)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"516b156106380a3abed7fb0a24b2586e8bf5436e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"b2e69a14_4b7976c6","updated":"2025-08-21 01:13:32.000000000","message":"failure are valid here.\n\nNova timeout to make server to active because it wait for the network event fron neutron. \nNeutron cannot send the event as policy fail for the current neutron token\n- https://zuul.opendev.org/t/openstack/build/2da22dd794cd4ae8b44c09fa88ac1213/log/controller/logs/screen-neutron-api.txt#6656\n\nRoot cause is that Neutron does not send the service token along with user token to nova for server-external-events which is required by the Nova. This change make server-external-event policy default change to service roles.\n\nI need to fix the neutron token.","commit_id":"3dd523f179708402554d9eb2e27e0e0411f03c4a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6c68f04859f700ba4a50a9550ee8c27cb347d9d6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"63b568eb_ccaf01ea","updated":"2025-08-20 16:15:17.000000000","message":"recheck depends-no updated","commit_id":"3dd523f179708402554d9eb2e27e0e0411f03c4a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6afcc624956743b73bbad69d13ae1edb7830707d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"efd22dd9_d37d5fae","updated":"2025-08-21 06:19:24.000000000","message":"recheck fixing neutron in https://review.opendev.org/c/openstack/neutron/+/958142 
https://review.opendev.org/c/openstack/devstack/+/958143","commit_id":"3dd523f179708402554d9eb2e27e0e0411f03c4a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e582874293ab74651f256033ebd94aca98f26ba0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"bfd66c8e_d5ad981c","updated":"2025-08-22 18:17:47.000000000","message":"thanks for feedback, I replied inline here and in neutron change also.","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"84c7ae194909975975df833dbd4749bd6f070889","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"3d26180c_0e6def28","updated":"2025-08-26 17:53:33.000000000","message":"one comment inline from cinder perspective","commit_id":"78d2ee2e513705762806d8183287abaddd545882"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"65e8e74d5820708f17df7a4abb3337feb44980d2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"0888a71f_a388dcca","updated":"2025-08-26 15:31:34.000000000","message":"one docs nit inline other then that lets wait for the recheck fo the DNM to report back but i think this is more or less good to go.","commit_id":"78d2ee2e513705762806d8183287abaddd545882"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"410f84591821623a3d4b1c55a77ed436fce0b3f6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"815ff1e4_8fa40e6e","updated":"2025-08-27 17:18:00.000000000","message":"Looks good to me overall. 
A question/suggestion in one of the tests and also some nits in the reno.","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"add6838604a9a929c273e55e2c58f243d76b4752","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"4109ffed_da7da4b6","updated":"2025-08-27 18:31:37.000000000","message":"dan has enough nits that ill hold my +2 for extra visablity but\ni dont really have anything more to add.\n\nthe review looks good to me otherwise as well.","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"474c1d738dcedfa3a7c5661b1cdd45e804f58bf7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"f3f04a03_f0cf0e34","updated":"2025-08-27 19:29:21.000000000","message":"One tiny nit, don\u0027t respin unless you have to rebase or something. Otherwise looks good. 
Thanks Gmaan!","commit_id":"f8bcf431d4945d925669ceb95ebfe9542659321b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"efce37bac928508dc24a4a3874544c6c11d86259","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"5e0ba795_56f3e8ff","updated":"2025-08-27 23:05:27.000000000","message":"recheck live migration job on ceph is failing because image is not updated and image_id is null so server create throw argument error\n\n+ functions:_upload_image:121              :   openstack --os-cloud\u003ddevstack-admin --os-region-name\u003dRegionOne image create cirros-0.6.2-x86_64-disk --public --container-format bare --disk-format qcow2 --property hw_rng_model\u003dvirtio --file /opt/stack/devstack/files/cirros-0.6.2-x86_64-disk.img\nHttpException: 504: Server Error for url: https://10.209.34.211/image/v2/images/82be2a4b-1e45-4dab-8161-cfac31445c89/file, 504 Gateway Timeout: Gateway Timeout: The gateway did not receive a timely response: from the upstream server or application.: Apache/2.4.62 (Debian) Server at 10.209.34.211 Port 80","commit_id":"f914cb185c40b587ae8ce579eaf2f295c273e43b"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"9efa3c8d24a3d1823af94c323cb1d3b10160020b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"6878ea13_76df8ed1","updated":"2025-08-28 09:34:27.000000000","message":"we\u0027re giving a lot of visibility to our operators by telling them it won\u0027t work, except that we keep a backward compatibility for short term (ideally the next non-SLURP release).\nFWIW, this matches with the approved spec, so WFM.\n\n(I also saw @dms@danplanet.com that was +2 so +W anyway)","commit_id":"f914cb185c40b587ae8ce579eaf2f295c273e43b"}],"api-ref/source/index.rst":[{"author":{"_account_id":11604,"name":"sean 
mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"fe4725cd290a9a9a0aec645130b943b57c8aadd0","unresolved":true,"context_lines":[{"line_number":56,"context_line":""},{"line_number":57,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":58,"context_line":"Internal Service APIs"},{"line_number":59,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":60,"context_line":""},{"line_number":61,"context_line":".. warning::"},{"line_number":62,"context_line":"   The below Nova APIs are meant to communicate to OpenStack services. Those"}],"source_content_type":"text/x-rst","patch_set":6,"id":"f176b86f_fd5317f0","line":59,"updated":"2025-08-22 14:38:34.000000000","message":"+1 it would be nice to reflect this in the api schema eventually so client can discover it but this is a good start","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"162a74b8d287faa630314016c6659357390ac48d","unresolved":true,"context_lines":[{"line_number":56,"context_line":""},{"line_number":57,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":58,"context_line":"Internal Service APIs"},{"line_number":59,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":60,"context_line":""},{"line_number":61,"context_line":".. warning::"},{"line_number":62,"context_line":"   The below Nova APIs are meant to communicate to OpenStack services. 
Those"}],"source_content_type":"text/x-rst","patch_set":6,"id":"d6b51766_5f34ca1d","line":59,"in_reply_to":"6199ded0_f7f33aa1","updated":"2025-08-23 20:01:55.000000000","message":"if we create a seocnd api ref for internal api perhaps but i dont agree that that is the curernt scope fo the api ref.\nthe api ref covers all resta apis today not just ones we want end user to use.\nso if we want to create a secodn doc for the itnernal ones that is effectly the same as the api ref that ok but it would be a change in the scope of the existin doc IMO.","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4e0cb6e2600a8937a8489d69507a4501edcec3c8","unresolved":false,"context_lines":[{"line_number":56,"context_line":""},{"line_number":57,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":58,"context_line":"Internal Service APIs"},{"line_number":59,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":60,"context_line":""},{"line_number":61,"context_line":".. warning::"},{"line_number":62,"context_line":"   The below Nova APIs are meant to communicate to OpenStack services. 
Those"}],"source_content_type":"text/x-rst","patch_set":6,"id":"07f183ce_d3e84c97","line":59,"in_reply_to":"d6b51766_5f34ca1d","updated":"2025-08-26 02:45:11.000000000","message":"Acknowledged","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e582874293ab74651f256033ebd94aca98f26ba0","unresolved":true,"context_lines":[{"line_number":56,"context_line":""},{"line_number":57,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":58,"context_line":"Internal Service APIs"},{"line_number":59,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":60,"context_line":""},{"line_number":61,"context_line":".. warning::"},{"line_number":62,"context_line":"   The below Nova APIs are meant to communicate to OpenStack services. Those"}],"source_content_type":"text/x-rst","patch_set":6,"id":"6199ded0_f7f33aa1","line":59,"in_reply_to":"f176b86f_fd5317f0","updated":"2025-08-22 18:17:47.000000000","message":"k. Sometime later, I am thinking if we just remove the service APIs from api-ref because they are not supposed to be used by external users? and documentation for service api usage (these API ref and how to pass service token) can be kept in another place?","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"}],"api-ref/source/os-volume-attachments-swap.inc":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"fe4725cd290a9a9a0aec645130b943b57c8aadd0","unresolved":false,"context_lines":[{"line_number":28,"context_line":"   volume actions. 
