)]}'
{"octavia_tempest_plugin/tests/api/v2/test_availability_zone.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"78c80c9a5c41c3db08d5435de8be15ce9d9292e1","unresolved":true,"context_lines":[{"line_number":109,"context_line":"        if CONF.load_balancer.RBAC_test_type \u003d\u003d const.OWNERADMIN:"},{"line_number":110,"context_line":"            expected_allowed \u003d [\u0027os_admin\u0027, \u0027os_roles_lb_admin\u0027]"},{"line_number":111,"context_line":"        if CONF.load_balancer.RBAC_test_type \u003d\u003d const.KEYSTONE_DEFAULT_ROLES:"},{"line_number":112,"context_line":"            expected_allowed \u003d [\u0027os_system_admin\u0027, \u0027os_roles_lb_admin\u0027]"},{"line_number":113,"context_line":"        if CONF.load_balancer.RBAC_test_type \u003d\u003d const.ADVANCED:"},{"line_number":114,"context_line":"            expected_allowed \u003d [\u0027os_system_admin\u0027, \u0027os_roles_lb_admin\u0027]"},{"line_number":115,"context_line":"        if expected_allowed:"}],"source_content_type":"text/x-python","patch_set":5,"id":"d43ec8fd_90d5b354","line":112,"range":{"start_line":112,"start_character":52,"end_line":112,"end_character":69},"updated":"2021-04-09 20:17:16.000000000","message":"This is results in a project-scoped token with the role:load-balancer_admin, yeah?\n\nEventually - we will want to disable that for this scenario won\u0027t we?","commit_id":"6006de75a749556a071d23e12ca3a1e7e0ec58c0"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"78c80c9a5c41c3db08d5435de8be15ce9d9292e1","unresolved":true,"context_lines":[{"line_number":235,"context_line":"        if CONF.load_balancer.RBAC_test_type \u003d\u003d const.KEYSTONE_DEFAULT_ROLES:"},{"line_number":236,"context_line":"            expected_allowed \u003d [\u0027os_admin\u0027, \u0027os_primary\u0027, \u0027os_system_admin\u0027,"},{"line_number":237,"context_line":"                                \u0027os_system_reader\u0027, \u0027os_roles_lb_observer\u0027,"},{"line_number":238,"context_line":"                                \u0027os_roles_lb_global_observer\u0027,"},{"line_number":239,"context_line":"                                \u0027os_roles_lb_member\u0027, \u0027os_roles_lb_member2\u0027]"},{"line_number":240,"context_line":"        if CONF.load_balancer.RBAC_test_type \u003d\u003d const.ADVANCED:"},{"line_number":241,"context_line":"            expected_allowed \u003d ["}],"source_content_type":"text/x-python","patch_set":5,"id":"5815bc0b_868c597d","line":238,"range":{"start_line":238,"start_character":33,"end_line":238,"end_character":60},"updated":"2021-04-09 20:17:16.000000000","message":"Similar comment here as above.","commit_id":"6006de75a749556a071d23e12ca3a1e7e0ec58c0"}],"octavia_tempest_plugin/tests/api/v2/test_availability_zone_capabilities.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"78c80c9a5c41c3db08d5435de8be15ce9d9292e1","unresolved":true,"context_lines":[{"line_number":48,"context_line":"        if CONF.load_balancer.RBAC_test_type \u003d\u003d const.OWNERADMIN:"},{"line_number":49,"context_line":"            expected_allowed \u003d [\u0027os_admin\u0027, \u0027os_roles_lb_admin\u0027]"},{"line_number":50,"context_line":"        if CONF.load_balancer.RBAC_test_type \u003d\u003d const.KEYSTONE_DEFAULT_ROLES:"},{"line_number":51,"context_line":"            expected_allowed \u003d [\u0027os_system_admin\u0027, \u0027os_roles_lb_admin\u0027]"},{"line_number":52,"context_line":"        if CONF.load_balancer.RBAC_test_type \u003d\u003d const.ADVANCED:"},{"line_number":53,"context_line":"            expected_allowed \u003d [\u0027os_system_admin\u0027, \u0027os_roles_lb_admin\u0027]"},{"line_number":54,"context_line":"        if expected_allowed:"}],"source_content_type":"text/x-python","patch_set":5,"id":"d6a53175_2833b3c7","line":51,"updated":"2021-04-09 20:17:16.000000000","message":"Similar comment here as in the previous file. This should result in a project-scoped token, which we shouldn\u0027t allow for system-scoped operations, right?