)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"47daf21d0f34b89ee4238e345c7f6876e385062c","unresolved":false,"context_lines":[{"line_number":1,"context_line":"Parent:     9f5da124 (Note that openstack-specs are not currently used)"},{"line_number":2,"context_line":"Author:     Lance Bragstad \u003clbragstad@gmail.com\u003e"},{"line_number":3,"context_line":"AuthorDate: 2017-11-29 19:40:24 +0000"},{"line_number":4,"context_line":"Commit:     Harry Rybacki \u003chrybacki@redhat.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2018-03-27 10:35:48 -0400"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Define a set of basic default roles"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":9,"id":"bf659307_8f8ad418","line":4,"range":{"start_line":4,"start_character":0,"end_line":4,"end_character":47},"updated":"2018-03-27 17:45:10.000000000","message":"I\u0027d say you should overwrite the author. 
Most of my contributions were boiler plate, if not reworked from Jamie\u0027s example.","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"27691bfa91f8439e2188f3fb6592893d738f64e9","unresolved":false,"context_lines":[{"line_number":16,"context_line":"robust RBAC system that is better at modeling complex"},{"line_number":17,"context_line":"organization, ultimately being more useful in the real-world."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Co-authored-By: Lance Bragstad \u003clbagstad@gmail.com\u003e"},{"line_number":20,"context_line":"Co-Authored-By: Jamie Lennox \u003cjamielennox@gmail.com\u003e"},{"line_number":21,"context_line":""},{"line_number":22,"context_line":"Change-Id: I643a2e668599ae77eb615d1b292a59e5066dcbb5"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":10,"id":"bf659307_929517e7","line":19,"range":{"start_line":19,"start_character":32,"end_line":19,"end_character":40},"updated":"2018-03-28 15:23:14.000000000","message":"possible candidate for \"casual nick friday\"","commit_id":"e2783f694bc89e9fb50f75e47722016a5ae8f5f9"}],"specs/define-default-roles.rst":[{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"37521dfe1cfc571fa4abc33f6c0e029206aa60f4","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Introduction paragraph -- why are we doing anything?"},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Managing Role Based Access Control (RBAC) across OpenStack is one of the"},{"line_number":35,"context_line":"hardest pain points for operators to deal with. 
It is not uncommon for"},{"line_number":36,"context_line":"operators to have to dig through source code and keep notes about oddities in"},{"line_number":37,"context_line":"RBAC implementations across OpenStack just to offer basic RBAC capabilities to"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff82abbf_5ae86bb1","line":34,"range":{"start_line":34,"start_character":9,"end_line":34,"end_character":41},"updated":"2017-11-29 20:59:48.000000000","message":"citation needed?","commit_id":"34033875f4c4a066149b38a4737887f1cb83897f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fe68009913cd7b0d4d1ccbc0575e1b1954853d5d","unresolved":false,"context_lines":[{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Introduction paragraph -- why are we doing anything?"},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"Managing Role Based Access Control (RBAC) across OpenStack is one of the"},{"line_number":35,"context_line":"hardest pain points for operators to deal with. 
It is not uncommon for"},{"line_number":36,"context_line":"operators to have to dig through source code and keep notes about oddities in"},{"line_number":37,"context_line":"RBAC implementations across OpenStack just to offer basic RBAC capabilities to"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f91af0f_56cb0d71","line":34,"range":{"start_line":34,"start_character":9,"end_line":34,"end_character":41},"in_reply_to":"ff82abbf_5ae86bb1","updated":"2018-01-03 22:55:45.000000000","message":"Done","commit_id":"34033875f4c4a066149b38a4737887f1cb83897f"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"37521dfe1cfc571fa4abc33f6c0e029206aa60f4","unresolved":false,"context_lines":[{"line_number":42,"context_line":"Problem description"},{"line_number":43,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"OpenStack\u0027s initial implementation of RBAC was very simple and it worked"},{"line_number":46,"context_line":"trivial deployments. As OpenStack APIs evolved and deployment started"},{"line_number":47,"context_line":"modeling large, complex organizations, the RBAC implementation failed to evolve"},{"line_number":48,"context_line":"with it. As a result, operators are stuck using existing tooling to implement"},{"line_number":49,"context_line":"more sophisticated RBAC solutions. 
