)]}'
{"doc/source/configuration/policy.rst":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ab0622123bd3532c0ed6953238b501f2bb987fee","unresolved":true,"context_lines":[{"line_number":13,"context_line":""},{"line_number":14,"context_line":"The Octavia Advanced RBAC goes beyond the OpenStack legacy RBAC policies of"},{"line_number":15,"context_line":"allowing \"owners and admins\" full access to all services. It also provides a"},{"line_number":16,"context_line":"more fine-grained RBAC policy than the newer `Keystone Default Roles`_ ."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"The default policy is to not allow access unless the auth_strategy is \u0027noauth\u0027."},{"line_number":19,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"4c50724c_1f8b9f69","line":16,"range":{"start_line":16,"start_character":45,"end_line":16,"end_character":72},"updated":"2021-02-19 17:21:56.000000000","message":"++\n\nThank you for adding this.","commit_id":"6a5be37c36df3f8f088687b50478dbfb74eaa69f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ab0622123bd3532c0ed6953238b501f2bb987fee","unresolved":true,"context_lines":[{"line_number":52,"context_line":"These roles are in addition to the `Keystone Default Roles`_:"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"* role:reader"},{"line_number":55,"context_line":"* role:member"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"In addition, the Octavia API supports Keystone scoped tokens. When enabled"},{"line_number":58,"context_line":"in Oslo Policy, users will need to present a token scoped to either the"}],"source_content_type":"text/x-rst","patch_set":12,"id":"9a5e025a_eaf42095","line":55,"updated":"2021-02-19 17:21:56.000000000","message":"Technically - the `admin` role is a keystone default, too. It\u0027s just existed forever and it\u0027s been baked into policy defaults for so long that that it doesn\u0027t really seem that new when we discuss it with these two new roles.\n\nhttps://opendev.org/openstack/keystone/src/commit/d67975e7b9cdbb3654840d7453402438a546c1bf/keystone/cmd/bootstrap.py#L172-L175","commit_id":"6a5be37c36df3f8f088687b50478dbfb74eaa69f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ab0622123bd3532c0ed6953238b501f2bb987fee","unresolved":true,"context_lines":[{"line_number":57,"context_line":"In addition, the Octavia API supports Keystone scoped tokens. When enabled"},{"line_number":58,"context_line":"in Oslo Policy, users will need to present a token scoped to either the"},{"line_number":59,"context_line":"\"system\" or a specific \"project\". See the section `Upgrade Considerations`_"},{"line_number":60,"context_line":"for more information."},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"See the section `Managing Octavia User Roles`_ for examples and advice on how"},{"line_number":63,"context_line":"to apply these RBAC policies in production."}],"source_content_type":"text/x-rst","patch_set":12,"id":"639f8fa0_9cdcc681","line":60,"updated":"2021-02-19 17:21:56.000000000","message":"I think some readers will have questions on how to do this. I\u0027ll work on a keystone patch to be more explicit about how to do that in keystone.","commit_id":"6a5be37c36df3f8f088687b50478dbfb74eaa69f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ab0622123bd3532c0ed6953238b501f2bb987fee","unresolved":true,"context_lines":[{"line_number":72,"context_line":"This will drop the role requirements to allow access to all with the \"admin\""},{"line_number":73,"context_line":"role or if the user is a member of the project that created the resource. All"},{"line_number":74,"context_line":"users have access to the Octavia API to create and manage load balancers"},{"line_number":75,"context_line":"under their project."},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"OpenStack Default Roles Policy Override File"},{"line_number":78,"context_line":"--------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":12,"id":"32f3b9ce_d25e7287","line":75,"updated":"2021-02-19 17:21:56.000000000","message":"I wonder if we can provide a warning here saying this violates tenancy.","commit_id":"6a5be37c36df3f8f088687b50478dbfb74eaa69f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ab0622123bd3532c0ed6953238b501f2bb987fee","unresolved":true,"context_lines":[{"line_number":177,"context_line":"When the new default policies are enabled in the Octavia API, users with the"},{"line_number":178,"context_line":"load-balancer:observer role will also require the Keystone default role of"},{"line_number":179,"context_line":"\"role:reader\". Users with the load-balancer:member role will also require"},{"line_number":180,"context_line":"the Keystone default role of \"role:member\"."