)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"13cbff11622bac9eda469c56d10e826a43790b31","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":27,"id":"cba08c62_0aad7460","updated":"2025-10-08 17:09:24.000000000","message":"recheck rabbit host unreachable","commit_id":"bd7615cfc131c0123ec88d4db53267213375bc87"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"b8bd867191b1a694245c53b3e4dc7857df3f2cd7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":28,"id":"ad629e75_514ee62d","updated":"2025-10-10 06:22:42.000000000","message":"recheck guest kernel panic","commit_id":"6f90d39687e841e9c1e1e26191d4913df24c01d2"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"bbe74081d2035d57f37d8150c18c030e5db12ea4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":29,"id":"23d870e3_004f061f","updated":"2025-10-15 15:18:42.000000000","message":"recheck keystone service did not start due to segfault\n\n```\ndevstack@keystone.service[38221]: !!! 
uWSGI process 38221 got Segmentation Fault !!!\n```","commit_id":"d5cd76344541f8b35afe38b2768d3378b2636a51"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"88194d854dff3de2248911ac19ce440611691cec","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":34,"id":"de43f48f_8e2c93de","updated":"2025-11-02 20:01:05.000000000","message":"recheck ERROR oslo.messaging._drivers.impl_rabbit [None req-20d91a44-d66f-4b24-9086-5e71bfbc76d0 None None] Connection failed: timed out (retrying in 29.0 seconds): TimeoutError: timed out","commit_id":"617277bfcb7d36eed648776852a75fcb40f2e68b"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"44a608ed8592f2de9c50c3b60ed5a0ba67f24a37","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":37,"id":"28ae6e26_355e73cd","updated":"2025-11-18 17:13:12.000000000","message":"recheck `Timeout waiting for [\u0027network-vif-plugged-6fc83c26-f83f-4b10-aa9a-850460dda6e3\u0027] for instance with vm_state shelved_offloaded and task_state spawning. 
Event states are: network-vif-plugged-6fc83c26-f83f-4b10-aa9a-850460dda6e3: timed out after 300.00 seconds: nova.exception.InstanceEventTimeout`","commit_id":"0e4c24272c11cdfed671d1496323a6742b714c0c"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"a54e024d661fbe314c50c9b7c0c785d6280c95f3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":38,"id":"7193717a_9ee8263b","updated":"2025-11-21 09:06:49.000000000","message":"I still need to review it again but these are my first comments","commit_id":"aa7654c94a5e1054b343fab99d972dcc04d688a0"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2fa87fd6a38478e799c1ecc86c1e428433e98609","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":42,"id":"1993690b_cec3e14a","updated":"2025-12-02 21:54:05.000000000","message":"I am +1 for the service user usage. 
NOTE: I have not reviewed any other part than nova service user so +1.","commit_id":"33824a3c8aeed76d4a70693df99a770eeb4c74d7"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"85b6ad291b937b4d305445c4c94f032492ce0539","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":43,"id":"cea7d4b1_faac6ee6","updated":"2026-01-20 15:59:28.000000000","message":"I still want to go through the tests but this is working for me locally","commit_id":"b89e2220bc9084cba7cd21bea480dccb1766c594"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"467c522dbd78c695a4bf480113f70804e16a8768","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":43,"id":"23268cd4_3f702f0b","updated":"2026-01-14 19:08:49.000000000","message":"Just a couple things so far, only partially through it","commit_id":"b89e2220bc9084cba7cd21bea480dccb1766c594"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"9096fd0953e3f63443c3c8ebb3e1d21b51f173f6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":43,"id":"590a939d_56b7d84e","updated":"2026-01-21 15:16:25.000000000","message":"Okay I went through the tests and I think I\u0027m good with this patch, trusting gmaan on the context stuff. Just that one function defined for no reason (AFAICT?) 
and otherwise I\u0027m +2.","commit_id":"b89e2220bc9084cba7cd21bea480dccb1766c594"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"04338b8509f767ea80adb0782b711fb631e6db85","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":44,"id":"6e234d1f_2c83984a","updated":"2026-01-22 21:23:33.000000000","message":"I am confused on no-vtpm to/from vtpm resize case which I understood from code/comment that it is supported but test case is opposite.  I am missing something here?","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"f04cc334d088f9bcda73950b06d99ed6b43d6d65","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":45,"id":"48562ddb_55cf7c0b","updated":"2026-01-23 17:32:15.000000000","message":"Ah, gmann +2d while I had this open, woo","commit_id":"880019baafe23f46e59dee7debadf49b9177dc70"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"86354a74a647c7a8df72c1daa01d0918b1fb8ef5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":45,"id":"73169d1d_eff9748b","updated":"2026-01-23 03:00:39.000000000","message":"recheck create server image test collision (?) 
two tests `test_create_delete_image` and `test_create_image_specify_multibyte_character_image_name` trying to snapshot at the same time","commit_id":"880019baafe23f46e59dee7debadf49b9177dc70"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"232116b73565020822afcf5b1dc3769d47eea482","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":45,"id":"223c7a13_e6c586ee","updated":"2026-01-23 17:21:40.000000000","message":"this lgtm, thanks for updating and explanation.","commit_id":"880019baafe23f46e59dee7debadf49b9177dc70"}],"nova/compute/api.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"467c522dbd78c695a4bf480113f70804e16a8768","unresolved":true,"context_lines":[{"line_number":4212,"context_line":"            # Resizing to \u0027deployment\u0027 TPM secret security from any other"},{"line_number":4213,"context_line":"            # mode would involve converting key manager service secret"},{"line_number":4214,"context_line":"            # ownership from the user to the Nova service user, and we"},{"line_number":4215,"context_line":"            # don\u0027t support that yet."},{"line_number":4216,"context_line":"            msg \u003d _(\"Resize between \u0027deployment\u0027 TPM secret security and \""},{"line_number":4217,"context_line":"                    \"other TPM secret security modes is not supported.\")"},{"line_number":4218,"context_line":"            raise exception.OperationNotSupportedForVTPM(msg)"}],"source_content_type":"text/x-python","patch_set":43,"id":"db8c2402_9ce577ed","line":4215,"updated":"2026-01-14 19:08:49.000000000","message":"I\u0027m trying to parse this condition and the comment.. 
The comment says resizing \"to deployment\" isn\u0027t allowed, but it\u0027s not allowed to convert to or from right?\n\nBut also, doesn\u0027t this prevent resizing from no tpm to deployment, and also from deployment to no tpm?\n\nAlso, what about rebuild? Can\u0027t we specify these policies in image meta such that rebuild needs the same sort of check? I can see the tpm image being recreated as part of rebuild, but will we do the cleanup of the secrets? I guess I need to go review the rebuild behaviors when I have a tpm configured...","commit_id":"b89e2220bc9084cba7cd21bea480dccb1766c594"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"bbe0745c24e39c9531c220c96408f413b92c5b62","unresolved":true,"context_lines":[{"line_number":4212,"context_line":"            # Resizing to \u0027deployment\u0027 TPM secret security from any other"},{"line_number":4213,"context_line":"            # mode would involve converting key manager service secret"},{"line_number":4214,"context_line":"            # ownership from the user to the Nova service user, and we"},{"line_number":4215,"context_line":"            # don\u0027t support that yet."},{"line_number":4216,"context_line":"            msg \u003d _(\"Resize between \u0027deployment\u0027 TPM secret security and \""},{"line_number":4217,"context_line":"                    \"other TPM secret security modes is not supported.\")"},{"line_number":4218,"context_line":"            raise exception.OperationNotSupportedForVTPM(msg)"}],"source_content_type":"text/x-python","patch_set":43,"id":"9c94c791_8044c64d","line":4215,"in_reply_to":"3babe9eb_69e804e8","updated":"2026-01-21 23:00:09.000000000","message":"I had intended to publish this comment when I was done with the respin but the service_auth.py refactor took longer. 
And I think the refactor should be its own patch to avoid making this patch more complicated.\n\nComment from Jan 16: there is indeed a bug here where no TPM \u003d\u003e deployment and deployment \u003d\u003e no TPM are blocked. I have added test coverage and fixed it for the respin.","commit_id":"b89e2220bc9084cba7cd21bea480dccb1766c594"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d2cac99891f93b4291ebb05ab296f821f3e4dda3","unresolved":false,"context_lines":[{"line_number":4212,"context_line":"            # Resizing to \u0027deployment\u0027 TPM secret security from any other"},{"line_number":4213,"context_line":"            # mode would involve converting key manager service secret"},{"line_number":4214,"context_line":"            # ownership from the user to the Nova service user, and we"},{"line_number":4215,"context_line":"            # don\u0027t support that yet."},{"line_number":4216,"context_line":"            msg \u003d _(\"Resize between \u0027deployment\u0027 TPM secret security and \""},{"line_number":4217,"context_line":"                    \"other TPM secret security modes is not supported.\")"},{"line_number":4218,"context_line":"            raise exception.OperationNotSupportedForVTPM(msg)"}],"source_content_type":"text/x-python","patch_set":43,"id":"e42471ef_82d10d74","line":4215,"in_reply_to":"412a8039_02d64eb7","updated":"2026-01-23 17:31:52.000000000","message":"Done","commit_id":"b89e2220bc9084cba7cd21bea480dccb1766c594"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"aa001547fc02a8be01a9be9888e5825a607af2e8","unresolved":true,"context_lines":[{"line_number":4212,"context_line":"            # Resizing to \u0027deployment\u0027 TPM secret security from any other"},{"line_number":4213,"context_line":"            # mode would involve converting key manager service 
secret"},{"line_number":4214,"context_line":"            # ownership from the user to the Nova service user, and we"},{"line_number":4215,"context_line":"            # don\u0027t support that yet."},{"line_number":4216,"context_line":"            msg \u003d _(\"Resize between \u0027deployment\u0027 TPM secret security and \""},{"line_number":4217,"context_line":"                    \"other TPM secret security modes is not supported.\")"},{"line_number":4218,"context_line":"            raise exception.OperationNotSupportedForVTPM(msg)"}],"source_content_type":"text/x-python","patch_set":43,"id":"efc53d9e_3fb83ad5","line":4215,"in_reply_to":"9c94c791_8044c64d","updated":"2026-01-22 14:28:37.000000000","message":"You said\n\u003e  there is indeed a bug here where no TPM \u003d\u003e deployment and deployment \u003d\u003e no TPM are blocked. I have added test coverage and fixed it for the respin.\nbut I don\u0027t see a change in the condition to account for that. It seems to me like this still is the pinch point that prevents such a transition, but.. 
was the fix somewhere else?","commit_id":"b89e2220bc9084cba7cd21bea480dccb1766c594"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"a7bb5d80e10b0f0f4a6aea63095cfb9b8eb9744c","unresolved":true,"context_lines":[{"line_number":4212,"context_line":"            # Resizing to \u0027deployment\u0027 TPM secret security from any other"},{"line_number":4213,"context_line":"            # mode would involve converting key manager service secret"},{"line_number":4214,"context_line":"            # ownership from the user to the Nova service user, and we"},{"line_number":4215,"context_line":"            # don\u0027t support that yet."},{"line_number":4216,"context_line":"            msg \u003d _(\"Resize between \u0027deployment\u0027 TPM secret security and \""},{"line_number":4217,"context_line":"                    \"other TPM secret security modes is not supported.\")"},{"line_number":4218,"context_line":"            raise exception.OperationNotSupportedForVTPM(msg)"}],"source_content_type":"text/x-python","patch_set":43,"id":"3babe9eb_69e804e8","line":4215,"in_reply_to":"db8c2402_9ce577ed","updated":"2026-01-14 19:32:36.000000000","message":"Yes to or from is not allowed (like in the if-condition) but it isn\u0027t typed here explicitly. It was meant to be additional context of the \"why\" but I can understand the confusion that it doesn\u0027t match exactly the if-condition, so I will make it mirror the condition in the next respin.\n\nI need to check on that. On the surface it looks like yes it would (erroneously) reject no-tpm \u003d\u003e deployment or deployment \u003d\u003e no-tpm. I\u0027ll add test coverage and fix this if it\u0027s wrong.\n\nRebuild has always been blocked in the API for vTPM, thankfully. We could try and make that work \"someday\" in the future but for the current day I think it\u0027s out of scope. 
It would not be trivial last I thought about it some weeks/months ago.","commit_id":"b89e2220bc9084cba7cd21bea480dccb1766c594"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"d299fe6c38e24c56e2f18de98cd1cbc9269e9b15","unresolved":true,"context_lines":[{"line_number":4212,"context_line":"            # Resizing to \u0027deployment\u0027 TPM secret security from any other"},{"line_number":4213,"context_line":"            # mode would involve converting key manager service secret"},{"line_number":4214,"context_line":"            # ownership from the user to the Nova service user, and we"},{"line_number":4215,"context_line":"            # don\u0027t support that yet."},{"line_number":4216,"context_line":"            msg \u003d _(\"Resize between \u0027deployment\u0027 TPM secret security and \""},{"line_number":4217,"context_line":"                    \"other TPM secret security modes is not supported.\")"},{"line_number":4218,"context_line":"            raise exception.OperationNotSupportedForVTPM(msg)"}],"source_content_type":"text/x-python","patch_set":43,"id":"412a8039_02d64eb7","line":4215,"in_reply_to":"efc53d9e_3fb83ad5","updated":"2026-01-22 16:24:57.000000000","message":"I added a comment where the fix is on L4381 i.e. 
only call this method if the transition is TPM \u003c\u003d\u003e TPM.","commit_id":"b89e2220bc9084cba7cd21bea480dccb1766c594"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"5bb634f6dc72cab93f10269417a769fa8948914c","unresolved":true,"context_lines":[{"line_number":4200,"context_line":""},{"line_number":4201,"context_line":"    @staticmethod"},{"line_number":4202,"context_line":"    def _validate_vtpm_secret_security(current_flavor, new_flavor):"},{"line_number":4203,"context_line":"        \"\"\"Block requests that would require secret ownership conversions."},{"line_number":4204,"context_line":""},{"line_number":4205,"context_line":"        TODO(melwitt): Remove this when support for key manager service secret"},{"line_number":4206,"context_line":"        ownership conversions is added."}],"source_content_type":"text/x-python","patch_set":44,"id":"41710cc8_7f0564dc","line":4203,"updated":"2026-01-22 21:42:19.000000000","message":"Okay re-reading your comments and replies a whole bunch of times, I think this is the important bit here. The function name implies to me \"is this allowed\" but the docstring here says \"make sure we\u0027re never converting between types\", which granted is a form of \"is this allowed\" but I was expecting the change to be here in the function I thought was checking if something was allowed. The way this is, the permit-ability is decided kinda here and kinda elsewhere, where we may or may not skip this.\n\nI guess I thought the expectation was that we _would_ be able to convert back and forth to/from deployment and the other types. 
I know the comment below says \"yet\" but I was just a bit lost in the discontinuity between the four things.","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"beb925304bb1522da2e43ad4db4788e4ceb9ac52","unresolved":true,"context_lines":[{"line_number":4200,"context_line":""},{"line_number":4201,"context_line":"    @staticmethod"},{"line_number":4202,"context_line":"    def _validate_vtpm_secret_security(current_flavor, new_flavor):"},{"line_number":4203,"context_line":"        \"\"\"Block requests that would require secret ownership conversions."},{"line_number":4204,"context_line":""},{"line_number":4205,"context_line":"        TODO(melwitt): Remove this when support for key manager service secret"},{"line_number":4206,"context_line":"        ownership conversions is added."}],"source_content_type":"text/x-python","patch_set":44,"id":"fac91936_8b3d8508","line":4203,"in_reply_to":"41710cc8_7f0564dc","updated":"2026-01-22 22:03:59.000000000","message":"Yeah, that\u0027s fair. 