This is a confusing and incredibly tough"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff82abbf_1af7438d","line":46,"range":{"start_line":45,"start_character":43,"end_line":46,"end_character":7},"updated":"2017-11-29 20:59:48.000000000","message":"rephrase: \u0027was simple and worked for trivial ...\u0027","commit_id":"34033875f4c4a066149b38a4737887f1cb83897f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fe68009913cd7b0d4d1ccbc0575e1b1954853d5d","unresolved":false,"context_lines":[{"line_number":42,"context_line":"Problem description"},{"line_number":43,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":44,"context_line":""},{"line_number":45,"context_line":"OpenStack\u0027s initial implementation of RBAC was very simple and it worked"},{"line_number":46,"context_line":"trivial deployments. As OpenStack APIs evolved and deployment started"},{"line_number":47,"context_line":"modeling large, complex organizations, the RBAC implementation failed to evolve"},{"line_number":48,"context_line":"with it. As a result, operators are stuck using existing tooling to implement"},{"line_number":49,"context_line":"more sophisticated RBAC solutions. This is a confusing and incredibly tough"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f91af0f_5690ed4e","line":46,"range":{"start_line":45,"start_character":43,"end_line":46,"end_character":7},"in_reply_to":"ff82abbf_1af7438d","updated":"2018-01-03 22:55:45.000000000","message":"Done","commit_id":"34033875f4c4a066149b38a4737887f1cb83897f"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"37521dfe1cfc571fa4abc33f6c0e029206aa60f4","unresolved":false,"context_lines":[{"line_number":46,"context_line":"trivial deployments. 
As OpenStack APIs evolved and deployment started"},{"line_number":47,"context_line":"modeling large, complex organizations, the RBAC implementation failed to evolve"},{"line_number":48,"context_line":"with it. As a result, operators are stuck using existing tooling to implement"},{"line_number":49,"context_line":"more sophisticated RBAC solutions. This is a confusing and incredibly tough"},{"line_number":50,"context_line":"maintenance burden."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"Proposed change"},{"line_number":53,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff82abbf_3a5a4782","line":50,"range":{"start_line":49,"start_character":35,"end_line":50,"end_character":18},"updated":"2017-11-29 20:59:48.000000000","message":"I think the way that this is worded sounds like an issue for the engineers (maintenance) rather than operators.","commit_id":"34033875f4c4a066149b38a4737887f1cb83897f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fe68009913cd7b0d4d1ccbc0575e1b1954853d5d","unresolved":false,"context_lines":[{"line_number":46,"context_line":"trivial deployments. As OpenStack APIs evolved and deployment started"},{"line_number":47,"context_line":"modeling large, complex organizations, the RBAC implementation failed to evolve"},{"line_number":48,"context_line":"with it. As a result, operators are stuck using existing tooling to implement"},{"line_number":49,"context_line":"more sophisticated RBAC solutions. 
This is a confusing and incredibly tough"},{"line_number":50,"context_line":"maintenance burden."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"Proposed change"},{"line_number":53,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f91af0f_36952941","line":50,"range":{"start_line":49,"start_character":35,"end_line":50,"end_character":18},"in_reply_to":"ff82abbf_3a5a4782","updated":"2018-01-03 22:55:45.000000000","message":"Done","commit_id":"34033875f4c4a066149b38a4737887f1cb83897f"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"37521dfe1cfc571fa4abc33f6c0e029206aa60f4","unresolved":false,"context_lines":[{"line_number":52,"context_line":"Proposed change"},{"line_number":53,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"As a platform, OpenStack should offer a very basic and easy to understand RBAC"},{"line_number":56,"context_line":"implementation with reasonable default values. 