},{"line_number":181,"context_line":""},{"line_number":182,"context_line":"Sample File Generation"},{"line_number":183,"context_line":"----------------------"}],"source_content_type":"text/x-rst","patch_set":12,"id":"e15247dc_1aaaf367","line":180,"updated":"2021-02-19 17:21:56.000000000","message":"These users will require these roles on projects, right?","commit_id":"6a5be37c36df3f8f088687b50478dbfb74eaa69f"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"b6ec9fc559e952fb7c4b55733c80298e6495dac2","unresolved":true,"context_lines":[{"line_number":39,"context_line":"        User is considered an admin for all load-balnacer APIs including"},{"line_number":40,"context_line":"        resources owned by others."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"    role:admin and system_scope:all"},{"line_number":43,"context_line":"        User is admin to all service APIs, including Octavia."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":".. note::"}],"source_content_type":"text/x-rst","patch_set":13,"id":"9d830889_052bbe85","line":42,"range":{"start_line":42,"start_character":15,"end_line":42,"end_character":35},"updated":"2021-02-22 18:11:17.000000000","message":"do we need to mention system_scope:all here since it\u0027s not enabled yet in the default config for Wallaby?","commit_id":"19825a5a2441ffbd9906e9ad9bc2a613ec7eee93"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"594e59c85c8f440ed1fcc97eba5e2e5029b2309d","unresolved":false,"context_lines":[{"line_number":39,"context_line":"        User is considered an admin for all load-balnacer APIs including"},{"line_number":40,"context_line":"        resources owned by others."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"    role:admin and system_scope:all"},{"line_number":43,"context_line":"        User is admin to all service APIs, including Octavia."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":".. note::"}],"source_content_type":"text/x-rst","patch_set":13,"id":"39fc7409_28b5d456","line":42,"range":{"start_line":42,"start_character":15,"end_line":42,"end_character":35},"in_reply_to":"17db11a2_8fb53bc5","updated":"2021-02-24 10:32:23.000000000","message":"No I get it, that\u0027s good to me","commit_id":"19825a5a2441ffbd9906e9ad9bc2a613ec7eee93"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"8bf256ca9c3c76ba237da5bd15bac8e79fe042ba","unresolved":true,"context_lines":[{"line_number":39,"context_line":"        User is considered an admin for all load-balnacer APIs including"},{"line_number":40,"context_line":"        resources owned by others."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"    role:admin and system_scope:all"},{"line_number":43,"context_line":"        User is admin to all service APIs, including Octavia."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":".. note::"}],"source_content_type":"text/x-rst","patch_set":13,"id":"17db11a2_8fb53bc5","line":42,"range":{"start_line":42,"start_character":15,"end_line":42,"end_character":35},"in_reply_to":"38eadf7f_0af84926","updated":"2021-02-23 23:25:11.000000000","message":"I get your question Greg.\nI added it here to be more explicit about the options available to users.\nEven in Wallaby, if they setup a user with \"role:admin and system_scope:all\" it would still give the user the cloud-wide \"admin\" role like they had previous to Wallaby.\nSo, yeah, maybe it is slightly misleading, but future proof.\nIf you feel strongly I can change/drop this.","commit_id":"19825a5a2441ffbd9906e9ad9bc2a613ec7eee93"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"4b285f944e564c052e2d3032fb2209dac1dad066","unresolved":true,"context_lines":[{"line_number":39,"context_line":"        User is considered an admin for all load-balnacer APIs including"},{"line_number":40,"context_line":"        resources owned by others."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"    role:admin and system_scope:all"},{"line_number":43,"context_line":"        User is admin to all service APIs, including Octavia."},{"line_number":44,"context_line":""},{"line_number":45,"context_line":".. note::"}],"source_content_type":"text/x-rst","patch_set":13,"id":"38eadf7f_0af84926","line":42,"range":{"start_line":42,"start_character":15,"end_line":42,"end_character":35},"in_reply_to":"9d830889_052bbe85","updated":"2021-02-23 14:26:00.000000000","message":"These are actually context attributes, which should be translated to valid policy checks in oslo.policy during enforcement.\n\nThis is a separate technique for enforcing scope that doesn\u0027t rely on the `enforce_scope` parameter.","commit_id":"19825a5a2441ffbd9906e9ad9bc2a613ec7eee93"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"594e59c85c8f440ed1fcc97eba5e2e5029b2309d","unresolved":true,"context_lines":[{"line_number":36,"context_line":"        User is considered an admin for quota APIs only."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"    role:load-balancer_admin"},{"line_number":39,"context_line":"        User is considered an admin for all load-balnacer APIs including"},{"line_number":40,"context_line":"        resources owned by others."