Direct usage of this API is not supported"},{"line_number":29,"context_line":"   and will be blocked by nova with a 409 conflict."},{"line_number":30,"context_line":"   Furthermore, updating ``volumeId`` via this API is only"},{"line_number":31,"context_line":"   implemented by `certain compute drivers`_."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":".. _certain compute drivers: https://docs.openstack.org/nova/latest/user/support-matrix.html#operation_swap_volume"},{"line_number":34,"context_line":""}],"source_content_type":"text/x-c++src","patch_set":6,"id":"e0d768a9_ebeae7ec","line":31,"updated":"2025-08-22 14:38:34.000000000","message":"oh you moved it here ok","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e582874293ab74651f256033ebd94aca98f26ba0","unresolved":false,"context_lines":[{"line_number":28,"context_line":"   volume actions. Direct usage of this API is not supported"},{"line_number":29,"context_line":"   and will be blocked by nova with a 409 conflict."},{"line_number":30,"context_line":"   Furthermore, updating ``volumeId`` via this API is only"},{"line_number":31,"context_line":"   implemented by `certain compute drivers`_."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":".. 
_certain compute drivers: https://docs.openstack.org/nova/latest/user/support-matrix.html#operation_swap_volume"},{"line_number":34,"context_line":""}],"source_content_type":"text/x-c++src","patch_set":6,"id":"8d8c29df_a80e42ae","line":31,"in_reply_to":"e0d768a9_ebeae7ec","updated":"2025-08-22 18:17:47.000000000","message":"yeah, keeping it in a separate file so that we can keep it under \"Internal Service API\" section (or later maybe not to show service APIs in api-ref itself, though that is not bad idea?)","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"}],"api-ref/source/os-volume-attachments.inc":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"fe4725cd290a9a9a0aec645130b943b57c8aadd0","unresolved":false,"context_lines":[{"line_number":187,"context_line":""},{"line_number":188,"context_line":".. Important::"},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"   When updating volumeId, this API **MUST**  only be used"},{"line_number":191,"context_line":"   as part of a larger orchestrated volume"},{"line_number":192,"context_line":"   migration operation initiated in the block storage"},{"line_number":193,"context_line":"   service via the ``os-retype`` or ``os-migrate_volume``"}],"source_content_type":"text/x-c++src","patch_set":6,"id":"a5d92020_7706ceb4","side":"PARENT","line":190,"updated":"2025-08-22 14:38:34.000000000","message":"i would like to keep this as not only is this a service only operation but only cinder can do it.\n\nlater\n-----\n\nnever mind you just moved it","commit_id":"b0900e918545f595713afac76c2e1ed94fb7375f"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e582874293ab74651f256033ebd94aca98f26ba0","unresolved":false,"context_lines":[{"line_number":187,"context_line":""},{"line_number":188,"context_line":".. 
Important::"},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"   When updating volumeId, this API **MUST**  only be used"},{"line_number":191,"context_line":"   as part of a larger orchestrated volume"},{"line_number":192,"context_line":"   migration operation initiated in the block storage"},{"line_number":193,"context_line":"   service via the ``os-retype`` or ``os-migrate_volume``"}],"source_content_type":"text/x-c++src","patch_set":6,"id":"7fa7f0a8_67a13d6e","side":"PARENT","line":190,"in_reply_to":"a5d92020_7706ceb4","updated":"2025-08-22 18:17:47.000000000","message":"yeah, i moved it to separate file. But let me add a note here that this is only to change the attachment data and not volume.","commit_id":"b0900e918545f595713afac76c2e1ed94fb7375f"}],"doc/source/configuration/policy-concepts.rst":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"65e8e74d5820708f17df7a4abb3337feb44980d2","unresolved":true,"context_lines":[{"line_number":278,"context_line":""},{"line_number":279,"context_line":".. rubric:: ``service``"},{"line_number":280,"context_line":""},{"line_number":281,"context_line":"``service`` role is a special role in Keystone, which is used for the internal"},{"line_number":282,"context_line":"service-to-service communication. It is assigned to service users who are used"},{"line_number":283,"context_line":"to communicating to the other services. Nova defaults its service-to-service"},{"line_number":284,"context_line":"APIs to ``service`` role so that they cannot be used by any non-service"},{"line_number":285,"context_line":"users. 
Allowing service-to-service APIs to non-service users can be destructive"},{"line_number":286,"context_line":"to resources and deployment, so it\u0027s good idea to audit the ``policy.yaml``"},{"line_number":287,"context_line":"file to make sure those APIs are not allowed to any non-service users."},{"line_number":288,"context_line":""},{"line_number":289,"context_line":".. note::"},{"line_number":290,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"83db4b8c_f4d61271","line":287,"range":{"start_line":281,"start_character":1,"end_line":287,"end_character":69},"updated":"2025-08-26 15:31:34.000000000","message":"```suggestion\nThe ``service`` role is a special role in Keystone, which is used for the internal\nservice-to-service communication. It is assigned to service users i.e. nova or neutron which model the OpenStack services. Nova defaults its service-to-service\nAPIs to require the ``service`` role so that they cannot be used by any non-service\nusers. Allowing access to service-to-service APIs to non-service users can be destructive to resources and leave the deployment in an invalid state.\nIt\u0027s advisable to audit the ``policy.yaml`` files and keystone users to make sure those APIs are not allowed to any non-service users and the service role is not granted to human admin accounts.\n```","commit_id":"78d2ee2e513705762806d8183287abaddd545882"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a2bb0d2346437909ab3d761bf827cfa7bcff74b5","unresolved":true,"context_lines":[{"line_number":278,"context_line":""},{"line_number":279,"context_line":".. rubric:: ``service``"},{"line_number":280,"context_line":""},{"line_number":281,"context_line":"``service`` role is a special role in Keystone, which is used for the internal"},{"line_number":282,"context_line":"service-to-service communication. 
It is assigned to service users who are used"},{"line_number":283,"context_line":"to communicating to the other services. Nova defaults its service-to-service"},{"line_number":284,"context_line":"APIs to ``service`` role so that they cannot be used by any non-service"},{"line_number":285,"context_line":"users. Allowing service-to-service APIs to non-service users can be destructive"},{"line_number":286,"context_line":"to resources and deployment, so it\u0027s good idea to audit the ``policy.yaml``"},{"line_number":287,"context_line":"file to make sure those APIs are not allowed to any non-service users."},{"line_number":288,"context_line":""},{"line_number":289,"context_line":".. note::"},{"line_number":290,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"be03f04c_dc3d1ee1","line":287,"range":{"start_line":281,"start_character":1,"end_line":287,"end_character":69},"in_reply_to":"83db4b8c_f4d61271","updated":"2025-08-26 16:38:06.000000000","message":"ack, will do once testing is finished.","commit_id":"78d2ee2e513705762806d8183287abaddd545882"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6208cf326eb4413dc342e48f526b4e952c1fe1d7","unresolved":false,"context_lines":[{"line_number":278,"context_line":""},{"line_number":279,"context_line":".. rubric:: ``service``"},{"line_number":280,"context_line":""},{"line_number":281,"context_line":"``service`` role is a special role in Keystone, which is used for the internal"},{"line_number":282,"context_line":"service-to-service communication. It is assigned to service users who are used"},{"line_number":283,"context_line":"to communicating to the other services. Nova defaults its service-to-service"},{"line_number":284,"context_line":"APIs to ``service`` role so that they cannot be used by any non-service"},{"line_number":285,"context_line":"users. 
