)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"2639f55563a954487b6f52f28d3adcc9e18cb850","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"84a0afa2_ed5377a1","updated":"2026-04-30 16:51:49.000000000","message":"It might just be me so please take this with a grain of salt, but this seems very confusing to me 😆 I try to explain inline.\n\nIt leaves me wondering if we might need to change some method names or something to make things look less similar.","commit_id":"d24461331fa3e4cbdd2eb6631916b1fa980f5b26"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b36d9c9d4f16db7efab11b133ae4510c4bb30c20","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"1b61aa67_ee9d338c","updated":"2026-04-29 16:01:04.000000000","message":"This is a good update and aligns with my understanding of how these work, at least. I\u0027d be interested in Mel\u0027s opinion in particular here.\n\nCouple of comments inline but it\u0027s more grammar and formatting than structural content.","commit_id":"d24461331fa3e4cbdd2eb6631916b1fa980f5b26"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"cc1152bff660cf8f10a30bb523d0c06184c54206","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"76e76316_e21a3e25","updated":"2026-04-29 15:30:08.000000000","message":"We were not able to discuss it in PTG but I am adding the proposal here. 
We can wait for most of the core (if not all) to vote on this as a team agreement.","commit_id":"d24461331fa3e4cbdd2eb6631916b1fa980f5b26"}],"doc/source/admin/configuration/service-user-token.rst":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b36d9c9d4f16db7efab11b133ae4510c4bb30c20","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"f7bc5fab_f39da548","updated":"2026-04-29 16:01:04.000000000","message":"nit: this doc should probably be renamed now and a redirect put in place (via `doc/source/_extra/.htaccess`)","commit_id":"d24461331fa3e4cbdd2eb6631916b1fa980f5b26"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b36d9c9d4f16db7efab11b133ae4510c4bb30c20","unresolved":true,"context_lines":[{"line_number":21,"context_line":"Terminology"},{"line_number":22,"context_line":"-----------"},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"user_token"},{"line_number":25,"context_line":"  The end-user\u0027s Keystone token used to call Nova APIs. It identifies"},{"line_number":26,"context_line":"  the end user and carries their project-scoped roles."},{"line_number":27,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"994be468_20e90689","line":24,"updated":"2026-04-29 16:01:04.000000000","message":"```suggestion\nUser token\n```\n\nThis is how you appear to be referring to it below.","commit_id":"d24461331fa3e4cbdd2eb6631916b1fa980f5b26"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b36d9c9d4f16db7efab11b133ae4510c4bb30c20","unresolved":true,"context_lines":[{"line_number":30,"context_line":"  configured with the ``service`` role. 
In Nova, this user is configured in"},{"line_number":31,"context_line":"  multiple places:"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"  * :oslo.config:group:`service_user`:"},{"line_number":34,"context_line":"    A Keystone token obtained from the credentials configured in the"},{"line_number":35,"context_line":"    :oslo.config:group:`service_user` section of ``nova.conf``. It is"},{"line_number":36,"context_line":"    sent alongside the ``user_token`` when"}],"source_content_type":"text/x-rst","patch_set":2,"id":"03d97c3d_862413d3","line":33,"updated":"2026-04-29 16:01:04.000000000","message":"nit: I believe you need a new line under here if you want these to render as separate paragraphs (and you can drop the `:` too). Maybe that\u0027s not the intention though?","commit_id":"d24461331fa3e4cbdd2eb6631916b1fa980f5b26"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b36d9c9d4f16db7efab11b133ae4510c4bb30c20","unresolved":true,"context_lines":[{"line_number":33,"context_line":"  * :oslo.config:group:`service_user`:"},{"line_number":34,"context_line":"    A Keystone token obtained from the credentials configured in the"},{"line_number":35,"context_line":"    :oslo.config:group:`service_user` section of ``nova.conf``. It is"},{"line_number":36,"context_line":"    sent alongside the ``user_token`` when"},{"line_number":37,"context_line":"    :oslo.config:option:`service_user.send_service_user_token` is ``true``"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"  * :oslo.config:group:`keystone_authtoken`:"}],"source_content_type":"text/x-rst","patch_set":2,"id":"e2c30713_a7ed361a","line":36,"updated":"2026-04-29 16:01:04.000000000","message":"```suggestion\n    sent alongside the user token when\n```\n\nAssuming `user_token` isn\u0027t a specific symbol (e.g. variable) (right? 
You mean the token of the user, yeah?)","commit_id":"d24461331fa3e4cbdd2eb6631916b1fa980f5b26"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b36d9c9d4f16db7efab11b133ae4510c4bb30c20","unresolved":true,"context_lines":[{"line_number":50,"context_line":"  Operators have two valid choices for what credentials to place in these"},{"line_number":51,"context_line":"  sections, depending on their deployment requirements:"},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"  * **Single Nova service user (recommended):** Use the same Nova service user"},{"line_number":54,"context_line":"    in every service user sections. Nova should never hold the credentials of"},{"line_number":55,"context_line":"    another service, and no other service should hold Nova\u0027s credentials."},{"line_number":56,"context_line":"    This is the simplest approach and keeps privilege management centralised."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"  * **Dedicated per-service user:** Create a separate Keystone user in each"},{"line_number":59,"context_line":"    service user sections (e.g. ``service_user``, per-service section"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9d9132b6_988fa024","line":56,"range":{"start_line":53,"start_character":78,"end_line":56,"end_character":77},"updated":"2026-04-29 16:01:04.000000000","message":"\u003e Nova should never hold the credentials of\n\u003e another service, and no other service should hold Nova\u0027s credentials.\n\nThis applies to both options, right? 