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"    role:admin and system_scope:all"}],"source_content_type":"text/x-rst","patch_set":14,"id":"86db1282_a5463762","line":39,"range":{"start_line":39,"start_character":49,"end_line":39,"end_character":57},"updated":"2021-02-24 10:32:23.000000000","message":"not yours, but could you fix the typo?","commit_id":"45dba4eee314894beea8c30468398ad4c7c10510"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"06798b98c205cceec4c31166d0478cc01ee4eed5","unresolved":false,"context_lines":[{"line_number":36,"context_line":"        User is considered an admin for quota APIs only."},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"    role:load-balancer_admin"},{"line_number":39,"context_line":"        User is considered an admin for all load-balnacer APIs including"},{"line_number":40,"context_line":"        resources owned by others."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"    role:admin and system_scope:all"}],"source_content_type":"text/x-rst","patch_set":14,"id":"5be462b6_5663cfbb","line":39,"range":{"start_line":39,"start_character":49,"end_line":39,"end_character":57},"in_reply_to":"86db1282_a5463762","updated":"2021-02-24 15:38:47.000000000","message":"Done","commit_id":"45dba4eee314894beea8c30468398ad4c7c10510"}],"etc/policy/README.rst":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fcb406d6ef38a04db927e94a496ef6a3fd9a3e09","unresolved":true,"context_lines":[{"line_number":23,"context_line":"* System scoped - Admin"},{"line_number":24,"context_line":"* System scoped - Reader"},{"line_number":25,"context_line":"* Project scoped - Reader"},{"line_number":26,"context_line":"* Project scoped - Member"}],"source_content_type":"text/x-rst","patch_set":3,"id":"7564a13f_4c3414b1","line":26,"updated":"2021-02-17 14:20:36.000000000","message":"We have some documentation the helps define these personas consistently, in case it\u0027s helpful for you.\n\nhttps://docs.openstack.org/keystone/latest/admin/service-api-protection.html","commit_id":"5413dbdea15f8a3908d98b95a72705dc054e1413"}],"etc/policy/keystone_default_roles-policy.yaml":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a909bb2ab6ba85287e4462c186a19d2ac1669149","unresolved":true,"context_lines":[{"line_number":26,"context_line":"\"load-balancer:read-quota-reader\": \"is_admin:True or"},{"line_number":27,"context_line":"                                    rule:system_reader or"},{"line_number":28,"context_line":"                                    rule:project_reader or"},{"line_number":29,"context_line":"                                    rule:project_member\""},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"\"load-balancer:read-quota-global\": \"is_admin:True or rule:system_reader\""},{"line_number":32,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":4,"id":"acab92ef_77df2dd7","line":29,"range":{"start_line":29,"start_character":36,"end_line":29,"end_character":56},"updated":"2021-02-18 14:57:11.000000000","message":"I don\u0027t think this is necessary since keystone will use implied roles by default. Anyone with the member role on a project will automatically have the reader role, which should be covered by the previous check?","commit_id":"61d5af7374169a4a1ccd860bae94c3fcb16b53e3"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ab0622123bd3532c0ed6953238b501f2bb987fee","unresolved":true,"context_lines":[{"line_number":18,"context_line":"                              rule:system_reader or"},{"line_number":19,"context_line":"                              rule:project_reader\""},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"\"load-balancer:read-global\": \"is_admin:True or rule:system_reader\""},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"\"load-balancer:write-member\": \"is_admin:True or rule:project_member\""},{"line_number":24,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":12,"id":"0f7b18fd_5f5c9943","line":21,"range":{"start_line":21,"start_character":30,"end_line":21,"end_character":47},"updated":"2021-02-19 17:21:56.000000000","message":"Technically, the system-admin user will have the `admin`, `member`, and `reader` roles present in their tokens through keystone role implication feature [0].\n\nThis let\u0027s us simplify check strings if we want to:\n\n  \"get:foo\": \"rule:system_reader\"\n\nThat will allow anyone with the `admin`, `member`, or `reader` roles on a the system to GET /foo.