I guess I was thinking \"you don\u0027t need to validate TPM secret security if there is no TPM so don\u0027t call it\" but since it\u0027s confusing people I will make this also accept image_meta or instance and let it no-op if one of the flavors has no TPM.","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"ee719b6fd5d38b0c3a7b50298c979aa1d7249e5d","unresolved":true,"context_lines":[{"line_number":4200,"context_line":""},{"line_number":4201,"context_line":"    @staticmethod"},{"line_number":4202,"context_line":"    def _validate_vtpm_secret_security(current_flavor, new_flavor):"},{"line_number":4203,"context_line":"        \"\"\"Block requests that would require secret ownership conversions."},{"line_number":4204,"context_line":""},{"line_number":4205,"context_line":"        TODO(melwitt): Remove this when support for key manager service secret"},{"line_number":4206,"context_line":"        ownership conversions is added."}],"source_content_type":"text/x-python","patch_set":44,"id":"eea6545a_ef637201","line":4203,"in_reply_to":"bb79dcf5_a761e9e8","updated":"2026-01-22 22:19:28.000000000","message":"Yeah I mean it makes sense that\u0027s what you expected because it _was_ doing a no-op before with no guard around the call below in PS43.\n\nI started out adding the TPM existence conditions in here and then was like is this uglier and more confusing to put the very similarly named constraint check calls here or should I just not call this if there\u0027s no TPM or WHAT SHOULD I DO? And went back and forth. 
Basically I was overthinking it.","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d2cac99891f93b4291ebb05ab296f821f3e4dda3","unresolved":false,"context_lines":[{"line_number":4200,"context_line":""},{"line_number":4201,"context_line":"    @staticmethod"},{"line_number":4202,"context_line":"    def _validate_vtpm_secret_security(current_flavor, new_flavor):"},{"line_number":4203,"context_line":"        \"\"\"Block requests that would require secret ownership conversions."},{"line_number":4204,"context_line":""},{"line_number":4205,"context_line":"        TODO(melwitt): Remove this when support for key manager service secret"},{"line_number":4206,"context_line":"        ownership conversions is added."}],"source_content_type":"text/x-python","patch_set":44,"id":"1b7f7ad6_b215ec5c","line":4203,"in_reply_to":"eea6545a_ef637201","updated":"2026-01-23 17:31:52.000000000","message":"Acknowledged","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"6f1a10025240c7287a3b2d9428552348237f59fa","unresolved":true,"context_lines":[{"line_number":4200,"context_line":""},{"line_number":4201,"context_line":"    @staticmethod"},{"line_number":4202,"context_line":"    def _validate_vtpm_secret_security(current_flavor, new_flavor):"},{"line_number":4203,"context_line":"        \"\"\"Block requests that would require secret ownership conversions."},{"line_number":4204,"context_line":""},{"line_number":4205,"context_line":"        TODO(melwitt): Remove this when support for key manager service secret"},{"line_number":4206,"context_line":"        ownership conversions is added."}],"source_content_type":"text/x-python","patch_set":44,"id":"bb79dcf5_a761e9e8","line":4203,"in_reply_to":"fac91936_8b3d8508","updated":"2026-01-22 
22:09:43.000000000","message":"I\u0027m not saying you have to change it.. it makes sense to me now, and it might have been less of a thing if I hadn\u0027t been expecting to see a delta in the logic here based on the previous comment of there being a gap in the case for the \"no vtpm\" case. I\u0027m just kinda defending my lack of \"getting it.\" But I get it now :)","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"d299fe6c38e24c56e2f18de98cd1cbc9269e9b15","unresolved":true,"context_lines":[{"line_number":4384,"context_line":"                    hardware.get_vtpm_constraint(new_flavor,"},{"line_number":4385,"context_line":"                                                 instance.image_meta)):"},{"line_number":4386,"context_line":"                self._validate_vtpm_secret_security(current_flavor, new_flavor)"},{"line_number":4387,"context_line":""},{"line_number":4388,"context_line":"        instance.task_state \u003d task_states.RESIZE_PREP"},{"line_number":4389,"context_line":"        instance.progress \u003d 0"},{"line_number":4390,"context_line":"        instance.auto_disk_config \u003d auto_disk_config or False"}],"source_content_type":"text/x-python","patch_set":44,"id":"c60ff44f_7399f4e2","line":4387,"updated":"2026-01-22 16:24:57.000000000","message":"This is the fix for no TPM \u003d\u003e deployment and deployment \u003d\u003e no TPM. The bug was that the validation of TPM secret security was not previously filtering for only TPM \u003c\u003d\u003e TPM resizes ... We should only validate if it\u0027s a TPM to TPM resize, if one flavor is not TPM then that is always allowed i.e. 
they would not involve any secret ownership conversion.","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"5bb634f6dc72cab93f10269417a769fa8948914c","unresolved":true,"context_lines":[{"line_number":4384,"context_line":"                    hardware.get_vtpm_constraint(new_flavor,"},{"line_number":4385,"context_line":"                                                 instance.image_meta)):"},{"line_number":4386,"context_line":"                self._validate_vtpm_secret_security(current_flavor, new_flavor)"},{"line_number":4387,"context_line":""},{"line_number":4388,"context_line":"        instance.task_state \u003d task_states.RESIZE_PREP"},{"line_number":4389,"context_line":"        instance.progress \u003d 0"},{"line_number":4390,"context_line":"        instance.auto_disk_config \u003d auto_disk_config or False"}],"source_content_type":"text/x-python","patch_set":44,"id":"c953088d_c5c0e5c3","line":4387,"in_reply_to":"c60ff44f_7399f4e2","updated":"2026-01-22 21:42:19.000000000","message":"Ack, As above, I would have expected all the \"can we do this\" logic to be in one place (above).","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d2cac99891f93b4291ebb05ab296f821f3e4dda3","unresolved":false,"context_lines":[{"line_number":4384,"context_line":"                    hardware.get_vtpm_constraint(new_flavor,"},{"line_number":4385,"context_line":"                                                 instance.image_meta)):"},{"line_number":4386,"context_line":"                self._validate_vtpm_secret_security(current_flavor, new_flavor)"},{"line_number":4387,"context_line":""},{"line_number":4388,"context_line":"        instance.task_state \u003d task_states.RESIZE_PREP"},{"line_number":4389,"context_line":"        
instance.progress \u003d 0"},{"line_number":4390,"context_line":"        instance.auto_disk_config \u003d auto_disk_config or False"}],"source_content_type":"text/x-python","patch_set":44,"id":"b3ee5c25_0b92ae58","line":4387,"in_reply_to":"c953088d_c5c0e5c3","updated":"2026-01-23 17:31:52.000000000","message":"Done","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"}],"nova/compute/manager.py":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6e6525aee2296b993b3e203082e45e7b350ffe66","unresolved":true,"context_lines":[{"line_number":955,"context_line":"        if hardware.get_tpm_secret_security_constraint("},{"line_number":956,"context_line":"                instance.flavor) \u003d\u003d \u0027deployment\u0027:"},{"line_number":957,"context_line":"            use_context \u003d nova.context.get_nova_service_user_context("},{"line_number":958,"context_line":"                    \u0027service_user\u0027)"},{"line_number":959,"context_line":"        crypto.delete_vtpm_secret(use_context, instance)"},{"line_number":960,"context_line":""},{"line_number":961,"context_line":"    def _complete_deletion(self, context, instance):"}],"source_content_type":"text/x-python","patch_set":42,"id":"ee4501fc_e278b216","line":958,"range":{"start_line":958,"start_character":20,"end_line":958,"end_character":34},"updated":"2025-11-24 20:33:28.000000000","message":"I think we should not hard-code it here and instead let get_nova_service_user_context handle where to get the Nova service user.\n\nIf anywhere we need \u0027service_token.service_user\u0027 then it should be done via the common place (nova/service_auth.py-\u003eget_auth_plugin[1])\n\n[1] https://github.com/openstack/nova/blob/23b462d77df1a1d09c43d0918bca853ef3af1e3f/nova/service_auth.py#L33","commit_id":"33824a3c8aeed76d4a70693df99a770eeb4c74d7"},{"author":{"_account_id":8556,"name":"Ghanshyam 
Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2fa87fd6a38478e799c1ecc86c1e428433e98609","unresolved":true,"context_lines":[{"line_number":955,"context_line":"        if hardware.get_tpm_secret_security_constraint("},{"line_number":956,"context_line":"                instance.flavor) \u003d\u003d \u0027deployment\u0027:"},{"line_number":957,"context_line":"            use_context \u003d nova.context.get_nova_service_user_context("},{"line_number":958,"context_line":"                    \u0027service_user\u0027)"},{"line_number":959,"context_line":"        crypto.delete_vtpm_secret(use_context, instance)"},{"line_number":960,"context_line":""},{"line_number":961,"context_line":"    def _complete_deletion(self, context, instance):"}],"source_content_type":"text/x-python","patch_set":42,"id":"69c88197_901f5ec7","line":958,"range":{"start_line":958,"start_character":20,"end_line":958,"end_character":34},"in_reply_to":"143303d3_44ee451c","updated":"2025-12-02 21:54:05.000000000","message":"Sorry if I was not clear in my previous comment. It was just a nit that get_nova_service_user_context() can load \u0027service_user\u0027 automatically instead of passing it as arg. That way get_nova_service_user_context() will be used in a consistent way to load \u0027service_user\u0027 always. 
If this makes sense, you can do it if you end up respinning; otherwise it is OK as it is.\n\nI agree that nova/service_auth.py-\u003eget_auth_plugin is not usable here due to different configuration checks.","commit_id":"33824a3c8aeed76d4a70693df99a770eeb4c74d7"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"4413675aad6bf67ab86202729835685724e3ef6f","unresolved":false,"context_lines":[{"line_number":955,"context_line":"        if hardware.get_tpm_secret_security_constraint("},{"line_number":956,"context_line":"                instance.flavor) \u003d\u003d \u0027deployment\u0027:"},{"line_number":957,"context_line":"            use_context \u003d nova.context.get_nova_service_user_context("},{"line_number":958,"context_line":"                    \u0027service_user\u0027)"},{"line_number":959,"context_line":"        crypto.delete_vtpm_secret(use_context, instance)"},{"line_number":960,"context_line":""},{"line_number":961,"context_line":"    def _complete_deletion(self, context, instance):"}],"source_content_type":"text/x-python","patch_set":42,"id":"55f8695f_65fbac7b","line":958,"range":{"start_line":958,"start_character":20,"end_line":958,"end_character":34},"in_reply_to":"6436a026_87fb00f3","updated":"2025-12-03 04:33:26.000000000","message":"Done","commit_id":"33824a3c8aeed76d4a70693df99a770eeb4c74d7"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e959ee6cdc86a61bd1be809c904486ed6d3d2d92","unresolved":true,"context_lines":[{"line_number":955,"context_line":"        if hardware.get_tpm_secret_security_constraint("},{"line_number":956,"context_line":"                instance.flavor) \u003d\u003d \u0027deployment\u0027:"},{"line_number":957,"context_line":"            use_context \u003d 
nova.context.get_nova_service_user_context("},{"line_number":958,"context_line":"                    \u0027service_user\u0027)"},{"line_number":959,"context_line":"        crypto.delete_vtpm_secret(use_context, instance)"},{"line_number":960,"context_line":""},{"line_number":961,"context_line":"    def _complete_deletion(self, context, instance):"}],"source_content_type":"text/x-python","patch_set":42,"id":"6436a026_87fb00f3","line":958,"range":{"start_line":958,"start_character":20,"end_line":958,"end_character":34},"in_reply_to":"69c88197_901f5ec7","updated":"2025-12-02 23:16:53.000000000","message":"Ah gotcha, I understand now. Originally I had the conf group included inside context.py, but then the config section still felt up in the air so I didn\u0027t quite want to move it back to assuming \u0027service_user\u0027 yet, just in case.\n\nSince we seem to be settled on \u0027service_user\u0027 for now, I can roll all of that back into context.py again. I\u0027m working on a respin already for other comments anyway.","commit_id":"33824a3c8aeed76d4a70693df99a770eeb4c74d7"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"5a0bb824313425be3d7725444964318c2f5aed50","unresolved":true,"context_lines":[{"line_number":955,"context_line":"        if hardware.get_tpm_secret_security_constraint("},{"line_number":956,"context_line":"                instance.flavor) \u003d\u003d \u0027deployment\u0027:"},{"line_number":957,"context_line":"            use_context \u003d nova.context.get_nova_service_user_context("},{"line_number":958,"context_line":"                    \u0027service_user\u0027)"},{"line_number":959,"context_line":"        crypto.delete_vtpm_secret(use_context, instance)"},{"line_number":960,"context_line":""},{"line_number":961,"context_line":"    def _complete_deletion(self, context, 
instance):"}],"source_content_type":"text/x-python","patch_set":42,"id":"143303d3_44ee451c","line":958,"range":{"start_line":958,"start_character":20,"end_line":958,"end_character":34},"in_reply_to":"ee4501fc_e278b216","updated":"2025-12-01 23:18:14.000000000","message":"I considered that but the nova/service_auth.py-\u003eget_auth_plugin is guarded by CONF.service_user.send_service_user_token and I was thinking vTPM live migration doesn\u0027t depend on the configuration of service user token, no?","commit_id":"33824a3c8aeed76d4a70693df99a770eeb4c74d7"}],"nova/conf/libvirt.py":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"a75cc7f3d34a305f21407a8f89c6953c5e315c2a","unresolved":true,"context_lines":[{"line_number":1607,"context_line":"* ``swtpm_user`` must also be set."},{"line_number":1608,"context_line":"\"\"\"),"},{"line_number":1609,"context_line":"    cfg.ListOpt(\u0027supported_tpm_secret_security\u0027,"},{"line_number":1610,"context_line":"        default\u003d[\u0027user\u0027],"},{"line_number":1611,"context_line":"        help\u003d\"\"\""},{"line_number":1612,"context_line":"The list of TPM security policies supported by this compute host. If a value is"},{"line_number":1613,"context_line":"absent, it is not supported by this host, and any instance that requests it"}],"source_content_type":"text/x-python","patch_set":25,"id":"4e772e69_99bcea9d","line":1610,"updated":"2025-10-02 21:09:44.000000000","message":"Maybe should also add deployment here, i.e. 
`default\u003d[\u0027user,host,deployment\u0027]`.","commit_id":"66dbd3bad53c4bd8d5f2b394cba7f5e3a67e1ddd"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"3600397490056253952bca996aabb642d3aa8c69","unresolved":false,"context_lines":[{"line_number":1607,"context_line":"* ``swtpm_user`` must also be set."},{"line_number":1608,"context_line":"\"\"\"),"},{"line_number":1609,"context_line":"    cfg.ListOpt(\u0027supported_tpm_secret_security\u0027,"},{"line_number":1610,"context_line":"        default\u003d[\u0027user\u0027],"},{"line_number":1611,"context_line":"        help\u003d\"\"\""},{"line_number":1612,"context_line":"The list of TPM security policies supported by this compute host. If a value is"},{"line_number":1613,"context_line":"absent, it is not supported by this host, and any instance that requests it"}],"source_content_type":"text/x-python","patch_set":25,"id":"79ea526d_674a61bf","line":1610,"in_reply_to":"4e772e69_99bcea9d","updated":"2025-10-08 06:21:50.000000000","message":"Done","commit_id":"66dbd3bad53c4bd8d5f2b394cba7f5e3a67e1ddd"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"dcef6a28a15626c71b0124d95c9e13dac5ad05ea","unresolved":true,"context_lines":[{"line_number":1623,"context_line":"  accessed by anyone else. The Libvirt secret is public and persistent. It"},{"line_number":1624,"context_line":"  can be read by anyone with sufficient access on the host. The instance can"},{"line_number":1625,"context_line":"  be live-migrated and automatically resumed after host reboot."},{"line_number":1626,"context_line":"* \u0027deployment\u0027: The Barbican secret is owned by the Nova service user. The"},{"line_number":1627,"context_line":"  Libvirt secret is private and non-persistent. 
The instance can be"},{"line_number":1628,"context_line":"  live-migrated and resumed automatically after host reboot."},{"line_number":1629,"context_line":"\"\"\"),"}],"source_content_type":"text/x-python","patch_set":34,"id":"e0e57f96_238c37a1","line":1626,"range":{"start_line":1626,"start_character":2,"end_line":1626,"end_character":14},"updated":"2025-10-31 21:36:46.000000000","message":"\\`\\`deployment\\`\\` for better docs rendering","commit_id":"617277bfcb7d36eed648776852a75fcb40f2e68b"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"1ebe6731cb4545e947ad79712083f55cdb6a34f2","unresolved":false,"context_lines":[{"line_number":1623,"context_line":"  accessed by anyone else. The Libvirt secret is public and persistent. It"},{"line_number":1624,"context_line":"  can be read by anyone with sufficient access on the host. The instance can"},{"line_number":1625,"context_line":"  be live-migrated and automatically resumed after host reboot."},{"line_number":1626,"context_line":"* \u0027deployment\u0027: The Barbican secret is owned by the Nova service user. The"},{"line_number":1627,"context_line":"  Libvirt secret is private and non-persistent. 