\n\nThis *should* fail if we were to deploy the keystone overrides, right?\n\nhttps://github.com/openstack/octavia/blob/master/etc/policy/keystone_default_roles-policy.yaml","commit_id":"6006de75a749556a071d23e12ca3a1e7e0ec58c0"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"e83d3470c4cce2b7fd2ff4f8806ae5c150c85b0a","unresolved":true,"context_lines":[{"line_number":48,"context_line":"        if CONF.load_balancer.RBAC_test_type \u003d\u003d const.OWNERADMIN:"},{"line_number":49,"context_line":"            expected_allowed \u003d [\u0027os_admin\u0027, \u0027os_roles_lb_admin\u0027]"},{"line_number":50,"context_line":"        if CONF.load_balancer.RBAC_test_type \u003d\u003d const.KEYSTONE_DEFAULT_ROLES:"},{"line_number":51,"context_line":"            expected_allowed \u003d [\u0027os_system_admin\u0027, \u0027os_roles_lb_admin\u0027]"},{"line_number":52,"context_line":"        if CONF.load_balancer.RBAC_test_type \u003d\u003d const.ADVANCED:"},{"line_number":53,"context_line":"            expected_allowed \u003d [\u0027os_system_admin\u0027, \u0027os_roles_lb_admin\u0027]"},{"line_number":54,"context_line":"        if expected_allowed:"}],"source_content_type":"text/x-python","patch_set":5,"id":"38e31633_b60fa492","line":51,"in_reply_to":"d6a53175_2833b3c7","updated":"2021-04-09 23:03:44.000000000","message":"Please see the release note that highlights these will not pass due to the tempest limitations.","commit_id":"6006de75a749556a071d23e12ca3a1e7e0ec58c0"}],"octavia_tempest_plugin/tests/api/v2/test_healthmonitor.py":[{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"329f2583b061205c7a9cfe18aaaa25d11fc79f1b","unresolved":true,"context_lines":[{"line_number":286,"context_line":"                                \u0027os_roles_lb_member\u0027, \u0027os_roles_lb_member2\u0027]"},{"line_number":287,"context_line":"        if CONF.load_balancer.RBAC_test_type \u003d\u003d const.ADVANCED:"},{"line_number":288,"context_line":"            expected_allowed \u003d [\u0027os_system_admin\u0027, \u0027os_roles_lb_admin\u0027,"},{"line_number":289,"context_line":"                                \u0027os_roles_lb_member\u0027, \u0027os_roles_lb_member2\u0027]"},{"line_number":290,"context_line":"        if expected_allowed:"},{"line_number":291,"context_line":"            self.check_create_RBAC_enforcement("},{"line_number":292,"context_line":"                \u0027healthmonitor_client\u0027, \u0027create_healthmonitor\u0027,"}],"source_content_type":"text/x-python","patch_set":4,"id":"8f7cd494_9c00c27e","line":289,"range":{"start_line":289,"start_character":55,"end_line":289,"end_character":74},"updated":"2021-04-08 07:43:09.000000000","message":"os_roles_lb_member2 should not be in the expected_allowed list because it\u0027s not a member of the project of the LB","commit_id":"f4b5769f06cf492f96762b785dda0da0210d628c"}],"octavia_tempest_plugin/tests/api/v2/test_l7policy.py":[{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"329f2583b061205c7a9cfe18aaaa25d11fc79f1b","unresolved":true,"context_lines":[{"line_number":143,"context_line":"                                \u0027os_roles_lb_member\u0027, \u0027os_roles_lb_member2\u0027]"},{"line_number":144,"context_line":"        if CONF.load_balancer.RBAC_test_type \u003d\u003d const.ADVANCED:"},{"line_number":145,"context_line":"            expected_allowed \u003d [\u0027os_system_admin\u0027, \u0027os_roles_lb_admin\u0027,"},{"line_number":146,"context_line":"                                \u0027os_roles_lb_member\u0027, \u0027os_roles_lb_member2\u0027]"},{"line_number":147,"context_line":"        