\n\nWe might be able to simplify this to: \n\n  \"load-balancer:read-global\": \"rule:system_reader\"\n\n[0] http://paste.openstack.org/show/802831/","commit_id":"6a5be37c36df3f8f088687b50478dbfb74eaa69f"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"b1f45f8e047e7e60f030130131f0c9df478a52d9","unresolved":true,"context_lines":[{"line_number":18,"context_line":"                              rule:system_reader or"},{"line_number":19,"context_line":"                              rule:project_reader\""},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"\"load-balancer:read-global\": \"is_admin:True or rule:system_reader\""},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"\"load-balancer:write-member\": \"is_admin:True or rule:project_member\""},{"line_number":24,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":12,"id":"25e9892e_18db3855","line":21,"range":{"start_line":21,"start_character":30,"end_line":21,"end_character":47},"in_reply_to":"0f7b18fd_5f5c9943","updated":"2021-02-19 17:50:10.000000000","message":"Yeah, this is a trade off. The \"is_admin\" is something we cooked up (a long time ago) to allow setting auth_strategy \"noAuth\" in our configuration file to disable keystone use. If noAuth is enabled, everyone is an \"admin\" in the eyes of the Octavia API.\nIt\u0027s used for testing and deployments that do not want keystone.\nHistorically we have honored it with the override files.","commit_id":"6a5be37c36df3f8f088687b50478dbfb74eaa69f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cd2d01292b12c63ca0acb9777726d6e885d7d9bb","unresolved":true,"context_lines":[{"line_number":18,"context_line":"                              rule:system_reader or"},{"line_number":19,"context_line":"                              rule:project_reader\""},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"\"load-balancer:read-global\": \"is_admin:True or rule:system_reader\""},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"\"load-balancer:write-member\": \"is_admin:True or rule:project_member\""},{"line_number":24,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":12,"id":"479c9e88_d3297bb5","line":21,"range":{"start_line":21,"start_character":30,"end_line":21,"end_character":47},"in_reply_to":"25e9892e_18db3855","updated":"2021-02-19 19:05:26.000000000","message":"Oh, good call.\n\nThat makes sense with the NoAuth case now that you describe it. Another way I\u0027ve seen projects deal with that is by short-circuiting calls to enforce() if CONF.auth_strategy \u003d\u003d \u0027noauth\u0027.\n\nBut I think either is fine.\n\nThanks for clarifying.","commit_id":"6a5be37c36df3f8f088687b50478dbfb74eaa69f"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"fe1738359747e752fca3f4761c907e0b915e92bf","unresolved":true,"context_lines":[{"line_number":16,"context_line":""},{"line_number":17,"context_line":"# API Rules"},{"line_number":18,"context_line":"\"load-balancer:admin\": \"is_admin:True or"},{"line_number":19,"context_line":"                        rule:system_admin or"},{"line_number":20,"context_line":"                        role:load-balancer_admin\""},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"\"load-balancer:read\": \"is_admin:True or"}],"source_content_type":"text/x-yaml","patch_set":18,"id":"8cd2ba7e_db7660a1","line":19,"range":{"start_line":19,"start_character":24,"end_line":19,"end_character":41},"updated":"2021-03-08 16:33:02.000000000","message":"system_admin definition is missing","commit_id":"d4a2e5c8f0d866cb384414f91cde3098f03a3419"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"20ff42c7e043ee388359b06da719f5b27bdeb412","unresolved":false,"context_lines":[{"line_number":16,"context_line":""},{"line_number":17,"context_line":"# API Rules"},{"line_number":18,"context_line":"\"load-balancer:admin\": \"is_admin:True or"},{"line_number":19,"context_line":"                        rule:system_admin or"},{"line_number":20,"context_line":"                        role:load-balancer_admin\""},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"\"load-balancer:read\": \"is_admin:True or"}],"source_content_type":"text/x-yaml","patch_set":18,"id":"bc82f142_46c2d6b6","line":19,"range":{"start_line":19,"start_character":24,"end_line":19,"end_character":41},"in_reply_to":"8cd2ba7e_db7660a1","updated":"2021-03-08 19:37:24.000000000","message":"Done","commit_id":"d4a2e5c8f0d866cb384414f91cde3098f03a3419"}],"lower-constraints.txt":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fcb406d6ef38a04db927e94a496ef6a3fd9a3e09","unresolved":true,"context_lines":[{"line_number":86,"context_line":"oslo.log\u003d\u003d4.3.0"},{"line_number":87,"context_line":"oslo.messaging\u003d\u003d12.4.0"},{"line_number":88,"context_line":"oslo.middleware\u003d\u003d4.0.1"},{"line_number":89,"context_line":"oslo.policy\u003d\u003d3.1.0"},{"line_number":90,"context_line":"oslo.reports\u003d\u003d1.18.0"},{"line_number":91,"context_line":"oslo.serialization\u003d\u003d2.28.1"},{"line_number":92,"context_line":"oslo.service\u003d\u003d1.30.0"}],"source_content_type":"text/plain","patch_set":3,"id":"970d6db0_bafc1a4b","line":89,"range":{"start_line":89,"start_character":13,"end_line":89,"end_character":18},"updated":"2021-02-17 14:20:36.000000000","message":"We recommend using 3.6.2, which is more responsible about modifying only objects it creates.