The process of implementing this"},{"line_number":57,"context_line":"will give operators more flexibility out-of-the-box, meaning they are less"},{"line_number":58,"context_line":"likely to introduce inconsistencies across deployment as a result of a lacking"},{"line_number":59,"context_line":"RBAC implementation."}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff82abbf_ba4df7c4","line":56,"range":{"start_line":55,"start_character":40,"end_line":56,"end_character":45},"updated":"2017-11-29 20:59:48.000000000","message":"rephrase: \u0027a basic, easy to understand RBAC implementation using clear, reasonable default values.","commit_id":"34033875f4c4a066149b38a4737887f1cb83897f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fe68009913cd7b0d4d1ccbc0575e1b1954853d5d","unresolved":false,"context_lines":[{"line_number":52,"context_line":"Proposed change"},{"line_number":53,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"As a platform, OpenStack should offer a very basic and easy to understand RBAC"},{"line_number":56,"context_line":"implementation with reasonable default values. 
The process of implementing this"},{"line_number":57,"context_line":"will give operators more flexibility out-of-the-box, meaning they are less"},{"line_number":58,"context_line":"likely to introduce inconsistencies across deployment as a result of a lacking"},{"line_number":59,"context_line":"RBAC implementation."}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f91af0f_b68ff921","line":56,"range":{"start_line":55,"start_character":40,"end_line":56,"end_character":45},"in_reply_to":"ff82abbf_ba4df7c4","updated":"2018-01-03 22:55:45.000000000","message":"Done","commit_id":"34033875f4c4a066149b38a4737887f1cb83897f"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"37521dfe1cfc571fa4abc33f6c0e029206aa60f4","unresolved":false,"context_lines":[{"line_number":53,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"As a platform, OpenStack should offer a very basic and easy to understand RBAC"},{"line_number":56,"context_line":"implementation with reasonable default values. 
The process of implementing this"},{"line_number":57,"context_line":"will give operators more flexibility out-of-the-box, meaning they are less"},{"line_number":58,"context_line":"likely to introduce inconsistencies across deployment as a result of a lacking"},{"line_number":59,"context_line":"RBAC implementation."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"With some of the work done in the Queens release, and documented in the `Policy"},{"line_number":62,"context_line":"Roadmap \u003chttps://trello.com/b/bpWycnwa/policy-roadmap\u003e`_, OpenStack project"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff82abbf_9accb335","line":59,"range":{"start_line":56,"start_character":47,"end_line":59,"end_character":20},"updated":"2017-11-29 20:59:48.000000000","message":"I would break this into two sentences.","commit_id":"34033875f4c4a066149b38a4737887f1cb83897f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fe68009913cd7b0d4d1ccbc0575e1b1954853d5d","unresolved":false,"context_lines":[{"line_number":53,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"As a platform, OpenStack should offer a very basic and easy to understand RBAC"},{"line_number":56,"context_line":"implementation with reasonable default values. 
The process of implementing this"},{"line_number":57,"context_line":"will give operators more flexibility out-of-the-box, meaning they are less"},{"line_number":58,"context_line":"likely to introduce inconsistencies across deployment as a result of a lacking"},{"line_number":59,"context_line":"RBAC implementation."},{"line_number":60,"context_line":""},{"line_number":61,"context_line":"With some of the work done in the Queens release, and documented in the `Policy"},{"line_number":62,"context_line":"Roadmap \u003chttps://trello.com/b/bpWycnwa/policy-roadmap\u003e`_, OpenStack project"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f91af0f_969c355e","line":59,"range":{"start_line":56,"start_character":47,"end_line":59,"end_character":20},"in_reply_to":"ff82abbf_9accb335","updated":"2018-01-03 22:55:45.000000000","message":"Done","commit_id":"34033875f4c4a066149b38a4737887f1cb83897f"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"37521dfe1cfc571fa4abc33f6c0e029206aa60f4","unresolved":false,"context_lines":[{"line_number":62,"context_line":"Roadmap \u003chttps://trello.com/b/bpWycnwa/policy-roadmap\u003e`_, OpenStack project"},{"line_number":63,"context_line":"teams have the tools necessary to improve default role definitions. The"},{"line_number":64,"context_line":"changing defaults can be consumed by operators in ways that are consistent with"},{"line_number":65,"context_line":"changing configuration options. 