if expected_allowed:"},{"line_number":148,"context_line":"            self.check_create_RBAC_enforcement("},{"line_number":149,"context_line":"                \u0027l7policy_client\u0027, \u0027create_l7policy\u0027,"}],"source_content_type":"text/x-python","patch_set":4,"id":"d9bff73d_795ad548","line":146,"range":{"start_line":146,"start_character":55,"end_line":146,"end_character":74},"updated":"2021-04-08 07:43:09.000000000","message":"os_roles_lb_member2 doesn\u0027t belong to the project of the LB","commit_id":"f4b5769f06cf492f96762b785dda0da0210d628c"}],"octavia_tempest_plugin/tests/api/v2/test_l7rule.py":[{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"329f2583b061205c7a9cfe18aaaa25d11fc79f1b","unresolved":true,"context_lines":[{"line_number":151,"context_line":"                                \u0027os_roles_lb_member\u0027, \u0027os_roles_lb_member2\u0027]"},{"line_number":152,"context_line":"        if CONF.load_balancer.RBAC_test_type \u003d\u003d const.ADVANCED:"},{"line_number":153,"context_line":"            expected_allowed \u003d [\u0027os_system_admin\u0027, \u0027os_roles_lb_admin\u0027,"},{"line_number":154,"context_line":"                                \u0027os_roles_lb_member\u0027, \u0027os_roles_lb_member2\u0027]"},{"line_number":155,"context_line":"        if expected_allowed:"},{"line_number":156,"context_line":"            self.check_create_RBAC_enforcement("},{"line_number":157,"context_line":"                \u0027l7rule_client\u0027, \u0027create_l7rule\u0027,"}],"source_content_type":"text/x-python","patch_set":4,"id":"e9f6f09b_804f739f","line":154,"range":{"start_line":154,"start_character":55,"end_line":154,"end_character":74},"updated":"2021-04-08 07:43:09.000000000","message":"same here","commit_id":"f4b5769f06cf492f96762b785dda0da0210d628c"}],"octavia_tempest_plugin/tests/test_base.py":[{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"ddfd583d5fd29ea3598ac84de4ce5a97b3af2d15","unresolved":true,"context_lines":[{"line_number":63,"context_line":"            [\u0027lb_global_observer\u0027, CONF.load_balancer.global_observer_role,"},{"line_number":64,"context_line":"             \u0027reader\u0027],"},{"line_number":65,"context_line":"            [\u0027lb_member\u0027, CONF.load_balancer.member_role],"},{"line_number":66,"context_line":"            [\u0027lb_member2\u0027, CONF.load_balancer.member_role]]"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"    # If scope enforcement is enabled, add in the system scope credentials."},{"line_number":69,"context_line":"    # The project scope is already handled by the above credentials."}],"source_content_type":"text/x-python","patch_set":2,"id":"80c0d651_5326a4c0","line":66,"updated":"2021-03-08 21:49:33.000000000","message":"I don\u0027t know if lb_member3 is not required here?  The only place I see it used is above.","commit_id":"d7a1eb12419c6fddfd341718ea4a20beb1e3163d"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"8aa36bd45e732e7074a1b94a66346367bd1de21c","unresolved":true,"context_lines":[{"line_number":63,"context_line":"            [\u0027lb_global_observer\u0027, CONF.load_balancer.global_observer_role,"},{"line_number":64,"context_line":"             \u0027reader\u0027],"},{"line_number":65,"context_line":"            [\u0027lb_member\u0027, CONF.load_balancer.member_role],"},{"line_number":66,"context_line":"            [\u0027lb_member2\u0027, CONF.load_balancer.member_role]]"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"    # If scope enforcement is enabled, add in the system scope credentials."},{"line_number":69,"context_line":"    # The project scope is already handled by the above credentials."