Allowing service-to-service APIs to non-service users can be destructive"},{"line_number":286,"context_line":"to resources and deployment, so it\u0027s good idea to audit the ``policy.yaml``"},{"line_number":287,"context_line":"file to make sure those APIs are not allowed to any non-service users."},{"line_number":288,"context_line":""},{"line_number":289,"context_line":".. note::"},{"line_number":290,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"bc0d9b81_11f6d268","line":287,"range":{"start_line":281,"start_character":1,"end_line":287,"end_character":69},"in_reply_to":"be03f04c_dc3d1ee1","updated":"2025-08-27 05:27:10.000000000","message":"Done","commit_id":"78d2ee2e513705762806d8183287abaddd545882"}],"nova/policies/base.py":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"65e8e74d5820708f17df7a4abb3337feb44980d2","unresolved":true,"context_lines":[{"line_number":45,"context_line":"# continue allowing admin to access the service APIs, otherwise it will break"},{"line_number":46,"context_line":"# deployment where nova service users in other services are not assigned"},{"line_number":47,"context_line":"# \u0027service\u0027 role. 
After one SLURP (2026.1), we can make service APIs only"},{"line_number":48,"context_line":"# allowed for the \u0027service\u0027 role."},{"line_number":49,"context_line":"SERVICE_ROLE \u003d \u0027rule:service_or_admin\u0027"},{"line_number":50,"context_line":"PROJECT_MANAGER_OR_ADMIN \u003d \u0027rule:project_manager_or_admin\u0027"},{"line_number":51,"context_line":"PROJECT_MEMBER_OR_ADMIN \u003d \u0027rule:project_member_or_admin\u0027"}],"source_content_type":"text/x-python","patch_set":8,"id":"ec346485_a737c1ee","line":48,"updated":"2025-08-26 15:31:34.000000000","message":"do we want to docuemnt that we are using admin_or_service in general for now or just leave that as an upgrade detail.\n\nthe current docs state we require the service role for service apis but does not refence admin. Personally im fine with only mentioning this in the release notes.","commit_id":"78d2ee2e513705762806d8183287abaddd545882"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a2bb0d2346437909ab3d761bf827cfa7bcff74b5","unresolved":false,"context_lines":[{"line_number":45,"context_line":"# continue allowing admin to access the service APIs, otherwise it will break"},{"line_number":46,"context_line":"# deployment where nova service users in other services are not assigned"},{"line_number":47,"context_line":"# \u0027service\u0027 role. 
After one SLURP (2026.1), we can make service APIs only"},{"line_number":48,"context_line":"# allowed for the \u0027service\u0027 role."},{"line_number":49,"context_line":"SERVICE_ROLE \u003d \u0027rule:service_or_admin\u0027"},{"line_number":50,"context_line":"PROJECT_MANAGER_OR_ADMIN \u003d \u0027rule:project_manager_or_admin\u0027"},{"line_number":51,"context_line":"PROJECT_MEMBER_OR_ADMIN \u003d \u0027rule:project_member_or_admin\u0027"}],"source_content_type":"text/x-python","patch_set":8,"id":"3c046c85_e93bc921","line":48,"in_reply_to":"ec346485_a737c1ee","updated":"2025-08-26 16:38:06.000000000","message":"Yeah, I did not document that because eventually we want the service user to have \u0027service\u0027 role. They can assign more role, for example, admin in the neutron case of sending an event to Nova, which Nova needs admin for background operation.\n\nBut for policy, yes, I would like to promote the default as \u0027role:service\u0027 even we are giving some grace time for deployment does not have service role ocnfigured in services.","commit_id":"78d2ee2e513705762806d8183287abaddd545882"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"84c7ae194909975975df833dbd4749bd6f070889","unresolved":true,"context_lines":[{"line_number":114,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY),"},{"line_number":115,"context_line":"    policy.RuleDefault("},{"line_number":116,"context_line":"        \"service_api\","},{"line_number":117,"context_line":"        \"role:service\","},{"line_number":118,"context_line":"        \"Default rule for service-to-service APIs.\","},{"line_number":119,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_POLICY),"},{"line_number":120,"context_line":"    
policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":8,"id":"11b7c545_5d82078c","line":117,"range":{"start_line":117,"start_character":9,"end_line":117,"end_character":21},"updated":"2025-08-26 17:53:33.000000000","message":"as noted in [1], Cinder\u0027s service context doesn\u0027t pass role:service but rather sends service_role:service which will cause a problem here.\nNot sure if there is any way to pass role:service but current cinder service requests behaves as described above.\n\n[1] https://review.opendev.org/c/openstack/glance/+/957572","commit_id":"78d2ee2e513705762806d8183287abaddd545882"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6208cf326eb4413dc342e48f526b4e952c1fe1d7","unresolved":false,"context_lines":[{"line_number":114,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY),"},{"line_number":115,"context_line":"    policy.RuleDefault("},{"line_number":116,"context_line":"        \"service_api\","},{"line_number":117,"context_line":"        \"role:service\","},{"line_number":118,"context_line":"        \"Default rule for service-to-service APIs.\","},{"line_number":119,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_POLICY),"},{"line_number":120,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":8,"id":"dc5e78e3_3e9daf38","line":117,"range":{"start_line":117,"start_character":9,"end_line":117,"end_character":21},"in_reply_to":"0da5c244_feb9c073","updated":"2025-08-27 05:27:10.000000000","message":"Done","commit_id":"78d2ee2e513705762806d8183287abaddd545882"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"df3ea1e6c7934143d9945b418960210c6684b30a","unresolved":true,"context_lines":[{"line_number":114,"context_line":"        
deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY),"},{"line_number":115,"context_line":"    policy.RuleDefault("},{"line_number":116,"context_line":"        \"service_api\","},{"line_number":117,"context_line":"        \"role:service\","},{"line_number":118,"context_line":"        \"Default rule for service-to-service APIs.\","},{"line_number":119,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_POLICY),"},{"line_number":120,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":8,"id":"bc4e86d9_946909d7","line":117,"range":{"start_line":117,"start_character":9,"end_line":117,"end_character":21},"in_reply_to":"11b7c545_5d82078c","updated":"2025-08-26 18:14:19.000000000","message":"so checkign the serviec token for the service role is not valid to allow access to a service only api so https://review.opendev.org/c/openstack/glance/+/957572 shoudl likely be reverted.\n\ni woudl condier that to be a policy bypas or at least not consitent with the expected usage of the service role in https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html","commit_id":"78d2ee2e513705762806d8183287abaddd545882"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3d06a640c51c86decd0d758c912a4275fc1b580e","unresolved":true,"context_lines":[{"line_number":114,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY),"},{"line_number":115,"context_line":"    policy.RuleDefault("},{"line_number":116,"context_line":"        \"service_api\","},{"line_number":117,"context_line":"        \"role:service\","},{"line_number":118,"context_line":"        \"Default rule for service-to-service APIs.\","},{"line_number":119,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_POLICY),"},{"line_number":120,"context_line":"    
policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":8,"id":"0da5c244_feb9c073","line":117,"range":{"start_line":117,"start_character":9,"end_line":117,"end_character":21},"in_reply_to":"bc4e86d9_946909d7","updated":"2025-08-26 18:39:27.000000000","message":"@rajatdhasmana@gmail.com, That is the thing here to be taken care by the operator when they configure the service user in cinder.conf[nova] section. When they add any service user in cinder conf to communicate to nova, they needs to take care that it has the \u0027service\u0027 role assigned. For example, in upstream CI, devstack take care of it\n\n- devstack create the \u0027cinder\u0027 and \u0027nova\u0027 service user which are assignes the \u0027service\u0027 role + extra role\n - https://github.com/openstack/devstack/blob/c072f159cf66ed9b44b1dce90b7f0e86c81571eb/lib/cinder#L467\n - https://github.com/openstack/devstack/blob/c072f159cf66ed9b44b1dce90b7f0e86c81571eb/lib/nova#L388\n \n- \u0027nova\u0027 service user which has \u0027service\u0027 role is configured in cinder.conf to talk to nova.\n  - https://github.com/openstack/devstack/blob/c072f159cf66ed9b44b1dce90b7f0e86c81571eb/lib/cinder#L423\n  \nThis is how cinder service user for nova get \u0027service\u0027 role and we are all good in CI. This is something operator needs to make sure that user configured in [cinder.conf][nova] section has \u0027service\u0027 role. For that we can do two things:\n- Document that clearly for operator. That is something I am trying to do in this change for nova via doc and releasenotes. 