This ensures a graceful transition."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"Default Roles"},{"line_number":68,"context_line":"-------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ff82abbf_dadd5bdd","line":65,"range":{"start_line":65,"start_character":32,"end_line":65,"end_character":66},"updated":"2017-11-29 20:59:48.000000000","message":"I might open your paragraph with this -- it gives the reader a better feel as to why the Queens work is helpful","commit_id":"34033875f4c4a066149b38a4737887f1cb83897f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"fe68009913cd7b0d4d1ccbc0575e1b1954853d5d","unresolved":false,"context_lines":[{"line_number":62,"context_line":"Roadmap \u003chttps://trello.com/b/bpWycnwa/policy-roadmap\u003e`_, OpenStack project"},{"line_number":63,"context_line":"teams have the tools necessary to improve default role definitions. The"},{"line_number":64,"context_line":"changing defaults can be consumed by operators in ways that are consistent with"},{"line_number":65,"context_line":"changing configuration options. This ensures a graceful transition."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"Default Roles"},{"line_number":68,"context_line":"-------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f91af0f_96eaf5a9","line":65,"range":{"start_line":65,"start_character":32,"end_line":65,"end_character":66},"in_reply_to":"ff82abbf_dadd5bdd","updated":"2018-01-03 22:55:45.000000000","message":"Done","commit_id":"34033875f4c4a066149b38a4737887f1cb83897f"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"1d432805c935f0a07e341b874277a9b28b59598e","unresolved":false,"context_lines":[{"line_number":1,"context_line":".."},{"line_number":2,"context_line":"  This template should be in ReSTructured text.  
For help with syntax,"},{"line_number":3,"context_line":"  see http://sphinx-doc.org/rest.html"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"  To test out your formatting, build the docs using tox, or see:"},{"line_number":6,"context_line":"  http://rst.ninjs.org"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"  The filename in the git repository should match the launchpad URL,"},{"line_number":9,"context_line":"  for example a URL of"},{"line_number":10,"context_line":"  https://blueprints.launchpad.net/openstack/+spec/awesome-thing should be"},{"line_number":11,"context_line":"  named specs/awesome-thing.rst."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"  Wrap text at 79 columns."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"  Do not delete any of the sections in this template.  If you have"},{"line_number":16,"context_line":"  nothing to say for a whole section, just write: None"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"  If you would like to provide a diagram with your spec, ascii"},{"line_number":19,"context_line":"  diagrams are required.  http://asciiflow.com/ is a very nice tool to"},{"line_number":20,"context_line":"  assist with making ascii diagrams.  The reason for this is that the"},{"line_number":21,"context_line":"  tool used to review specs is based purely on plain text.  Plain text"},{"line_number":22,"context_line":"  will allow review to proceed without having to look at additional"},{"line_number":23,"context_line":"  files which can not be viewed in gerrit.  
It will also allow inline"},{"line_number":24,"context_line":"  feedback on the diagram itself."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":27,"context_line":"Basic Default Roles"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ff82abbf_bdaad16d","line":24,"range":{"start_line":1,"start_character":0,"end_line":24,"end_character":33},"updated":"2017-11-29 21:50:15.000000000","message":"remove all this","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"42527e16453ef2724a02d3f01d8c0dbf3b809788","unresolved":false,"context_lines":[{"line_number":1,"context_line":".."},{"line_number":2,"context_line":"  This template should be in ReSTructured text.  For help with syntax,"},{"line_number":3,"context_line":"  see http://sphinx-doc.org/rest.html"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"  To test out your formatting, build the docs using tox, or see:"},{"line_number":6,"context_line":"  http://rst.ninjs.org"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"  The filename in the git repository should match the launchpad URL,"},{"line_number":9,"context_line":"  for example a URL of"},{"line_number":10,"context_line":"  https://blueprints.launchpad.net/openstack/+spec/awesome-thing should be"},{"line_number":11,"context_line":"  named specs/awesome-thing.rst."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"  Wrap text at 79 columns."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"  Do not delete any of the sections in this template.  
