":"2021-11-16 17:19:01.000000000","message":"Can we do this in a patch after this one? 
There\u0027s already a lot of change here and it seems like keeping this to refactor, followed by actual changes might be better.","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6f9dfd0d6ed27f4ed4f26793a392cc3e562922e3","unresolved":true,"context_lines":[{"line_number":73,"context_line":"        ],"},{"line_number":74,"context_line":"        scope_types\u003d[\u0027system\u0027]"},{"line_number":75,"context_line":"    ),"},{"line_number":76,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":77,"context_line":"        name\u003dPOLICY_ROOT % \u0027index\u0027,"},{"line_number":78,"context_line":"        check_str\u003dbase.PROJECT_READER,"},{"line_number":79,"context_line":"        description\u003d\"List extra specs for a flavor. Starting with \""},{"line_number":80,"context_line":"        \"microversion 2.47, the flavor used for a server is also returned \""}],"source_content_type":"text/x-python","patch_set":4,"id":"3d917e74_5b08eb03","line":77,"range":{"start_line":76,"start_character":0,"end_line":77,"end_character":35},"in_reply_to":"63d1fee9_8f6d40b0","updated":"2022-02-17 03:50:00.000000000","message":"done in https://review.opendev.org/c/openstack/nova/+/829626/1","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0f2ac485defcde68a6365d12226277fe8d574dfb","unresolved":true,"context_lines":[{"line_number":73,"context_line":"        ],"},{"line_number":74,"context_line":"        scope_types\u003d[\u0027system\u0027]"},{"line_number":75,"context_line":"    ),"},{"line_number":76,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":77,"context_line":"        name\u003dPOLICY_ROOT % 
\u0027index\u0027,"},{"line_number":78,"context_line":"        check_str\u003dbase.PROJECT_READER,"},{"line_number":79,"context_line":"        description\u003d\"List extra specs for a flavor. Starting with \""},{"line_number":80,"context_line":"        \"microversion 2.47, the flavor used for a server is also returned \""}],"source_content_type":"text/x-python","patch_set":4,"id":"63d1fee9_8f6d40b0","line":77,"range":{"start_line":76,"start_character":0,"end_line":77,"end_character":35},"in_reply_to":"cb97f550_24c6a2d8","updated":"2021-11-16 19:10:39.000000000","message":"+1 on separate one.","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fe683912d4c5446e7a1f2ed694fe6b5355f74aa1","unresolved":true,"context_lines":[{"line_number":86,"context_line":"                \u0027path\u0027: \u0027/flavors/{flavor_id}/os-extra_specs/\u0027,"},{"line_number":87,"context_line":"                \u0027method\u0027: \u0027GET\u0027"},{"line_number":88,"context_line":"            },"},{"line_number":89,"context_line":"            # Microversion 2.47 operations for servers:"},{"line_number":90,"context_line":"            {"},{"line_number":91,"context_line":"                \u0027path\u0027: \u0027/servers/detail\u0027,"},{"line_number":92,"context_line":"                \u0027method\u0027: \u0027GET\u0027"},{"line_number":93,"context_line":"            },"},{"line_number":94,"context_line":"            {"},{"line_number":95,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}\u0027,"},{"line_number":96,"context_line":"                \u0027method\u0027: \u0027GET\u0027"},{"line_number":97,"context_line":"            },"},{"line_number":98,"context_line":"            {"},{"line_number":99,"context_line":"                \u0027path\u0027: 
\u0027/servers/{server_id}\u0027,"},{"line_number":100,"context_line":"                \u0027method\u0027: \u0027PUT\u0027"},{"line_number":101,"context_line":"            },"},{"line_number":102,"context_line":"            {"},{"line_number":103,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/action (rebuild)\u0027,"},{"line_number":104,"context_line":"                \u0027method\u0027: \u0027POST\u0027"},{"line_number":105,"context_line":"            },"},{"line_number":106,"context_line":"            # Microversion 2.61 operations for flavors:"},{"line_number":107,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":4,"id":"4b2127a8_d79b21e5","line":104,"range":{"start_line":89,"start_character":0,"end_line":104,"end_character":32},"updated":"2021-11-12 17:07:45.000000000","message":"this part can go under new policy with project-reader access","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"cc5d391a5963781e7981330a10bb3735a5d9331d","unresolved":true,"context_lines":[{"line_number":75,"context_line":"    ),"},{"line_number":76,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":77,"context_line":"        name\u003dPOLICY_ROOT % \u0027index\u0027,"},{"line_number":78,"context_line":"        check_str\u003dbase.PROJECT_READER,"},{"line_number":79,"context_line":"        description\u003d\"List extra specs for a flavor. 
Starting with \""},{"line_number":80,"context_line":"        \"microversion 2.47, the flavor used for a server is also returned \""},{"line_number":81,"context_line":"        \"in the response when showing server details, updating a server or \""}],"source_content_type":"text/x-python","patch_set":6,"id":"f00f2b21_2c6fbfc8","line":78,"updated":"2021-11-23 14:01:11.000000000","message":"Part of me wonders why we have the project_id check in this rule, as the flavor resource sometimes applies to any project_id, but I feel I need to ignore this for now.\n\nCorrection: I see your comment on the topic now, agreed.","commit_id":"718fbe3701f0b1ecda72d8391a91c5f07a66eebd"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"d6c16cb823ed5254f272de707dce0a49921a9110","unresolved":true,"context_lines":[{"line_number":75,"context_line":"    ),"},{"line_number":76,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":77,"context_line":"        name\u003dPOLICY_ROOT % \u0027index\u0027,"},{"line_number":78,"context_line":"        check_str\u003dbase.PROJECT_READER,"},{"line_number":79,"context_line":"        description\u003d\"List extra specs for a flavor. 
Starting with \""},{"line_number":80,"context_line":"        \"microversion 2.47, the flavor used for a server is also returned \""},{"line_number":81,"context_line":"        \"in the response when showing server details, updating a server or \""}],"source_content_type":"text/x-python","patch_set":6,"id":"ac5c9193_e4187811","line":78,"in_reply_to":"f00f2b21_2c6fbfc8","updated":"2022-02-14 16:03:07.000000000","message":"This new policy looks good to me.","commit_id":"718fbe3701f0b1ecda72d8391a91c5f07a66eebd"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"905659a6200eeb75dbfab5d075eb4fde2144f8fb","unresolved":true,"context_lines":[{"line_number":37,"context_line":"    ),"},{"line_number":38,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":39,"context_line":"        name\u003dPOLICY_ROOT % \u0027create\u0027,"},{"line_number":40,"context_line":"        check_str\u003dbase.CONTEXT_ADMIN,"},{"line_number":41,"context_line":"        description\u003d\"Create extra specs for a flavor\","},{"line_number":42,"context_line":"        operations\u003d["},{"line_number":43,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":8,"id":"6d8b9dd6_8a8d5156","line":40,"updated":"2021-11-23 21:00:45.000000000","message":"This change broke another test that ensures that this is only doable by admin, because the test context only uses roles\u003dmember,is_admin\u003dTrue.","commit_id":"f9c2ed075c63410ff1ab9aad39eb1bd867a55719"}],"nova/policies/servers.py":[{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"969b8383c3b7b54d286c058f89a2fef22315bcf0","unresolved":true,"context_lines":[{"line_number":99,"context_line":"    # should do that by default."},{"line_number":100,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":101,"context_line":"        name\u003dSERVERS % 
\u0027show:host_status\u0027,"},{"line_number":102,"context_line":"        check_str\u003dbase.PROJECT_ADMIN,"},{"line_number":103,"context_line":"        description\u003d\"\"\""},{"line_number":104,"context_line":"Show a server with additional host status information."},{"line_number":105,"context_line":""}],"source_content_type":"text/x-python","patch_set":3,"id":"1cb112a5_8c37b1a9","line":102,"updated":"2021-11-10 16:34:16.000000000","message":"This has a project check now, but I think that is correct.","commit_id":"a614fbe28d0ae5269680797bc2a8d3d81af13945"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"632c0e210d0419798b183d9476015a94c7d081dc","unresolved":true,"context_lines":[{"line_number":99,"context_line":"    # should do that by default."},{"line_number":100,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":101,"context_line":"        name\u003dSERVERS % \u0027show:host_status\u0027,"},{"line_number":102,"context_line":"        check_str\u003dbase.PROJECT_ADMIN,"},{"line_number":103,"context_line":"        description\u003d\"\"\""},{"line_number":104,"context_line":"Show a server with additional host status information."},{"line_number":105,"context_line":""}],"source_content_type":"text/x-python","patch_set":3,"id":"7743aaa5_dac12eee","line":102,"in_reply_to":"1cb112a5_8c37b1a9","updated":"2021-11-10 16:36:05.000000000","message":"I think this means admin on the specific project, which is great: https://github.com/openstack/nova/blob/78d398ad91c7708d2a868ae216284b5bdcdc5ec6/nova/policies/base.py#L118","commit_id":"a614fbe28d0ae5269680797bc2a8d3d81af13945"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"61922e253356dacf0a2cc07b6427eb8b63727fea","unresolved":true,"context_lines":[{"line_number":464,"context_line":"                \u0027path\u0027: 