Or more operator facing documents etc can be helpful to them.\n\n- Allow admin-or-service role for a SLURP release (idea from Sean and we are doing it in nova in this change) so that operator have time to assign \u0027service\u0027 role to configured user if not.","commit_id":"78d2ee2e513705762806d8183287abaddd545882"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"2f47d3b4b52e18ef51eafca392899805aa7a6e61","unresolved":true,"context_lines":[{"line_number":114,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY),"},{"line_number":115,"context_line":"    policy.RuleDefault("},{"line_number":116,"context_line":"        \"service_api\","},{"line_number":117,"context_line":"        \"role:service\","},{"line_number":118,"context_line":"        \"Default rule for service-to-service APIs.\","},{"line_number":119,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_POLICY),"},{"line_number":120,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":8,"id":"d4bf1561_62b905d7","line":117,"range":{"start_line":117,"start_character":9,"end_line":117,"end_character":21},"in_reply_to":"bc4e86d9_946909d7","updated":"2025-08-26 18:21:40.000000000","message":"https://review.opendev.org/c/openstack/glance/+/958567\nthere is a revert for that.","commit_id":"78d2ee2e513705762806d8183287abaddd545882"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"9efa3c8d24a3d1823af94c323cb1d3b10160020b","unresolved":false,"context_lines":[{"line_number":41,"context_line":"PROJECT_MEMBER \u003d \u0027rule:project_manager_api\u0027"},{"line_number":42,"context_line":"PROJECT_MEMBER \u003d \u0027rule:project_member_api\u0027"},{"line_number":43,"context_line":"PROJECT_READER \u003d \u0027rule:project_reader_api\u0027"},{"line_number":44,"context_line":"# TODO(gmaan): Remove 
the admin role from the service rule in 2026.2. We are"},{"line_number":45,"context_line":"# continue allowing admin to access the service APIs, otherwise it will break"},{"line_number":46,"context_line":"# deployment where nova service users in other services are not assigned"},{"line_number":47,"context_line":"# \u0027service\u0027 role. After one SLURP (2026.1), we can make service APIs only"}],"source_content_type":"text/x-python","patch_set":13,"id":"f01ec5ac_835c4bdd","line":44,"range":{"start_line":44,"start_character":15,"end_line":44,"end_character":68},"updated":"2025-08-28 09:34:27.000000000","message":"happy with the upgrade path.","commit_id":"f914cb185c40b587ae8ce579eaf2f295c273e43b"}],"nova/policy.py":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"fe4725cd290a9a9a0aec645130b943b57c8aadd0","unresolved":true,"context_lines":[{"line_number":241,"context_line":"        - String formatting from target:"},{"line_number":242,"context_line":"          - \u0027service_roles:%(service_roles)s\u0027"},{"line_number":243,"context_line":"        - List of service roles:"},{"line_number":244,"context_line":"          - \u0027service_roles:[\u0027service1\u0027, \u0027service2\u0027]\u0027"},{"line_number":245,"context_line":"        - Single service role:"},{"line_number":246,"context_line":"          - \u0027service_roles:service\u0027"},{"line_number":247,"context_line":"    \"\"\""}],"source_content_type":"text/x-python","patch_set":6,"id":"a097d558_fee01375","line":244,"updated":"2025-08-22 14:38:34.000000000","message":"there is only ment to be one service role called service a least when it comes\nto the SRBAC goal\n\nany toher \"service roles\"  are custom roles adn should not be treated the same as the real `service` role.\n\nso im not sure we should supprot this in nova let alone prot this to 
oslo.","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"162a74b8d287faa630314016c6659357390ac48d","unresolved":true,"context_lines":[{"line_number":241,"context_line":"        - String formatting from target:"},{"line_number":242,"context_line":"          - \u0027service_roles:%(service_roles)s\u0027"},{"line_number":243,"context_line":"        - List of service roles:"},{"line_number":244,"context_line":"          - \u0027service_roles:[\u0027service1\u0027, \u0027service2\u0027]\u0027"},{"line_number":245,"context_line":"        - Single service role:"},{"line_number":246,"context_line":"          - \u0027service_roles:service\u0027"},{"line_number":247,"context_line":"    \"\"\""}],"source_content_type":"text/x-python","patch_set":6,"id":"3719ad17_38e6549c","line":244,"in_reply_to":"1e11e4fb_d6236fbf","updated":"2025-08-23 20:01:55.000000000","message":"it not valid to consider the roles on the service token in our policy rules today and i don\u0027t think we shoudl be changing that.\n\nany service that support the service_user feature shoudl be sending a service token for every request to any other service so i don\u0027t think overloading that token to play two roles is a good thing give its already used for extending the lifetime of the user token.","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"c06a320bf463cee3034e6ecfc53df3d1b752a7f1","unresolved":true,"context_lines":[{"line_number":241,"context_line":"        - String formatting from target:"},{"line_number":242,"context_line":"          - \u0027service_roles:%(service_roles)s\u0027"},{"line_number":243,"context_line":"        - List of service roles:"},{"line_number":244,"context_line":"          - 
\u0027service_roles:[\u0027service1\u0027, \u0027service2\u0027]\u0027"},{"line_number":245,"context_line":"        - Single service role:"},{"line_number":246,"context_line":"          - \u0027service_roles:service\u0027"},{"line_number":247,"context_line":"    \"\"\""}],"source_content_type":"text/x-python","patch_set":6,"id":"44d90431_27b577ef","line":244,"in_reply_to":"2abdb61b_0a0c0d12","updated":"2025-08-25 18:30:18.000000000","message":"+1\n\nwe likely will want to keep admin_or_service until 2026.2 so that we have a slurp \n2026.1 that we know operator should not skip in there upgrade.\n\nso we can add an upgrade note to say that oepraotr shoudl update the relevant service users this cycle and include it in 2026.1 then drop the compat after that.","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"bb79b2aaad440e688242c20c0afc12d32e8d1240","unresolved":true,"context_lines":[{"line_number":241,"context_line":"        - String formatting from target:"},{"line_number":242,"context_line":"          - \u0027service_roles:%(service_roles)s\u0027"},{"line_number":243,"context_line":"        - List of service roles:"},{"line_number":244,"context_line":"          - \u0027service_roles:[\u0027service1\u0027, \u0027service2\u0027]\u0027"},{"line_number":245,"context_line":"        - Single service role:"},{"line_number":246,"context_line":"          - \u0027service_roles:service\u0027"},{"line_number":247,"context_line":"    \"\"\""}],"source_content_type":"text/x-python","patch_set":6,"id":"5a9dbc73_91847194","line":244,"in_reply_to":"3719ad17_38e6549c","updated":"2025-08-24 04:46:35.000000000","message":"true, but service token has the service role right? that is what I am using for RBAC also. 