The instance can be"},{"line_number":1628,"context_line":"  live-migrated and resumed automatically after host reboot."},{"line_number":1629,"context_line":"\"\"\"),"}],"source_content_type":"text/x-python","patch_set":34,"id":"92311338_c4b3125d","line":1626,"range":{"start_line":1626,"start_character":2,"end_line":1626,"end_character":14},"in_reply_to":"e0e57f96_238c37a1","updated":"2025-11-10 23:25:45.000000000","message":"Done","commit_id":"617277bfcb7d36eed648776852a75fcb40f2e68b"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"156331cfcf807ce4dbdf2b30ecf2f8ccd5863e50","unresolved":true,"context_lines":[{"line_number":1651,"context_line":"* ``host``: The Barbican secret is owned by the instance owner and cannot be"},{"line_number":1652,"context_line":"  accessed by anyone else. The Libvirt secret is public and persistent. It"},{"line_number":1653,"context_line":"  can be read by anyone with sufficient access on the host. The instance can"},{"line_number":1654,"context_line":"  be live-migrated and automatically resumed after host reboot."},{"line_number":1655,"context_line":"* ``deployment``: The Barbican secret is owned by the Nova service user. The"},{"line_number":1656,"context_line":"  Libvirt secret is private and non-persistent. 
The instance can be"},{"line_number":1657,"context_line":"  live-migrated and resumed automatically after host reboot."}],"source_content_type":"text/x-python","patch_set":38,"id":"8f240dd9_f2c00ce2","line":1654,"range":{"start_line":1654,"start_character":5,"end_line":1654,"end_character":18},"updated":"2025-11-20 18:43:03.000000000","message":"I just realized we probably shouldn\u0027t have added this until the later patches :D","commit_id":"aa7654c94a5e1054b343fab99d972dcc04d688a0"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d2cac99891f93b4291ebb05ab296f821f3e4dda3","unresolved":false,"context_lines":[{"line_number":1651,"context_line":"* ``host``: The Barbican secret is owned by the instance owner and cannot be"},{"line_number":1652,"context_line":"  accessed by anyone else. The Libvirt secret is public and persistent. It"},{"line_number":1653,"context_line":"  can be read by anyone with sufficient access on the host. The instance can"},{"line_number":1654,"context_line":"  be live-migrated and automatically resumed after host reboot."},{"line_number":1655,"context_line":"* ``deployment``: The Barbican secret is owned by the Nova service user. The"},{"line_number":1656,"context_line":"  Libvirt secret is private and non-persistent. 
The instance can be"},{"line_number":1657,"context_line":"  live-migrated and resumed automatically after host reboot."}],"source_content_type":"text/x-python","patch_set":38,"id":"882b8898_11d28829","line":1654,"range":{"start_line":1654,"start_character":5,"end_line":1654,"end_character":18},"in_reply_to":"6141ea6f_5d61b23d","updated":"2026-01-23 17:31:52.000000000","message":"Acknowledged","commit_id":"aa7654c94a5e1054b343fab99d972dcc04d688a0"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"cf2eaaccc9d73f92e0da5210590dc02476aa0c91","unresolved":true,"context_lines":[{"line_number":1651,"context_line":"* ``host``: The Barbican secret is owned by the instance owner and cannot be"},{"line_number":1652,"context_line":"  accessed by anyone else. The Libvirt secret is public and persistent. It"},{"line_number":1653,"context_line":"  can be read by anyone with sufficient access on the host. The instance can"},{"line_number":1654,"context_line":"  be live-migrated and automatically resumed after host reboot."},{"line_number":1655,"context_line":"* ``deployment``: The Barbican secret is owned by the Nova service user. The"},{"line_number":1656,"context_line":"  Libvirt secret is private and non-persistent. The instance can be"},{"line_number":1657,"context_line":"  live-migrated and resumed automatically after host reboot."}],"source_content_type":"text/x-python","patch_set":38,"id":"6141ea6f_5d61b23d","line":1654,"range":{"start_line":1654,"start_character":5,"end_line":1654,"end_character":18},"in_reply_to":"8f240dd9_f2c00ce2","updated":"2025-11-20 21:39:54.000000000","message":"Yeah, I hadn\u0027t thought to split out the second sentences of these out into their corresponding live migrate patches. 
Was an oversight.","commit_id":"aa7654c94a5e1054b343fab99d972dcc04d688a0"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"04338b8509f767ea80adb0782b711fb631e6db85","unresolved":true,"context_lines":[{"line_number":1650,"context_line":"  reboot."},{"line_number":1651,"context_line":"* ``host``: The Barbican secret is owned by the instance owner and cannot be"},{"line_number":1652,"context_line":"  accessed by anyone else. The Libvirt secret is public and persistent. It"},{"line_number":1653,"context_line":"  can be read by anyone with sufficient access on the host. The instance can"},{"line_number":1654,"context_line":"  be live-migrated and automatically resumed after host reboot."},{"line_number":1655,"context_line":"* ``deployment``: The Barbican secret is owned by the Nova service user. The"},{"line_number":1656,"context_line":"  Libvirt secret is private and non-persistent. The instance can be"}],"source_content_type":"text/x-python","patch_set":44,"id":"c201424d_b0919809","line":1653,"range":{"start_line":1653,"start_character":17,"end_line":1653,"end_character":58},"updated":"2026-01-22 21:23:33.000000000","message":"one basic question. I was checking the old merged changes[1] to get context on vTPM. For \u0027host\u0027 security, where do we exactly check about \u0027the sufficient access on the host\u0027? or anyone creating the instance and requesting \u0027host\u0027 security will make that particular instance (add instance.uuid as secret\u0027s usage_id) secret as public and persistent? 
If any non-owner user (admin or manager user who is permitted for operation as per the rbac policy) can perform the vTPM live migration on that because secret is on host?\n\n[1] https://review.opendev.org/c/openstack/nova/+/941795","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"232116b73565020822afcf5b1dc3769d47eea482","unresolved":false,"context_lines":[{"line_number":1650,"context_line":"  reboot."},{"line_number":1651,"context_line":"* ``host``: The Barbican secret is owned by the instance owner and cannot be"},{"line_number":1652,"context_line":"  accessed by anyone else. The Libvirt secret is public and persistent. It"},{"line_number":1653,"context_line":"  can be read by anyone with sufficient access on the host. The instance can"},{"line_number":1654,"context_line":"  be live-migrated and automatically resumed after host reboot."},{"line_number":1655,"context_line":"* ``deployment``: The Barbican secret is owned by the Nova service user. The"},{"line_number":1656,"context_line":"  Libvirt secret is private and non-persistent. 
The instance can be"}],"source_content_type":"text/x-python","patch_set":44,"id":"1da873bb_8d983abf","line":1653,"range":{"start_line":1653,"start_character":17,"end_line":1653,"end_character":58},"in_reply_to":"8225fa04_e723e5a5","updated":"2026-01-23 17:21:40.000000000","message":"i see, thanks for explaining.","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"beb925304bb1522da2e43ad4db4788e4ceb9ac52","unresolved":true,"context_lines":[{"line_number":1650,"context_line":"  reboot."},{"line_number":1651,"context_line":"* ``host``: The Barbican secret is owned by the instance owner and cannot be"},{"line_number":1652,"context_line":"  accessed by anyone else. The Libvirt secret is public and persistent. It"},{"line_number":1653,"context_line":"  can be read by anyone with sufficient access on the host. The instance can"},{"line_number":1654,"context_line":"  be live-migrated and automatically resumed after host reboot."},{"line_number":1655,"context_line":"* ``deployment``: The Barbican secret is owned by the Nova service user. The"},{"line_number":1656,"context_line":"  Libvirt secret is private and non-persistent. The instance can be"}],"source_content_type":"text/x-python","patch_set":44,"id":"8225fa04_e723e5a5","line":1653,"range":{"start_line":1653,"start_character":17,"end_line":1653,"end_character":58},"in_reply_to":"c201424d_b0919809","updated":"2026-01-22 22:03:59.000000000","message":"For the libvirt secret access, we don\u0027t check anything about access on the host ourselves -- it just happens automatically. Basically if you have sufficient permissions to do the equivalent of a `virsh secret-get-value` then you will be able to query libvirt for the secret value, due to the secret not being \"private\".\n\nPrivate IIUC means that you could see that the secret exists (i.e. 
`virsh secret-list`) but you will not be able to read its value.\n\nhttps://www.libvirt.org/manpages/virsh.html#secret-commands\nhttps://libvirt.org/html/libvirt-libvirt-secret.html","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"}],"nova/context.py":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"811a7a4ed412e62431966a0f760ec4b9be364700","unresolved":true,"context_lines":[{"line_number":284,"context_line":"    auth_plugin \u003d ks_loading.load_auth_from_conf_options("},{"line_number":285,"context_line":"        CONF, nova.conf.service_token.SERVICE_USER_GROUP)"},{"line_number":286,"context_line":"    return RequestContext(user_auth_plugin\u003dauth_plugin)"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"def is_user_context(context):"},{"line_number":290,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":23,"id":"444ffadb_b2bb93fb","line":287,"updated":"2025-09-26 05:03:42.000000000","message":"Question: should this possibly be the `[keystone_authtoken]` option group instead? 
I\u0027m not sure.","commit_id":"97f378b9573bdc037da7c3b256ca3db34b30a853"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"1e96dd1b9b2ba6542afac6811a617e66261eec01","unresolved":true,"context_lines":[{"line_number":284,"context_line":"    auth_plugin \u003d ks_loading.load_auth_from_conf_options("},{"line_number":285,"context_line":"        CONF, nova.conf.service_token.SERVICE_USER_GROUP)"},{"line_number":286,"context_line":"    return RequestContext(user_auth_plugin\u003dauth_plugin)"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"def is_user_context(context):"},{"line_number":290,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":23,"id":"396d0df0_e3917b65","line":287,"in_reply_to":"27e09c86_2a24a356","updated":"2025-11-21 02:02:08.000000000","message":"OK, I dug into this and found I was incorrect (and it should have been obvious I guess, but let\u0027s ignore that) -- the RequestContext will not be filled in at all unless we set the kwargs here. As you probably already knew.\n\n(The auth plugin is pulled by Castellan to talk to Barbican so the auth itself is working correctly (which is why the Tempest tests pass the secret ownership checks I included)).\n\nThe interesting thing that should have also been obvious to me is that everywhere we talk about \"admin user\" when Nova calls another service (like in nova/network/neutron.py for example), what is actually happening is we are passing the Nova service user auth. Which happens to have the `admin` role in Devstack and it might be a standard deployment thing in general. 
So we say \"admin user is calling Neutron\".\n\nGiven that, it seems like considering this case `get_service_user_context()` as admin would maintain consistency with the rest of our stuff.\n\nOtherwise, if we want to fill in `user_id` and `project_id` I don\u0027t see any other way than calling out to Keystone once to translate the `username` and `project_name` from the `[service_user]` config to IDs.\n\nWhat do you think? I lean toward letting it be considered admin because the Nova service user is what we use as \"admin\" in our interactions with other services like Cinder, Glance, and Neutron.","commit_id":"97f378b9573bdc037da7c3b256ca3db34b30a853"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"8053dee6d8d4f51a56fdcd774580a91c93d0278f","unresolved":true,"context_lines":[{"line_number":284,"context_line":"    auth_plugin \u003d ks_loading.load_auth_from_conf_options("},{"line_number":285,"context_line":"        CONF, nova.conf.service_token.SERVICE_USER_GROUP)"},{"line_number":286,"context_line":"    return RequestContext(user_auth_plugin\u003dauth_plugin)"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"def is_user_context(context):"},{"line_number":290,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":23,"id":"e8d87167_0d963216","line":287,"in_reply_to":"2e6f7ed6_2ee081bf","updated":"2025-11-21 18:42:49.000000000","message":"I think we can extract from the plugin, something like below. 
auth_token will be used to authenticate the request and user_id and project_id can be set is_user_context()\n\n        def get_service_user_context():\n            auth_plugin \u003d ks_loading.load_auth_from_conf_options(\n                CONF, nova.conf.service_token.SERVICE_USER_GROUP)\n            auth_token \u003d auth_plugin.get_token()\n            user_id \u003d auth_plugin.get_user_id()\n            project_id \u003d auth_plugin.get_project_id()\n            return RequestContext(user_id\u003duser_id, project_id\u003dproject_id , auth_token\u003dauth_token )\n\n\n\u003e def get_service_user_context(service, service_group):\n       auth_plugin \u003d ks_loading.load_auth_from_conf_options(conf,\n                                CONF.service.service_group.name)\n       return RequestContext(user_auth_plugin\u003dauth_plugin)`\n\n\nAlso, this is only passing the service token, which should be used for the user token expiry use case only.\n\nWe should pass the Barbican service user when talking to barbican (based on castellan key_manager), something like below:\n\n       def get_service_user_context(service, service_group):\n           auth_plugin \u003d ks_loading.load_auth_from_conf_options(conf,\n                                    CONF.service.service_group.name)\n           return RequestContext(user_auth_plugin\u003dauth_plugin)`\n                                   \n  - Barbican service user is created here[1] \n  - Barbican needs to set this in nova.conf. somewhere here[2]\n                                    \nIf we want to distinguish service user context from user context, then we can check \u0027service\u0027 role in is_user_context() so that it will return false for service user (or it can be as it is to say service user context also user context) and implement is_service_user_context(), which can return true based on role \u0027service\u0027. 
Something like:\n\n        def is_service_user_context(context):\n        \"\"\" Indicates if the request context is a service user.\"\"\"\n            if not context:\n                return False\n            if \u0027service\u0027 not in context.roles:\n                return False\n            if not context.user_id or not context.project_id:\n                return False\n            return True\n\nFurther, if we are worried about long long-running operation, then this can be embedded \n \n       def get_service_user_context():\n           auth_plugin \u003d ks_loading.load_auth_from_conf_options(conf,\n                                    nova.conf.barbican.barbican_group.name)\n           auth_with_service_token \u003d service_auth.get_auth_plugin(context, user_auth\u003dauth_plugin )\n            auth_token \u003d auth_with_service_token .get_token()\n            user_id \u003d auth_with_service_token .get_user_id()\n            project_id \u003d auth_with_service_token .get_project_id()\n            return RequestContext(user_id\u003duser_id, project_id\u003dproject_id , auth_token\u003dauth_with_service_token)\n\n\nService user historically and as per our code needs has the \u0027admin\u0027 role, but as Dan mentioned, it should not require the \u0027admin\u0027 role for ideal service-to-service  interaction. 
This needs a lot of work to get rid of admin things from our DB access or at the background operation layer.\n\n -https://github.com/openstack/nova/blob/16e65e74b28721de3530c13e6aba198466f5f91a/nova/service_auth.py#L33\n\n[1] https://github.com/openstack/barbican/blob/25ef5677a674088bfb433ab39df3a75ac7b3cf8f/devstack/lib/barbican#L257\n[2] https://github.com/openstack/barbican/blob/25ef5677a674088bfb433ab39df3a75ac7b3cf8f/devstack/lib/barbican#L94","commit_id":"97f378b9573bdc037da7c3b256ca3db34b30a853"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"17448456ed96fb3bbf78f711d8c600ac46209b4e","unresolved":true,"context_lines":[{"line_number":284,"context_line":"    auth_plugin \u003d ks_loading.load_auth_from_conf_options("},{"line_number":285,"context_line":"        CONF, nova.conf.service_token.SERVICE_USER_GROUP)"},{"line_number":286,"context_line":"    return RequestContext(user_auth_plugin\u003dauth_plugin)"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"def is_user_context(context):"},{"line_number":290,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":23,"id":"2e6f7ed6_2ee081bf","line":287,"in_reply_to":"327467e4_4a32540b","updated":"2025-11-21 15:14:34.000000000","message":"\u003e OK, I dug into this and found I was incorrect (and it should have been obvious I guess, but let\u0027s ignore that) -- the RequestContext will not be filled in at all unless we set the kwargs here. 