\u0027/servers/{server_id}/action (trigger_crash_dump)\u0027"},{"line_number":465,"context_line":"            }"},{"line_number":466,"context_line":"        ],"},{"line_number":467,"context_line":"        scope_types\u003d[\u0027project\u0027]),"},{"line_number":468,"context_line":"]"},{"line_number":469,"context_line":""},{"line_number":470,"context_line":""}],"source_content_type":"text/x-python","patch_set":3,"id":"4ac47f90_01efb7b2","line":467,"updated":"2021-11-10 16:21:38.000000000","message":"This looks like I expected/hoped, nice.","commit_id":"a614fbe28d0ae5269680797bc2a8d3d81af13945"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fe683912d4c5446e7a1f2ed694fe6b5355f74aa1","unresolved":true,"context_lines":[{"line_number":99,"context_line":"    # should do that by default."},{"line_number":100,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":101,"context_line":"        name\u003dSERVERS % \u0027show:host_status\u0027,"},{"line_number":102,"context_line":"        check_str\u003dbase.PROJECT_ADMIN,"},{"line_number":103,"context_line":"        description\u003d\"\"\""},{"line_number":104,"context_line":"Show a server with additional host status information."},{"line_number":105,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"94ecdd01_b52aed01","line":102,"range":{"start_line":102,"start_character":23,"end_line":102,"end_character":37},"updated":"2021-11-12 17:07:45.000000000","message":"+1.","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fe683912d4c5446e7a1f2ed694fe6b5355f74aa1","unresolved":true,"context_lines":[{"line_number":130,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/action 
(rebuild)\u0027"},{"line_number":131,"context_line":"            }"},{"line_number":132,"context_line":"        ],"},{"line_number":133,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027]),"},{"line_number":134,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":135,"context_line":"        name\u003dSERVERS % \u0027show:host_status:unknown-only\u0027,"},{"line_number":136,"context_line":"        check_str\u003dbase.PROJECT_ADMIN,"}],"source_content_type":"text/x-python","patch_set":4,"id":"a86320ae_9522c3f1","line":133,"range":{"start_line":133,"start_character":21,"end_line":133,"end_character":31},"updated":"2021-11-12 17:07:45.000000000","message":"this too -\u003e [\u0027project\u0027].","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"34b25ccd012e9a8d2fbc3510cd5b7716f8a18d6e","unresolved":true,"context_lines":[{"line_number":130,"context_line":"                \u0027path\u0027: \u0027/servers/{server_id}/action (rebuild)\u0027"},{"line_number":131,"context_line":"            }"},{"line_number":132,"context_line":"        ],"},{"line_number":133,"context_line":"        scope_types\u003d[\u0027system\u0027, \u0027project\u0027]),"},{"line_number":134,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":135,"context_line":"        name\u003dSERVERS % \u0027show:host_status:unknown-only\u0027,"},{"line_number":136,"context_line":"        check_str\u003dbase.PROJECT_ADMIN,"}],"source_content_type":"text/x-python","patch_set":4,"id":"76998a29_683f9c96","line":133,"range":{"start_line":133,"start_character":21,"end_line":133,"end_character":31},"in_reply_to":"a86320ae_9522c3f1","updated":"2021-11-16 17:19:01.000000000","message":"Oops, yep, thanks :)","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fe683912d4c5446e7a1f2ed694fe6b5355f74aa1","unresolved":true,"context_lines":[{"line_number":177,"context_line":"        scope_types\u003d[\u0027project\u0027]),"},{"line_number":178,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":179,"context_line":"        name\u003dSERVERS % \u0027create:forced_host\u0027,"},{"line_number":180,"context_line":"        # TODO(gmann): We need to make it SYSTEM_ADMIN."},{"line_number":181,"context_line":"        # PROJECT_ADMIN is added for now because create server"},{"line_number":182,"context_line":"        # policy is project scoped and there is no way to"},{"line_number":183,"context_line":"        # pass the project_id in request body for system scoped"},{"line_number":184,"context_line":"        # roles so that create server for other project with force host."},{"line_number":185,"context_line":"        # To achieve that, we need to update the create server API to"},{"line_number":186,"context_line":"        # accept the project_id for whom the server needs to be created"},{"line_number":187,"context_line":"        # and then change the scope of this policy to system-only"},{"line_number":188,"context_line":"        # Because that is API change it needs to be done with new"},{"line_number":189,"context_line":"        # microversion."},{"line_number":190,"context_line":"        check_str\u003dbase.PROJECT_ADMIN,"},{"line_number":191,"context_line":"        description\u003d\"\"\""},{"line_number":192,"context_line":"Create a server on the specified host and/or node."}],"source_content_type":"text/x-python","patch_set":4,"id":"6c2cbb4a_ebfff334","line":189,"range":{"start_line":180,"start_character":0,"end_line":189,"end_character":23},"updated":"2021-11-12 17:07:45.000000000","message":"as we decided on this part (keeping boot server to project only and project admin can get the sanitized host info), please remove this TODO 
also.","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fe683912d4c5446e7a1f2ed694fe6b5355f74aa1","unresolved":true,"context_lines":[{"line_number":204,"context_line":"        scope_types\u003d[\u0027project\u0027]),"},{"line_number":205,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":206,"context_line":"        name\u003dREQUESTED_DESTINATION,"},{"line_number":207,"context_line":"        # TODO(gmann): We need to make it SYSTEM_ADMIN."},{"line_number":208,"context_line":"        # PROJECT_ADMIN is added for now because create server"},{"line_number":209,"context_line":"        # policy is project scoped and there is no way to"},{"line_number":210,"context_line":"        # pass the project_id in request body for system scoped"},{"line_number":211,"context_line":"        # roles so that create server for other project with requested"},{"line_number":212,"context_line":"        # destination."},{"line_number":213,"context_line":"        # To achieve that, we need to update the create server API to"},{"line_number":214,"context_line":"        # accept the project_id for whom the server needs to be created"},{"line_number":215,"context_line":"        # and then change the scope of this policy to system-only"},{"line_number":216,"context_line":"        # Because that is API change it needs to be done with new"},{"line_number":217,"context_line":"        # microversion."}],"source_content_type":"text/x-python","patch_set":4,"id":"51626307_31349680","line":214,"range":{"start_line":207,"start_character":3,"end_line":214,"end_character":71},"updated":"2021-11-12 17:07:45.000000000","message":"ditto","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":782,"name":"John 
Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"a111c5a0160f7816917af7962ebb1b5d1b9d247d","unresolved":true,"context_lines":[{"line_number":68,"context_line":"                \u0027path\u0027: \u0027/servers/detail\u0027"},{"line_number":69,"context_line":"            }"},{"line_number":70,"context_line":"        ],"},{"line_number":71,"context_line":"        scope_types\u003d[\u0027project\u0027]),"},{"line_number":72,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":73,"context_line":"        name\u003dSERVERS % \u0027allow_all_filters\u0027,"},{"line_number":74,"context_line":"        check_str\u003dbase.PROJECT_ADMIN,"}],"source_content_type":"text/x-python","patch_set":7,"id":"b113031d_6b50bbd0","line":71,"updated":"2021-11-23 16:32:19.000000000","message":"Interesting point, should this be system? I am not sure now :/","commit_id":"35e4e9a578f5c4f2ca701536bdb3f55957115b85"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"b4c196ea229f9f122c3e54e4baa0b0aa92ccc46e","unresolved":true,"context_lines":[{"line_number":68,"context_line":"                \u0027path\u0027: \u0027/servers/detail\u0027"},{"line_number":69,"context_line":"            }"},{"line_number":70,"context_line":"        ],"},{"line_number":71,"context_line":"        scope_types\u003d[\u0027project\u0027]),"},{"line_number":72,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":73,"context_line":"        name\u003dSERVERS % \u0027allow_all_filters\u0027,"},{"line_number":74,"context_line":"        check_str\u003dbase.PROJECT_ADMIN,"}],"source_content_type":"text/x-python","patch_set":7,"id":"bac721c9_9c8a35f6","line":71,"in_reply_to":"78bbb0e3_5a07b466","updated":"2021-11-23 16:50:35.000000000","message":"Ah I see what you mean. 