\n\nVersions of oslo.policy prior to 3.6.2 caused intermittent issues with tests running in parallel, specifically with different configurations.\n\nhttps://bugs.launchpad.net/oslo.policy/+bug/1914095","commit_id":"5413dbdea15f8a3908d98b95a72705dc054e1413"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"3eee2e2f8b863961b3432b06109279b1700fe798","unresolved":true,"context_lines":[{"line_number":86,"context_line":"oslo.log\u003d\u003d4.3.0"},{"line_number":87,"context_line":"oslo.messaging\u003d\u003d12.4.0"},{"line_number":88,"context_line":"oslo.middleware\u003d\u003d4.0.1"},{"line_number":89,"context_line":"oslo.policy\u003d\u003d3.1.0"},{"line_number":90,"context_line":"oslo.reports\u003d\u003d1.18.0"},{"line_number":91,"context_line":"oslo.serialization\u003d\u003d2.28.1"},{"line_number":92,"context_line":"oslo.service\u003d\u003d1.30.0"}],"source_content_type":"text/plain","patch_set":3,"id":"5fcaea01_88906b8c","line":89,"range":{"start_line":89,"start_character":13,"end_line":89,"end_character":18},"in_reply_to":"970d6db0_bafc1a4b","updated":"2021-02-18 00:24:04.000000000","message":"Ok, I just grabbed the first version to support the required configuration setting.\nI will advance this in a respin.\nI probably would have seen this once I started rebasing the other patches upstream.","commit_id":"5413dbdea15f8a3908d98b95a72705dc054e1413"}],"octavia/common/constants.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a909bb2ab6ba85287e4462c186a19d2ac1669149","unresolved":true,"context_lines":[{"line_number":770,"context_line":"RBAC_GET_STATS \u003d \u0027get_stats\u0027"},{"line_number":771,"context_line":"RBAC_GET_STATUS \u003d \u0027get_status\u0027"},{"line_number":772,"context_line":"RBAC_ROLES_DEPRECATED_REASON \u003d ("},{"line_number":773,"context_line":"    \u0027The Octavia API now requires the OpenStack default roles. \u0027"},{"line_number":774,"context_line":"    \u0027See https://docs.openstack.org/octavia/latest/configuration/policy.html \u0027"},{"line_number":775,"context_line":"    \u0027and https://docs.openstack.org/keystone/latest/contributor/\u0027"},{"line_number":776,"context_line":"    \u0027services.html#reusable-default-roles for more information.\u0027)"}],"source_content_type":"text/x-python","patch_set":4,"id":"d1182972_a4461d09","line":773,"updated":"2021-02-18 14:57:11.000000000","message":"We could also mention that Octavia supports system-scope, which should be a familiar concept with other deprecation messages in other services.","commit_id":"61d5af7374169a4a1ccd860bae94c3fcb16b53e3"}],"octavia/policies/base.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fcb406d6ef38a04db927e94a496ef6a3fd9a3e09","unresolved":true,"context_lines":[{"line_number":98,"context_line":"    # New default taking into account OpenStack default roles"},{"line_number":99,"context_line":"    policy.RuleDefault(\u0027load-balancer:write-member\u0027,"},{"line_number":100,"context_line":"                       \u0027rule:load-balancer:write and \u0027"},{"line_number":101,"context_line":"                       \u0027role:member\u0027),"},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"    policy.RuleDefault(\u0027load-balancer:read-quota\u0027,"},{"line_number":104,"context_line":"                       \u0027rule:load-balancer:observer_and_owner or \u0027"}],"source_content_type":"text/x-python","patch_set":3,"id":"01c75834_d4893336","line":101,"updated":"2021-02-17 14:20:36.000000000","message":"FWIW - oslo.policy will handle deprecation cases for you so you don\u0027t need to OR the deprecated policy with the new default.\n\nIs that why you\u0027re maintaining the old checks with the new defaults?","commit_id":"5413dbdea15f8a3908d98b95a72705dc054e1413"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"3eee2e2f8b863961b3432b06109279b1700fe798","unresolved":true,"context_lines":[{"line_number":98,"context_line":"    # New default taking into account OpenStack default roles"},{"line_number":99,"context_line":"    policy.RuleDefault(\u0027load-balancer:write-member\u0027,"},{"line_number":100,"context_line":"                       \u0027rule:load-balancer:write and \u0027"},{"line_number":101,"context_line":"                       \u0027role:member\u0027),"},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"    policy.RuleDefault(\u0027load-balancer:read-quota\u0027,"},{"line_number":104,"context_line":"                       \u0027rule:load-balancer:observer_and_owner or \u0027"}],"source_content_type":"text/x-python","patch_set":3,"id":"4b021ef2_d31a2da8","line":101,"in_reply_to":"01c75834_d4893336","updated":"2021-02-18 00:24:04.000000000","message":"Yes, I had to create a new rule \"write-member\" to include the new \"member\" default role as required. The rules write and write-member will be used in the policies and deprecated policy.