As you probably already knew.\n\n\u003e (The auth plugin is pulled by Castellan to talk to Barbican so the auth itself is working correctly (which is why the Tempest tests pass the secret ownership checks I included)).\n\nYep.\n\n\u003e The interesting thing that should have also been obvious to me is that everywhere we talk about \"admin user\" when Nova calls another service (like in nova/network/neutron.py for example), what is actually happening is we are passing the Nova service user auth. Which happens to have the admin role in Devstack and it might be a standard deployment thing in general. So we say \"admin user is calling Neutron\".\n\nRight, and that\u0027s why it works for you for talking to barbican - that\u0027s not my concern. It\u0027s just that now we potentially have two situations where we\u0027ve got a blank context, where previously that was always the admin case.\n\n\u003e Given that, it seems like considering this case get_service_user_context() as admin would maintain consistency with the rest of our stuff.\n\nDoes this mean just continue on with making is `admin\u003dTrue` (which doesn\u0027t mean anything other than internal to nova) for consistency? I guess the point is that in the future we\u0027ll want this to be not-admin (AFAIK our service user has service,admin roles today but eventually we want only service).\n\n\u003e Otherwise, if we want to fill in user_id and project_id I don\u0027t see any other way than calling out to Keystone once to translate the username and project_name from the [service_user] config to IDs.\n\nI feel like we must be able to get it out of the auth_plugin, surely.\n\n\u003e What do you think? I lean toward letting it be considered admin because the Nova service user is what we use as \"admin\" in our interactions with other services like Cinder, Glance, and Neutron.\n\nWell, right now it _is_ admin (and we don\u0027t actually use it anywhere for glance today, AFAIK). 
I don\u0027t think we actually create any resources in Nova\u0027s DB with an admin context today (the DB layer will stop us) but it feels like we _could_ end up needing to do that with this context, since this (unlike admin powers) an actual user that is going to own something in someone else\u0027s database. On the other hand, maybe leaving it anonymous would prevent us from doing that without some additional care, I dunno.\n\nAt least I think you should pass `user_id\u003dNone,project_id\u003dNone` like we do for get_admin_context() to be explicit. Maybe just a solid comment or docstring (everything else in here has one too) explaining this is a user context for the service user, without admin (in our DB) rights, but also no user/project either. It _is_ a user context, but won\u0027t pass `is_user_context()` below without either of those set. I just don\u0027t want that to be confusing in the future - most people just pass context around and don\u0027t give it much thought :)","commit_id":"97f378b9573bdc037da7c3b256ca3db34b30a853"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"a54e024d661fbe314c50c9b7c0c785d6280c95f3","unresolved":true,"context_lines":[{"line_number":284,"context_line":"    auth_plugin \u003d ks_loading.load_auth_from_conf_options("},{"line_number":285,"context_line":"        CONF, nova.conf.service_token.SERVICE_USER_GROUP)"},{"line_number":286,"context_line":"    return RequestContext(user_auth_plugin\u003dauth_plugin)"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"def is_user_context(context):"},{"line_number":290,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":23,"id":"327467e4_4a32540b","line":287,"in_reply_to":"396d0df0_e3917b65","updated":"2025-11-21 09:06:49.000000000","message":"As Dan said, this is a bit 
black magic to me and AFAIK, this is configuration-dependent. \nThe main important point is that operators need to modify the nova-compute configuration for adding a new [service_user] section for having nova as an admin, IIUC.\n\n@gmaan@ghanshyammann.com could you help us ?","commit_id":"97f378b9573bdc037da7c3b256ca3db34b30a853"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"85c285cb603cecc7c653672e2a737954706f393f","unresolved":true,"context_lines":[{"line_number":284,"context_line":"    auth_plugin \u003d ks_loading.load_auth_from_conf_options("},{"line_number":285,"context_line":"        CONF, nova.conf.service_token.SERVICE_USER_GROUP)"},{"line_number":286,"context_line":"    return RequestContext(user_auth_plugin\u003dauth_plugin)"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"def is_user_context(context):"},{"line_number":290,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":23,"id":"dfe8038e_7e919d0a","line":287,"in_reply_to":"40a8c15e_ce3250d3","updated":"2025-11-21 21:13:30.000000000","message":"I\u0027m so glad you know all this stuff, thank you. That\u0027s what I was wondering at the beginning of this comment thread was if I should be using `[keystone_authtoken]` instead. Thanks for confirming and explaining the details about the differences.\n\nWhat you have shown makes sense and good point that the name of the function should probably include `nova` to make it clearer what this is for. 
Originally I was thinking just \"service user\" in the context of the Nova project would be the Nova service user.\n\nI\u0027ll make the changes.","commit_id":"97f378b9573bdc037da7c3b256ca3db34b30a853"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a3c113a9515c662e7a6d7369b421531eb60f991c","unresolved":true,"context_lines":[{"line_number":284,"context_line":"    auth_plugin \u003d ks_loading.load_auth_from_conf_options("},{"line_number":285,"context_line":"        CONF, nova.conf.service_token.SERVICE_USER_GROUP)"},{"line_number":286,"context_line":"    return RequestContext(user_auth_plugin\u003dauth_plugin)"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"def is_user_context(context):"},{"line_number":290,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":23,"id":"c5cc6c62_f1f7ad3d","line":287,"in_reply_to":"40a8c15e_ce3250d3","updated":"2025-11-21 21:12:52.000000000","message":"yeah, implementation is hiding very deep BaseIdentityPlugin[1]\n\nPassword-\u003eAuth-\u003e BaseAuth -\u003e BaseIdentityPlugin\n\n[1] https://github.com/openstack/keystoneauth/blob/4f0414d864bd790aa6dc54e55308a94653fbcfb4/keystoneauth1/identity/base.py#L646","commit_id":"97f378b9573bdc037da7c3b256ca3db34b30a853"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"156331cfcf807ce4dbdf2b30ecf2f8ccd5863e50","unresolved":true,"context_lines":[{"line_number":284,"context_line":"    auth_plugin \u003d ks_loading.load_auth_from_conf_options("},{"line_number":285,"context_line":"        CONF, nova.conf.service_token.SERVICE_USER_GROUP)"},{"line_number":286,"context_line":"    return 
RequestContext(user_auth_plugin\u003dauth_plugin)"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"def is_user_context(context):"},{"line_number":290,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":23,"id":"e63ec86d_fe09db45","line":287,"in_reply_to":"444ffadb_b2bb93fb","updated":"2025-11-20 18:43:03.000000000","message":"\u003e Question: should this possibly be the [keystone_authtoken] option group instead? I\u0027m not sure.\n\nI also don\u0027t know. This keystone auth stuff is always black magic to me. We should ask someone who knows better.\n\nI also wonder if we should have user/project set to something for this. Just below, `is_user_context()` will return `False` for this I think because `user_id` and/or `project_id` is unset. That\u0027s maybe kinda the right answer, but I think that test is sort of \"is this a user context? No? Then must be admin.\" That just might bite us somewhere if we use this context to do anything other than make a call to barbican.","commit_id":"97f378b9573bdc037da7c3b256ca3db34b30a853"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"42ae1ea272306e88a7ab0730b64ef9e032deb14b","unresolved":true,"context_lines":[{"line_number":284,"context_line":"    auth_plugin \u003d ks_loading.load_auth_from_conf_options("},{"line_number":285,"context_line":"        CONF, nova.conf.service_token.SERVICE_USER_GROUP)"},{"line_number":286,"context_line":"    return RequestContext(user_auth_plugin\u003dauth_plugin)"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"def is_user_context(context):"},{"line_number":290,"context_line":"    \"\"\"Indicates if the request context is a normal 
user.\"\"\""}],"source_content_type":"text/x-python","patch_set":23,"id":"74c28c23_83259d1e","line":287,"in_reply_to":"53e2bbf7_6dd0fddb","updated":"2025-11-21 20:45:16.000000000","message":"Thanks all for the input. I had actually first looked to find if/how to get the `user_id` and `project_id` out of the auth plugin and did not find it somehow. So thanks @gmaan@ghanshyammann.com for showing how 😊\n\nOther than that, this context is intentionally supposed to be the Nova service user\u0027s own auth because in this TPM secret security mode (\"deployment\") the Barbican secret is owned by the Nova service user itself (see the spec). So when it creates the secret it needs to do it as the Nova service user and same when it needs to GET or DELETE it.\n\nSo if I\u0027m understanding correctly, all we need to do here is fill in `user_id` and `project_id` and maybe the roles too if I can get them from the auth plugin.","commit_id":"97f378b9573bdc037da7c3b256ca3db34b30a853"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ac8cf73096dfa3ffa7ecdbba67efb9d67bd5d294","unresolved":true,"context_lines":[{"line_number":284,"context_line":"    auth_plugin \u003d ks_loading.load_auth_from_conf_options("},{"line_number":285,"context_line":"        CONF, nova.conf.service_token.SERVICE_USER_GROUP)"},{"line_number":286,"context_line":"    return RequestContext(user_auth_plugin\u003dauth_plugin)"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"def is_user_context(context):"},{"line_number":290,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":23,"id":"40a8c15e_ce3250d3","line":287,"in_reply_to":"74c28c23_83259d1e","updated":"2025-11-21 21:05:22.000000000","message":"\u003e Other than that, this context is intentionally 
supposed to be the Nova service user\u0027s own auth because in this TPM secret security mode (\"deployment\") the Barbican secret is owned by the Nova service user itself\n\nI see, in that case, you should get it from [keystone_authtoken] itself because there we have the \u0027nova\u0027 service user configured[1].\n\nnova.conf.service_token.SERVICE_USER_GROUP is service token which we used to only for the user token expiry case. Name of \u0027service token group\u0027 with \u0027service user\u0027 is always confusing but as you know both are different things.\n\n\n\u003e So if I\u0027m understanding correctly, all we need to do here is fill in `user_id` and `project_id` and maybe the roles too if I can get them from the auth plugin.\n\nand \u0027auth_token\u0027, which will be used for actual authentication.\n\nI think that should solve Dan\u0027s concern about is_user_context() return True for this service user means yes this is a user token, but is_service_user_context() can be implemented later if we explicitly want to differentiate between external user and service user context.\n\nAs we are using Nova service user, can you make the method name explicit to reflect that:\n\n        get_service_user_context-\u003eget_nova_service_user_context\n\nunless you are making it generic to take the conf group name as arg and it can be used to get context for any other service user also.\n\n[1] https://github.com/openstack/devstack/blob/f61d747518a3b4896032c7e9440ddf31856a060f/lib/nova#L508","commit_id":"97f378b9573bdc037da7c3b256ca3db34b30a853"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"d7c5f07a66a1fed77ff19f7f6d3e8314bb435baf","unresolved":true,"context_lines":[{"line_number":284,"context_line":"    auth_plugin \u003d ks_loading.load_auth_from_conf_options("},{"line_number":285,"context_line":"        CONF, 
nova.conf.service_token.SERVICE_USER_GROUP)"},{"line_number":286,"context_line":"    return RequestContext(user_auth_plugin\u003dauth_plugin)"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"def is_user_context(context):"},{"line_number":290,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":23,"id":"dfe130b1_a476ada3","line":287,"in_reply_to":"74c28c23_83259d1e","updated":"2025-11-21 20:56:20.000000000","message":"OK, just looked again and I see why I thought you can\u0027t easily get `user_id` and `project_id`. In the `BaseAuthPlugin` both methods return `None` [1]. And in the subclass we are using `v3.Password`, it does not provide any implementation for the methods [2]. So as far as I can tell, if I call those methods here I will always get `None` right?\n\n[1] https://github.com/openstack/keystoneauth/blob/4f0414d864bd790aa6dc54e55308a94653fbcfb4/keystoneauth1/plugin.py#L302-L330\n[2] https://github.com/openstack/keystoneauth/blob/4f0414d864bd790aa6dc54e55308a94653fbcfb4/keystoneauth1/loading/_plugins/identity/v3.py#L49","commit_id":"97f378b9573bdc037da7c3b256ca3db34b30a853"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"30b4446ce4fa9e57aff09999e95d47d2d4a70154","unresolved":true,"context_lines":[{"line_number":284,"context_line":"    auth_plugin \u003d ks_loading.load_auth_from_conf_options("},{"line_number":285,"context_line":"        CONF, nova.conf.service_token.SERVICE_USER_GROUP)"},{"line_number":286,"context_line":"    return RequestContext(user_auth_plugin\u003dauth_plugin)"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"def is_user_context(context):"},{"line_number":290,"context_line":"    \"\"\"Indicates if the request context is a normal 
user.\"\"\""}],"source_content_type":"text/x-python","patch_set":23,"id":"f513a507_21098b9f","line":287,"in_reply_to":"dfe130b1_a476ada3","updated":"2025-11-21 21:01:29.000000000","message":"Sorry, ignore my last comment, I think I was looking at the wrong class as the plugin class. Instead it should be https://github.com/openstack/keystoneauth/blob/4f0414d864bd790aa6dc54e55308a94653fbcfb4/keystoneauth1/identity/v3/password.py#L83\n\nIt looks like `user_id` and `project_id` should be set as attributes on the class so I will test that out.","commit_id":"97f378b9573bdc037da7c3b256ca3db34b30a853"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"fc570d9fe4c25d426e1a3d4085014c58c5ac34ff","unresolved":false,"context_lines":[{"line_number":284,"context_line":"    auth_plugin \u003d ks_loading.load_auth_from_conf_options("},{"line_number":285,"context_line":"        CONF, nova.conf.service_token.SERVICE_USER_GROUP)"},{"line_number":286,"context_line":"    return RequestContext(user_auth_plugin\u003dauth_plugin)"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"def is_user_context(context):"},{"line_number":290,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":23,"id":"d72004bf_d7c53eae","line":287,"in_reply_to":"dfe8038e_7e919d0a","updated":"2025-11-22 06:11:55.000000000","message":"Done","commit_id":"97f378b9573bdc037da7c3b256ca3db34b30a853"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"cf2eaaccc9d73f92e0da5210590dc02476aa0c91","unresolved":true,"context_lines":[{"line_number":284,"context_line":"    auth_plugin \u003d ks_loading.load_auth_from_conf_options("},{"line_number":285,"context_line":"        CONF, 
nova.conf.service_token.SERVICE_USER_GROUP)"},{"line_number":286,"context_line":"    return RequestContext(user_auth_plugin\u003dauth_plugin)"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"def is_user_context(context):"},{"line_number":290,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":23,"id":"27e09c86_2a24a356","line":287,"in_reply_to":"e63ec86d_fe09db45","updated":"2025-11-20 21:39:54.000000000","message":"I believe this will result in a RequestContext with the Nova service user name and project set given that it\u0027s pulling auth details from the `[service_user]` config which has all of that, i.e.:\n\n```\n[service_user]\nproject_domain_name \u003d Default\nproject_name \u003d service\nuser_domain_name \u003d Default\npassword \u003d a\nusername \u003d nova\nauth_url \u003d http://192.168.64.8/identity\nauth_type \u003d password\nsend_service_user_token \u003d True\n```\n\nbut I will check and see if I can test for it in a unit test or such.","commit_id":"97f378b9573bdc037da7c3b256ca3db34b30a853"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6d811c4f694447cb81967ef6c8d5ae8b4977b788","unresolved":true,"context_lines":[{"line_number":284,"context_line":"    auth_plugin \u003d ks_loading.load_auth_from_conf_options("},{"line_number":285,"context_line":"        CONF, nova.conf.service_token.SERVICE_USER_GROUP)"},{"line_number":286,"context_line":"    return RequestContext(user_auth_plugin\u003dauth_plugin)"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"def is_user_context(context):"},{"line_number":290,"context_line":"    \"\"\"Indicates if the request context is a normal 