I think it doesn\u0027t matter in this case because we\u0027re not passing a target instance, so that project_id check is ignored.\n\nBut, we could also use rule:context_is_admin here if it makes you feel better and/or is clearer.","commit_id":"35e4e9a578f5c4f2ca701536bdb3f55957115b85"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"0b0e9207643bba3e4f0933b1f3dc543a0697bbb7","unresolved":true,"context_lines":[{"line_number":68,"context_line":"                \u0027path\u0027: \u0027/servers/detail\u0027"},{"line_number":69,"context_line":"            }"},{"line_number":70,"context_line":"        ],"},{"line_number":71,"context_line":"        scope_types\u003d[\u0027project\u0027]),"},{"line_number":72,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":73,"context_line":"        name\u003dSERVERS % \u0027allow_all_filters\u0027,"},{"line_number":74,"context_line":"        check_str\u003dbase.PROJECT_ADMIN,"}],"source_content_type":"text/x-python","patch_set":7,"id":"78bbb0e3_5a07b466","line":71,"in_reply_to":"b113031d_6b50bbd0","updated":"2021-11-23 16:36:56.000000000","message":"If system can\u0027t see instances, I\u0027m not sure why this should be system. 
Did you mean project,domain or just domain?","commit_id":"35e4e9a578f5c4f2ca701536bdb3f55957115b85"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"5179a34295bedad157e04c6e3517816cf59f61b4","unresolved":true,"context_lines":[{"line_number":68,"context_line":"                \u0027path\u0027: \u0027/servers/detail\u0027"},{"line_number":69,"context_line":"            }"},{"line_number":70,"context_line":"        ],"},{"line_number":71,"context_line":"        scope_types\u003d[\u0027project\u0027]),"},{"line_number":72,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":73,"context_line":"        name\u003dSERVERS % \u0027allow_all_filters\u0027,"},{"line_number":74,"context_line":"        check_str\u003dbase.PROJECT_ADMIN,"}],"source_content_type":"text/x-python","patch_set":7,"id":"19c96431_f550c341","line":71,"in_reply_to":"b113031d_6b50bbd0","updated":"2021-11-23 16:34:22.000000000","message":"Or more precisely... 
why are we checking for a matching project_id in this case?","commit_id":"35e4e9a578f5c4f2ca701536bdb3f55957115b85"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"db3d11ae8a275231559c00c20bb2ac6b178ac0c5","unresolved":true,"context_lines":[{"line_number":68,"context_line":"                \u0027path\u0027: \u0027/servers/detail\u0027"},{"line_number":69,"context_line":"            }"},{"line_number":70,"context_line":"        ],"},{"line_number":71,"context_line":"        scope_types\u003d[\u0027project\u0027]),"},{"line_number":72,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":73,"context_line":"        name\u003dSERVERS % \u0027allow_all_filters\u0027,"},{"line_number":74,"context_line":"        check_str\u003dbase.PROJECT_ADMIN,"}],"source_content_type":"text/x-python","patch_set":7,"id":"9a71e175_9857f1b1","line":71,"in_reply_to":"b4e7ff59_9cfbe66f","updated":"2021-11-23 18:02:59.000000000","message":"And as a reminder for future me, the next step is domain admin, but lets get the basics in place first.","commit_id":"35e4e9a578f5c4f2ca701536bdb3f55957115b85"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"30947e7396d07f2d61f2fef54481442e674c6b22","unresolved":true,"context_lines":[{"line_number":68,"context_line":"                \u0027path\u0027: \u0027/servers/detail\u0027"},{"line_number":69,"context_line":"            }"},{"line_number":70,"context_line":"        ],"},{"line_number":71,"context_line":"        scope_types\u003d[\u0027project\u0027]),"},{"line_number":72,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":73,"context_line":"        name\u003dSERVERS % \u0027allow_all_filters\u0027,"},{"line_number":74,"context_line":"        
check_str\u003dbase.PROJECT_ADMIN,"}],"source_content_type":"text/x-python","patch_set":7,"id":"b4e7ff59_9cfbe66f","line":71,"in_reply_to":"bac721c9_9c8a35f6","updated":"2021-11-23 17:52:41.000000000","message":"Ah, yes, I think that is it, rule:context_is_admin for clarity.\n\nBut for now, we leave it as project scoped (i.e. any project admin in any project can still list all instances), until we figure out domain scoped.\n\nI think this is the crux of Brian\u0027s issue with the current RBAC goal.","commit_id":"35e4e9a578f5c4f2ca701536bdb3f55957115b85"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"d6c16cb823ed5254f272de707dce0a49921a9110","unresolved":true,"context_lines":[{"line_number":185,"context_line":"        # accept the project_id for whom the server needs to be created"},{"line_number":186,"context_line":"        # and then change the scope of this policy to system-only"},{"line_number":187,"context_line":"        # Because that is API change it needs to be done with new"},{"line_number":188,"context_line":"        # microversion."},{"line_number":189,"context_line":"        check_str\u003dbase.PROJECT_ADMIN,"},{"line_number":190,"context_line":"        description\u003d\"\"\""},{"line_number":191,"context_line":"Create a server on the specified host and/or node."}],"source_content_type":"text/x-python","patch_set":12,"id":"d34b17b3_b9c71357","side":"PARENT","line":188,"updated":"2022-02-14 16:03:07.000000000","message":"glad you remove it","commit_id":"1850097ec177ed1fe03bd14d619a211a8f26d08f"}],"nova/tests/unit/policies/base.py":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fe683912d4c5446e7a1f2ed694fe6b5355f74aa1","unresolved":true,"context_lines":[{"line_number":105,"context_line":"        
])"},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"        # All the project contexts for easy access."},{"line_number":108,"context_line":"        self.all_project_contexts \u003d set(["},{"line_number":109,"context_line":"            self.legacy_admin_context,"},{"line_number":110,"context_line":"            self.project_admin_context, self.project_member_context,"},{"line_number":111,"context_line":"            self.project_reader_context, self.project_foo_context,"},{"line_number":112,"context_line":"            self.other_project_member_context,"},{"line_number":113,"context_line":"            self.other_project_reader_context,"},{"line_number":114,"context_line":"        ])"},{"line_number":115,"context_line":"        # All the system contexts for easy access."},{"line_number":116,"context_line":"        self.all_system_contexts \u003d set(["},{"line_number":117,"context_line":"            self.system_admin_context, self.system_foo_context,"}],"source_content_type":"text/x-python","patch_set":4,"id":"b7209e32_844434f6","line":114,"range":{"start_line":108,"start_character":0,"end_line":114,"end_character":10},"updated":"2021-11-12 17:07:45.000000000","message":"one more set of context we can set like below which can be used in most of the project reader policies. 