If you have"},{"line_number":16,"context_line":"  nothing to say for a whole section, just write: None"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"  If you would like to provide a diagram with your spec, ascii"},{"line_number":19,"context_line":"  diagrams are required.  http://asciiflow.com/ is a very nice tool to"},{"line_number":20,"context_line":"  assist with making ascii diagrams.  The reason for this is that the"},{"line_number":21,"context_line":"  tool used to review specs is based purely on plain text.  Plain text"},{"line_number":22,"context_line":"  will allow review to proceed without having to look at additional"},{"line_number":23,"context_line":"  files which can not be viewed in gerrit.  It will also allow inline"},{"line_number":24,"context_line":"  feedback on the diagram itself."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":27,"context_line":"Basic Default Roles"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f91af0f_b6e9391b","line":24,"range":{"start_line":1,"start_character":0,"end_line":24,"end_character":33},"in_reply_to":"ff82abbf_bdaad16d","updated":"2018-01-03 22:46:51.000000000","message":"Done","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"1d432805c935f0a07e341b874277a9b28b59598e","unresolved":false,"context_lines":[{"line_number":40,"context_line":"Problem description"},{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"OpenStack\u0027s initial implementation of RBAC was very simple and it 
worked"},{"line_number":44,"context_line":"trivial deployments. As OpenStack evolved and deployment started modeling"},{"line_number":45,"context_line":"larger, more complex organizations, the RBAC implementation failed to evolve"},{"line_number":46,"context_line":"with it. As a result, operators are stuck using existing tooling to provide the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ff82abbf_9dbd8db8","line":43,"range":{"start_line":43,"start_character":66,"end_line":43,"end_character":72},"updated":"2017-11-29 21:50:15.000000000","message":"worked for","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"42527e16453ef2724a02d3f01d8c0dbf3b809788","unresolved":false,"context_lines":[{"line_number":40,"context_line":"Problem description"},{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":42,"context_line":""},{"line_number":43,"context_line":"OpenStack\u0027s initial implementation of RBAC was very simple and it worked"},{"line_number":44,"context_line":"trivial deployments. As OpenStack evolved and deployment started modeling"},{"line_number":45,"context_line":"larger, more complex organizations, the RBAC implementation failed to evolve"},{"line_number":46,"context_line":"with it. 
As a result, operators are stuck using existing tooling to provide the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f91af0f_56d8ed7d","line":43,"range":{"start_line":43,"start_character":66,"end_line":43,"end_character":72},"in_reply_to":"ff82abbf_9dbd8db8","updated":"2018-01-03 22:46:51.000000000","message":"Done","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"1d432805c935f0a07e341b874277a9b28b59598e","unresolved":false,"context_lines":[{"line_number":56,"context_line":"introduce inconsistencies across deployments due to the limitations of the"},{"line_number":57,"context_line":"existing implementation."},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"With some of the work done in the Queens release, and documented in the `Policy"},{"line_number":60,"context_line":"Roadmap \u003chttps://trello.com/b/bpWycnwa/policy-roadmap\u003e`_, OpenStack project"},{"line_number":61,"context_line":"teams have the tools necessary to improve default role definitions. The"},{"line_number":62,"context_line":"changing defaults can be consumed by operators in ways that are consistent with"},{"line_number":63,"context_line":"changing configuration options. This ensures a graceful transition."}],"source_content_type":"text/x-rst","patch_set":3,"id":"ff82abbf_3d332164","line":60,"range":{"start_line":59,"start_character":50,"end_line":60,"end_character":56},"updated":"2017-11-29 21:50:15.000000000","message":"I don\u0027t know about referencing Trello here... If you want to reference something maybe point to the actual specs or implementations? Trello not being official and all. Would also make it clearer which items you\u0027re referring to. I assume this is a) policy-and-docs-in-code and b) the ability to deprecate policies... 