Maybe move this out of here and down to the paragraph below?","commit_id":"d24461331fa3e4cbdd2eb6631916b1fa980f5b26"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b36d9c9d4f16db7efab11b133ae4510c4bb30c20","unresolved":true,"context_lines":[{"line_number":82,"context_line":"This is controlled by"},{"line_number":83,"context_line":":oslo.config:option:`service_user.send_service_user_token`."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"There are two other configuration options in ``[keystone_authoken]`` which"},{"line_number":86,"context_line":"controls the service token usage for user token expiry.elated to receiving"},{"line_number":87,"context_line":"service tokens are ``service_token_roles`` and"},{"line_number":88,"context_line":"``service_token_roles_required``."},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"#. :oslo.config:option:`keystone_authtoken.service_token_roles`: It contains"},{"line_number":91,"context_line":"   a list of roles that keystone consider to belong to services.  
The service"}],"source_content_type":"text/x-rst","patch_set":2,"id":"4e422c6f_1023cb59","line":88,"range":{"start_line":85,"start_character":74,"end_line":88,"end_character":33},"updated":"2026-04-29 16:01:04.000000000","message":"I think this is incomplete and I\u0027m guessing you decided to use bullet points later on, so?\n\n```suggestion\nThere are two other configuration options in ``[keystone_authoken]`` which\ncontrols the service token usage for user token expiry:\n```","commit_id":"d24461331fa3e4cbdd2eb6631916b1fa980f5b26"}],"doc/source/contributor/usage-of-service-users.rst":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"2639f55563a954487b6f52f28d3adcc9e18cb850","unresolved":true,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"  * Sending a service token alongside the end-user token"},{"line_number":30,"context_line":"    (``ServiceTokenAuthWrapper``)."},{"line_number":31,"context_line":"  * Fallback if per-service user is not present. It authenticate Nova itself"},{"line_number":32,"context_line":"    from any process, including nova-compute and nova-conductor."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Per-service sections (``[cinder]``, ``[neutron]``, ``[glance]``, etc.)"},{"line_number":35,"context_line":"  The credentials Nova uses to call a specific service API on behalf of a user."},{"line_number":36,"context_line":"  The auth plugin from these sections is loaded as the *user auth* when"}],"source_content_type":"text/x-rst","patch_set":2,"id":"a2c91363_189aa077","line":33,"range":{"start_line":31,"start_character":4,"end_line":33,"end_character":0},"updated":"2026-04-30 16:51:49.000000000","message":"I\u0027m not sure about this being a fallback ... 
meaning, if we\u0027re trying to define rules for when to use `[service_user]` vs `[cinder|glance|neutron|...]` having a fallback seems to just mix the two and essentially allow both options i.e no real rules.\n\nFor the sake of argument in the context of vTPM: what would be the motivation for me to use `[barbican]` when I could just let it use `[service_user]`? Backward compat or something else?\n\nOr maybe you are thinking in the case of `[service_user]` with `send_service_user_token \u003d false` would be a valid time to fallback?","commit_id":"d24461331fa3e4cbdd2eb6631916b1fa980f5b26"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"2639f55563a954487b6f52f28d3adcc9e18cb850","unresolved":true,"context_lines":[{"line_number":57,"context_line":""},{"line_number":58,"context_line":"``get_service_auth_plugin(conf_group)``"},{"line_number":59,"context_line":"  Returns a cached keystoneauth1 auth plugin loaded from the named"},{"line_number":60,"context_line":"  configuration group. Use this to get the auth plugin for a per-service"},{"line_number":61,"context_line":"  section (e.g. 