But just an idea and we can do it in next patch too\n        self.within_project_contexts \u003d set([\n            self.legacy_admin_context,\n            self.project_admin_context, self.project_member_context,\n            self.project_reader_context, self.project_foo_context,\n        ])","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fe683912d4c5446e7a1f2ed694fe6b5355f74aa1","unresolved":true,"context_lines":[{"line_number":138,"context_line":"            self.policy.set_rules(self.rules_without_deprecation,"},{"line_number":139,"context_line":"                                  overwrite\u003dFalse)"},{"line_number":140,"context_line":""},{"line_number":141,"context_line":"    def common_policy_auth(self, authorized_contexts,"},{"line_number":142,"context_line":"                           rule_name,"},{"line_number":143,"context_line":"                           func, req, *arg, **kwarg):"},{"line_number":144,"context_line":"        \"\"\"Check a policy rule against a set of authorized contexts."}],"source_content_type":"text/x-python","patch_set":4,"id":"57df594a_18e4af18","line":141,"updated":"2021-11-12 17:07:45.000000000","message":"+1. 
this is nice idea to make tests more readable and less error prone if we missed to test any valid context","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"59585d1802261c6c7d72490551ecf8550c7a3738","unresolved":true,"context_lines":[{"line_number":183,"context_line":"        def ensure_raises(req, *args, **kwargs):"},{"line_number":184,"context_line":"            exc \u003d self.assertRaises("},{"line_number":185,"context_line":"                exception.PolicyNotAuthorized, func, req, *arg, **kwarg)"},{"line_number":186,"context_line":"            # NOTE(danms): We may need to check a different rule_name"},{"line_number":187,"context_line":"            # as the enforced policy, based on the context we are"},{"line_number":188,"context_line":"            # using. Examples are multi-policy APIs for similar"},{"line_number":189,"context_line":"            # reasons as below. 
If we are passed a function for"},{"line_number":190,"context_line":"            # rule_name, call it with the context being used to"},{"line_number":191,"context_line":"            # determine the rule_name we should verify."},{"line_number":192,"context_line":"            if callable(rule_name):"},{"line_number":193,"context_line":"                actual_rule_name \u003d rule_name(req.environ[\u0027nova.context\u0027])"},{"line_number":194,"context_line":"            else:"},{"line_number":195,"context_line":"                actual_rule_name \u003d rule_name"},{"line_number":196,"context_line":"            # NOTE(gmann): In case of multi-policy APIs, PolicyNotAuthorized"}],"source_content_type":"text/x-python","patch_set":4,"id":"9b2904ea_a657077b","line":193,"range":{"start_line":186,"start_character":0,"end_line":193,"end_character":73},"updated":"2021-11-12 15:04:54.000000000","message":"Ah, I didn\u0027t know we did this already.","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"3d113fb4cf01cd305e75679684ac1231a9ba1c1a","unresolved":true,"context_lines":[{"line_number":183,"context_line":"        def ensure_raises(req, *args, **kwargs):"},{"line_number":184,"context_line":"            exc \u003d self.assertRaises("},{"line_number":185,"context_line":"                exception.PolicyNotAuthorized, func, req, *arg, **kwarg)"},{"line_number":186,"context_line":"            # NOTE(danms): We may need to check a different rule_name"},{"line_number":187,"context_line":"            # as the enforced policy, based on the context we are"},{"line_number":188,"context_line":"            # using. Examples are multi-policy APIs for similar"},{"line_number":189,"context_line":"            # reasons as below. 
If we are passed a function for"},{"line_number":190,"context_line":"            # rule_name, call it with the context being used to"},{"line_number":191,"context_line":"            # determine the rule_name we should verify."},{"line_number":192,"context_line":"            if callable(rule_name):"},{"line_number":193,"context_line":"                actual_rule_name \u003d rule_name(req.environ[\u0027nova.context\u0027])"},{"line_number":194,"context_line":"            else:"},{"line_number":195,"context_line":"                actual_rule_name \u003d rule_name"},{"line_number":196,"context_line":"            # NOTE(gmann): In case of multi-policy APIs, PolicyNotAuthorized"}],"source_content_type":"text/x-python","patch_set":4,"id":"81a75ef4_a9ab492a","line":193,"range":{"start_line":186,"start_character":0,"end_line":193,"end_character":73},"in_reply_to":"9b2904ea_a657077b","updated":"2021-11-12 15:24:05.000000000","message":"We don\u0027t, I added it in the patch below this :)","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"cc5d391a5963781e7981330a10bb3735a5d9331d","unresolved":true,"context_lines":[{"line_number":155,"context_line":""},{"line_number":156,"context_line":"        errors \u003d \u0027,\u0027.join(x.user_id for x in new_set - current)"},{"line_number":157,"context_line":"        self.assertEqual(\u0027\u0027, errors,"},{"line_number":158,"context_line":"                         \u0027Attempt to reduce set would add %s\u0027 % errors)"},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"        LOG.info(\u0027%s.%s_contexts: removing %s\u0027,"},{"line_number":161,"context_line":"                 self.__class__.__name__,"}],"source_content_type":"text/x-python","patch_set":6,"id":"3e33cc89_bf51af20","line":158,"updated":"2021-11-23 14:01:11.000000000","message":"ah, good 
call.","commit_id":"718fbe3701f0b1ecda72d8391a91c5f07a66eebd"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"d6c16cb823ed5254f272de707dce0a49921a9110","unresolved":true,"context_lines":[{"line_number":116,"context_line":"        self.all_system_contexts \u003d set(["},{"line_number":117,"context_line":"            self.system_admin_context, self.system_foo_context,"},{"line_number":118,"context_line":"            self.system_member_context, self.system_reader_context,"},{"line_number":119,"context_line":"        ])"},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"        if self.without_deprecated_rules:"},{"line_number":122,"context_line":"            # To simulate the new world, remove deprecations by overriding"}],"source_content_type":"text/x-python","patch_set":12,"id":"ddf7c77d_e1958a11","line":119,"updated":"2022-02-14 16:03:07.000000000","message":"all good above","commit_id":"d9190912b95b788394864141b709e6e0dd2ebf27"}],"nova/tests/unit/policies/test_flavor_extra_specs.py":[{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"2ee0285497285edc9991e8f393031a8466622c4c","unresolved":true,"context_lines":[{"line_number":353,"context_line":"        self.all_authorized_contexts.remove(self.system_foo_context)"},{"line_number":354,"context_line":"        self.all_authorized_contexts.remove(self.project_foo_context)"},{"line_number":355,"context_line":"        self.all_system_authorized_contexts.remove(self.system_foo_context)"},{"line_number":356,"context_line":"        self.all_project_authorized_contexts.remove(self.project_foo_context)"}],"source_content_type":"text/x-python","patch_set":3,"id":"7138886c_b00aee2c","line":356,"updated":"2021-11-10 16:12:07.000000000","message":"Lets also test (without_deprecated_rules \u003d True) with self.flags(enforce_scope\u003dFalse, 
group\u003d\"oslo_policy\")","commit_id":"a614fbe28d0ae5269680797bc2a8d3d81af13945"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"cc5d391a5963781e7981330a10bb3735a5d9331d","unresolved":true,"context_lines":[{"line_number":329,"context_line":"        # Scope checking is in effect, so break apart project/system"},{"line_number":330,"context_line":"        # authorization. Note that even for the server tests above, we"},{"line_number":331,"context_line":"        # are technically authorizing against a server-embedded flavor"},{"line_number":332,"context_line":"        # (which has no project affiliation like the actual flavor it"},{"line_number":333,"context_line":"        # came from) and thus the other_project_* contexts are"},{"line_number":334,"context_line":"        # technically valid here. In reality, failure for"},{"line_number":335,"context_line":"        # other_project_* to get the server itself would prevent those"}],"source_content_type":"text/x-python","patch_set":6,"id":"a3249c6a_ab940903","line":332,"updated":"2021-11-23 14:01:11.000000000","message":"Ah, OK, I was wondering about that too.","commit_id":"718fbe3701f0b1ecda72d8391a91c5f07a66eebd"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"cc5d391a5963781e7981330a10bb3735a5d9331d","unresolved":true,"context_lines":[{"line_number":360,"context_line":"            self.project_foo_context,"},{"line_number":361,"context_line":"        ])"},{"line_number":362,"context_line":""},{"line_number":363,"context_line":"        # Disabling legacy rules means we have system_scope:all in the"},{"line_number":364,"context_line":"        # check string, which means we hard-fail with non-system admin"},{"line_number":365,"context_line":"        # contexts, even without scope checking enabled."},{"line_number":366,"context_line":"        
self.admin_authorized_contexts \u003d [self.system_admin_context]"}],"source_content_type":"text/x-python","patch_set":6,"id":"5c56aeee_47262a82","line":363,"updated":"2021-11-23 14:01:11.000000000","message":"Didn\u0027t we say we wouldn\u0027t do that anymore for system_admin? Such that project admin will still work until we enable scope checking?\n\nI guess we have to make that change as a follow up, else we probably break all the other unit tests as well?\n\nI am +2 on this, once I get my head around this bit.","commit_id":"718fbe3701f0b1ecda72d8391a91c5f07a66eebd"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fc13d05455375b9851108618efbd3c8c5d2a3b6e","unresolved":true,"context_lines":[{"line_number":360,"context_line":"            self.project_foo_context,"},{"line_number":361,"context_line":"        ])"},{"line_number":362,"context_line":""},{"line_number":363,"context_line":"        # Disabling legacy rules means we have system_scope:all in the"},{"line_number":364,"context_line":"        # check string, which means we hard-fail with non-system admin"},{"line_number":365,"context_line":"        # contexts, even without scope checking enabled."},{"line_number":366,"context_line":"        self.admin_authorized_contexts \u003d [self.system_admin_context]"}],"source_content_type":"text/x-python","patch_set":6,"id":"a84a9df7_c17d967b","line":363,"in_reply_to":"3a11bca5_af7a9d60","updated":"2021-11-23 18:21:36.000000000","message":"so that is next things to do right ? 