\n\nHmm, this \"and role:member\" might be requiring too much. I think I need to re-work this compound rule.","commit_id":"5413dbdea15f8a3908d98b95a72705dc054e1413"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a909bb2ab6ba85287e4462c186a19d2ac1669149","unresolved":true,"context_lines":[{"line_number":80,"context_line":""},{"line_number":81,"context_line":"    policy.RuleDefault(\u0027load-balancer:global_observer\u0027,"},{"line_number":82,"context_line":"                       \u0027role:load-balancer_global_observer or \u0027"},{"line_number":83,"context_line":"                       \u0027rule:system-reader\u0027),"},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"    # TODO(johnsom) deprecated since Wallaby due to OpenStack default roles"},{"line_number":86,"context_line":"    policy.RuleDefault(\u0027load-balancer:member_and_owner\u0027,"}],"source_content_type":"text/x-python","patch_set":4,"id":"43dd73c9_a529f419","line":83,"updated":"2021-02-18 14:57:11.000000000","message":"We can use oslo.policy to handle the deprecations for us if you want.\n\nhttps://docs.openstack.org/oslo.policy/latest/reference/api/oslo_policy.html#oslo_policy.policy.DeprecatedRule","commit_id":"61d5af7374169a4a1ccd860bae94c3fcb16b53e3"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ab0622123bd3532c0ed6953238b501f2bb987fee","unresolved":true,"context_lines":[{"line_number":40,"context_line":"        name\u003d\u0027system-admin\u0027,"},{"line_number":41,"context_line":"        check_str\u003d\u0027role:admin and \u0027"},{"line_number":42,"context_line":"                  \u0027system_scope:all\u0027,"},{"line_number":43,"context_line":"        scope_types\u003d[constants.RBAC_SCOPE_SYSTEM]),"},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"    # System scoped Reader"},{"line_number":46,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":12,"id":"f74542fa_6401c453","line":43,"range":{"start_line":43,"start_character":8,"end_line":43,"end_character":49},"updated":"2021-02-19 17:21:56.000000000","message":"We (the oslo.policy team) have debated setting scope_types on these types of rules because you\u0027re already setting it on rules that are consuming this, like on line 143.\n\nWe haven\u0027t decided if it\u0027s a good idea to nest scope types inside of rules. For now, we\u0027re just setting the scope types on the policy, like \u0027load-balancer:read-quota\u0027, because it\u0027s the case we\u0027ve tested the most.","commit_id":"6a5be37c36df3f8f088687b50478dbfb74eaa69f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cd2d01292b12c63ca0acb9777726d6e885d7d9bb","unresolved":true,"context_lines":[{"line_number":40,"context_line":"        name\u003d\u0027system-admin\u0027,"},{"line_number":41,"context_line":"        check_str\u003d\u0027role:admin and \u0027"},{"line_number":42,"context_line":"                  \u0027system_scope:all\u0027,"},{"line_number":43,"context_line":"        scope_types\u003d[constants.RBAC_SCOPE_SYSTEM]),"},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"    # System scoped Reader"},{"line_number":46,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":12,"id":"95ba20fd_af40cebe","line":43,"range":{"start_line":43,"start_character":8,"end_line":43,"end_character":49},"in_reply_to":"2249c0b4_d6aba126","updated":"2021-02-19 19:05:26.000000000","message":"Full disclosure - I don\u0027t *think* it will hurt to have these defined here and in the rules below, but I haven\u0027t tested it.","commit_id":"6a5be37c36df3f8f088687b50478dbfb74eaa69f"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"b1f45f8e047e7e60f030130131f0c9df478a52d9","unresolved":true,"context_lines":[{"line_number":40,"context_line":"        name\u003d\u0027system-admin\u0027,"},{"line_number":41,"context_line":"        check_str\u003d\u0027role:admin and \u0027"},{"line_number":42,"context_line":"                  \u0027system_scope:all\u0027,"},{"line_number":43,"context_line":"        scope_types\u003d[constants.RBAC_SCOPE_SYSTEM]),"},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"    # System scoped Reader"},{"line_number":46,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":12,"id":"2249c0b4_d6aba126","line":43,"range":{"start_line":43,"start_character":8,"end_line":43,"end_character":49},"in_reply_to":"f74542fa_6401c453","updated":"2021-02-19 17:50:10.000000000","message":"I also debated it for a while. I decided in the end to add it just in case someone incorrectly referenced this rule in a patch instead of the API rules below.","commit_id":"6a5be37c36df3f8f088687b50478dbfb74eaa69f"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"594e59c85c8f440ed1fcc97eba5e2e5029b2309d","unresolved":true,"context_lines":[{"line_number":77,"context_line":"    # role:load-balancer_member"},{"line_number":78,"context_line":"    #     User has access to load-balancer read and write APIs"},{"line_number":79,"context_line":"    # role:load-balancer_admin"},{"line_number":80,"context_line":"    #     User is considered an admin for all load-balnacer APIs including"},{"line_number":81,"context_line":"    #     resources owned by others."