)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":26250,"name":"Johannes Kulik","email":"johannes.kulik@sap.com","username":"jkulik"},"change_message_id":"a8078728577c19014f301ca99c27fa9a335bc3f1","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"9de1f17f_6b36aad8","updated":"2024-02-26 08:04:32.000000000","message":"One question that stayed for me after reading the docs: What about evacuate/live-migration by operators? They would have to be able to read the user secrets in Barbican then, correct?","commit_id":"61223a1674616b0ea9e8d1cc3a15600ff3cee1a2"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"056a1a335d1848027c205e2d5145886fa2d0de03","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"dc9652ab_ad21198b","updated":"2024-02-26 21:58:01.000000000","message":"Will fix typos and add more text when I rebase the stack.","commit_id":"61223a1674616b0ea9e8d1cc3a15600ff3cee1a2"},{"author":{"_account_id":26250,"name":"Johannes Kulik","email":"johannes.kulik@sap.com","username":"jkulik"},"change_message_id":"cf6b71e5fcd97ec26f3567fd48bcd7fae9fb098c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"6d47b8d4_178a029c","in_reply_to":"840843d9_0b00ddda","updated":"2024-02-28 10:54:37.000000000","message":"Done","commit_id":"61223a1674616b0ea9e8d1cc3a15600ff3cee1a2"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"056a1a335d1848027c205e2d5145886fa2d0de03","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"840843d9_0b00ddda","in_reply_to":"9de1f17f_6b36aad8","updated":"2024-02-26 21:58:01.000000000","message":"Yes, that\u0027s correct. The default config in Barbican is to let project members read secrets created by that project. So out-of-the-box, the operator would need to be a project admin (basically whatever would be project member + admin powers) to do things like live migration or any other admin-only APIs.\n\nI\u0027ll try to add some more info to the section about the key permissions to make this clearer.","commit_id":"61223a1674616b0ea9e8d1cc3a15600ff3cee1a2"},{"author":{"_account_id":26250,"name":"Johannes Kulik","email":"johannes.kulik@sap.com","username":"jkulik"},"change_message_id":"4871addc63a964e2424f06bc4c911ef22acc44f6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"e3733b13_82427813","updated":"2024-02-28 10:54:10.000000000","message":"Much clearer to me now, thanks 👍","commit_id":"9a2d582c3c17e69edccd388d26babffbda3b5212"}],"doc/source/admin/ephemeral-encryption.rst":[{"author":{"_account_id":26250,"name":"Johannes Kulik","email":"johannes.kulik@sap.com","username":"jkulik"},"change_message_id":"a8078728577c19014f301ca99c27fa9a335bc3f1","unresolved":true,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Nova will create, retrieve, and delete disk passphrases using the authorization"},{"line_number":33,"context_line":"token of the user calling Nova API. The cloud operator must consider the"},{"line_number":34,"context_line":"implications of secret ownership with regard server actions and who is allowed"},{"line_number":35,"context_line":"to perform them."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"By default, Barbican scopes the ownership of a secret at the project level."}],"source_content_type":"text/x-rst","patch_set":2,"id":"7bbb5fd2_e9cf523e","line":34,"updated":"2024-02-26 08:04:32.000000000","message":"typo: \"with regard server actions\" \"with regard to server actions\"","commit_id":"61223a1674616b0ea9e8d1cc3a15600ff3cee1a2"},{"author":{"_account_id":26250,"name":"Johannes Kulik","email":"johannes.kulik@sap.com","username":"jkulik"},"change_message_id":"4871addc63a964e2424f06bc4c911ef22acc44f6","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Nova will create, retrieve, and delete disk passphrases using the authorization"},{"line_number":33,"context_line":"token of the user calling Nova API. The cloud operator must consider the"},{"line_number":34,"context_line":"implications of secret ownership with regard server actions and who is allowed"},{"line_number":35,"context_line":"to perform them."