Or you are saying service can send service token without having service role ?","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4e0cb6e2600a8937a8489d69507a4501edcec3c8","unresolved":false,"context_lines":[{"line_number":241,"context_line":"        - String formatting from target:"},{"line_number":242,"context_line":"          - \u0027service_roles:%(service_roles)s\u0027"},{"line_number":243,"context_line":"        - List of service roles:"},{"line_number":244,"context_line":"          - \u0027service_roles:[\u0027service1\u0027, \u0027service2\u0027]\u0027"},{"line_number":245,"context_line":"        - Single service role:"},{"line_number":246,"context_line":"          - \u0027service_roles:service\u0027"},{"line_number":247,"context_line":"    \"\"\""}],"source_content_type":"text/x-python","patch_set":6,"id":"93842ce7_4cd80a47","line":244,"in_reply_to":"44d90431_27b577ef","updated":"2025-08-26 02:45:11.000000000","message":"Done","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"4dbaac7373d83795e221f6a65e0bb6a04a8f2d3c","unresolved":true,"context_lines":[{"line_number":241,"context_line":"        - String formatting from target:"},{"line_number":242,"context_line":"          - \u0027service_roles:%(service_roles)s\u0027"},{"line_number":243,"context_line":"        - List of service roles:"},{"line_number":244,"context_line":"          - \u0027service_roles:[\u0027service1\u0027, \u0027service2\u0027]\u0027"},{"line_number":245,"context_line":"        - Single service role:"},{"line_number":246,"context_line":"          - \u0027service_roles:service\u0027"},{"line_number":247,"context_line":"    
\"\"\""}],"source_content_type":"text/x-python","patch_set":6,"id":"8e9ba65a_4dbe6307","line":244,"in_reply_to":"5a9dbc73_91847194","updated":"2025-08-24 12:03:54.000000000","message":"they can and historically did because we used the normal nova user for both, we have required the nova user to have the service role to be able to talks to since since antelope to manage volume attachments.\nbut that is not my point the policy rules shoudl not conder the roles on the service token today the policy role are expclitlvie enforced against the standard token not the service token. \n\nif user A boot a vm and nova binds the port it shoudl do that by genreating a new token form nova config (which will have the admin and service role in general today) even if there was no servic_user configred in the nova.conf its expected that neutron will accpet that toke to call teh port bindign api because of the roles on it (be that the admin role or service role or both depneding on the relase)\n\n\nthe same is true for neutron calling nova external event api when neutron is finshed wiring it up. this happens asynconly and neutron wont have access to the orginal user token so it call nova back with a new token generated form its config which shoudl have the admin role today and ideally the service role going forward.\n\nagain the service_token can be also present for the porpous of life time extention fo the stadard token but since neuton is going to create a new token for every request to the external events api that actully not required, the policy rule shoudl not eb asserting the presence of the service token or roles on it. the keyston auth middlware will check it for the lifetiem extention usecase but that entrily seperate form SRBAC. 
Nova shoudl just be checkign and validatign the standard token.","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e582874293ab74651f256033ebd94aca98f26ba0","unresolved":true,"context_lines":[{"line_number":241,"context_line":"        - String formatting from target:"},{"line_number":242,"context_line":"          - \u0027service_roles:%(service_roles)s\u0027"},{"line_number":243,"context_line":"        - List of service roles:"},{"line_number":244,"context_line":"          - \u0027service_roles:[\u0027service1\u0027, \u0027service2\u0027]\u0027"},{"line_number":245,"context_line":"        - Single service role:"},{"line_number":246,"context_line":"          - \u0027service_roles:service\u0027"},{"line_number":247,"context_line":"    \"\"\""}],"source_content_type":"text/x-python","patch_set":6,"id":"1e11e4fb_d6236fbf","line":244,"in_reply_to":"803f4930_e8f9dd4b","updated":"2025-08-22 18:17:47.000000000","message":"Yeah, service_token_roles config option is the reason I am adding this logic; otherwise, oslo.policy GenericCheck[1] will work for us. This is something to discuss if we can stop accepting the service roles from config and have a hardcoded value. 
The only reason I can think of that the service role is configurable is if any deployment is using the \u0027service\u0027 role for some other purpose for their users, and wants the OpenStack service role to be something else.\n\nAll the logic in this new Check is because of this config option which can be configured differently but yes, that makes things like custom policy not default.\n\nThis is how I am using it in target: https://review.opendev.org/c/openstack/nova/+/957578/6/nova/api/openstack/compute/assisted_volume_snapshots.py#49\n\n[1] https://github.com/openstack/oslo.policy/blob/fc28a7b343516754829ffd0ecddc7323b866b33e/oslo_policy/_checks.py#L285","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4212b0cacb3780e3a05b292f35786546b6df0a50","unresolved":true,"context_lines":[{"line_number":241,"context_line":"        - String formatting from target:"},{"line_number":242,"context_line":"          - \u0027service_roles:%(service_roles)s\u0027"},{"line_number":243,"context_line":"        - List of service roles:"},{"line_number":244,"context_line":"          - \u0027service_roles:[\u0027service1\u0027, \u0027service2\u0027]\u0027"},{"line_number":245,"context_line":"        - Single service role:"},{"line_number":246,"context_line":"          - \u0027service_roles:service\u0027"},{"line_number":247,"context_line":"    \"\"\""}],"source_content_type":"text/x-python","patch_set":6,"id":"beab87e1_2ad8ad5e","line":244,"in_reply_to":"8e9ba65a_4dbe6307","updated":"2025-08-25 00:08:26.000000000","message":"I think I got your point now, and you are right to check the user token role only. I was considering the wrong case as service-to-service communication. Let me explain all the cases I considered/am considering now. Let me know if I am missing anything. \n\n1. 
ServiceA calling ServiceB asynchronously (Neutron/cinder etc sends events to Nova):\n \n  This case does not have any actual user token coming from an external user and service (neutron/cinder etc) creates its own token with \u0027service\u0027 role. In this case, I agree with you to check the \u0027service\u0027 role on the user token coming from services. Policy default for this case will be:\n       \"role:service\"\n\n2. User calling ServiceA, then ServiceA calling ServiceB:\n   This has two cases:\n\n   2.1 ServiceA calling ServiceB with internal user token (has service role):\n      In this case, serviceA creates a user token with \u0027service\u0027 role (from conf). For example, Cinder here[1]. To make sure the call is from services, Nova can check the \u0027 service\u0027 role on the user token. I checked all Cinder calls and Neutron calls to Nova, and they do pass the internal user token with \u0027service\u0027 role. Policy default for this case will be:\n       \"role:service\"\n   \n   2.2 With external user token + service token: (Here I was wrong and considered this service-to-service call)\n      This is a case where services call other services to complete the user operation. External user calling serviceA that does not have \u0027service\u0027 role, and if serviceA calls another service with the external user token and service token. In this case, I was considering and checking the service token in RBAC, but I was wrong. This is not the service-to-service calling, and the user token should be considered to check the permission. For example, a user creating a VM in Nova, Nova calls Neutron for network-related things. If the service checks the service token for permission, then it can be wrong and lead to information leaks/security issues.\n\nBasically, services should call Nova service APIs by creating an internal user with \u0027service\u0027 role. If not, then we should fix their usage. 
For Nova four service APIs, their usage in cinder, neutron is all good so we are good here.\n\n\n[1] https://github.com/openstack/cinder/blob/7ee3678b162981fa170df5bb12ac81ebdabb37ef/cinder/compute/nova.py#L100","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"856598fb84aef2742518b1ae1ecff4a329d48da5","unresolved":true,"context_lines":[{"line_number":241,"context_line":"        - String formatting from target:"},{"line_number":242,"context_line":"          - \u0027service_roles:%(service_roles)s\u0027"},{"line_number":243,"context_line":"        - List of service roles:"},{"line_number":244,"context_line":"          - \u0027service_roles:[\u0027service1\u0027, \u0027service2\u0027]\u0027"},{"line_number":245,"context_line":"        - Single service role:"},{"line_number":246,"context_line":"          - \u0027service_roles:service\u0027"},{"line_number":247,"context_line":"    \"\"\""}],"source_content_type":"text/x-python","patch_set":6,"id":"803f4930_e8f9dd4b","line":244,"in_reply_to":"a097d558_fee01375","updated":"2025-08-22 14:41:53.000000000","message":"by the way by not sure i actully mean we explictly should not supprot alternitve service euser roles\n\nhttps://docs.openstack.org/nova/latest/configuration/config.html#keystone_authtoken.service_token_roles predates the standardisation \n\nthis is a direct interop problem and we shoudl not prpoagate that more.","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"874f06aad716b70011edd410c5cea5097ccd26ec","unresolved":true,"context_lines":[{"line_number":241,"context_line":"        - String formatting from target:"},{"line_number":242,"context_line":"          - \u0027service_roles:%(service_roles)s\u0027"},{"line_number":243,"context_line":"      
  - List of service roles:"},{"line_number":244,"context_line":"          - \u0027service_roles:[\u0027service1\u0027, \u0027service2\u0027]\u0027"},{"line_number":245,"context_line":"        - Single service role:"},{"line_number":246,"context_line":"          - \u0027service_roles:service\u0027"},{"line_number":247,"context_line":"    \"\"\""}],"source_content_type":"text/x-python","patch_set":6,"id":"db212576_2c48e3a8","line":244,"in_reply_to":"beab87e1_2ad8ad5e","updated":"2025-08-25 11:19:31.000000000","message":"yep that aligns to what i was thinking.\n\nefectivly to complete the \"calling\" part of this part of the SRBAC goal all a service need to do is document that the user in there config shoudl have the `service` role. i.e. the user in the nova section of neutron config should have the service role and optionally the admin role for smooth upgrades if you do not want to care about the upgrade order. after your cloud id fully upgraded you can remove the admin role once all calls that internal user is making is upgraded supported by the service role.\n\non the reciviing side a service need to update there policy rule form admin to service (optinally have an or between the too for upgrades) this is what actully needs a code change.\n\nseparately form those too there is the Service_user token which i would stongly encurrage for long running operation but in general is only required when not creating a new token form the config. i.e. when using a toekn that was passed in by an end user to call another service. This is complementry but sepreate form the SRBAC goal. 