user.\"\"\""}],"source_content_type":"text/x-python","patch_set":23,"id":"53e2bbf7_6dd0fddb","line":287,"in_reply_to":"e8d87167_0d963216","updated":"2025-11-21 19:02:29.000000000","message":"Sorry, one mistake, I forgot to pass the session, which is still needed to fetch the token/project/user id. Also using the Barbican service user\n\nThe correct way is:\n\n        def get_service_user_context(service_group_name):\n            auth_plugin \u003d ks_loading.load_auth_from_conf_options(\n                CONF, service_group_name)\n            session \u003d ks_loading.load_session_from_conf_options(\n                CONF, service_group_name)\n            auth_token \u003d auth_plugin.get_token(session )\n            user_id \u003d auth_plugin.get_user_id(session )\n            project_id \u003d auth_plugin.get_project_id(session )\n            return RequestContext(user_id\u003duser_id, project_id\u003dproject_id , auth_token\u003dauth_token )\n \nThen, It can be called with the specific service user context we want:  \n      \n        context.get_service_user_context(nova.conf.barbican.barbican_group.name)","commit_id":"97f378b9573bdc037da7c3b256ca3db34b30a853"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"a54e024d661fbe314c50c9b7c0c785d6280c95f3","unresolved":true,"context_lines":[{"line_number":282,"context_line":""},{"line_number":283,"context_line":"def get_service_user_context():"},{"line_number":284,"context_line":"    auth_plugin \u003d ks_loading.load_auth_from_conf_options("},{"line_number":285,"context_line":"        CONF, nova.conf.service_token.SERVICE_USER_GROUP)"},{"line_number":286,"context_line":"    return RequestContext(user_auth_plugin\u003dauth_plugin)"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":""}],"source_content_type":"text/x-python","patch_set":38,"id":"1a698daf_0be6cd31","line":285,"updated":"2025-11-21 
09:06:49.000000000","message":"this is a bit fragile : the conf option couldn\u0027t be set so we would have a raised exception here. Could we check the possible exceptions here ?\n\nIf the operator misconfigures, then the migration would fail with a difficult exception.","commit_id":"aa7654c94a5e1054b343fab99d972dcc04d688a0"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"fc570d9fe4c25d426e1a3d4085014c58c5ac34ff","unresolved":false,"context_lines":[{"line_number":282,"context_line":""},{"line_number":283,"context_line":"def get_service_user_context():"},{"line_number":284,"context_line":"    auth_plugin \u003d ks_loading.load_auth_from_conf_options("},{"line_number":285,"context_line":"        CONF, nova.conf.service_token.SERVICE_USER_GROUP)"},{"line_number":286,"context_line":"    return RequestContext(user_auth_plugin\u003dauth_plugin)"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":""}],"source_content_type":"text/x-python","patch_set":38,"id":"150d08d6_156adaec","line":285,"in_reply_to":"1a698daf_0be6cd31","updated":"2025-11-22 06:11:55.000000000","message":"Done","commit_id":"aa7654c94a5e1054b343fab99d972dcc04d688a0"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"1c676df8f21c7248786b0e221980fc7c57038cd7","unresolved":true,"context_lines":[{"line_number":335,"context_line":"        project_id\u003d_NOVA_USER_AUTH.get_project_id(_NOVA_USER_SESSION),"},{"line_number":336,"context_line":"        roles\u003d_NOVA_USER_AUTH.get_access(_NOVA_USER_SESSION).role_names,"},{"line_number":337,"context_line":"        user_auth_plugin\u003d_NOVA_USER_AUTH, is_admin\u003dFalse, overwrite\u003dFalse)"},{"line_number":338,"context_line":""},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"def 
is_user_context(context):"},{"line_number":341,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":42,"id":"6b5537ee_f365ab56","line":338,"updated":"2025-11-22 22:16:16.000000000","message":"Note to reviewers: I have had a HELLISH time trying to get `[keystone_authtoken]` or a new `[barbican]` config section to work due to option registration collisions with other libraries such as keystonemiddleware (which actually owns the [keystone_authtoken] section) or castellan (owns parts of the [barbican] section).\n\nSo far it seems to me whatever config section we use, it has to be solely owned by Nova in order to avoid such headaches. I have set it back to `[service_user]` for now. If we want a different section, AFAICT we would need to create a new one that other things won\u0027t be registering options in. And that of course comes with all of the cost of making a new section for operators to configure.\n\nOpen to thoughts.","commit_id":"33824a3c8aeed76d4a70693df99a770eeb4c74d7"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"aa37de1d9c1b2d76548650b7e4dc9fc4f5d7be34","unresolved":true,"context_lines":[{"line_number":335,"context_line":"        project_id\u003d_NOVA_USER_AUTH.get_project_id(_NOVA_USER_SESSION),"},{"line_number":336,"context_line":"        roles\u003d_NOVA_USER_AUTH.get_access(_NOVA_USER_SESSION).role_names,"},{"line_number":337,"context_line":"        user_auth_plugin\u003d_NOVA_USER_AUTH, is_admin\u003dFalse, overwrite\u003dFalse)"},{"line_number":338,"context_line":""},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"def is_user_context(context):"},{"line_number":341,"context_line":"    \"\"\"Indicates if the request context is a normal 
user.\"\"\""}],"source_content_type":"text/x-python","patch_set":42,"id":"90fd27a9_96b416c5","line":338,"in_reply_to":"019c4eca_2e1a0e74","updated":"2025-12-02 23:19:02.000000000","message":"\\*and similarly I get the missing conf error instead if I **don\u0027t** register them","commit_id":"33824a3c8aeed76d4a70693df99a770eeb4c74d7"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2fa87fd6a38478e799c1ecc86c1e428433e98609","unresolved":true,"context_lines":[{"line_number":335,"context_line":"        project_id\u003d_NOVA_USER_AUTH.get_project_id(_NOVA_USER_SESSION),"},{"line_number":336,"context_line":"        roles\u003d_NOVA_USER_AUTH.get_access(_NOVA_USER_SESSION).role_names,"},{"line_number":337,"context_line":"        user_auth_plugin\u003d_NOVA_USER_AUTH, is_admin\u003dFalse, overwrite\u003dFalse)"},{"line_number":338,"context_line":""},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"def is_user_context(context):"},{"line_number":341,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":42,"id":"5c183820_b2a35aba","line":338,"in_reply_to":"2106fcee_615c515e","updated":"2025-12-02 21:54:05.000000000","message":"ah right, sorry I did not test the \u0027keystone_authtoken\u0027 session loading and I thought it should work same as we load auth/sessions for other service user group (say \u0027cinder\u0027).\n\nI debugged it more and found what is missing here. To get the sessions from any group, session\u0027s config needs to be registered (get_session_conf_options()). 
You are right that \u0027keystone_authtoken\u0027 is owned by keystonemiddleware. keystonemiddleware registers the auth config but does not register the session\u0027s config under the \u0027keystone_authtoken\u0027 group, and that is why load_session_from_conf_options(\n             CONF, \u0027keystone_authtoken\u0027) fails, complaining about the missing config, while register_session_conf_options() complains about duplicate registration, because keystonemiddleware already registers some of the config under \u0027keystone_authtoken\u0027 that register_session_conf_options() tries to register again.\n\nThe [\u0027service_user\u0027] group does it all and it works fine:\n- https://github.com/openstack/nova/blob/23b462d77df1a1d09c43d0918bca853ef3af1e3f/nova/conf/service_token.py#L58\n\nTo make \u0027keystone_authtoken\u0027 session loading work, we need a bit more work (registering the session\u0027s config as well), but that needs to be done on the keystonemiddleware side, as it owns and registers things for \u0027keystone_authtoken\u0027.\n\nConsidering that, I think I agree on using the \u0027service_user\u0027 group here. 
Later in future we can make \u0027keystone_authtoken\u0027 work if we really want to separate out the \u0027keystone_authtoken\u0027 and \u0027service_user\u0027.\n\nI am good with this.","commit_id":"33824a3c8aeed76d4a70693df99a770eeb4c74d7"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e959ee6cdc86a61bd1be809c904486ed6d3d2d92","unresolved":true,"context_lines":[{"line_number":335,"context_line":"        project_id\u003d_NOVA_USER_AUTH.get_project_id(_NOVA_USER_SESSION),"},{"line_number":336,"context_line":"        roles\u003d_NOVA_USER_AUTH.get_access(_NOVA_USER_SESSION).role_names,"},{"line_number":337,"context_line":"        user_auth_plugin\u003d_NOVA_USER_AUTH, is_admin\u003dFalse, overwrite\u003dFalse)"},{"line_number":338,"context_line":""},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"def is_user_context(context):"},{"line_number":341,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":42,"id":"019c4eca_2e1a0e74","line":338,"in_reply_to":"5c183820_b2a35aba","updated":"2025-12-02 23:16:53.000000000","message":"Thanks for digging into the details on this. I had the same experience in my testing and I agree with you that resolving the issue needs to be done in keystonemiddleware.\n\nSomething else I thought of though, is if keystonemiddleware is only used by nova-api then doesn\u0027t that mean nova-compute shouldn\u0027t really be using [keystone_authtoken]? 
I know it\u0027s not being loaded because when I start n-cpu and I register the session conf options, there is no DuplicateOptError and similarly I get the missing conf error instead.\n\nJust wondering whether [keystone_authtoken] is really the ideal target for this kind of service user auth, given that.","commit_id":"33824a3c8aeed76d4a70693df99a770eeb4c74d7"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6e6525aee2296b993b3e203082e45e7b350ffe66","unresolved":true,"context_lines":[{"line_number":335,"context_line":"        project_id\u003d_NOVA_USER_AUTH.get_project_id(_NOVA_USER_SESSION),"},{"line_number":336,"context_line":"        roles\u003d_NOVA_USER_AUTH.get_access(_NOVA_USER_SESSION).role_names,"},{"line_number":337,"context_line":"        user_auth_plugin\u003d_NOVA_USER_AUTH, is_admin\u003dFalse, overwrite\u003dFalse)"},{"line_number":338,"context_line":""},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"def is_user_context(context):"},{"line_number":341,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":42,"id":"6ca33fa0_ec2c980b","line":338,"in_reply_to":"6b5537ee_f365ab56","updated":"2025-11-24 20:33:28.000000000","message":"ah right. I thought, somewhere at common place, we do register the keystoneauth auth for the nova group also, but I checked again, and we do not. 
We do register it for \u0027service_token.service_user\u0027[1] or for all the other service users that Nova uses to interact with other services (for example, manila[2]), but we do not for Nova itself under the \u0027keystone_authtoken\u0027 group (because Nova never needed to use the \u0027nova\u0027 user to interact with other services).\n\nMost of the time, the service users in \u0027service_token.service_user\u0027 and \u0027keystone_authtoken\u0027 are the same (the operator might be setting the same user in both sections), but technically (or I will say ideally), the operator should configure two different users:\n\n1. \u0027service_token.service_user\u0027 -\u003e create a user with the required service roles[3], because it is meant to be used for token expiry only.\n2. \u0027nova\u0027 service user (in keystone_authtoken): a user used by other services to interact with Nova, and it may have additional roles depending on the service and the operations it performs on Nova. For example, swap volume: as per the current implementation and its complexity, it really needs the \u0027admin\u0027 role on the \u0027nova\u0027 user. But configuring \u0027service_token.service_user\u0027 with the same \u0027nova\u0027 user that has the \u0027admin\u0027 role is wrong, because \u0027admin\u0027 is not needed to extend the user token expiry.\n\nAnd as you know, we do not have very good documentation for operators explaining these configuration sections, which look very similar. 
So I am ok if you use \u0027service_user\u0027 as per vTPM scope (because we need to improve the doc and some implementation as part of these service user things as a separate effort), but please add a todo to use the Nova user from \u0027keystone_authtoken\u0027.\n\nor if you want to use it from keystone_authtoken then you can register the same before loading (register_auth_conf_options and register_session_conf_options):\n\n.\n.\n.\n\n     _NOVA_USER_AUTH \u003d\n         ks_loading.register_auth_conf_options(conf, \u0027keystone_authtoken\u0027)\n         ks_loading.load_auth_from_conf_options(\n                CONF, \u0027keystone_authtoken\u0027)\n     except ks_exc.MissingRequiredOptions as e:\n         raise exception.InvalidConfiguration(\n            \u0027The following options are required in the \u0027\n            f\u0027[{conf_group}] section of the Nova configuration: \u0027\n                f\u0027{str(e)}\u0027)\n\n     if not _NOVA_USER_SESSION:\n         # Session does not have any required conf options.\n          ks_loading.register_session_conf_options(conf, \u0027keystone_authtoken\u0027)\n         _NOVA_USER_SESSION \u003d ks_loading.load_session_from_conf_options(\n                 CONF, \u0027keystone_authtoken\u0027)\n                \n[1] https://github.com/openstack/nova/blob/23b462d77df1a1d09c43d0918bca853ef3af1e3f/nova/conf/service_token.py#L50-L51\n\n[2]https://github.com/openstack/nova/blob/23b462d77df1a1d09c43d0918bca853ef3af1e3f/nova/conf/manila.py#L46\n\n[3] https://github.com/openstack/keystonemiddleware/blob/b14f816465bd224f9e5bde162e825c1a808b9547/keystonemiddleware/auth_token/__init__.py#L382","commit_id":"33824a3c8aeed76d4a70693df99a770eeb4c74d7"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"c2bd18d03ee1f917a37035d17e813d1c5c45eb6f","unresolved":true,"context_lines":[{"line_number":335,"context_line":"        
project_id\u003d_NOVA_USER_AUTH.get_project_id(_NOVA_USER_SESSION),"},{"line_number":336,"context_line":"        roles\u003d_NOVA_USER_AUTH.get_access(_NOVA_USER_SESSION).role_names,"},{"line_number":337,"context_line":"        user_auth_plugin\u003d_NOVA_USER_AUTH, is_admin\u003dFalse, overwrite\u003dFalse)"},{"line_number":338,"context_line":""},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"def is_user_context(context):"},{"line_number":341,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":42,"id":"2106fcee_615c515e","line":338,"in_reply_to":"6ca33fa0_ec2c980b","updated":"2025-12-01 18:49:56.000000000","message":"Yes sorry, I understood what you commented earlier about the general difference between `[service_user]` and `[keystone_authtoken]`. I was trying to say that when I tried to `register_auth_conf_options()` and `register_session_conf_options()`  for `[keystone_authtoken]`, I got collisions with keystonemiddleware as it owns that config section. It registers the options itself and if Nova registered them first, it will fail with `oslo_config.cfg.DuplicateOptError`, for example in `n-api` raised from inside keystonemiddleware:\n\nhttps://paste.openstack.org/show/b5DOF6pcwV3VnOyK1b5Q\n\nSo it seemed wrong to be trying to register options in Nova that a standalone library owns -- it likely rightfully assumes it is the only one who will register the options.\n\nRegistering them in Nova works \"ok\" in `n-cpu` but it\u0027s not guaranteed we will only need the service user context in `n-cpu`. 