converting all the system policy (system reader also) to system admin and without \u0027system:all\u0027 in check_str so that project admin can do all in system APIs if enforce_scope\u003dFalse (in no scope case, which will prevent project reader to list hosts but project admin can)","commit_id":"718fbe3701f0b1ecda72d8391a91c5f07a66eebd"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"5856158e52d6f9098ff912c8b8c56b858d37de16","unresolved":true,"context_lines":[{"line_number":360,"context_line":"            self.project_foo_context,"},{"line_number":361,"context_line":"        ])"},{"line_number":362,"context_line":""},{"line_number":363,"context_line":"        # Disabling legacy rules means we have system_scope:all in the"},{"line_number":364,"context_line":"        # check string, which means we hard-fail with non-system admin"},{"line_number":365,"context_line":"        # contexts, even without scope checking enabled."},{"line_number":366,"context_line":"        self.admin_authorized_contexts \u003d [self.system_admin_context]"}],"source_content_type":"text/x-python","patch_set":6,"id":"841ff371_9c8fc84e","line":363,"in_reply_to":"5c56aeee_47262a82","updated":"2021-11-23 15:12:17.000000000","message":"Well, my concern was that we kept scope_types\u003dsystem so that the admin doesn\u0027t/can\u0027t make a system api open to project users. I\u0027m not really sure what we should do about the opposite, which is what you\u0027re asking, and since I didn\u0027t have this \"no scope, but also no legacy\" test in here until late, I\u0027m not quite sure what to think.\n\nOn the one hand, if you\u0027re asking for no legacy, then maybe requiring system tokens even with scope checking disabled makes sense? 
Should we undo the chain of rules that ends up on a system-scope check and just have some check strings that require admin-and-no-project, as well as the admin-and-project-matches?","commit_id":"718fbe3701f0b1ecda72d8391a91c5f07a66eebd"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"a32185bf6ffee30b61cbdce1c9a67848cd97e0bb","unresolved":true,"context_lines":[{"line_number":360,"context_line":"            self.project_foo_context,"},{"line_number":361,"context_line":"        ])"},{"line_number":362,"context_line":""},{"line_number":363,"context_line":"        # Disabling legacy rules means we have system_scope:all in the"},{"line_number":364,"context_line":"        # check string, which means we hard-fail with non-system admin"},{"line_number":365,"context_line":"        # contexts, even without scope checking enabled."},{"line_number":366,"context_line":"        self.admin_authorized_contexts \u003d [self.system_admin_context]"}],"source_content_type":"text/x-python","patch_set":6,"id":"ab4b4f5f_ec0486e3","line":363,"in_reply_to":"841ff371_9c8fc84e","updated":"2021-11-23 15:56:02.000000000","message":"I thought the first step of the transition meant project admin could do system APIs until users opt into the scope check?\n\nI remember system reader being an issue. 
We don\u0027t want project reader seeing system stuff, so I think we said make those system admin for now.\n\nThe upside of that is only project admins will see any system things, without scope checking on (and without scope checks in the rule string).\n\nHaving said that, I am not against your plan here, but I thought we were going to do something slightly different.","commit_id":"718fbe3701f0b1ecda72d8391a91c5f07a66eebd"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"e0347b7cd20f01e78dda050d30b073b6698f53ac","unresolved":true,"context_lines":[{"line_number":360,"context_line":"            self.project_foo_context,"},{"line_number":361,"context_line":"        ])"},{"line_number":362,"context_line":""},{"line_number":363,"context_line":"        # Disabling legacy rules means we have system_scope:all in the"},{"line_number":364,"context_line":"        # check string, which means we hard-fail with non-system admin"},{"line_number":365,"context_line":"        # contexts, even without scope checking enabled."},{"line_number":366,"context_line":"        self.admin_authorized_contexts \u003d [self.system_admin_context]"}],"source_content_type":"text/x-python","patch_set":6,"id":"3a11bca5_af7a9d60","line":363,"in_reply_to":"96db033d_62118d97","updated":"2021-11-23 16:26:03.000000000","message":"yeah, I think is it.","commit_id":"718fbe3701f0b1ecda72d8391a91c5f07a66eebd"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"0a5dfbd80760d408f2bb13fdc76dabcbefac7c67","unresolved":true,"context_lines":[{"line_number":360,"context_line":"            self.project_foo_context,"},{"line_number":361,"context_line":"        ])"},{"line_number":362,"context_line":""},{"line_number":363,"context_line":"        # Disabling legacy rules means we have system_scope:all in the"},{"line_number":364,"context_line":"        # check string, which 
means we hard-fail with non-system admin"},{"line_number":365,"context_line":"        # contexts, even without scope checking enabled."},{"line_number":366,"context_line":"        self.admin_authorized_contexts \u003d [self.system_admin_context]"}],"source_content_type":"text/x-python","patch_set":6,"id":"d074fa9c_c064e99b","line":363,"in_reply_to":"ab4b4f5f_ec0486e3","updated":"2021-11-23 16:06:46.000000000","message":"Yeah, you\u0027re right about the plan, and I wasn\u0027t saying anything other than that I hadn\u0027t realized this detail about what we were checking until I added this fourth test case and you pointed it out just now.\n\nI think the confusion just comes from the fact that the current state ORs the old and new defaults together making some things work that might not otherwise. That\u0027s a good reason to get out of our current situation of perpetually having two defaults.\n\nWe have context_is_admin already, which is just \"role:admin\" so I guess that\u0027s really what we want those set to. 
If we use that check string and scope_types\u003dsystem, then it will work for any admin until scope checking is enabled, and after that, just system:admin.\n\nRight?","commit_id":"718fbe3701f0b1ecda72d8391a91c5f07a66eebd"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"abfe7e24ad7186c2de5351da4aa668f646eebba8","unresolved":true,"context_lines":[{"line_number":360,"context_line":"            self.project_foo_context,"},{"line_number":361,"context_line":"        ])"},{"line_number":362,"context_line":""},{"line_number":363,"context_line":"        # Disabling legacy rules means we have system_scope:all in the"},{"line_number":364,"context_line":"        # check string, which means we hard-fail with non-system admin"},{"line_number":365,"context_line":"        # contexts, even without scope checking enabled."},{"line_number":366,"context_line":"        self.admin_authorized_contexts \u003d [self.system_admin_context]"}],"source_content_type":"text/x-python","patch_set":6,"id":"96db033d_62118d97","line":363,"in_reply_to":"d074fa9c_c064e99b","updated":"2021-11-23 16:16:02.000000000","message":"Yeah, this works:\n\nhttps://termbin.com/2i32\n\nand I think this is what we want right?","commit_id":"718fbe3701f0b1ecda72d8391a91c5f07a66eebd"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"cc5d391a5963781e7981330a10bb3735a5d9331d","unresolved":true,"context_lines":[{"line_number":381,"context_line":"        self.all_authorized_contexts.remove(self.system_foo_context)"},{"line_number":382,"context_line":"        self.all_authorized_contexts.remove(self.project_foo_context)"},{"line_number":383,"context_line":"        self.all_system_authorized_contexts.remove(self.system_foo_context)"},{"line_number":384,"context_line":"        
self.all_project_authorized_contexts.remove(self.project_foo_context)"}],"source_content_type":"text/x-python","patch_set":6,"id":"41d9ba7c_d85a854f","line":384,"updated":"2021-11-23 14:01:11.000000000","message":"I am finding this set arithmetic quite hard to parse, I need to go through the chain to do mental set arithmetic to work out the final list of authorised users. I do get that the differences between the tests are much clearer though. It\u0027s probably just me (I have almost no short term working memory).","commit_id":"718fbe3701f0b1ecda72d8391a91c5f07a66eebd"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"5856158e52d6f9098ff912c8b8c56b858d37de16","unresolved":true,"context_lines":[{"line_number":381,"context_line":"        self.all_authorized_contexts.remove(self.system_foo_context)"},{"line_number":382,"context_line":"        self.all_authorized_contexts.remove(self.project_foo_context)"},{"line_number":383,"context_line":"        self.all_system_authorized_contexts.remove(self.system_foo_context)"},{"line_number":384,"context_line":"        self.all_project_authorized_contexts.remove(self.project_foo_context)"}],"source_content_type":"text/x-python","patch_set":6,"id":"a15e522b_8c26c044","line":384,"in_reply_to":"41d9ba7c_d85a854f","updated":"2021-11-23 15:12:17.000000000","message":"Sorry, looks like I forgot to de-math these flavor ones like I did the servers tests. 