im not sure if neutron has any usecases like that cinder may if talking to swift or glance for volume backups but nova often does since it orchestrates calls to many other services which makes it somewhat unique.\n\nso i think we are more or less on the same page now.","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"96e138061c43af6f0818c36fa424d53724b1881d","unresolved":true,"context_lines":[{"line_number":241,"context_line":"        - String formatting from target:"},{"line_number":242,"context_line":"          - \u0027service_roles:%(service_roles)s\u0027"},{"line_number":243,"context_line":"        - List of service roles:"},{"line_number":244,"context_line":"          - \u0027service_roles:[\u0027service1\u0027, \u0027service2\u0027]\u0027"},{"line_number":245,"context_line":"        - Single service role:"},{"line_number":246,"context_line":"          - \u0027service_roles:service\u0027"},{"line_number":247,"context_line":"    \"\"\""}],"source_content_type":"text/x-python","patch_set":6,"id":"2abdb61b_0a0c0d12","line":244,"in_reply_to":"db212576_2c48e3a8","updated":"2025-08-25 16:57:56.000000000","message":"Yeah, I cannot think of neutron case where they need to extend the user expiry so I abandon my neutron change - https://review.opendev.org/c/openstack/neutron/+/958142\n\n\nON RBAC scope, I am re-thinking the upgrade case where the operator has only an admin role in the nova user (configured service user for nova) in neutron.conf and with our new defaults enabled by default, it will break them right away and need to add a service role to that user. 
I am more thinking of allowing \u0027admin-or-service\u0027 for this cycle, and once we have updated doc and release notes floated in this cycle, then we can update it to \u0027service\u0027 only.\n\nI am ok to break the external user to access the service API, but at the same time, it will break the neutron/cinder internal call also if service user is not configured correctly. \n\nCinder has documented it very clearly - https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html#configuration\n\nNova did too - https://docs.openstack.org/nova/latest/admin/configuration/service-user-token.html\n\nBut could not find anything for Neutron, which is my worry that many operator might have just admin role for nova service user in neutron conf.","commit_id":"ad4375de68ea8c26c7d6b7e8584a7154811c092c"}],"nova/tests/unit/test_policy.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"410f84591821623a3d4b1c55a77ed436fce0b3f6","unresolved":true,"context_lines":[{"line_number":569,"context_line":"            self.assertRaises(exception.PolicyNotAuthorized, policy.authorize,"},{"line_number":570,"context_line":"                              self.non_admin_context, rule,"},{"line_number":571,"context_line":"                              {\u0027project_id\u0027: \u0027fake\u0027, \u0027user_id\u0027: \u0027fake\u0027})"},{"line_number":572,"context_line":"            policy.authorize(self.admin_context, rule)"},{"line_number":573,"context_line":"            policy.authorize(self.service_context, rule)"},{"line_number":574,"context_line":""},{"line_number":575,"context_line":"    def test_rule_missing(self):"}],"source_content_type":"text/x-python","patch_set":10,"id":"914f3954_9dd1b2cb","line":572,"updated":"2025-08-27 17:18:00.000000000","message":"This will be removed (or change to `assertRaises`) after the next slurp, right? 
Perhaps a comment?","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4af4d6ca30a15f5a4e019c6afb99e793e829a505","unresolved":false,"context_lines":[{"line_number":569,"context_line":"            self.assertRaises(exception.PolicyNotAuthorized, policy.authorize,"},{"line_number":570,"context_line":"                              self.non_admin_context, rule,"},{"line_number":571,"context_line":"                              {\u0027project_id\u0027: \u0027fake\u0027, \u0027user_id\u0027: \u0027fake\u0027})"},{"line_number":572,"context_line":"            policy.authorize(self.admin_context, rule)"},{"line_number":573,"context_line":"            policy.authorize(self.service_context, rule)"},{"line_number":574,"context_line":""},{"line_number":575,"context_line":"    def test_rule_missing(self):"}],"source_content_type":"text/x-python","patch_set":10,"id":"6f7ff015_1c438a48","line":572,"in_reply_to":"914f3954_9dd1b2cb","updated":"2025-08-27 18:54:38.000000000","message":"yeah, it will be assertRaises after we remove admin access from the service role. 
I will add comment.","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"}],"releasenotes/notes/add-policy-service-role-eaa391e30431a9d6.yaml":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"65e8e74d5820708f17df7a4abb3337feb44980d2","unresolved":true,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"    For backward compatibility, Nova continue allow ``admin`` role token to"},{"line_number":33,"context_line":"    access service APIs but in future release, ``admin`` access will be"},{"line_number":34,"context_line":"    removed."}],"source_content_type":"text/x-yaml","patch_set":8,"id":"67ce6a08_22ef59ce","line":34,"updated":"2025-08-26 15:31:34.000000000","message":"i think this is fine but we could also formally deprecate using the admin role for service to service comms.\n\nwe want to have 2026.1 support both so this is not required this cycle either ways so treat this as a nit.","commit_id":"78d2ee2e513705762806d8183287abaddd545882"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"6208cf326eb4413dc342e48f526b4e952c1fe1d7","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"    For backward compatibility, Nova continue allow ``admin`` role token to"},{"line_number":33,"context_line":"    access service APIs but in future release, ``admin`` access will be"},{"line_number":34,"context_line":"    removed."}],"source_content_type":"text/x-yaml","patch_set":8,"id":"055f7b07_7cc9b3a6","line":34,"in_reply_to":"2de2bc3c_532e3eaa","updated":"2025-08-27 05:27:10.000000000","message":"Done","commit_id":"78d2ee2e513705762806d8183287abaddd545882"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"a2bb0d2346437909ab3d761bf827cfa7bcff74b5","unresolved":true,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"    For backward compatibility, Nova continue allow ``admin`` role token to"},{"line_number":33,"context_line":"    access service APIs but in future release, ``admin`` access will be"},{"line_number":34,"context_line":"    removed."}],"source_content_type":"text/x-yaml","patch_set":8,"id":"2de2bc3c_532e3eaa","line":34,"in_reply_to":"67ce6a08_22ef59ce","updated":"2025-08-26 16:38:06.000000000","message":"sure, I can add that here so that it will be clear as deprecation notes. will do once testing is finished.","commit_id":"78d2ee2e513705762806d8183287abaddd545882"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"410f84591821623a3d4b1c55a77ed436fce0b3f6","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    A few of the Nova APIs are meant to communicate to OpenStack services."},{"line_number":5,"context_line":"    Those APIs are not supposed to be used by any users because they can make"},{"line_number":6,"context_line":"    deployment or resources in unwanted state. To restrict the usage of those"},{"line_number":7,"context_line":"    APIs by users, Nova default those APIs policy rule to the ``service`` role"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"f2005570_05cb994e","line":4,"range":{"start_line":4,"start_character":37,"end_line":4,"end_character":73},"updated":"2025-08-27 17:18:00.000000000","message":"This implies outbound communication to my ear, which is not right. 