It should be able to be used by `n-api` (in nova/compute/api.py) if needed.\n\nI got similar results with the `[barbican]` section except the duplicate opt errors were raised from inside castellan instead of from inside keystonemiddleware.\n\nAnd it didn\u0027t seem right to try to do things like, try to detect keystonemiddleware or castellan and skip config option registration if so, etc etc. It seemed like a messy thing to do to try to circumvent how the `keystone_authtoken` and `[barbican]` sections are intended to be used.\n\nThe `[service_user]` section is the only already existing section that Nova owns, as far as I could tell and when I tested.\n\nI\u0027m not sure what is the best thing to do given all this?","commit_id":"33824a3c8aeed76d4a70693df99a770eeb4c74d7"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"96e97b4f8e4eeb06f3c2569d1a0bc73b4c9af3d6","unresolved":true,"context_lines":[{"line_number":335,"context_line":"        project_id\u003d_NOVA_USER_AUTH.get_project_id(_NOVA_USER_SESSION),"},{"line_number":336,"context_line":"        roles\u003d_NOVA_USER_AUTH.get_access(_NOVA_USER_SESSION).role_names,"},{"line_number":337,"context_line":"        user_auth_plugin\u003d_NOVA_USER_AUTH, is_admin\u003dFalse, overwrite\u003dFalse)"},{"line_number":338,"context_line":""},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"def is_user_context(context):"},{"line_number":341,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":42,"id":"9c187bf2_1bfa9b25","line":338,"in_reply_to":"8130f358_36b35fbe","updated":"2026-04-02 17:35:13.000000000","message":"just to capture what I said on IRC \n\nI\u0027m -2, perhaps -1.5, on using the \n\n`[keystone_authtoken]` or `[service_user]`\n\nsection to talk to Barbican\n\nI would like us to explicitly add a `[barbican]`\nsection to the config and 
require that when \nCONF.key_manager.backend \u003d\u003d barbican and \"deployment\" in CONF.libvirt.supported_tpm_secret_security\n\nthat should be a hard error checked in init_host or similar.\n\nThis is something I would have -1\u0027d if I had seen this, and requested we change before moving forward with https://review.opendev.org/c/openstack/nova/+/925771/61","commit_id":"33824a3c8aeed76d4a70693df99a770eeb4c74d7"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e81925f3124aec77dc361ebd54b3cd44af728e73","unresolved":true,"context_lines":[{"line_number":335,"context_line":"        project_id\u003d_NOVA_USER_AUTH.get_project_id(_NOVA_USER_SESSION),"},{"line_number":336,"context_line":"        roles\u003d_NOVA_USER_AUTH.get_access(_NOVA_USER_SESSION).role_names,"},{"line_number":337,"context_line":"        user_auth_plugin\u003d_NOVA_USER_AUTH, is_admin\u003dFalse, overwrite\u003dFalse)"},{"line_number":338,"context_line":""},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"def is_user_context(context):"},{"line_number":341,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":42,"id":"8130f358_36b35fbe","line":338,"in_reply_to":"90fd27a9_96b416c5","updated":"2025-12-02 23:34:07.000000000","message":"Yeah, good point. [keystone_authtoken] is more of a thing at the API layer when the user is authenticated. 
If other services need nova service user (this case), we should not overload the service/operation of registering/loading [keystone_authtoken] for them.","commit_id":"33824a3c8aeed76d4a70693df99a770eeb4c74d7"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"ac7244200c0c3247c7e976d9d2a59800667922f6","unresolved":true,"context_lines":[{"line_number":335,"context_line":"        project_id\u003d_NOVA_USER_AUTH.get_project_id(_NOVA_USER_SESSION),"},{"line_number":336,"context_line":"        roles\u003d_NOVA_USER_AUTH.get_access(_NOVA_USER_SESSION).role_names,"},{"line_number":337,"context_line":"        user_auth_plugin\u003d_NOVA_USER_AUTH, is_admin\u003dFalse, overwrite\u003dFalse)"},{"line_number":338,"context_line":""},{"line_number":339,"context_line":""},{"line_number":340,"context_line":"def is_user_context(context):"},{"line_number":341,"context_line":"    \"\"\"Indicates if the request context is a normal user.\"\"\""}],"source_content_type":"text/x-python","patch_set":42,"id":"887219e2_07464a96","line":338,"in_reply_to":"9c187bf2_1bfa9b25","updated":"2026-04-02 17:41:54.000000000","message":"I have added a PTG discussion topic about this here: https://etherpad.opendev.org/p/nova-2026.2-ptg#L151","commit_id":"33824a3c8aeed76d4a70693df99a770eeb4c74d7"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"467c522dbd78c695a4bf480113f70804e16a8768","unresolved":true,"context_lines":[{"line_number":309,"context_line":"    conf_group \u003d \u0027service_user\u0027"},{"line_number":310,"context_line":""},{"line_number":311,"context_line":"    global _NOVA_USER_AUTH"},{"line_number":312,"context_line":"    global _NOVA_USER_SESSION"},{"line_number":313,"context_line":""},{"line_number":314,"context_line":"    if not _NOVA_USER_AUTH:"},{"line_number":315,"context_line":"        
try:"}],"source_content_type":"text/x-python","patch_set":43,"id":"b41c6967_72928a8e","line":312,"updated":"2026-01-14 19:08:49.000000000","message":"So, I was going through the `network/neutron.py` code to sort of compare to this and... it seems maybe a bit unfortunate to have replicated a lot of that here but slightly different. I _think_ everything we do there is the same as here (although it\u0027s hard to tell) but the layout is somewhat different.\n\nI also think slamming this all in `context.py` is maybe further inflating what this used-to-be-small file is really for. I wonder if we could maybe create a `nova/service_auth.py` file and put some generic code in there to handle all this stuff in a generic manner. Such that we had a function like:\n\n```python\nAUTHS \u003d {}\ndef get_auth_for_service(service, conf_group):\n    global AUTHS\n    \n    auth \u003d AUTHS.get(service)\n    if not auth:\n        auth \u003d AUTHS[service] \u003d load_auth_from_conf_options(CONF, conf_group)\n\n    # Similar for session\n    \n    return RequestContext(...)\n```\n\nand then this, neutron, probably cinder? could all use the same set of code in a similar way. We could also reset those globals in a more consistent way in `test.py`, etc.\n\nNot saying we need to do that before this patch, but... 
seems like it might be good to do it as part of this effort to avoid losing the context on these things that we have built up.","commit_id":"b89e2220bc9084cba7cd21bea480dccb1766c594"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"a7bb5d80e10b0f0f4a6aea63095cfb9b8eb9744c","unresolved":true,"context_lines":[{"line_number":309,"context_line":"    conf_group \u003d \u0027service_user\u0027"},{"line_number":310,"context_line":""},{"line_number":311,"context_line":"    global _NOVA_USER_AUTH"},{"line_number":312,"context_line":"    global _NOVA_USER_SESSION"},{"line_number":313,"context_line":""},{"line_number":314,"context_line":"    if not _NOVA_USER_AUTH:"},{"line_number":315,"context_line":"        try:"}],"source_content_type":"text/x-python","patch_set":43,"id":"bb41c9ac_0840539a","line":312,"in_reply_to":"b41c6967_72928a8e","updated":"2026-01-14 19:32:36.000000000","message":"We already have one [1] but currently it is about `service_user_token` which is different than the actual token of the service user. I thought it might be confusing.\n\nBut yeah, we can add this somewhere else, I\u0027ll think about where. 
There might be a reason it can\u0027t be used by neutron and cinder but I\u0027ll check on it and see if reuse is possible.\n\n[1] https://github.com/openstack/nova/blob/d16689b7753e4329af6fa272ed02e8560c010446/nova/service_auth.py","commit_id":"b89e2220bc9084cba7cd21bea480dccb1766c594"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"bbe0745c24e39c9531c220c96408f413b92c5b62","unresolved":true,"context_lines":[{"line_number":309,"context_line":"    conf_group \u003d \u0027service_user\u0027"},{"line_number":310,"context_line":""},{"line_number":311,"context_line":"    global _NOVA_USER_AUTH"},{"line_number":312,"context_line":"    global _NOVA_USER_SESSION"},{"line_number":313,"context_line":""},{"line_number":314,"context_line":"    if not _NOVA_USER_AUTH:"},{"line_number":315,"context_line":"        try:"}],"source_content_type":"text/x-python","patch_set":43,"id":"be35b4e6_aa7b35aa","line":312,"in_reply_to":"bb41c9ac_0840539a","updated":"2026-01-21 23:00:09.000000000","message":"I have prepared a refactor patch for \"service auth stuff\" like this that I will place underneath this one when I respin.","commit_id":"b89e2220bc9084cba7cd21bea480dccb1766c594"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"04338b8509f767ea80adb0782b711fb631e6db85","unresolved":true,"context_lines":[{"line_number":309,"context_line":"    conf_group \u003d \u0027service_user\u0027"},{"line_number":310,"context_line":""},{"line_number":311,"context_line":"    global _NOVA_USER_AUTH"},{"line_number":312,"context_line":"    global _NOVA_USER_SESSION"},{"line_number":313,"context_line":""},{"line_number":314,"context_line":"    if not _NOVA_USER_AUTH:"},{"line_number":315,"context_line":"        
try:"}],"source_content_type":"text/x-python","patch_set":43,"id":"82a5b91f_e3e9966c","line":312,"in_reply_to":"be35b4e6_aa7b35aa","updated":"2026-01-22 21:23:33.000000000","message":"++, yeah, we added service user needs on a per-service basis and duplicated the usage in many places. good idea to make it generic and common.","commit_id":"b89e2220bc9084cba7cd21bea480dccb1766c594"}],"nova/crypto.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"19b8aa106fa4f5ae360dc9508c7eb37fa629a37a","unresolved":true,"context_lines":[{"line_number":213,"context_line":"    # Castellan ManagedObject"},{"line_number":214,"context_line":"    cmo \u003d passphrase.Passphrase("},{"line_number":215,"context_line":"        secret, name\u003d\"vTPM secret for instance %s\" % instance.uuid)"},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"    secret_uuid \u003d key_mgr.store(context, cmo)"},{"line_number":218,"context_line":"    LOG.debug(\"Created vTPM secret with UUID %s\","},{"line_number":219,"context_line":"              secret_uuid, instance\u003dinstance)"}],"source_content_type":"text/x-python","patch_set":19,"id":"750ad8e7_2631037d","line":216,"updated":"2025-08-07 15:26:54.000000000","message":"Random whitespace damage?","commit_id":"4f22ab0183cd5d5afed196be50e2999c1c847375"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"72e8eedb6a28940240bea99e54fb33c290064451","unresolved":true,"context_lines":[{"line_number":213,"context_line":"    # Castellan ManagedObject"},{"line_number":214,"context_line":"    cmo \u003d passphrase.Passphrase("},{"line_number":215,"context_line":"        secret, name\u003d\"vTPM secret for instance %s\" % instance.uuid)"},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"    secret_uuid \u003d key_mgr.store(context, 
cmo)"},{"line_number":218,"context_line":"    LOG.debug(\"Created vTPM secret with UUID %s\","},{"line_number":219,"context_line":"              secret_uuid, instance\u003dinstance)"}],"source_content_type":"text/x-python","patch_set":19,"id":"fbbc1e1f_8f3cd7f2","line":216,"in_reply_to":"750ad8e7_2631037d","updated":"2025-08-07 16:48:02.000000000","message":"Yes 🙁","commit_id":"4f22ab0183cd5d5afed196be50e2999c1c847375"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"299ef742ed6ee230db36c39d63d53a6cadd2f128","unresolved":false,"context_lines":[{"line_number":213,"context_line":"    # Castellan ManagedObject"},{"line_number":214,"context_line":"    cmo \u003d passphrase.Passphrase("},{"line_number":215,"context_line":"        secret, name\u003d\"vTPM secret for instance %s\" % instance.uuid)"},{"line_number":216,"context_line":""},{"line_number":217,"context_line":"    secret_uuid \u003d key_mgr.store(context, cmo)"},{"line_number":218,"context_line":"    LOG.debug(\"Created vTPM secret with UUID %s\","},{"line_number":219,"context_line":"              secret_uuid, instance\u003dinstance)"}],"source_content_type":"text/x-python","patch_set":19,"id":"dc53a204_dbfec3dc","line":216,"in_reply_to":"fbbc1e1f_8f3cd7f2","updated":"2025-08-09 01:27:16.000000000","message":"Done","commit_id":"4f22ab0183cd5d5afed196be50e2999c1c847375"}],"nova/tests/functional/libvirt/test_vtpm.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"156331cfcf807ce4dbdf2b30ecf2f8ccd5863e50","unresolved":true,"context_lines":[{"line_number":329,"context_line":"        instance \u003d objects.Instance.get_by_uuid(ctx, server[\u0027id\u0027])"},{"line_number":330,"context_line":"        self._assert_libvirt_had_secret("},{"line_number":331,"context_line":"            compute, 
instance.system_metadata[\u0027vtpm_secret_uuid\u0027])"},{"line_number":332,"context_line":""},{"line_number":333,"context_line":"        # now delete the server"},{"line_number":334,"context_line":"        self._delete_server(server)"},{"line_number":335,"context_line":""}],"source_content_type":"text/x-python","patch_set":38,"id":"9da831ff_48f97fec","line":332,"updated":"2025-11-20 18:43:03.000000000","message":"Er, are we not testing that we used the service context anywhere here? And also for delete below? It seems like this is the most complete functional test we have for this stuff, so it should be in here...","commit_id":"aa7654c94a5e1054b343fab99d972dcc04d688a0"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"cf2eaaccc9d73f92e0da5210590dc02476aa0c91","unresolved":true,"context_lines":[{"line_number":329,"context_line":"        instance \u003d objects.Instance.get_by_uuid(ctx, server[\u0027id\u0027])"},{"line_number":330,"context_line":"        self._assert_libvirt_had_secret("},{"line_number":331,"context_line":"            compute, instance.system_metadata[\u0027vtpm_secret_uuid\u0027])"},{"line_number":332,"context_line":""},{"line_number":333,"context_line":"        # now delete the server"},{"line_number":334,"context_line":"        self._delete_server(server)"},{"line_number":335,"context_line":""}],"source_content_type":"text/x-python","patch_set":38,"id":"f58fc006_291cbabf","line":332,"in_reply_to":"9da831ff_48f97fec","updated":"2025-11-20 21:39:54.000000000","message":"Maybe not, the RequestContext checking I added was a later thought after finishing the series but since we have it now, we can check for it so I\u0027ll add that in here.\n\nFWIW secret ownership stuff was and is covered in more detail in the Tempest tests, which I did before I added any RequestContext checking in the func 
tests:\n\nhttps://review.opendev.org/c/openstack/tempest/+/957475/25/tempest/api/compute/admin/test_live_migration.py","commit_id":"aa7654c94a5e1054b343fab99d972dcc04d688a0"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"fc570d9fe4c25d426e1a3d4085014c58c5ac34ff","unresolved":false,"context_lines":[{"line_number":329,"context_line":"        instance \u003d objects.Instance.get_by_uuid(ctx, server[\u0027id\u0027])"},{"line_number":330,"context_line":"        self._assert_libvirt_had_secret("},{"line_number":331,"context_line":"            compute, instance.system_metadata[\u0027vtpm_secret_uuid\u0027])"},{"line_number":332,"context_line":""},{"line_number":333,"context_line":"        # now delete the server"},{"line_number":334,"context_line":"        self._delete_server(server)"},{"line_number":335,"context_line":""}],"source_content_type":"text/x-python","patch_set":38,"id":"f96ebec1_f4065fda","line":332,"in_reply_to":"f58fc006_291cbabf","updated":"2025-11-22 06:11:55.000000000","message":"Done","commit_id":"aa7654c94a5e1054b343fab99d972dcc04d688a0"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"a54e024d661fbe314c50c9b7c0c785d6280c95f3","unresolved":true,"context_lines":[{"line_number":338,"context_line":"        self.assertEqual(0, len(self.key_mgr._passphrases))"},{"line_number":339,"context_line":"        conn \u003d compute.driver._host.get_connection()"},{"line_number":340,"context_line":"        self.assertNotIn(conn._secrets,"},{"line_number":341,"context_line":"                         instance.system_metadata[\u0027vtpm_secret_uuid\u0027])"},{"line_number":342,"context_line":""},{"line_number":343,"context_line":"    def test_suspend_resume_server(self):"},{"line_number":344,"context_line":"        
self.start_compute()"}],"source_content_type":"text/x-python","patch_set":38,"id":"4ba6ec52_7de57bfe","line":341,"updated":"2025-11-21 09:06:49.000000000","message":"nope : \n```\nassertNotIn(instance.system_metadata[\u0027vtpm_secret_uuid\u0027], conn._secrets)\n```","commit_id":"aa7654c94a5e1054b343fab99d972dcc04d688a0"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"42ae1ea272306e88a7ab0730b64ef9e032deb14b","unresolved":true,"context_lines":[{"line_number":338,"context_line":"        self.assertEqual(0, len(self.key_mgr._passphrases))"},{"line_number":339,"context_line":"        conn \u003d compute.driver._host.get_connection()"},{"line_number":340,"context_line":"        self.assertNotIn(conn._secrets,"},{"line_number":341,"context_line":"                         instance.system_metadata[\u0027vtpm_secret_uuid\u0027])"},{"line_number":342,"context_line":""},{"line_number":343,"context_line":"    def test_suspend_resume_server(self):"},{"line_number":344,"context_line":"        self.start_compute()"}],"source_content_type":"text/x-python","patch_set":38,"id":"ec92be52_41f8d8d1","line":341,"in_reply_to":"4ba6ec52_7de57bfe","updated":"2025-11-21 20:45:16.000000000","message":"Argh I had fixed this at some point and must have lost the fix in a manual rebase or something. 