I\u0027ll fix.","commit_id":"718fbe3701f0b1ecda72d8391a91c5f07a66eebd"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"2627066ffd520eda3dc7b76e42f04188ba3a173c","unresolved":true,"context_lines":[{"line_number":381,"context_line":"        self.all_authorized_contexts.remove(self.system_foo_context)"},{"line_number":382,"context_line":"        self.all_authorized_contexts.remove(self.project_foo_context)"},{"line_number":383,"context_line":"        self.all_system_authorized_contexts.remove(self.system_foo_context)"},{"line_number":384,"context_line":"        self.all_project_authorized_contexts.remove(self.project_foo_context)"}],"source_content_type":"text/x-python","patch_set":6,"id":"bac40023_c639f6d7","line":384,"in_reply_to":"a15e522b_8c26c044","updated":"2021-11-23 16:23:24.000000000","message":"ah, no worries, that is a bit easier now, thank you.","commit_id":"718fbe3701f0b1ecda72d8391a91c5f07a66eebd"}],"nova/tests/unit/policies/test_servers.py":[{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"61922e253356dacf0a2cc07b6427eb8b63727fea","unresolved":true,"context_lines":[{"line_number":1243,"context_line":""},{"line_number":1244,"context_line":"        # With scope checking enabled, system admins no longer have"},{"line_number":1245,"context_line":"        # admin-granted project resource access."},{"line_number":1246,"context_line":"        self.project_action_authorized_contexts.remove("},{"line_number":1247,"context_line":"            self.system_admin_context)"},{"line_number":1248,"context_line":""},{"line_number":1249,"context_line":"        # No change from the base behavior here, but we need to"}],"source_content_type":"text/x-python","patch_set":3,"id":"b2bfd197_45580030","line":1246,"updated":"2021-11-10 16:21:38.000000000","message":"This is so much nicer, annoyed we didn\u0027t think of 
this first time. I like it.","commit_id":"a614fbe28d0ae5269680797bc2a8d3d81af13945"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"59585d1802261c6c7d72490551ecf8550c7a3738","unresolved":true,"context_lines":[{"line_number":200,"context_line":""},{"line_number":201,"context_line":"        self.mock_get_all.side_effect \u003d fake_get_all"},{"line_number":202,"context_line":""},{"line_number":203,"context_line":"        if self.system_admin_context in self.project_admin_authorized_contexts:"},{"line_number":204,"context_line":"            check_rule \u003d rule_name"},{"line_number":205,"context_line":"        else:"},{"line_number":206,"context_line":"            check_rule \u003d functools.partial(rule_if_system, rule, rule_name)"},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"        self.common_policy_auth(self.project_admin_authorized_contexts,"},{"line_number":209,"context_line":"                                check_rule,"}],"source_content_type":"text/x-python","patch_set":4,"id":"62b46a83_6c9dad0d","line":206,"range":{"start_line":203,"start_character":0,"end_line":206,"end_character":75},"updated":"2021-11-12 15:04:54.000000000","message":"This is a bit horrid... I think I understand what you were talking about on the call now.\n\nI guess its only needed in this multiple rule case where the first rule\u0027s scope check blocks the second ever executing?\n\nI wish I could suggest a better way to deal with the case, as I feel like its going to appear in quite a few places :/\n\nWould it be cleaner to test for scope check being enabled? 
That seems more independent of the test assertion list, and really we only need to fall back in that case?","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"3d113fb4cf01cd305e75679684ac1231a9ba1c1a","unresolved":true,"context_lines":[{"line_number":200,"context_line":""},{"line_number":201,"context_line":"        self.mock_get_all.side_effect \u003d fake_get_all"},{"line_number":202,"context_line":""},{"line_number":203,"context_line":"        if self.system_admin_context in self.project_admin_authorized_contexts:"},{"line_number":204,"context_line":"            check_rule \u003d rule_name"},{"line_number":205,"context_line":"        else:"},{"line_number":206,"context_line":"            check_rule \u003d functools.partial(rule_if_system, rule, rule_name)"},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"        self.common_policy_auth(self.project_admin_authorized_contexts,"},{"line_number":209,"context_line":"                                check_rule,"}],"source_content_type":"text/x-python","patch_set":4,"id":"e01d4615_e5fbffe3","line":206,"range":{"start_line":203,"start_character":0,"end_line":206,"end_character":75},"in_reply_to":"62b46a83_6c9dad0d","updated":"2021-11-12 15:24:05.000000000","message":"I changed this in a few places to use the scope check, because of the new intermediate test class. 
So yeah, I\u0027ll change the rest and I think the logic should be the same.\n\nBut yeah, it\u0027s just to make sure we assert the right rule in the error message, because we can\u0027t make it not fail on the scope check of the parent rule.","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fe683912d4c5446e7a1f2ed694fe6b5355f74aa1","unresolved":true,"context_lines":[{"line_number":200,"context_line":""},{"line_number":201,"context_line":"        self.mock_get_all.side_effect \u003d fake_get_all"},{"line_number":202,"context_line":""},{"line_number":203,"context_line":"        if self.system_admin_context in self.project_admin_authorized_contexts:"},{"line_number":204,"context_line":"            check_rule \u003d rule_name"},{"line_number":205,"context_line":"        else:"},{"line_number":206,"context_line":"            check_rule \u003d functools.partial(rule_if_system, rule, rule_name)"},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"        self.common_policy_auth(self.project_admin_authorized_contexts,"},{"line_number":209,"context_line":"                                check_rule,"}],"source_content_type":"text/x-python","patch_set":4,"id":"e09eeb6e_2fda044a","line":206,"range":{"start_line":203,"start_character":0,"end_line":206,"end_character":75},"in_reply_to":"e01d4615_e5fbffe3","updated":"2021-11-12 17:07:45.000000000","message":"yeah, if we are doing error message checks then we need to just fail on first one due to scope checks which is what going to happen in real world too.\n\nAnother approach can be - we can skip that error message assert for multi policy (this one https://review.opendev.org/c/openstack/nova/+/816206/4/nova/tests/unit/policies/base.py#196) in favor of L189 which make sure \n1. 