anything else?","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"42527e16453ef2724a02d3f01d8c0dbf3b809788","unresolved":false,"context_lines":[{"line_number":56,"context_line":"introduce inconsistencies across deployments due to the limitations of the"},{"line_number":57,"context_line":"existing implementation."},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"With some of the work done in the Queens release, and documented in the `Policy"},{"line_number":60,"context_line":"Roadmap \u003chttps://trello.com/b/bpWycnwa/policy-roadmap\u003e`_, OpenStack project"},{"line_number":61,"context_line":"teams have the tools necessary to improve default role definitions. The"},{"line_number":62,"context_line":"changing defaults can be consumed by operators in ways that are consistent with"},{"line_number":63,"context_line":"changing configuration options. This ensures a graceful transition."}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f91af0f_f6bfc1f8","line":60,"range":{"start_line":59,"start_character":50,"end_line":60,"end_character":56},"in_reply_to":"ff82abbf_3d332164","updated":"2018-01-03 22:46:51.000000000","message":"Done","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"1d432805c935f0a07e341b874277a9b28b59598e","unresolved":false,"context_lines":[{"line_number":67,"context_line":""},{"line_number":68,"context_line":"**admin**: We need to keep this around for backwards compatibility. Ideally,"},{"line_number":69,"context_line":"this role will be considered appropriate for all administrator-like operations,"},{"line_number":70,"context_line":"depending on the scope. 
An example project-scoped administrator operation would"},{"line_number":71,"context_line":"be resizing a virtual machine (``os_compute_api:servers:resize``). An example"},{"line_number":72,"context_line":"system-scoped administrator operation would be creating an endpoint for a"},{"line_number":73,"context_line":"service (``identity:create_endpoint``)."}],"source_content_type":"text/x-rst","patch_set":3,"id":"ff82abbf_1d53bd6c","line":70,"updated":"2017-11-29 21:50:15.000000000","message":"I would probably leave scope out of this entirely. As discussed on irc earlier today, that\u0027s really a parallel discussion. I really don\u0027t want to confuse the two, or have this get sidetracked with comments about scope.","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"42527e16453ef2724a02d3f01d8c0dbf3b809788","unresolved":false,"context_lines":[{"line_number":67,"context_line":""},{"line_number":68,"context_line":"**admin**: We need to keep this around for backwards compatibility. Ideally,"},{"line_number":69,"context_line":"this role will be considered appropriate for all administrator-like operations,"},{"line_number":70,"context_line":"depending on the scope. An example project-scoped administrator operation would"},{"line_number":71,"context_line":"be resizing a virtual machine (``os_compute_api:servers:resize``). 
An example"},{"line_number":72,"context_line":"system-scoped administrator operation would be creating an endpoint for a"},{"line_number":73,"context_line":"service (``identity:create_endpoint``)."}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f91af0f_b637f9b0","line":70,"in_reply_to":"ff82abbf_1d53bd6c","updated":"2018-01-03 22:46:51.000000000","message":"Yeah - it\u0027s a parallel discussion but I think the example helps describe where we want to go.","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"1d432805c935f0a07e341b874277a9b28b59598e","unresolved":false,"context_lines":[{"line_number":73,"context_line":"service (``identity:create_endpoint``)."},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"System-scope is an effort currently being implemented in keystone. More"},{"line_number":76,"context_line":"information about system-scope can be found in the `specification \u003chttp://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_,"},{"line_number":77,"context_line":"along with relevant historical context justifying the need for system-scope."},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"**writer**: This role introduces a granularity between the administrator and"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ff82abbf_fd6e192d","line":76,"updated":"2017-11-29 21:50:15.000000000","message":"this is a really long line!","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"42527e16453ef2724a02d3f01d8c0dbf3b809788","unresolved":false,"context_lines":[{"line_number":73,"context_line":"service 
(``identity:create_endpoint``)."},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"System-scope is an effort currently being implemented in keystone. More"},{"line_number":76,"context_line":"information about system-scope can be found in the `specification \u003chttp://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_,"},{"line_number":77,"context_line":"along with relevant historical context justifying the need for system-scope."},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"**writer**: This role introduces a granularity between the administrator and"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f91af0f_7641710b","line":76,"in_reply_to":"ff82abbf_fd6e192d","updated":"2018-01-03 22:46:51.000000000","message":"Done","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"1d432805c935f0a07e341b874277a9b28b59598e","unresolved":false,"context_lines":[{"line_number":76,"context_line":"information about system-scope can be found in the `specification \u003chttp://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_,"},{"line_number":77,"context_line":"along with relevant historical context justifying the need for system-scope."},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"**writer**: This role introduces a granularity between the administrator and"},{"line_number":80,"context_line":"everyone else. An example project-scoped application of this role would be"},{"line_number":81,"context_line":"creating an instance (``os_compute_api:servers:create``). 