Thanks for pointing it out.","commit_id":"aa7654c94a5e1054b343fab99d972dcc04d688a0"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"fc570d9fe4c25d426e1a3d4085014c58c5ac34ff","unresolved":false,"context_lines":[{"line_number":338,"context_line":"        self.assertEqual(0, len(self.key_mgr._passphrases))"},{"line_number":339,"context_line":"        conn \u003d compute.driver._host.get_connection()"},{"line_number":340,"context_line":"        self.assertNotIn(conn._secrets,"},{"line_number":341,"context_line":"                         instance.system_metadata[\u0027vtpm_secret_uuid\u0027])"},{"line_number":342,"context_line":""},{"line_number":343,"context_line":"    def test_suspend_resume_server(self):"},{"line_number":344,"context_line":"        self.start_compute()"}],"source_content_type":"text/x-python","patch_set":38,"id":"d6f99447_ccacaf14","line":341,"in_reply_to":"ec92be52_41f8d8d1","updated":"2025-11-22 06:11:55.000000000","message":"Done","commit_id":"aa7654c94a5e1054b343fab99d972dcc04d688a0"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"04338b8509f767ea80adb0782b711fb631e6db85","unresolved":true,"context_lines":[{"line_number":549,"context_line":""},{"line_number":550,"context_line":"    @ddt.unpack"},{"line_number":551,"context_line":"    @ddt.data("},{"line_number":552,"context_line":"        (None, \u0027deployment\u0027), (\u0027deployment\u0027, None),"},{"line_number":553,"context_line":"        (\u0027user\u0027, \u0027deployment\u0027), (\u0027deployment\u0027, \u0027user\u0027),"},{"line_number":554,"context_line":"        (\u0027host\u0027, \u0027deployment\u0027), (\u0027deployment\u0027, \u0027host\u0027))"},{"line_number":555,"context_line":"    def 
test_resize_server_secret_security_deployment_unsupported("}],"source_content_type":"text/x-python","patch_set":44,"id":"ea9f195a_7ff250d5","line":552,"range":{"start_line":552,"start_character":7,"end_line":552,"end_character":51},"updated":"2026-01-22 21:23:33.000000000","message":"this should be supported right? this is case of no-vtpm to/from vtpm cases.","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"232116b73565020822afcf5b1dc3769d47eea482","unresolved":false,"context_lines":[{"line_number":549,"context_line":""},{"line_number":550,"context_line":"    @ddt.unpack"},{"line_number":551,"context_line":"    @ddt.data("},{"line_number":552,"context_line":"        (None, \u0027deployment\u0027), (\u0027deployment\u0027, None),"},{"line_number":553,"context_line":"        (\u0027user\u0027, \u0027deployment\u0027), (\u0027deployment\u0027, \u0027user\u0027),"},{"line_number":554,"context_line":"        (\u0027host\u0027, \u0027deployment\u0027), (\u0027deployment\u0027, \u0027host\u0027))"},{"line_number":555,"context_line":"    def test_resize_server_secret_security_deployment_unsupported("}],"source_content_type":"text/x-python","patch_set":44,"id":"f3dbc874_3a514eb3","line":552,"range":{"start_line":552,"start_character":7,"end_line":552,"end_character":51},"in_reply_to":"02e264ff_2e7aadb4","updated":"2026-01-23 17:21:40.000000000","message":"yeah, thanks for explaining and updates. 
lgtm now","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"beb925304bb1522da2e43ad4db4788e4ceb9ac52","unresolved":true,"context_lines":[{"line_number":549,"context_line":""},{"line_number":550,"context_line":"    @ddt.unpack"},{"line_number":551,"context_line":"    @ddt.data("},{"line_number":552,"context_line":"        (None, \u0027deployment\u0027), (\u0027deployment\u0027, None),"},{"line_number":553,"context_line":"        (\u0027user\u0027, \u0027deployment\u0027), (\u0027deployment\u0027, \u0027user\u0027),"},{"line_number":554,"context_line":"        (\u0027host\u0027, \u0027deployment\u0027), (\u0027deployment\u0027, \u0027host\u0027))"},{"line_number":555,"context_line":"    def test_resize_server_secret_security_deployment_unsupported("}],"source_content_type":"text/x-python","patch_set":44,"id":"02e264ff_2e7aadb4","line":552,"range":{"start_line":552,"start_character":7,"end_line":552,"end_character":51},"in_reply_to":"ea9f195a_7ff250d5","updated":"2026-01-22 22:03:59.000000000","message":"OK so this test case deals only with instances that have vTPMs. A secret_security of None means the user did not select a policy or this is a legacy instance with TPM. 
Instances in this situation are by default treated as policy \u0027user\u0027.\n\nThese two ddt.data are representing resize from TPM with default policy \u0027user\u0027 \u003c\u003d\u003e TPM with policy \u0027deployment\u0027.","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"5bb634f6dc72cab93f10269417a769fa8948914c","unresolved":true,"context_lines":[{"line_number":549,"context_line":""},{"line_number":550,"context_line":"    @ddt.unpack"},{"line_number":551,"context_line":"    @ddt.data("},{"line_number":552,"context_line":"        (None, \u0027deployment\u0027), (\u0027deployment\u0027, None),"},{"line_number":553,"context_line":"        (\u0027user\u0027, \u0027deployment\u0027), (\u0027deployment\u0027, \u0027user\u0027),"},{"line_number":554,"context_line":"        (\u0027host\u0027, \u0027deployment\u0027), (\u0027deployment\u0027, \u0027host\u0027))"},{"line_number":555,"context_line":"    def test_resize_server_secret_security_deployment_unsupported("}],"source_content_type":"text/x-python","patch_set":44,"id":"a32b72ac_2e718060","line":552,"range":{"start_line":552,"start_character":7,"end_line":552,"end_character":51},"in_reply_to":"ea9f195a_7ff250d5","updated":"2026-01-22 21:42:19.000000000","message":"hmm, yeah!","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"04338b8509f767ea80adb0782b711fb631e6db85","unresolved":true,"context_lines":[{"line_number":585,"context_line":"            \u0027.migrate_disk_and_power_off\u0027, return_value\u003d\u0027{}\u0027,"},{"line_number":586,"context_line":"        ):"},{"line_number":587,"context_line":"            ex \u003d self.assertRaises("},{"line_number":588,"context_line":"                    
client.OpenStackApiException, self._resize_server, server,"},{"line_number":589,"context_line":"                    flavor_id\u003dflavor_id)"},{"line_number":590,"context_line":"            self.assertEqual(400, ex.response.status_code)"},{"line_number":591,"context_line":"            self.assertIn("},{"line_number":592,"context_line":"                \"Resize between \u0027deployment\u0027 TPM secret security and \""}],"source_content_type":"text/x-python","patch_set":44,"id":"ed3700f7_f065eab3","line":589,"range":{"start_line":588,"start_character":0,"end_line":589,"end_character":40},"updated":"2026-01-22 21:23:33.000000000","message":"as per the check in nova/compute/api.py, it should allow no-vtpm to/from vtpm resize but not sure why this test passing for  (None, \u0027deployment\u0027), (\u0027deployment\u0027, None),?","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"232116b73565020822afcf5b1dc3769d47eea482","unresolved":false,"context_lines":[{"line_number":585,"context_line":"            \u0027.migrate_disk_and_power_off\u0027, return_value\u003d\u0027{}\u0027,"},{"line_number":586,"context_line":"        ):"},{"line_number":587,"context_line":"            ex \u003d self.assertRaises("},{"line_number":588,"context_line":"                    client.OpenStackApiException, self._resize_server, server,"},{"line_number":589,"context_line":"                    flavor_id\u003dflavor_id)"},{"line_number":590,"context_line":"            self.assertEqual(400, ex.response.status_code)"},{"line_number":591,"context_line":"            self.assertIn("},{"line_number":592,"context_line":"                \"Resize between \u0027deployment\u0027 TPM secret security and 
\""}],"source_content_type":"text/x-python","patch_set":44,"id":"1ab9dc0a_7f1749f4","line":589,"range":{"start_line":588,"start_character":0,"end_line":589,"end_character":40},"in_reply_to":"31abb4d4_aab8776c","updated":"2026-01-23 17:21:40.000000000","message":"Done","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"beb925304bb1522da2e43ad4db4788e4ceb9ac52","unresolved":true,"context_lines":[{"line_number":585,"context_line":"            \u0027.migrate_disk_and_power_off\u0027, return_value\u003d\u0027{}\u0027,"},{"line_number":586,"context_line":"        ):"},{"line_number":587,"context_line":"            ex \u003d self.assertRaises("},{"line_number":588,"context_line":"                    client.OpenStackApiException, self._resize_server, server,"},{"line_number":589,"context_line":"                    flavor_id\u003dflavor_id)"},{"line_number":590,"context_line":"            self.assertEqual(400, ex.response.status_code)"},{"line_number":591,"context_line":"            self.assertIn("},{"line_number":592,"context_line":"                \"Resize between \u0027deployment\u0027 TPM secret security and \""}],"source_content_type":"text/x-python","patch_set":44,"id":"31abb4d4_aab8776c","line":589,"range":{"start_line":588,"start_character":0,"end_line":589,"end_character":40},"in_reply_to":"ed3700f7_f065eab3","updated":"2026-01-22 22:03:59.000000000","message":"We chatted on IRC but just adding for history, (None, \u0027deployment\u0027) and (\u0027deployment\u0027, None) essentially means \u0027user\u0027 \u003c\u003d\u003e \u0027deployment\u0027 bc \u0027user\u0027 is what gets used if secret_security\u003dNone for an instance with TPM.","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"04338b8509f767ea80adb0782b711fb631e6db85","unresolved":true,"context_lines":[{"line_number":599,"context_line":"        (\u0027user\u0027, \u0027user\u0027),"},{"line_number":600,"context_line":"        (\u0027host\u0027, \u0027host\u0027),"},{"line_number":601,"context_line":"        (\u0027deployment\u0027, \u0027deployment\u0027),"},{"line_number":602,"context_line":"        (None, \u0027user\u0027), (\u0027user\u0027, None),"},{"line_number":603,"context_line":"        (None, \u0027host\u0027), (\u0027host\u0027, None),"},{"line_number":604,"context_line":"        (\u0027user\u0027, \u0027host\u0027), (\u0027host\u0027, \u0027user\u0027))"},{"line_number":605,"context_line":"    def test_resize_server_secret_security_deployment_supported("},{"line_number":606,"context_line":"            self, from_secret_security, to_secret_security):"}],"source_content_type":"text/x-python","patch_set":44,"id":"dffe805b_6a331be6","line":603,"range":{"start_line":602,"start_character":0,"end_line":603,"end_character":39},"updated":"2026-01-22 21:23:33.000000000","message":"++ to test this but None to/from \u0027deployment\u0027 also supported right?","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"232116b73565020822afcf5b1dc3769d47eea482","unresolved":false,"context_lines":[{"line_number":599,"context_line":"        (\u0027user\u0027, \u0027user\u0027),"},{"line_number":600,"context_line":"        (\u0027host\u0027, \u0027host\u0027),"},{"line_number":601,"context_line":"        (\u0027deployment\u0027, \u0027deployment\u0027),"},{"line_number":602,"context_line":"        (None, \u0027user\u0027), (\u0027user\u0027, None),"},{"line_number":603,"context_line":"        (None, \u0027host\u0027), (\u0027host\u0027, 
None),"},{"line_number":604,"context_line":"        (\u0027user\u0027, \u0027host\u0027), (\u0027host\u0027, \u0027user\u0027))"},{"line_number":605,"context_line":"    def test_resize_server_secret_security_deployment_supported("},{"line_number":606,"context_line":"            self, from_secret_security, to_secret_security):"}],"source_content_type":"text/x-python","patch_set":44,"id":"c366a581_2d53bf36","line":603,"range":{"start_line":602,"start_character":0,"end_line":603,"end_character":39},"in_reply_to":"8e2267c3_044865eb","updated":"2026-01-23 17:21:40.000000000","message":"yeah, thanks for adding doc strings.++","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"beb925304bb1522da2e43ad4db4788e4ceb9ac52","unresolved":true,"context_lines":[{"line_number":599,"context_line":"        (\u0027user\u0027, \u0027user\u0027),"},{"line_number":600,"context_line":"        (\u0027host\u0027, \u0027host\u0027),"},{"line_number":601,"context_line":"        (\u0027deployment\u0027, \u0027deployment\u0027),"},{"line_number":602,"context_line":"        (None, \u0027user\u0027), (\u0027user\u0027, None),"},{"line_number":603,"context_line":"        (None, \u0027host\u0027), (\u0027host\u0027, None),"},{"line_number":604,"context_line":"        (\u0027user\u0027, \u0027host\u0027), (\u0027host\u0027, \u0027user\u0027))"},{"line_number":605,"context_line":"    def test_resize_server_secret_security_deployment_supported("},{"line_number":606,"context_line":"            self, from_secret_security, to_secret_security):"}],"source_content_type":"text/x-python","patch_set":44,"id":"8e2267c3_044865eb","line":603,"range":{"start_line":602,"start_character":0,"end_line":603,"end_character":39},"in_reply_to":"dffe805b_6a331be6","updated":"2026-01-22 22:03:59.000000000","message":"No because these means \u0027user\u0027 (defaulted) 
\u003c\u003d\u003e \u0027user\u0027 and \u0027user\u0027 (defaulted) \u003c\u003d\u003e \u0027host\u0027.\n\nAs we chatted I will be going through these to improve naming and comments and docstrings.","commit_id":"9f0e150bc65b7e0d6a28e38aff883d7a32b08204"}],"nova/tests/unit/virt/libvirt/test_driver.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"19b8aa106fa4f5ae360dc9508c7eb37fa629a37a","unresolved":true,"context_lines":[{"line_number":16690,"context_line":"            extra_specs\u003d{\u0027hw:tpm_secret_security\u0027: \u0027deployment\u0027})"},{"line_number":16691,"context_line":"        system_metadata \u003d {}"},{"line_number":16692,"context_line":"        if confirmed:"},{"line_number":16693,"context_line":"            system_metadata \u003d {\u0027image_hw_tpm_secret_security\u0027: \u0027deployment\u0027}"},{"line_number":16694,"context_line":""},{"line_number":16695,"context_line":"        instance \u003d objects.Instance("},{"line_number":16696,"context_line":"            uuid\u003duuids.instance, image_ref\u003duuids.image, flavor\u003dflavor,"}],"source_content_type":"text/x-python","patch_set":19,"id":"bc38bdcd_8ac3cbe9","line":16693,"updated":"2025-08-07 15:26:54.000000000","message":"Seems there are sort of three cases.. confirmed, unconfirmed but provisional, and unconfirmed at all. You have the first and the last, but I think the latter is actually never possible for this code. 