parent rule will always pass for project scoped and any failure will be from child rule only\n2. for system scoped token it is failing on scope checks so we do not need to know that failed in parent or child rule.\nBUT with this approach, we need to make sure that we allow parent rule to everyone (@) in case of multi policy checks.","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fe683912d4c5446e7a1f2ed694fe6b5355f74aa1","unresolved":true,"context_lines":[{"line_number":1255,"context_line":""},{"line_number":1256,"context_line":"        # With scope checking enabled, system users no longer have"},{"line_number":1257,"context_line":"        # project access, even to create their own resources."},{"line_number":1258,"context_line":"        self.project_member_authorized_contexts -\u003d self.all_system_contexts"},{"line_number":1259,"context_line":""},{"line_number":1260,"context_line":"        # With scope checking enabled, system admin is no longer an"},{"line_number":1261,"context_line":"        # admin of project resources."}],"source_content_type":"text/x-python","patch_set":4,"id":"67cf44f9_6753645b","line":1258,"range":{"start_line":1258,"start_character":8,"end_line":1258,"end_character":75},"updated":"2021-11-12 17:07:45.000000000","message":"or we can say like below which make it easy to read otherwise I was about to comment on this and then I realized the \u0027-\u0027.\n\nself.project_member_authorized_contexts \u003d all_project_contexts","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fe683912d4c5446e7a1f2ed694fe6b5355f74aa1","unresolved":true,"context_lines":[{"line_number":1264,"context_line":""},{"line_number":1265,"context_line":"        # With scope checking enabled, system users also lose access to read"},{"line_number":1266,"context_line":"        # project resources."},{"line_number":1267,"context_line":"        self.everyone_authorized_contexts -\u003d self.all_system_contexts"},{"line_number":1268,"context_line":""},{"line_number":1269,"context_line":""},{"line_number":1270,"context_line":"class ServersNoLegacyNoScopeTest(ServersPolicyTest):"}],"source_content_type":"text/x-python","patch_set":4,"id":"982d87ff_8b799fee","line":1267,"range":{"start_line":1267,"start_character":0,"end_line":1267,"end_character":69},"updated":"2021-11-12 17:07:45.000000000","message":"ditto","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"59585d1802261c6c7d72490551ecf8550c7a3738","unresolved":true,"context_lines":[{"line_number":1267,"context_line":"        self.everyone_authorized_contexts -\u003d self.all_system_contexts"},{"line_number":1268,"context_line":""},{"line_number":1269,"context_line":""},{"line_number":1270,"context_line":"class ServersNoLegacyNoScopeTest(ServersPolicyTest):"},{"line_number":1271,"context_line":"    \"\"\"Test Servers API policies with deprecated rules disabled, but scope"},{"line_number":1272,"context_line":"    checking still disabled."},{"line_number":1273,"context_line":"    \"\"\""}],"source_content_type":"text/x-python","patch_set":4,"id":"721f20aa_8dd70759","line":1270,"updated":"2021-11-12 15:04:54.000000000","message":"Nit: maybe put this one first, as the other two inherit from each other? 
Not sure.","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"3d113fb4cf01cd305e75679684ac1231a9ba1c1a","unresolved":true,"context_lines":[{"line_number":1267,"context_line":"        self.everyone_authorized_contexts -\u003d self.all_system_contexts"},{"line_number":1268,"context_line":""},{"line_number":1269,"context_line":""},{"line_number":1270,"context_line":"class ServersNoLegacyNoScopeTest(ServersPolicyTest):"},{"line_number":1271,"context_line":"    \"\"\"Test Servers API policies with deprecated rules disabled, but scope"},{"line_number":1272,"context_line":"    checking still disabled."},{"line_number":1273,"context_line":"    \"\"\""}],"source_content_type":"text/x-python","patch_set":4,"id":"bb365531_032c8870","line":1270,"in_reply_to":"721f20aa_8dd70759","updated":"2021-11-12 15:24:05.000000000","message":"Sure.","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fe683912d4c5446e7a1f2ed694fe6b5355f74aa1","unresolved":true,"context_lines":[{"line_number":1267,"context_line":"        self.everyone_authorized_contexts -\u003d self.all_system_contexts"},{"line_number":1268,"context_line":""},{"line_number":1269,"context_line":""},{"line_number":1270,"context_line":"class ServersNoLegacyNoScopeTest(ServersPolicyTest):"},{"line_number":1271,"context_line":"    \"\"\"Test Servers API policies with deprecated rules disabled, but scope"},{"line_number":1272,"context_line":"    checking still disabled."},{"line_number":1273,"context_line":"    \"\"\""}],"source_content_type":"text/x-python","patch_set":4,"id":"2750650b_515d9412","line":1270,"in_reply_to":"bb365531_032c8870","updated":"2021-11-12 
17:07:45.000000000","message":"+1","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fe683912d4c5446e7a1f2ed694fe6b5355f74aa1","unresolved":true,"context_lines":[{"line_number":1281,"context_line":"        # resources. We also do not allow admin on other projects"},{"line_number":1282,"context_line":"        # (i.e. legacy_admin), nor system (because it\u0027s admin on no"},{"line_number":1283,"context_line":"        # project)."},{"line_number":1284,"context_line":"        self.project_action_authorized_contexts -\u003d set(["},{"line_number":1285,"context_line":"            self.project_reader_context,"},{"line_number":1286,"context_line":"            self.project_foo_context,"},{"line_number":1287,"context_line":"            self.legacy_admin_context,"},{"line_number":1288,"context_line":"            self.system_admin_context,"},{"line_number":1289,"context_line":"        ])"},{"line_number":1290,"context_line":""},{"line_number":1291,"context_line":"        # The only additional role that can read our resources is our"},{"line_number":1292,"context_line":"        # own project_reader."},{"line_number":1293,"context_line":"        self.project_reader_authorized_contexts \u003d ("}],"source_content_type":"text/x-python","patch_set":4,"id":"6178eea3_96724ab0","line":1290,"range":{"start_line":1284,"start_character":48,"end_line":1290,"end_character":0},"updated":"2021-11-12 17:07:45.000000000","message":"or we can just be explicit here that only project admin and member. current way of substracting make it go back to top and read what all left in self.project_action_authorized_contexts  after all these substract. 
\n\n self.project_action_authorized_contexts \u003d set([\n            self.project_admin_context, self.project_member_context\n        ])\n\nditto for others too?","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"59585d1802261c6c7d72490551ecf8550c7a3738","unresolved":true,"context_lines":[{"line_number":1306,"context_line":"        # not rejecting them by scope, even though these operations"},{"line_number":1307,"context_line":"        # with those tokens are likely to fail because they have no"},{"line_number":1308,"context_line":"        # project."},{"line_number":1309,"context_line":"        self.project_member_authorized_contexts -\u003d set(["},{"line_number":1310,"context_line":"            self.system_reader_context,"},{"line_number":1311,"context_line":"            self.system_foo_context,"},{"line_number":1312,"context_line":"            self.project_foo_context,"}],"source_content_type":"text/x-python","patch_set":4,"id":"12ef2e9f_a74ab268","line":1309,"updated":"2021-11-12 15:04:54.000000000","message":"I guess if you also enabled scope checks, we end up with the same list?\n\nI guess its a shame its very non-obvious to me if the lists here match the lists in ServersNoLegacyPolicyTest, now we do the set arithmetic style.\n\nIs it worth considering a middle ground here, do the full lists of people, but the massive gain is we don\u0027t need to specify the negative lists anymore.","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"3d113fb4cf01cd305e75679684ac1231a9ba1c1a","unresolved":true,"context_lines":[{"line_number":1306,"context_line":"        # not rejecting them by scope, even though these operations"},{"line_number":1307,"context_line":"        # with those tokens are likely to fail because 
they have no"},{"line_number":1308,"context_line":"        # project."},{"line_number":1309,"context_line":"        self.project_member_authorized_contexts -\u003d set(["},{"line_number":1310,"context_line":"            self.system_reader_context,"},{"line_number":1311,"context_line":"            self.system_foo_context,"},{"line_number":1312,"context_line":"            self.project_foo_context,"}],"source_content_type":"text/x-python","patch_set":4,"id":"d598470d_0199dcf5","line":1309,"in_reply_to":"12ef2e9f_a74ab268","updated":"2021-11-12 15:24:05.000000000","message":"Well, I can do full lists, but you trade some work. If everything specifies full lists, then it\u0027s harder to \"eye diff\" what is different between the two cases. It\u0027s easier to say \"okay this is who can do this in this test\" but it\u0027s harder to suss out the differences.\n\nOnce we stop having all these ways to configure it, then it definitely makes sense to make it all declarative like the base case. It just seems easier to grok the *differences* like this, which seems the most important thing at the moment. 