An example"},{"line_number":82,"context_line":"system-scope application of this role would be updating a user"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ff82abbf_887b098a","line":79,"updated":"2017-11-29 21:50:15.000000000","message":"It bears mentioning that this is equivalent to what folks think of as \"member\". And we may even want to call it that.","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"42527e16453ef2724a02d3f01d8c0dbf3b809788","unresolved":false,"context_lines":[{"line_number":76,"context_line":"information about system-scope can be found in the `specification \u003chttp://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_,"},{"line_number":77,"context_line":"along with relevant historical context justifying the need for system-scope."},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"**writer**: This role introduces a granularity between the administrator and"},{"line_number":80,"context_line":"everyone else. An example project-scoped application of this role would be"},{"line_number":81,"context_line":"creating an instance (``os_compute_api:servers:create``). An example"},{"line_number":82,"context_line":"system-scope application of this role would be updating a user"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f91af0f_165025d4","line":79,"in_reply_to":"ff82abbf_887b098a","updated":"2018-01-03 22:46:51.000000000","message":"Done","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"1d432805c935f0a07e341b874277a9b28b59598e","unresolved":false,"context_lines":[{"line_number":80,"context_line":"everyone else. 
An example project-scoped application of this role would be"},{"line_number":81,"context_line":"creating an instance (``os_compute_api:servers:create``). An example"},{"line_number":82,"context_line":"system-scope application of this role would be updating a user"},{"line_number":83,"context_line":"(``identity:update_user``)."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"**reader**: This role fills an extremely popular request from operators. It"},{"line_number":86,"context_line":"should only be used for read-only APIs and operations. An example"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ff82abbf_dd8b15bd","line":83,"updated":"2017-11-29 21:50:15.000000000","message":"users are scoped to a domain, not system. But (and I\u0027m doing exactly what I warned about above, sidetracking this with scope comments) I think update_user is more complicated than that, too... you should need to have the admin role on the domain to update *another* user but probably only need the writer role on the domain or project to update yourself, or at least certain things about yourself.\n\nYou\u0027ll remember that I\u0027ve mentioned before that we will sometimes need multiple policy checks for a single API... one to see if you can call the API at all (writer in this case) and another to see if you can do certain things you\u0027re requesting (e.g. touching another user vs. yourself). So identity:update_user vs. identity:update_user:another_user","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"42527e16453ef2724a02d3f01d8c0dbf3b809788","unresolved":false,"context_lines":[{"line_number":80,"context_line":"everyone else. An example project-scoped application of this role would be"},{"line_number":81,"context_line":"creating an instance (``os_compute_api:servers:create``). 
An example"},{"line_number":82,"context_line":"system-scope application of this role would be updating a user"},{"line_number":83,"context_line":"(``identity:update_user``)."},{"line_number":84,"context_line":""},{"line_number":85,"context_line":"**reader**: This role fills an extremely popular request from operators. It"},{"line_number":86,"context_line":"should only be used for read-only APIs and operations. An example"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f91af0f_b605b9c4","line":83,"in_reply_to":"ff82abbf_dd8b15bd","updated":"2018-01-03 22:46:51.000000000","message":"Done","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"1d432805c935f0a07e341b874277a9b28b59598e","unresolved":false,"context_lines":[{"line_number":97,"context_line":"::"},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"    # scope_types \u003d (\u0027project\u0027)"},{"line_number":100,"context_line":"    \"os_compute_api:servers:index\": \"role:reader OR role:writer OR role:admin\""},{"line_number":101,"context_line":"    \"os_compute_api:servers:create\": \"role:writer OR role:admin\""},{"line_number":102,"context_line":"    \"os_compute_api:servers:delete\": \"role:writer OR role:admin\""},{"line_number":103,"context_line":"    \"os_compute_api:servers:update\": \"role:writer OR role:admin\""}],"source_content_type":"text/x-rst","patch_set":3,"id":"ff82abbf_e89975c3","line":100,"updated":"2017-11-29 21:50:15.000000000","message":"Can we use implied roles and not need these OR conditions? The hurdle there will be how to make sure the implied roles are setup.\n\nOr use rules that do what implied roles would do? 