},{"line_number":82,"context_line":"    # role:admin and system_scope:all"},{"line_number":83,"context_line":"    #     User is admin to all service APIs, including Octavia."}],"source_content_type":"text/x-python","patch_set":13,"id":"255321a5_c01727f0","line":80,"range":{"start_line":80,"start_character":51,"end_line":80,"end_character":59},"updated":"2021-02-24 10:32:23.000000000","message":"same here","commit_id":"19825a5a2441ffbd9906e9ad9bc2a613ec7eee93"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"06798b98c205cceec4c31166d0478cc01ee4eed5","unresolved":false,"context_lines":[{"line_number":77,"context_line":"    # role:load-balancer_member"},{"line_number":78,"context_line":"    #     User has access to load-balancer read and write APIs"},{"line_number":79,"context_line":"    # role:load-balancer_admin"},{"line_number":80,"context_line":"    #     User is considered an admin for all load-balnacer APIs including"},{"line_number":81,"context_line":"    #     resources owned by others."},{"line_number":82,"context_line":"    # role:admin and system_scope:all"},{"line_number":83,"context_line":"    #     User is admin to all service APIs, including Octavia."}],"source_content_type":"text/x-python","patch_set":13,"id":"c89b9c28_9d1b27b9","line":80,"range":{"start_line":80,"start_character":51,"end_line":80,"end_character":59},"in_reply_to":"255321a5_c01727f0","updated":"2021-02-24 15:38:47.000000000","message":"Done","commit_id":"19825a5a2441ffbd9906e9ad9bc2a613ec7eee93"}],"octavia/tests/unit/common/test_policy.py":[{"author":{"_account_id":7249,"name":"Ann Taraday","email":"akamyshnikova@mirantis.com","username":"AKamyshnikova"},"change_message_id":"5b9dde89bc907b190178d2d12059ded574082ad5","unresolved":true,"context_lines":[{"line_number":166,"context_line":"    #               this test will fail as \"system_scope:all\" will be required."},{"line_number":167,"context_line":"    #               This test and the conditional in common/policy.py can then"},{"line_number":168,"context_line":"    #               be removed in favor of test_check_is_admin_new_defaults()."},{"line_number":169,"context_line":"    def test_check_is_admin(self):"},{"line_number":170,"context_line":"        self.context \u003d context.Context(\u0027admin\u0027, \u0027fake\u0027, roles\u003d[\u0027AdMiN\u0027])"},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"        self.assertTrue(policy.get_enforcer().check_is_admin(self.context))"}],"source_content_type":"text/x-python","patch_set":3,"id":"19c254e5_d6613227","line":169,"updated":"2021-02-17 06:14:34.000000000","message":"may be add explicitly\n  \n   conf \u003d oslo_fixture.Config(config.cfg.CONF)\n   conf.config(group\u003d\"oslo_policy\", enforce_new_defaults\u003dFalse)\n\nIn this case this test will always make sense for case of disabled option.","commit_id":"5413dbdea15f8a3908d98b95a72705dc054e1413"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"3eee2e2f8b863961b3432b06109279b1700fe798","unresolved":true,"context_lines":[{"line_number":166,"context_line":"    #               this test will fail as \"system_scope:all\" will be required."},{"line_number":167,"context_line":"    #               This test and the conditional in common/policy.py can then"},{"line_number":168,"context_line":"    #               be removed in favor of test_check_is_admin_new_defaults()."},{"line_number":169,"context_line":"    def test_check_is_admin(self):"},{"line_number":170,"context_line":"        self.context \u003d context.Context(\u0027admin\u0027, \u0027fake\u0027, roles\u003d[\u0027AdMiN\u0027])"},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"        self.assertTrue(policy.get_enforcer().check_is_admin(self.context))"}],"source_content_type":"text/x-python","patch_set":3,"id":"e197c3a8_e158935a","line":169,"in_reply_to":"19c254e5_d6613227","updated":"2021-02-18 00:24:04.000000000","message":"Yes, I thought about that as well. My thought in leaving this one to accept the oslo.policy defaults was to be a signal that the deprecated tests/policy could be removed. I tried to capture that in the comments. \nDo you think I should still override this?","commit_id":"5413dbdea15f8a3908d98b95a72705dc054e1413"}],"releasenotes/notes/Added-RBAC-default-roles-and-scoping-0081627043f5c96d.yaml":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fcb406d6ef38a04db927e94a496ef6a3fd9a3e09","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"features:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Added support for keystone default roles and token scopes."