But, if people would rather see full lists, then I can do that instead.","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"23dbc0cd4c915cc00eb081c028074e155db296a9","unresolved":true,"context_lines":[{"line_number":1306,"context_line":"        # not rejecting them by scope, even though these operations"},{"line_number":1307,"context_line":"        # with those tokens are likely to fail because they have no"},{"line_number":1308,"context_line":"        # project."},{"line_number":1309,"context_line":"        self.project_member_authorized_contexts -\u003d set(["},{"line_number":1310,"context_line":"            self.system_reader_context,"},{"line_number":1311,"context_line":"            self.system_foo_context,"},{"line_number":1312,"context_line":"            self.project_foo_context,"}],"source_content_type":"text/x-python","patch_set":4,"id":"5f9263ad_2f2bc811","line":1309,"in_reply_to":"85a8c8d5_1fe32679","updated":"2021-11-16 16:54:14.000000000","message":"I\u0027m working on this now, making these declarative instead of just math. I\u0027m hoping a compromise between the two will suffice. Instead of something like this:\n\n self.existing_set - set([one, two])\n\nI\u0027m going to do:\n\n self.existing_set \u003d self.all_project_contexts - set([one, two])\n\nBasically, not giving up on the set math because it makes it much easier to reason, but at least not depending on what is set in the parent so it\u0027s easier to look at a single line and determine the full ... 
set.\n\nAlso, I\u0027m going to make those changes with a helper, which will log the difference from the parent\u0027s version *and* ensure that no subclass is *expanding* permission, which I think we should always be able to assert.\n\nDoes that sound reasonable?","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fe683912d4c5446e7a1f2ed694fe6b5355f74aa1","unresolved":true,"context_lines":[{"line_number":1306,"context_line":"        # not rejecting them by scope, even though these operations"},{"line_number":1307,"context_line":"        # with those tokens are likely to fail because they have no"},{"line_number":1308,"context_line":"        # project."},{"line_number":1309,"context_line":"        self.project_member_authorized_contexts -\u003d set(["},{"line_number":1310,"context_line":"            self.system_reader_context,"},{"line_number":1311,"context_line":"            self.system_foo_context,"},{"line_number":1312,"context_line":"            self.project_foo_context,"}],"source_content_type":"text/x-python","patch_set":4,"id":"85a8c8d5_1fe32679","line":1309,"in_reply_to":"d598470d_0199dcf5","updated":"2021-11-12 17:07:45.000000000","message":"yeah, I gave same comment before reaching here. 
I think a full list makes it easy to read who can do what in this configuration.","commit_id":"443bf9bf1b4ad9f4838c6e8039991379cd6b8ff2"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"7df66c078473b251d019f95df71c2e26c05b9e17","unresolved":true,"context_lines":[{"line_number":163,"context_line":"        self.cross_cell_authorized_contexts \u003d []"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"    # FIXME(danms): This should probably be in the base class so we"},{"line_number":166,"context_line":"    # can pattern everything else after it."},{"line_number":167,"context_line":"    def reduce_set(self, name, new_set):"},{"line_number":168,"context_line":"        \"\"\"Reduce a named set of contexts in a subclass."},{"line_number":169,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"e3d65bb6_37527e6c","line":166,"updated":"2021-11-16 17:22:52.000000000","message":"John and Gmann, looking specifically for your opinion on this. I think this addresses my concern over wanting the set math to be actual math (and have each subclass reduce the current too-large set of authorized users at each phase). 
But, it hopefully addresses your concerns over wanting each case below to declare the full set for easier reading.\n\nIf this looks okay I\u0027ll move it to the base class.","commit_id":"bf95358c3904c68973242623f114f0d326d36e5d"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0f2ac485defcde68a6365d12226277fe8d574dfb","unresolved":true,"context_lines":[{"line_number":163,"context_line":"        self.cross_cell_authorized_contexts \u003d []"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"    # FIXME(danms): This should probably be in the base class so we"},{"line_number":166,"context_line":"    # can pattern everything else after it."},{"line_number":167,"context_line":"    def reduce_set(self, name, new_set):"},{"line_number":168,"context_line":"        \"\"\"Reduce a named set of contexts in a subclass."},{"line_number":169,"context_line":""}],"source_content_type":"text/x-python","patch_set":5,"id":"3d1fb75a_3ce98278","line":166,"in_reply_to":"e3d65bb6_37527e6c","updated":"2021-11-16 19:10:39.000000000","message":"+1, thanks. this lgtm. 
Even it is not an explicit list of access, but it is easy now to understand what all access are disabled which solve the concern i had earlier.","commit_id":"bf95358c3904c68973242623f114f0d326d36e5d"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"7df66c078473b251d019f95df71c2e26c05b9e17","unresolved":true,"context_lines":[{"line_number":1380,"context_line":"                            self.project_foo_context,"},{"line_number":1381,"context_line":"                            self.project_reader_context,"},{"line_number":1382,"context_line":"                            self.other_project_reader_context,"},{"line_number":1383,"context_line":"                        ]))"}],"source_content_type":"text/x-python","patch_set":5,"id":"9ab62fe1_c658e413","line":1383,"updated":"2021-11-16 17:22:52.000000000","message":"Is this okay in terms of wanting this to be declarative? It\u0027s still the full set communicated in this statement: i.e. 
it doesn\u0027t reference the parent\u0027s set, but does use some of our symbolic \"all project contexts\" and some math to subtract things from that, but it\u0027s all defined here.","commit_id":"bf95358c3904c68973242623f114f0d326d36e5d"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0f2ac485defcde68a6365d12226277fe8d574dfb","unresolved":true,"context_lines":[{"line_number":1380,"context_line":"                            self.project_foo_context,"},{"line_number":1381,"context_line":"                            self.project_reader_context,"},{"line_number":1382,"context_line":"                            self.other_project_reader_context,"},{"line_number":1383,"context_line":"                        ]))"}],"source_content_type":"text/x-python","patch_set":5,"id":"dd558762_30b76d6d","line":1383,"in_reply_to":"9ab62fe1_c658e413","updated":"2021-11-16 19:10:39.000000000","message":"yeah, lgtm.","commit_id":"bf95358c3904c68973242623f114f0d326d36e5d"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b6c0f25968d50e6b3ce0751ca615f2ef28fb73ec","unresolved":true,"context_lines":[{"line_number":37,"context_line":"from nova.tests.unit.policies import base"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"CONF \u003d nova.conf.CONF"},{"line_number":40,"context_line":"LOG \u003d logging.getLogger(__name__)"},{"line_number":41,"context_line":""},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"def rule_if_system(system_rule, non_system_rule, context):"}],"source_content_type":"text/x-python","patch_set":12,"id":"72160119_6a02e36b","line":40,"range":{"start_line":40,"start_character":0,"end_line":40,"end_character":33},"updated":"2022-01-17 01:38:16.000000000","message":"I do not think this is used anywhere 
in this file","commit_id":"d9190912b95b788394864141b709e6e0dd2ebf27"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"d6c16cb823ed5254f272de707dce0a49921a9110","unresolved":true,"context_lines":[{"line_number":37,"context_line":"from nova.tests.unit.policies import base"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"CONF \u003d nova.conf.CONF"},{"line_number":40,"context_line":"LOG \u003d logging.getLogger(__name__)"},{"line_number":41,"context_line":""},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"def rule_if_system(system_rule, non_system_rule, context):"}],"source_content_type":"text/x-python","patch_set":12,"id":"a5a888bf_ca0c00df","line":40,"range":{"start_line":40,"start_character":0,"end_line":40,"end_character":33},"in_reply_to":"72160119_6a02e36b","updated":"2022-02-14 16:03:07.000000000","message":"can be done in a FUP, good catch","commit_id":"d9190912b95b788394864141b709e6e0dd2ebf27"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b6c0f25968d50e6b3ce0751ca615f2ef28fb73ec","unresolved":true,"context_lines":[{"line_number":1235,"context_line":"        self.reduce_set(\u0027project_action_authorized\u0027, set(["},{"line_number":1236,"context_line":"            self.project_admin_context, self.project_member_context,"},{"line_number":1237,"context_line":"        ]))"},{"line_number":1238,"context_line":""},{"line_number":1239,"context_line":"        # The only additional role that can read our resources is our"},{"line_number":1240,"context_line":"        # own project_reader."},{"line_number":1241,"context_line":"        self.project_reader_authorized_contexts \u003d 
("}],"source_content_type":"text/x-python","patch_set":12,"id":"e40d001d_f656b884","line":1238,"range":{"start_line":1238,"start_character":0,"end_line":1238,"end_character":0},"updated":"2022-01-17 01:38:16.000000000","message":"Here project_admin_authorized_context should also not allow legacy admin to perform things, but this patch passes because we have not added project_admin to the self.rules_without_deprecation list in the base test class - https://review.opendev.org/c/openstack/nova/+/816206/12/nova/tests/unit/policies/base.py#124\n\nI am adding that and covering this case in https://review.opendev.org/c/openstack/nova/+/824845","commit_id":"d9190912b95b788394864141b709e6e0dd2ebf27"}]}