Suggest:\n\n\"A few of the Nova APIs are meant only for use by other OpenstackServices\"","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4af4d6ca30a15f5a4e019c6afb99e793e829a505","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    A few of the Nova APIs are meant to communicate to OpenStack services."},{"line_number":5,"context_line":"    Those APIs are not supposed to be used by any users because they can make"},{"line_number":6,"context_line":"    deployment or resources in unwanted state. To restrict the usage of those"},{"line_number":7,"context_line":"    APIs by users, Nova default those APIs policy rule to the ``service`` role"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"a5e9defc_a56ae370","line":4,"range":{"start_line":4,"start_character":37,"end_line":4,"end_character":73},"in_reply_to":"5aef473a_1900b679","updated":"2025-08-27 18:54:38.000000000","message":"Done","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"add6838604a9a929c273e55e2c58f243d76b4752","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    A few of the Nova APIs are meant to communicate to OpenStack services."},{"line_number":5,"context_line":"    Those APIs are not supposed to be used by any users because they can make"},{"line_number":6,"context_line":"    deployment or resources in unwanted state. 
To restrict the usage of those"},{"line_number":7,"context_line":"    APIs by users, Nova default those APIs policy rule to the ``service`` role"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"5aef473a_1900b679","line":4,"range":{"start_line":4,"start_character":37,"end_line":4,"end_character":73},"in_reply_to":"f2005570_05cb994e","updated":"2025-08-27 18:31:37.000000000","message":"oh because of \"communicate to\" ya that implies send not receive to me also.\n\n+1 to your rewording.","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"410f84591821623a3d4b1c55a77ed436fce0b3f6","unresolved":true,"context_lines":[{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    A few of the Nova APIs are meant to communicate to OpenStack services."},{"line_number":5,"context_line":"    Those APIs are not supposed to be used by any users because they can make"},{"line_number":6,"context_line":"    deployment or resources in unwanted state. 
To restrict the usage of those"},{"line_number":7,"context_line":"    APIs by users, Nova default those APIs policy rule to the ``service`` role"},{"line_number":8,"context_line":"    This will make sure they are allowed to be used by the OpenStack services"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"1f2e005f_b2f77b4c","line":5,"range":{"start_line":5,"start_character":50,"end_line":5,"end_character":55},"updated":"2025-08-27 17:18:00.000000000","message":"\"any users (even admins)\"","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"add6838604a9a929c273e55e2c58f243d76b4752","unresolved":true,"context_lines":[{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    A few of the Nova APIs are meant to communicate to OpenStack services."},{"line_number":5,"context_line":"    Those APIs are not supposed to be used by any users because they can make"},{"line_number":6,"context_line":"    deployment or resources in unwanted state. 
To restrict the usage of those"},{"line_number":7,"context_line":"    APIs by users, Nova default those APIs policy rule to the ``service`` role"},{"line_number":8,"context_line":"    This will make sure they are allowed to be used by the OpenStack services"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"d0273ba2_709b22c7","line":5,"range":{"start_line":5,"start_character":50,"end_line":5,"end_character":55},"in_reply_to":"1f2e005f_b2f77b4c","updated":"2025-08-27 18:31:37.000000000","message":"also +1 to reinforce the point that even admins should not be calling these APIs.","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4af4d6ca30a15f5a4e019c6afb99e793e829a505","unresolved":false,"context_lines":[{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    A few of the Nova APIs are meant to communicate to OpenStack services."},{"line_number":5,"context_line":"    Those APIs are not supposed to be used by any users because they can make"},{"line_number":6,"context_line":"    deployment or resources in unwanted state. 
To restrict the usage of those"},{"line_number":7,"context_line":"    APIs by users, Nova default those APIs policy rule to the ``service`` role"},{"line_number":8,"context_line":"    This will make sure they are allowed to be used by the OpenStack services"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"12a387c7_3dddc779","line":5,"range":{"start_line":5,"start_character":50,"end_line":5,"end_character":55},"in_reply_to":"d0273ba2_709b22c7","updated":"2025-08-27 18:54:38.000000000","message":"done, I think I used \u0027non-service\u0027 user term in doc, let me use that here too.","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"410f84591821623a3d4b1c55a77ed436fce0b3f6","unresolved":true,"context_lines":[{"line_number":4,"context_line":"    A few of the Nova APIs are meant to communicate to OpenStack services."},{"line_number":5,"context_line":"    Those APIs are not supposed to be used by any users because they can make"},{"line_number":6,"context_line":"    deployment or resources in unwanted state. 
To restrict the usage of those"},{"line_number":7,"context_line":"    APIs by users, Nova default those APIs policy rule to the ``service`` role"},{"line_number":8,"context_line":"    This will make sure they are allowed to be used by the OpenStack services"},{"line_number":9,"context_line":"    only."},{"line_number":10,"context_line":"upgrade:"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"d2d4037c_751b5cef","line":7,"range":{"start_line":7,"start_character":19,"end_line":7,"end_character":31},"updated":"2025-08-27 17:18:00.000000000","message":"\"Nova now defaults those APIs to a policy rule of the service role.","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4af4d6ca30a15f5a4e019c6afb99e793e829a505","unresolved":false,"context_lines":[{"line_number":4,"context_line":"    A few of the Nova APIs are meant to communicate to OpenStack services."},{"line_number":5,"context_line":"    Those APIs are not supposed to be used by any users because they can make"},{"line_number":6,"context_line":"    deployment or resources in unwanted state. 
To restrict the usage of those"},{"line_number":7,"context_line":"    APIs by users, Nova default those APIs policy rule to the ``service`` role"},{"line_number":8,"context_line":"    This will make sure they are allowed to be used by the OpenStack services"},{"line_number":9,"context_line":"    only."},{"line_number":10,"context_line":"upgrade:"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"d94ce644_894e735a","line":7,"range":{"start_line":7,"start_character":19,"end_line":7,"end_character":31},"in_reply_to":"d2d4037c_751b5cef","updated":"2025-08-27 18:54:38.000000000","message":"Done","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"410f84591821623a3d4b1c55a77ed436fce0b3f6","unresolved":true,"context_lines":[{"line_number":11,"context_line":"  - |"},{"line_number":12,"context_line":"    Nova changed the default access for the service-to-service APIs which are"},{"line_number":13,"context_line":"    meant to be used by the OpenStack services only and not by any users."},{"line_number":14,"context_line":"    The below service-to-service APIs access are default to``service`` role:"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"    * os_compute_api:os-assisted-volume-snapshots:create"},{"line_number":17,"context_line":"    * os_compute_api:os-assisted-volume-snapshots:delete"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"70374288_3d185139","line":14,"range":{"start_line":14,"start_character":57,"end_line":14,"end_character":70},"updated":"2025-08-27 17:18:00.000000000","message":"s/are// and also, need a space after \"to\". 