}],"source_content_type":"text/x-python","patch_set":2,"id":"f8580459_14a333cd","line":66,"in_reply_to":"00da2fea_e0181bbd","updated":"2021-03-10 02:01:17.000000000","message":"Ok, I must need more coffee since I don\u0027t see lb_member3 being used anywhere with this patch applied.\n\n--\u003e grep -R lb_member3 *\noctavia_tempest_plugin/tests/test_base.py:            [\u0027lb_member3\u0027, CONF.load_balancer.member_role]]\n\nI do see \u0027os_roles_lb_member2\u0027 though.","commit_id":"d7a1eb12419c6fddfd341718ea4a20beb1e3163d"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"740dafed534c25b0e8b46b9ba1383a6d4259f288","unresolved":true,"context_lines":[{"line_number":63,"context_line":"            [\u0027lb_global_observer\u0027, CONF.load_balancer.global_observer_role,"},{"line_number":64,"context_line":"             \u0027reader\u0027],"},{"line_number":65,"context_line":"            [\u0027lb_member\u0027, CONF.load_balancer.member_role],"},{"line_number":66,"context_line":"            [\u0027lb_member2\u0027, CONF.load_balancer.member_role]]"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"    # If scope enforcement is enabled, add in the system scope credentials."},{"line_number":69,"context_line":"    # The project scope is already handled by the above credentials."}],"source_content_type":"text/x-python","patch_set":2,"id":"00da2fea_e0181bbd","line":66,"in_reply_to":"80c0d651_5326a4c0","updated":"2021-03-10 00:28:35.000000000","message":"All of the negative tests will use it.\nSee lines 73-82.","commit_id":"d7a1eb12419c6fddfd341718ea4a20beb1e3163d"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"e193991a988bc7911098a6ca9abf2a2806c5fa3b","unresolved":true,"context_lines":[{"line_number":63,"context_line":"            [\u0027lb_global_observer\u0027, CONF.load_balancer.global_observer_role,"},{"line_number":64,"context_line":"             \u0027reader\u0027],"},{"line_number":65,"context_line":"            [\u0027lb_member\u0027, CONF.load_balancer.member_role],"},{"line_number":66,"context_line":"            [\u0027lb_member2\u0027, CONF.load_balancer.member_role]]"},{"line_number":67,"context_line":""},{"line_number":68,"context_line":"    # If scope enforcement is enabled, add in the system scope credentials."},{"line_number":69,"context_line":"    # The project scope is already handled by the above credentials."}],"source_content_type":"text/x-python","patch_set":2,"id":"54bfd814_71a2d974","line":66,"in_reply_to":"f8580459_14a333cd","updated":"2021-03-17 16:32:25.000000000","message":"Ok, so since \u0027lb_member3\u0027 isn\u0027t in the allowed list it ends up in the disallowed list that will fail for eternity.  Can you choose a different name to make that clear?","commit_id":"d7a1eb12419c6fddfd341718ea4a20beb1e3163d"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"329f2583b061205c7a9cfe18aaaa25d11fc79f1b","unresolved":true,"context_lines":[{"line_number":53,"context_line":"    if CONF.load_balancer.enforce_new_defaults:"},{"line_number":54,"context_line":"        credentials \u003d ["},{"line_number":55,"context_line":"            \u0027admin\u0027, \u0027primary\u0027, [\u0027lb_admin\u0027, CONF.load_balancer.admin_role],"},{"line_number":56,"context_line":"            [\u0027lb_observer\u0027, CONF.load_balancer.observer_role, \u0027reader\u0027],"},{"line_number":57,"context_line":"            [\u0027lb_global_observer\u0027, CONF.load_balancer.global_observer_role,"},{"line_number":58,"context_line":"             \u0027reader\u0027],"},{"line_number":59,"context_line":"            [\u0027lb_member\u0027, CONF.load_balancer.member_role, \u0027member\u0027],"}],"source_content_type":"text/x-python","patch_set":4,"id":"3735bb15_340c92c0","line":56,"range":{"start_line":56,"start_character":14,"end_line":56,"end_character":25},"updated":"2021-04-08 07:43:09.000000000","message":"It means that lb_observer has its own project, so it cannot be used to read resources created by another user, lb_observer is only used in negative tests.