``nova.conf.cinder.cinder_group.name``) or for the"},{"line_number":62,"context_line":"  ``[service_user]`` group (``nova.conf.service_token.SERVICE_USER_GROUP``)."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"``get_service_auth_session(conf_group, auth\u003dNone)``"},{"line_number":65,"context_line":"  Returns a cached ``keystoneauth1.session.Session`` for the named"}],"source_content_type":"text/x-rst","patch_set":2,"id":"f6edf907_c4915cb8","line":62,"range":{"start_line":60,"start_character":23,"end_line":62,"end_character":76},"updated":"2026-04-30 16:51:49.000000000","message":"This is another place where it seems to be confusing -- the `get_service_user_token_auth_plugin()` above would seem to be the one to use for the `[service_user]` section but here this is saying you can also use `get_service_auth_plugin()` to read the `[service_user]` section.","commit_id":"d24461331fa3e4cbdd2eb6631916b1fa980f5b26"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"874f0696d6b5c074fcb089a5675a0bab1f3b12d7","unresolved":true,"context_lines":[{"line_number":78,"context_line":"Nova calling a service for internal interaction"},{"line_number":79,"context_line":"-----------------------------------------------"},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"This is case when nNova needs to call another service for internal"},{"line_number":82,"context_line":"communication or as part of user request but should not use user token."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Per-service section is configured or not preset in nova.conf"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3eaf37de_11e70268","line":81,"range":{"start_line":81,"start_character":18,"end_line":81,"end_character":23},"updated":"2026-04-29 
19:27:50.000000000","message":"\"Nova\"","commit_id":"d24461331fa3e4cbdd2eb6631916b1fa980f5b26"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"874f0696d6b5c074fcb089a5675a0bab1f3b12d7","unresolved":true,"context_lines":[{"line_number":79,"context_line":"-----------------------------------------------"},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"This is case when nNova needs to call another service for internal"},{"line_number":82,"context_line":"communication or as part of user request but should not use user token."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Per-service section is configured or not preset in nova.conf"},{"line_number":85,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":2,"id":"70964208_f75cd148","line":82,"updated":"2026-04-29 19:27:50.000000000","message":"What would be an example of this? Nova doing stuff in barbican for \"deployment\" vTPM security? The two examples seem to be dependent on the config, but the code can\u0027t really know. Can you explain why there are two alternatives below? 
Is it just that we have a `[cinder]` but we don\u0027t have a `[barbican]`?","commit_id":"d24461331fa3e4cbdd2eb6631916b1fa980f5b26"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"2639f55563a954487b6f52f28d3adcc9e18cb850","unresolved":true,"context_lines":[{"line_number":81,"context_line":"This is case when nNova needs to call another service for internal"},{"line_number":82,"context_line":"communication or as part of user request but should not use user token."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Per-service section is configured or not preset in nova.conf"},{"line_number":85,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Always use ``get_service_user_token_auth_plugin`` with the per-service section"}],"source_content_type":"text/x-rst","patch_set":2,"id":"7f8f803d_6962f30f","line":84,"range":{"start_line":84,"start_character":37,"end_line":84,"end_character":60},"updated":"2026-04-30 16:51:49.000000000","message":"\"present\"? 
Sorry I am not sure what this means?\n\nIf the \"per-service section is configured or when it is not configured\" sounds like you do this when the per-service section is configured but also when it is not configured, it sounds like saying you need to do the following all of the time?","commit_id":"d24461331fa3e4cbdd2eb6631916b1fa980f5b26"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"2639f55563a954487b6f52f28d3adcc9e18cb850","unresolved":true,"context_lines":[{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Always use ``get_service_user_token_auth_plugin`` with the per-service section"},{"line_number":88,"context_line":"service user, and ``get_service_auth_session`` with the ``[service_user]``"},{"line_number":89,"context_line":"group (``nova.conf.service_token.SERVICE_USER_GROUP``)."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":".. code-block:: python"},{"line_number":92,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"f21bb53a_b2ca83dc","line":89,"updated":"2026-04-30 16:51:49.000000000","message":"Is this backwards? 
Also is this supposed to be \"session\" or \"plugin\"?\n\nI had thought the `get_service_user_token_auth_plugin()` is supposed to be used with `[service_user]` and `get_service_auth_plugin()` with `[cinder|glance|neutron|...]`.","commit_id":"d24461331fa3e4cbdd2eb6631916b1fa980f5b26"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"874f0696d6b5c074fcb089a5675a0bab1f3b12d7","unresolved":true,"context_lines":[{"line_number":134,"context_line":"        client \u003d BarbicanClient(session\u003dsession, auth\u003dauth)"},{"line_number":135,"context_line":"        ..."},{"line_number":136,"context_line":""},{"line_number":137,"context_line":"Case 3: Checking if a caller is an OpenStack service"},{"line_number":138,"context_line":"-----------------------------------------------------"},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"When a Nova API is restricted to service-to-service calls only, check that the"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1c8d826d_64c323f9","line":137,"updated":"2026-04-29 19:27:50.000000000","message":"...straight to \"case 3\"? I think these could/should be prefixed with \"Case N:\" like in the other document as it makes it easier to identify the headings of the example peers.","commit_id":"d24461331fa3e4cbdd2eb6631916b1fa980f5b26"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"874f0696d6b5c074fcb089a5675a0bab1f3b12d7","unresolved":true,"context_lines":[{"line_number":159,"context_line":"calling user\u0027s identity. 
The policy decision must be based on the calling"},{"line_number":160,"context_line":"user\u0027s roles so that the RBAC model remains consistent."},{"line_number":161,"context_line":""},{"line_number":162,"context_line":"Adding a New per-service service user"},{"line_number":163,"context_line":"-------------------------------------"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"Follow these steps when adding code that calls a new external service."}],"source_content_type":"text/x-rst","patch_set":2,"id":"e543af72_244d5d1b","line":162,"updated":"2026-04-29 19:27:50.000000000","message":"I think this should be \"adding a new service-to-service call\" or \"adding a new call to another service\"?","commit_id":"d24461331fa3e4cbdd2eb6631916b1fa980f5b26"}]}