Also recommend \"default to THE service role\"","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4af4d6ca30a15f5a4e019c6afb99e793e829a505","unresolved":false,"context_lines":[{"line_number":11,"context_line":"  - |"},{"line_number":12,"context_line":"    Nova changed the default access for the service-to-service APIs which are"},{"line_number":13,"context_line":"    meant to be used by the OpenStack services only and not by any users."},{"line_number":14,"context_line":"    The below service-to-service APIs access are default to``service`` role:"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"    * os_compute_api:os-assisted-volume-snapshots:create"},{"line_number":17,"context_line":"    * os_compute_api:os-assisted-volume-snapshots:delete"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"a5c992fb_de94f7b2","line":14,"range":{"start_line":14,"start_character":57,"end_line":14,"end_character":70},"in_reply_to":"70374288_3d185139","updated":"2025-08-27 18:54:38.000000000","message":"Done","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"410f84591821623a3d4b1c55a77ed436fce0b3f6","unresolved":true,"context_lines":[{"line_number":24,"context_line":"    ``neutron.conf`` file under ``[nova]`` section has the ``service``"},{"line_number":25,"context_line":"    role."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"    If you are allowing these APIs to admin or non-admin user then it is"},{"line_number":28,"context_line":"    highly recommended to remove those permission and make sure those APIs"},{"line_number":29,"context_line":"    are not accessed by any non-service 
users."},{"line_number":30,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":10,"id":"1b32feba_1c1f1869","line":27,"range":{"start_line":27,"start_character":35,"end_line":27,"end_character":37},"updated":"2025-08-27 17:18:00.000000000","message":"\"to be accessed by admin ...\"","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4af4d6ca30a15f5a4e019c6afb99e793e829a505","unresolved":false,"context_lines":[{"line_number":24,"context_line":"    ``neutron.conf`` file under ``[nova]`` section has the ``service``"},{"line_number":25,"context_line":"    role."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"    If you are allowing these APIs to admin or non-admin user then it is"},{"line_number":28,"context_line":"    highly recommended to remove those permission and make sure those APIs"},{"line_number":29,"context_line":"    are not accessed by any non-service users."},{"line_number":30,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":10,"id":"fc31dfb4_f51665c9","line":27,"range":{"start_line":27,"start_character":35,"end_line":27,"end_character":37},"in_reply_to":"1b32feba_1c1f1869","updated":"2025-08-27 18:54:38.000000000","message":"Done","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"410f84591821623a3d4b1c55a77ed436fce0b3f6","unresolved":true,"context_lines":[{"line_number":25,"context_line":"    role."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"    If you are allowing these APIs to admin or non-admin user then it is"},{"line_number":28,"context_line":"    highly recommended to remove those permission and make sure those APIs"},{"line_number":29,"context_line":"    are not accessed by 
any non-service users."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"    For backward compatibility, Nova continue allow ``admin`` role token to"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"024864af_8a76fb37","line":28,"range":{"start_line":28,"start_character":39,"end_line":28,"end_character":49},"updated":"2025-08-27 17:18:00.000000000","message":"permissions (or \"that permission\")","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4af4d6ca30a15f5a4e019c6afb99e793e829a505","unresolved":false,"context_lines":[{"line_number":25,"context_line":"    role."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"    If you are allowing these APIs to admin or non-admin user then it is"},{"line_number":28,"context_line":"    highly recommended to remove those permission and make sure those APIs"},{"line_number":29,"context_line":"    are not accessed by any non-service users."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"    For backward compatibility, Nova continue allow ``admin`` role token to"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"26062174_df70c6c2","line":28,"range":{"start_line":28,"start_character":39,"end_line":28,"end_character":49},"in_reply_to":"024864af_8a76fb37","updated":"2025-08-27 18:54:38.000000000","message":"Done","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"410f84591821623a3d4b1c55a77ed436fce0b3f6","unresolved":true,"context_lines":[{"line_number":26,"context_line":""},{"line_number":27,"context_line":"    If you are allowing these APIs to admin or non-admin user then it is"},{"line_number":28,"context_line":"    highly recommended to remove those 
permission and make sure those APIs"},{"line_number":29,"context_line":"    are not accessed by any non-service users."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"    For backward compatibility, Nova continue allow ``admin`` role token to"},{"line_number":32,"context_line":"    access service APIs but in future release, ``admin`` access will be"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"9d116c16_8e1c8d11","line":29,"range":{"start_line":29,"start_character":12,"end_line":29,"end_character":20},"updated":"2025-08-27 17:18:00.000000000","message":"\"accessible\"","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"4af4d6ca30a15f5a4e019c6afb99e793e829a505","unresolved":false,"context_lines":[{"line_number":26,"context_line":""},{"line_number":27,"context_line":"    If you are allowing these APIs to admin or non-admin user then it is"},{"line_number":28,"context_line":"    highly recommended to remove those permission and make sure those APIs"},{"line_number":29,"context_line":"    are not accessed by any non-service users."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"    For backward compatibility, Nova continue allow ``admin`` role token to"},{"line_number":32,"context_line":"    access service APIs but in future release, ``admin`` access will be"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"85840e67_66220049","line":29,"range":{"start_line":29,"start_character":12,"end_line":29,"end_character":20},"in_reply_to":"9d116c16_8e1c8d11","updated":"2025-08-27 18:54:38.000000000","message":"Done","commit_id":"d939044d341901db9905c7f69e52173084e6dd3e"},{"author":{"_account_id":4393,"name":"Dan 
Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"474c1d738dcedfa3a7c5661b1cdd45e804f58bf7","unresolved":true,"context_lines":[{"line_number":24,"context_line":"    ``neutron.conf`` file under ``[nova]`` section has the ``service``"},{"line_number":25,"context_line":"    role."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"    If you are allowing these APIs to be accessed by admin or non-admin user"},{"line_number":28,"context_line":"    then it is highly recommended to remove that permission and make sure"},{"line_number":29,"context_line":"    those APIs are not accessible by any non-service users."},{"line_number":30,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":11,"id":"2b782393_1a20e07c","line":27,"range":{"start_line":27,"start_character":72,"end_line":27,"end_character":76},"updated":"2025-08-27 19:29:21.000000000","message":"\"users\" should be pluralized here","commit_id":"f8bcf431d4945d925669ceb95ebfe9542659321b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"7356ef8f853bc1a2d727b650a5d41c0078b6b791","unresolved":true,"context_lines":[{"line_number":24,"context_line":"    ``neutron.conf`` file under ``[nova]`` section has the ``service``"},{"line_number":25,"context_line":"    role."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"    If you are allowing these APIs to be accessed by admin or non-admin user"},{"line_number":28,"context_line":"    then it is highly recommended to remove that permission and make sure"},{"line_number":29,"context_line":"    those APIs are not accessible by any non-service users."},{"line_number":30,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":11,"id":"bad966ab_22b02766","line":27,"range":{"start_line":27,"start_character":72,"end_line":27,"end_character":76},"in_reply_to":"2b782393_1a20e07c","updated":"2025-08-27 
19:31:51.000000000","message":"either is ok\n\ni read this more like \n\n\n```suggestion\n    If you are allowing these APIs to be accessed by a (admin or non-admin) user,\n```","commit_id":"f8bcf431d4945d925669ceb95ebfe9542659321b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"167815aea132defbd6ccbba2932bccc85e8c8865","unresolved":false,"context_lines":[{"line_number":24,"context_line":"    ``neutron.conf`` file under ``[nova]`` section has the ``service``"},{"line_number":25,"context_line":"    role."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"    If you are allowing these APIs to be accessed by admin or non-admin user"},{"line_number":28,"context_line":"    then it is highly recommended to remove that permission and make sure"},{"line_number":29,"context_line":"    those APIs are not accessible by any non-service users."},{"line_number":30,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":11,"id":"8d66a811_0600b54a","line":27,"range":{"start_line":27,"start_character":72,"end_line":27,"end_character":76},"in_reply_to":"bad966ab_22b02766","updated":"2025-08-27 19:34:12.000000000","message":"Done","commit_id":"f8bcf431d4945d925669ceb95ebfe9542659321b"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"9efa3c8d24a3d1823af94c323cb1d3b10160020b","unresolved":false,"context_lines":[{"line_number":40,"context_line":"    * os_compute_api:os-assisted-volume-snapshots:create"},{"line_number":41,"context_line":"    * os_compute_api:os-assisted-volume-snapshots:delete"},{"line_number":42,"context_line":"    * os_compute_api:os-server-external-events:create"},{"line_number":43,"context_line":"    * 
os_compute_api:os-volumes-attachments:swap"}],"source_content_type":"text/x-yaml","patch_set":13,"id":"dc496ad0_879cc6f7","line":43,"updated":"2025-08-28 09:34:27.000000000","message":"as I said, I\u0027m fine with the upgrade path provided the future release being after 2026.1 at least.","commit_id":"f914cb185c40b587ae8ce579eaf2f295c273e43b"}]}