If it\u0027s an updated compute node running this updated virt code, it should have at least stamped the default into `_provisional` right?\n\nI guess I\u0027m not sure if we should have a case where the provisional default is deployment and not, to make sure we\u0027re never fooled by the provisional case right?","commit_id":"4f22ab0183cd5d5afed196be50e2999c1c847375"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"2bac8edac86752141be7099fb5abb5b592df5a9e","unresolved":true,"context_lines":[{"line_number":16690,"context_line":"            extra_specs\u003d{\u0027hw:tpm_secret_security\u0027: \u0027deployment\u0027})"},{"line_number":16691,"context_line":"        system_metadata \u003d {}"},{"line_number":16692,"context_line":"        if confirmed:"},{"line_number":16693,"context_line":"            system_metadata \u003d {\u0027image_hw_tpm_secret_security\u0027: \u0027deployment\u0027}"},{"line_number":16694,"context_line":""},{"line_number":16695,"context_line":"        instance \u003d objects.Instance("},{"line_number":16696,"context_line":"            uuid\u003duuids.instance, image_ref\u003duuids.image, flavor\u003dflavor,"}],"source_content_type":"text/x-python","patch_set":19,"id":"82b0651b_ed103ae2","line":16693,"in_reply_to":"0c9e8416_8411985e","updated":"2025-08-07 17:12:35.000000000","message":"Ack, I\u0027ll make sure to cover that as part of the updates.","commit_id":"4f22ab0183cd5d5afed196be50e2999c1c847375"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"299ef742ed6ee230db36c39d63d53a6cadd2f128","unresolved":false,"context_lines":[{"line_number":16690,"context_line":"            extra_specs\u003d{\u0027hw:tpm_secret_security\u0027: \u0027deployment\u0027})"},{"line_number":16691,"context_line":"        system_metadata \u003d 
{}"},{"line_number":16692,"context_line":"        if confirmed:"},{"line_number":16693,"context_line":"            system_metadata \u003d {\u0027image_hw_tpm_secret_security\u0027: \u0027deployment\u0027}"},{"line_number":16694,"context_line":""},{"line_number":16695,"context_line":"        instance \u003d objects.Instance("},{"line_number":16696,"context_line":"            uuid\u003duuids.instance, image_ref\u003duuids.image, flavor\u003dflavor,"}],"source_content_type":"text/x-python","patch_set":19,"id":"ea395f67_8688c09f","line":16693,"in_reply_to":"82b0651b_ed103ae2","updated":"2025-08-09 01:27:16.000000000","message":"Done","commit_id":"4f22ab0183cd5d5afed196be50e2999c1c847375"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"72e8eedb6a28940240bea99e54fb33c290064451","unresolved":true,"context_lines":[{"line_number":16690,"context_line":"            extra_specs\u003d{\u0027hw:tpm_secret_security\u0027: \u0027deployment\u0027})"},{"line_number":16691,"context_line":"        system_metadata \u003d {}"},{"line_number":16692,"context_line":"        if confirmed:"},{"line_number":16693,"context_line":"            system_metadata \u003d {\u0027image_hw_tpm_secret_security\u0027: \u0027deployment\u0027}"},{"line_number":16694,"context_line":""},{"line_number":16695,"context_line":"        instance \u003d objects.Instance("},{"line_number":16696,"context_line":"            uuid\u003duuids.instance, image_ref\u003duuids.image, flavor\u003dflavor,"}],"source_content_type":"text/x-python","patch_set":19,"id":"f2bc4146_b08bcf53","line":16693,"in_reply_to":"bc38bdcd_8ac3cbe9","updated":"2025-08-07 16:48:02.000000000","message":"Hm, yeah, I\u0027m thinking this must be a holdover from the original extra flag implementation `tpm_secret_security_confirmed \u003d True|False` and I didn\u0027t adjust this test(s).\n\nI\u0027m not sure I understand the second sentence but yeah 
provisional should always also mean unconfirmed. If `image_hw_tpm_secret_security` is present, it is confirmed, if it\u0027s not present, it\u0027s not confirmed. I\u0027ll go through these tests again to make them make sense with `image_hw_` vs `provisional_`.","commit_id":"4f22ab0183cd5d5afed196be50e2999c1c847375"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d2d69193e488c6a528da3504e14add91d1d5f30b","unresolved":true,"context_lines":[{"line_number":16690,"context_line":"            extra_specs\u003d{\u0027hw:tpm_secret_security\u0027: \u0027deployment\u0027})"},{"line_number":16691,"context_line":"        system_metadata \u003d {}"},{"line_number":16692,"context_line":"        if confirmed:"},{"line_number":16693,"context_line":"            system_metadata \u003d {\u0027image_hw_tpm_secret_security\u0027: \u0027deployment\u0027}"},{"line_number":16694,"context_line":""},{"line_number":16695,"context_line":"        instance \u003d objects.Instance("},{"line_number":16696,"context_line":"            uuid\u003duuids.instance, image_ref\u003duuids.image, flavor\u003dflavor,"}],"source_content_type":"text/x-python","patch_set":19,"id":"0c9e8416_8411985e","line":16693,"in_reply_to":"f2bc4146_b08bcf53","updated":"2025-08-07 16:54:53.000000000","message":"\u003e I\u0027m not sure I understand the second sentence but yeah provisional should always also mean unconfirmed. If `image_hw_tpm_secret_security` is present, it is confirmed, if it\u0027s not present, it\u0027s not confirmed. I\u0027ll go through these tests again to make them make sense with `image_hw_` vs `provisional_`.\n\nWhat I mean is, it might be good to have a test where provisional is set to deployment, to make sure we don\u0027t accidentally say \"deployment security? do the deployment code!\" .. 
in other words, if you just have a provisional policy set, but it wouldn\u0027t match deployment anyway, it\u0027s hard to tell from the outside if it didn\u0027t do the deployment path because it\u0027s set to (for example) host, or if it\u0027s because it _properly_ ignored the provisional policy regardless of what it is.","commit_id":"4f22ab0183cd5d5afed196be50e2999c1c847375"}],"nova/virt/libvirt/driver.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"19b8aa106fa4f5ae360dc9508c7eb37fa629a37a","unresolved":true,"context_lines":[{"line_number":8214,"context_line":"        instance: \u0027objects.Instance\u0027,"},{"line_number":8215,"context_line":"    ) -\u003e None:"},{"line_number":8216,"context_line":"        # If the instance is using \u0027deployment\u0027 secret security, replace the"},{"line_number":8217,"context_line":"        # context with that of the Nova service user\u0027s."},{"line_number":8218,"context_line":"        security \u003d instance.system_metadata.get(\u0027image_hw_tpm_secret_security\u0027)"},{"line_number":8219,"context_line":""},{"line_number":8220,"context_line":"        if security \u003d\u003d \u0027deployment\u0027:"}],"source_content_type":"text/x-python","patch_set":19,"id":"84e2558a_1e8e7357","line":8217,"updated":"2025-08-07 15:26:54.000000000","message":"This is a silly nit, but can you move this comment underneath the \"if deployment\" conditional? 
Reading this before just fetching the mode seems to document the wrong thing, and doing so would make it match the pattern on L8192 above.","commit_id":"4f22ab0183cd5d5afed196be50e2999c1c847375"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"72e8eedb6a28940240bea99e54fb33c290064451","unresolved":true,"context_lines":[{"line_number":8214,"context_line":"        instance: \u0027objects.Instance\u0027,"},{"line_number":8215,"context_line":"    ) -\u003e None:"},{"line_number":8216,"context_line":"        # If the instance is using \u0027deployment\u0027 secret security, replace the"},{"line_number":8217,"context_line":"        # context with that of the Nova service user\u0027s."},{"line_number":8218,"context_line":"        security \u003d instance.system_metadata.get(\u0027image_hw_tpm_secret_security\u0027)"},{"line_number":8219,"context_line":""},{"line_number":8220,"context_line":"        if security \u003d\u003d \u0027deployment\u0027:"}],"source_content_type":"text/x-python","patch_set":19,"id":"fb460ba8_df57b3dc","line":8217,"in_reply_to":"84e2558a_1e8e7357","updated":"2025-08-07 16:48:02.000000000","message":"I don\u0027t know how I put this here but it\u0027s supposed to be like L8192. 
I\u0027ll fix it.","commit_id":"4f22ab0183cd5d5afed196be50e2999c1c847375"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"299ef742ed6ee230db36c39d63d53a6cadd2f128","unresolved":false,"context_lines":[{"line_number":8214,"context_line":"        instance: \u0027objects.Instance\u0027,"},{"line_number":8215,"context_line":"    ) -\u003e None:"},{"line_number":8216,"context_line":"        # If the instance is using \u0027deployment\u0027 secret security, replace the"},{"line_number":8217,"context_line":"        # context with that of the Nova service user\u0027s."},{"line_number":8218,"context_line":"        security \u003d instance.system_metadata.get(\u0027image_hw_tpm_secret_security\u0027)"},{"line_number":8219,"context_line":""},{"line_number":8220,"context_line":"        if security \u003d\u003d \u0027deployment\u0027:"}],"source_content_type":"text/x-python","patch_set":19,"id":"ecd3e608_fd1ed0ae","line":8217,"in_reply_to":"fb460ba8_df57b3dc","updated":"2025-08-09 01:27:16.000000000","message":"Done","commit_id":"4f22ab0183cd5d5afed196be50e2999c1c847375"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"156331cfcf807ce4dbdf2b30ecf2f8ccd5863e50","unresolved":true,"context_lines":[{"line_number":1964,"context_line":"            # secret; the deletion of the instance directory and undefining of"},{"line_number":1965,"context_line":"            # the domain will take care of the TPM files themselves"},{"line_number":1966,"context_line":"            LOG.info(\u0027New flavor no longer requests vTPM; deleting secret.\u0027)"},{"line_number":1967,"context_line":"            self._delete_secret_for_vtpm(context, instance)"},{"line_number":1968,"context_line":""},{"line_number":1969,"context_line":"    # TODO(stephenfin): Fold this back into its only caller, 
cleanup_resize"},{"line_number":1970,"context_line":"    def _cleanup_resize(self, context, instance, network_info):"}],"source_content_type":"text/x-python","patch_set":38,"id":"17b5d1e2_ef80dba8","line":1967,"updated":"2025-11-20 18:43:03.000000000","message":"I know this was already here, but the more we build in here the more this feels unfortunate to have this extra cleanup path, in the driver, only for resize. Could we not move basically this whole `_cleanup_resize_tpm()` method to compute manager so it could just do it after `driver.confirm_migration()`? Then it could re-use the same tpm secret cleanup method with the user-or-service logic...","commit_id":"aa7654c94a5e1054b343fab99d972dcc04d688a0"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"cf2eaaccc9d73f92e0da5210590dc02476aa0c91","unresolved":true,"context_lines":[{"line_number":1964,"context_line":"            # secret; the deletion of the instance directory and undefining of"},{"line_number":1965,"context_line":"            # the domain will take care of the TPM files themselves"},{"line_number":1966,"context_line":"            LOG.info(\u0027New flavor no longer requests vTPM; deleting secret.\u0027)"},{"line_number":1967,"context_line":"            self._delete_secret_for_vtpm(context, instance)"},{"line_number":1968,"context_line":""},{"line_number":1969,"context_line":"    # TODO(stephenfin): Fold this back into its only caller, cleanup_resize"},{"line_number":1970,"context_line":"    def _cleanup_resize(self, context, instance, network_info):"}],"source_content_type":"text/x-python","patch_set":38,"id":"b3bbffd3_2488a6be","line":1967,"in_reply_to":"17b5d1e2_ef80dba8","updated":"2025-11-20 21:39:54.000000000","message":"Hm, maybe. 
In general there is not much in the way of vTPM code that is not in the driver, perhaps to keep the logic mostly in the same place rather than spanning across compute manager and driver more often.\n\nIf it\u0027s straightforward, I can move it. I\u0027ll investigate.","commit_id":"aa7654c94a5e1054b343fab99d972dcc04d688a0"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"bbe0745c24e39c9531c220c96408f413b92c5b62","unresolved":true,"context_lines":[{"line_number":1964,"context_line":"            # secret; the deletion of the instance directory and undefining of"},{"line_number":1965,"context_line":"            # the domain will take care of the TPM files themselves"},{"line_number":1966,"context_line":"            LOG.info(\u0027New flavor no longer requests vTPM; deleting secret.\u0027)"},{"line_number":1967,"context_line":"            self._delete_secret_for_vtpm(context, instance)"},{"line_number":1968,"context_line":""},{"line_number":1969,"context_line":"    # TODO(stephenfin): Fold this back into its only caller, cleanup_resize"},{"line_number":1970,"context_line":"    def _cleanup_resize(self, context, instance, network_info):"}],"source_content_type":"text/x-python","patch_set":38,"id":"bcc32bd5_5d238840","line":1967,"in_reply_to":"1a34d607_6bbaf2f2","updated":"2026-01-21 23:00:09.000000000","message":"I like that idea a lot more than trying to put stuff into compute manager. 
I\u0027ll try moving them and see how it goes.","commit_id":"aa7654c94a5e1054b343fab99d972dcc04d688a0"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"85b6ad291b937b4d305445c4c94f032492ce0539","unresolved":true,"context_lines":[{"line_number":1964,"context_line":"            # secret; the deletion of the instance directory and undefining of"},{"line_number":1965,"context_line":"            # the domain will take care of the TPM files themselves"},{"line_number":1966,"context_line":"            LOG.info(\u0027New flavor no longer requests vTPM; deleting secret.\u0027)"},{"line_number":1967,"context_line":"            self._delete_secret_for_vtpm(context, instance)"},{"line_number":1968,"context_line":""},{"line_number":1969,"context_line":"    # TODO(stephenfin): Fold this back into its only caller, cleanup_resize"},{"line_number":1970,"context_line":"    def _cleanup_resize(self, context, instance, network_info):"}],"source_content_type":"text/x-python","patch_set":38,"id":"1a34d607_6bbaf2f2","line":1967,"in_reply_to":"b3bbffd3_2488a6be","updated":"2026-01-20 15:59:28.000000000","message":"Maybe we could just create a `virt/tpm.py` module and put these helpers in there, which do all the \"if deployment service_context else user_context\" type things for setup and teardown? 
Then at least they\u0027re in a non-driver-specific area so hopefully we won\u0027t bleed too much libvirt into them, and also to encourage re-use in case any other drivers were to implement parity here?","commit_id":"aa7654c94a5e1054b343fab99d972dcc04d688a0"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"aa001547fc02a8be01a9be9888e5825a607af2e8","unresolved":false,"context_lines":[{"line_number":1964,"context_line":"            # secret; the deletion of the instance directory and undefining of"},{"line_number":1965,"context_line":"            # the domain will take care of the TPM files themselves"},{"line_number":1966,"context_line":"            LOG.info(\u0027New flavor no longer requests vTPM; deleting secret.\u0027)"},{"line_number":1967,"context_line":"            self._delete_secret_for_vtpm(context, instance)"},{"line_number":1968,"context_line":""},{"line_number":1969,"context_line":"    # TODO(stephenfin): Fold this back into its only caller, cleanup_resize"},{"line_number":1970,"context_line":"    def _cleanup_resize(self, context, instance, network_info):"}],"source_content_type":"text/x-python","patch_set":38,"id":"26925ac2_59eeeaf4","line":1967,"in_reply_to":"bcc32bd5_5d238840","updated":"2026-01-22 14:28:37.000000000","message":"I like :)","commit_id":"aa7654c94a5e1054b343fab99d972dcc04d688a0"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"85b6ad291b937b4d305445c4c94f032492ce0539","unresolved":true,"context_lines":[{"line_number":8176,"context_line":"            self._create_domain_cleanup_lxc(instance)"},{"line_number":8177,"context_line":""},{"line_number":8178,"context_line":"    @staticmethod"},{"line_number":8179,"context_line":"    def _get_instance_tpm_secret_security(context, instance):"},{"line_number":8180,"context_line":"        secret_security \u003d 
hardware.get_tpm_secret_security_constraint("},{"line_number":8181,"context_line":"                instance.flavor)"},{"line_number":8182,"context_line":"        return secret_security or \u0027user\u0027"}],"source_content_type":"text/x-python","patch_set":43,"id":"eeca0d2a_24fea690","line":8179,"updated":"2026-01-20 15:59:28.000000000","message":"Erm, is this used anywhere? I\u0027m not sure I see it...","commit_id":"b89e2220bc9084cba7cd21bea480dccb1766c594"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"bbe0745c24e39c9531c220c96408f413b92c5b62","unresolved":true,"context_lines":[{"line_number":8176,"context_line":"            self._create_domain_cleanup_lxc(instance)"},{"line_number":8177,"context_line":""},{"line_number":8178,"context_line":"    @staticmethod"},{"line_number":8179,"context_line":"    def _get_instance_tpm_secret_security(context, instance):"},{"line_number":8180,"context_line":"        secret_security \u003d hardware.get_tpm_secret_security_constraint("},{"line_number":8181,"context_line":"                instance.flavor)"},{"line_number":8182,"context_line":"        return secret_security or \u0027user\u0027"}],"source_content_type":"text/x-python","patch_set":43,"id":"cf7f8e54_17513264","line":8179,"in_reply_to":"eeca0d2a_24fea690","updated":"2026-01-21 23:00:09.000000000","message":"You are right and this is probably a rebase merge conflict resolution mistake. Will move it to where it\u0027s first used in later patches.","commit_id":"b89e2220bc9084cba7cd21bea480dccb1766c594"}]}