},{"line_number":5,"context_line":"upgrade:"},{"line_number":6,"context_line":"  - |"},{"line_number":7,"context_line":"    Legacy Octavia Advanced RBAC policies will continue to function as before"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"4513bbec_21a1d505","line":4,"range":{"start_line":4,"start_character":49,"end_line":4,"end_character":54},"updated":"2021-02-17 14:20:36.000000000","message":"nit: Theoretically, octavia has always consumed project-scope. Here we\u0027re isolating administrative functionality behind system-scope.","commit_id":"5413dbdea15f8a3908d98b95a72705dc054e1413"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"21d6205a3be92f169ef1d16f2d18f6bb4436032d","unresolved":true,"context_lines":[{"line_number":10,"context_line":"    oslo.policy default). However, we highly recommend you udpate your"},{"line_number":11,"context_line":"    user roles to follow the new keystone default roles and start using scoped"},{"line_number":12,"context_line":"    tokens as appropriate."},{"line_number":13,"context_line":"    See the `Ocatvia Policies"},{"line_number":14,"context_line":"    \u003chttps://docs.openstack.org/octavia/latest/configuration/policy.html\u003e`_"},{"line_number":15,"context_line":"    administration guide for more information."},{"line_number":16,"context_line":"deprecations:"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"32de818f_2eb43f55","line":13,"range":{"start_line":13,"start_character":13,"end_line":13,"end_character":20},"updated":"2021-02-18 15:18:27.000000000","message":"s/Octavia","commit_id":"61d5af7374169a4a1ccd860bae94c3fcb16b53e3"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"581df50d827052a331fbfc2250e0b35f0555156e","unresolved":false,"context_lines":[{"line_number":10,"context_line":"    oslo.policy default). However, we highly recommend you udpate your"},{"line_number":11,"context_line":"    user roles to follow the new keystone default roles and start using scoped"},{"line_number":12,"context_line":"    tokens as appropriate."},{"line_number":13,"context_line":"    See the `Ocatvia Policies"},{"line_number":14,"context_line":"    \u003chttps://docs.openstack.org/octavia/latest/configuration/policy.html\u003e`_"},{"line_number":15,"context_line":"    administration guide for more information."},{"line_number":16,"context_line":"deprecations:"}],"source_content_type":"text/x-yaml","patch_set":4,"id":"098ac8c3_ff8a4a9d","line":13,"range":{"start_line":13,"start_character":13,"end_line":13,"end_character":20},"in_reply_to":"32de818f_2eb43f55","updated":"2021-02-18 23:10:42.000000000","message":"Done","commit_id":"61d5af7374169a4a1ccd860bae94c3fcb16b53e3"},{"author":{"_account_id":29244,"name":"Gregory Thiemonge","email":"gthiemon@redhat.com","username":"gthiemonge"},"change_message_id":"b6ec9fc559e952fb7c4b55733c80298e6495dac2","unresolved":true,"context_lines":[{"line_number":7,"context_line":"    Legacy Octavia Advanced RBAC policies will continue to function as before"},{"line_number":8,"context_line":"    as long as the [oslo_policy] enforce_scope \u003d False and"},{"line_number":9,"context_line":"    enforce_new_defaults \u003d False settings are present (this is the current"},{"line_number":10,"context_line":"    oslo.policy default). However, we highly recommend you udpate your"},{"line_number":11,"context_line":"    user roles to follow the new keystone default roles and start using scoped"},{"line_number":12,"context_line":"    tokens as appropriate."},{"line_number":13,"context_line":"    See the `Octavia Policies"}],"source_content_type":"text/x-yaml","patch_set":13,"id":"d93fe1ef_5b642479","line":10,"range":{"start_line":10,"start_character":59,"end_line":10,"end_character":65},"updated":"2021-02-22 18:11:17.000000000","message":"update","commit_id":"19825a5a2441ffbd9906e9ad9bc2a613ec7eee93"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"9827bfdcfa7b13e81f7c65f6774f9ec23f079b3c","unresolved":false,"context_lines":[{"line_number":7,"context_line":"    Legacy Octavia Advanced RBAC policies will continue to function as before"},{"line_number":8,"context_line":"    as long as the [oslo_policy] enforce_scope \u003d False and"},{"line_number":9,"context_line":"    enforce_new_defaults \u003d False settings are present (this is the current"},{"line_number":10,"context_line":"    oslo.policy default). However, we highly recommend you udpate your"},{"line_number":11,"context_line":"    user roles to follow the new keystone default roles and start using scoped"},{"line_number":12,"context_line":"    tokens as appropriate."},{"line_number":13,"context_line":"    See the `Octavia Policies"}],"source_content_type":"text/x-yaml","patch_set":13,"id":"63520487_cdf3a913","line":10,"range":{"start_line":10,"start_character":59,"end_line":10,"end_character":65},"in_reply_to":"d93fe1ef_5b642479","updated":"2021-02-23 23:26:04.000000000","message":"Done","commit_id":"19825a5a2441ffbd9906e9ad9bc2a613ec7eee93"}]}