},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"By default, Barbican scopes the ownership of a secret at the project level."}],"source_content_type":"text/x-rst","patch_set":2,"id":"99de24f5_5a257213","line":34,"in_reply_to":"7bbb5fd2_e9cf523e","updated":"2024-02-28 10:54:10.000000000","message":"Done","commit_id":"61223a1674616b0ea9e8d1cc3a15600ff3cee1a2"},{"author":{"_account_id":26250,"name":"Johannes Kulik","email":"johannes.kulik@sap.com","username":"jkulik"},"change_message_id":"a8078728577c19014f301ca99c27fa9a335bc3f1","unresolved":true,"context_lines":[{"line_number":44,"context_line":"of secrets in Barbican using `access control lists`_. Secrets could be made to"},{"line_number":45,"context_line":"be scoped at the user level, for example, instead of the project level. In such"},{"line_number":46,"context_line":"a configuration, a ``project admin`` would **not** be allowed to live migrate"},{"line_number":47,"context_line":"the server of different user in the project."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"Required roles"},{"line_number":50,"context_line":"^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":2,"id":"6ea0d789_621b44f2","line":47,"updated":"2024-02-26 08:04:32.000000000","message":"typoe: \"of different user\" -\u003e \"of a different user\"","commit_id":"61223a1674616b0ea9e8d1cc3a15600ff3cee1a2"},{"author":{"_account_id":26250,"name":"Johannes Kulik","email":"johannes.kulik@sap.com","username":"jkulik"},"change_message_id":"4871addc63a964e2424f06bc4c911ef22acc44f6","unresolved":false,"context_lines":[{"line_number":44,"context_line":"of secrets in Barbican using `access control lists`_. Secrets could be made to"},{"line_number":45,"context_line":"be scoped at the user level, for example, instead of the project level. In such"},{"line_number":46,"context_line":"a configuration, a ``project admin`` would **not** be allowed to live migrate"},{"line_number":47,"context_line":"the server of different user in the project."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"Required roles"},{"line_number":50,"context_line":"^^^^^^^^^^^^^^"}],"source_content_type":"text/x-rst","patch_set":2,"id":"168bc0ae_718ce4cf","line":47,"in_reply_to":"6ea0d789_621b44f2","updated":"2024-02-28 10:54:10.000000000","message":"Done","commit_id":"61223a1674616b0ea9e8d1cc3a15600ff3cee1a2"},{"author":{"_account_id":26250,"name":"Johannes Kulik","email":"johannes.kulik@sap.com","username":"jkulik"},"change_message_id":"a8078728577c19014f301ca99c27fa9a335bc3f1","unresolved":true,"context_lines":[{"line_number":50,"context_line":"^^^^^^^^^^^^^^"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"By default, in order to create secrets in Barbican, a user must have the"},{"line_number":53,"context_line":"``creator`` role in Keytsone."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":".. code-block:: console"},{"line_number":56,"context_line":"   :emphasize-lines: 7"}],"source_content_type":"text/x-rst","patch_set":2,"id":"ccc2a068_ab07df9a","line":53,"updated":"2024-02-26 08:04:32.000000000","message":"typo: \"Keytsone\" -\u003e \"Keystone\"","commit_id":"61223a1674616b0ea9e8d1cc3a15600ff3cee1a2"},{"author":{"_account_id":26250,"name":"Johannes Kulik","email":"johannes.kulik@sap.com","username":"jkulik"},"change_message_id":"4871addc63a964e2424f06bc4c911ef22acc44f6","unresolved":false,"context_lines":[{"line_number":50,"context_line":"^^^^^^^^^^^^^^"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"By default, in order to create secrets in Barbican, a user must have the"},{"line_number":53,"context_line":"``creator`` role in Keytsone."