\nPerhaps we could improve it later.","commit_id":"f4b5769f06cf492f96762b785dda0da0210d628c"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"66cab4f99246d3eb20161edd12a2f89a0ac7f26d","unresolved":true,"context_lines":[{"line_number":53,"context_line":"    if CONF.load_balancer.enforce_new_defaults:"},{"line_number":54,"context_line":"        credentials \u003d ["},{"line_number":55,"context_line":"            \u0027admin\u0027, \u0027primary\u0027, [\u0027lb_admin\u0027, CONF.load_balancer.admin_role],"},{"line_number":56,"context_line":"            [\u0027lb_observer\u0027, CONF.load_balancer.observer_role, \u0027reader\u0027],"},{"line_number":57,"context_line":"            [\u0027lb_global_observer\u0027, CONF.load_balancer.global_observer_role,"},{"line_number":58,"context_line":"             \u0027reader\u0027],"},{"line_number":59,"context_line":"            [\u0027lb_member\u0027, CONF.load_balancer.member_role, \u0027member\u0027],"}],"source_content_type":"text/x-python","patch_set":4,"id":"7ca95283_a1907fb1","line":56,"range":{"start_line":56,"start_character":14,"end_line":56,"end_character":25},"in_reply_to":"3735bb15_340c92c0","updated":"2021-04-08 22:08:05.000000000","message":"Yeah, this is where the new \"scope\" functionality we needed in tempest will come in.\nWe need to make sure we maintain compatibility with the previously defined roles.","commit_id":"f4b5769f06cf492f96762b785dda0da0210d628c"}],"releasenotes/notes/Add-RBAC-scoped-tokens-tests-920aa35faf4a8c9d.yaml":[{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"7eaf0696e7d31ff3c977f710ff79821ab1bb9fb1","unresolved":true,"context_lines":[{"line_number":6,"context_line":"  - |"},{"line_number":7,"context_line":"    Currently the API tests will not pass with the"},{"line_number":8,"context_line":"    keystone_default_roles-policy.yaml override file. This is due to the"},{"line_number":9,"context_line":"    tempest framework credentials do not yet support token scopes."},{"line_number":10,"context_line":"    This issue is tracked in https://bugs.launchpad.net/tempest/+bug/1917168"},{"line_number":11,"context_line":"    Once that bug is fixed, octavia-tempest-plugin can be updated to use the"},{"line_number":12,"context_line":"    required scope in the test credentials."}],"source_content_type":"text/x-yaml","patch_set":4,"id":"109b06c5_7e1e38b3","line":9,"range":{"start_line":9,"start_character":34,"end_line":9,"end_character":52},"updated":"2021-03-27 02:09:46.000000000","message":"nit: not yet supporting","commit_id":"f4b5769f06cf492f96762b785dda0da0210d628c"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"a219d959b83b606ad31dcb9a868ed6e9d3cf47cf","unresolved":true,"context_lines":[{"line_number":6,"context_line":"  - |"},{"line_number":7,"context_line":"    Currently the API tests will not pass with the"},{"line_number":8,"context_line":"    keystone_default_roles-policy.yaml override file. This is due to the"},{"line_number":9,"context_line":"    tempest framework credentials do not yet support token scopes."},{"line_number":10,"context_line":"    This issue is tracked in https://bugs.launchpad.net/tempest/+bug/1917168"},{"line_number":11,"context_line":"    Once that bug is fixed, octavia-tempest-plugin can be updated to use the"},{"line_number":12,"context_line":"    required scope in the test credentials."}],"source_content_type":"text/x-yaml","patch_set":4,"id":"ef2ee24a_1ac5ee63","line":9,"range":{"start_line":9,"start_character":34,"end_line":9,"end_character":52},"in_reply_to":"109b06c5_7e1e38b3","updated":"2021-04-09 13:27:59.000000000","message":"😞","commit_id":"f4b5769f06cf492f96762b785dda0da0210d628c"}]}