},{"line_number":54,"context_line":""},{"line_number":55,"context_line":".. code-block:: console"},{"line_number":56,"context_line":"   :emphasize-lines: 7"}],"source_content_type":"text/x-rst","patch_set":2,"id":"eaacbc51_1bc595aa","line":53,"in_reply_to":"ccc2a068_ab07df9a","updated":"2024-02-28 10:54:10.000000000","message":"Done","commit_id":"61223a1674616b0ea9e8d1cc3a15600ff3cee1a2"},{"author":{"_account_id":26250,"name":"Johannes Kulik","email":"johannes.kulik@sap.com","username":"jkulik"},"change_message_id":"a8078728577c19014f301ca99c27fa9a335bc3f1","unresolved":true,"context_lines":[{"line_number":55,"context_line":".. code-block:: console"},{"line_number":56,"context_line":"   :emphasize-lines: 7"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"   $ openstack --os-cloud devstack-admin role list"},{"line_number":59,"context_line":"   +----------------------------------+---------------------------+"},{"line_number":60,"context_line":"   | ID                               | Name                      |"},{"line_number":61,"context_line":"   +----------------------------------+---------------------------+"}],"source_content_type":"text/x-rst","patch_set":2,"id":"89f1f0de_86fac56c","line":58,"updated":"2024-02-26 08:04:32.000000000","message":"Should we keep the `--os-cloud devstack-admin` here or should this command rather be without that?","commit_id":"61223a1674616b0ea9e8d1cc3a15600ff3cee1a2"},{"author":{"_account_id":26250,"name":"Johannes Kulik","email":"johannes.kulik@sap.com","username":"jkulik"},"change_message_id":"4871addc63a964e2424f06bc4c911ef22acc44f6","unresolved":false,"context_lines":[{"line_number":55,"context_line":".. code-block:: console"},{"line_number":56,"context_line":"   :emphasize-lines: 7"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"   $ openstack --os-cloud devstack-admin role list"},{"line_number":59,"context_line":"   +----------------------------------+---------------------------+"},{"line_number":60,"context_line":"   | ID                               | Name                      |"},{"line_number":61,"context_line":"   +----------------------------------+---------------------------+"}],"source_content_type":"text/x-rst","patch_set":2,"id":"7d845079_66dbafdd","line":58,"in_reply_to":"00325dc6_3a22d180","updated":"2024-02-28 10:54:10.000000000","message":"Done","commit_id":"61223a1674616b0ea9e8d1cc3a15600ff3cee1a2"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"056a1a335d1848027c205e2d5145886fa2d0de03","unresolved":true,"context_lines":[{"line_number":55,"context_line":".. code-block:: console"},{"line_number":56,"context_line":"   :emphasize-lines: 7"},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"   $ openstack --os-cloud devstack-admin role list"},{"line_number":59,"context_line":"   +----------------------------------+---------------------------+"},{"line_number":60,"context_line":"   | ID                               | Name                      |"},{"line_number":61,"context_line":"   +----------------------------------+---------------------------+"}],"source_content_type":"text/x-rst","patch_set":2,"id":"00325dc6_3a22d180","line":58,"in_reply_to":"89f1f0de_86fac56c","updated":"2024-02-26 21:58:01.000000000","message":"Oh nope, I didn\u0027t mean to leave that in there. Thanks","commit_id":"61223a1674616b0ea9e8d1cc3a15600ff3cee1a2"},{"author":{"_account_id":26250,"name":"Johannes Kulik","email":"johannes.kulik@sap.com","username":"jkulik"},"change_message_id":"a8078728577c19014f301ca99c27fa9a335bc3f1","unresolved":true,"context_lines":[{"line_number":346,"context_line":"``hw_ephemeral_encryption_secret_uuid`` image property and use it to make a"},{"line_number":347,"context_line":"copy of the image for the local disk being created for the new server. This"},{"line_number":348,"context_line":"means that only users who have permission to access to the"},{"line_number":349,"context_line":"``hw_ephemeral_encryption_secret_uuid`` will be allowed to create servers using"},{"line_number":350,"context_line":"that snapshot."},{"line_number":351,"context_line":""},{"line_number":352,"context_line":".. note::"}],"source_content_type":"text/x-rst","patch_set":2,"id":"55fefb88_afdbab9b","line":349,"updated":"2024-02-26 08:04:32.000000000","message":"typo: \"who have permissions to access to the\" -\u003e \"who have permissions to access the\"","commit_id":"61223a1674616b0ea9e8d1cc3a15600ff3cee1a2"}]}