E.g.:\n\n   \"writer\": \"role:writer or role:admin\"\n   \"reader\": \"role:reader or rule:writer\"\n...\n   \"os_compute_api:servers:index\": \"rule:reader\",\n   \"os_compute_api:servers:create\": \"rule:writer\",","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"42527e16453ef2724a02d3f01d8c0dbf3b809788","unresolved":false,"context_lines":[{"line_number":97,"context_line":"::"},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"    # scope_types \u003d (\u0027project\u0027)"},{"line_number":100,"context_line":"    \"os_compute_api:servers:index\": \"role:reader OR role:writer OR role:admin\""},{"line_number":101,"context_line":"    \"os_compute_api:servers:create\": \"role:writer OR role:admin\""},{"line_number":102,"context_line":"    \"os_compute_api:servers:delete\": \"role:writer OR role:admin\""},{"line_number":103,"context_line":"    \"os_compute_api:servers:update\": \"role:writer OR role:admin\""}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f91af0f_16fee5ad","line":100,"in_reply_to":"ff82abbf_e89975c3","updated":"2018-01-03 22:46:51.000000000","message":"I more-so did this to show the relationship between the three roles and how they relate to different policies. 
I can refactor this but I wouldn\u0027t expect it to get pulled into a policy.","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"1d432805c935f0a07e341b874277a9b28b59598e","unresolved":false,"context_lines":[{"line_number":125,"context_line":"    \"identity:delete_user\": \"role:admin\""},{"line_number":126,"context_line":""},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"Let\u0027s assume the following role assignment exist:"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"- **Bob** has role **admin** on system"},{"line_number":131,"context_line":"- **Alice** has role **admin** on the compute service"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ff82abbf_a8528ddc","line":128,"updated":"2017-11-29 21:50:15.000000000","message":"getting into a lot of scoping here...","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"42527e16453ef2724a02d3f01d8c0dbf3b809788","unresolved":false,"context_lines":[{"line_number":125,"context_line":"    \"identity:delete_user\": \"role:admin\""},{"line_number":126,"context_line":""},{"line_number":127,"context_line":""},{"line_number":128,"context_line":"Let\u0027s assume the following role assignment exist:"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"- **Bob** has role **admin** on system"},{"line_number":131,"context_line":"- **Alice** has role **admin** on the compute service"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f91af0f_b6d37938","line":128,"in_reply_to":"ff82abbf_a8528ddc","updated":"2018-01-03 22:46:51.000000000","message":"Yeah, agreed. 
I just think it helps paint the picture of where we want to end up.\n\nIn the shoes of someone who might not be all that familiar with what we\u0027re trying to accomplish, so long as I understand the concept of projects, users, the system, and a role assignment, I should be able to piece together the idea.","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"1d432805c935f0a07e341b874277a9b28b59598e","unresolved":false,"context_lines":[{"line_number":200,"context_line":""},{"line_number":201,"context_line":"This work is dependent on the following:"},{"line_number":202,"context_line":""},{"line_number":203,"context_line":"* Implementing `system-scope \u003chttp://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_"},{"line_number":204,"context_line":"  in keystone"},{"line_number":205,"context_line":"* `Registering and documenting \u003chttps://governance.openstack.org/tc/goals/queens/policy-in-code.html\u003e`_"},{"line_number":206,"context_line":"  all policies in code"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ff82abbf_4810a100","line":203,"updated":"2017-11-29 21:50:15.000000000","message":"should not be dependent on this","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"42527e16453ef2724a02d3f01d8c0dbf3b809788","unresolved":false,"context_lines":[{"line_number":200,"context_line":""},{"line_number":201,"context_line":"This work is dependent on the following:"},{"line_number":202,"context_line":""},{"line_number":203,"context_line":"* Implementing `system-scope \u003chttp://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_"},{"line_number":204,"context_line":"  in 
keystone"},{"line_number":205,"context_line":"* `Registering and documenting \u003chttps://governance.openstack.org/tc/goals/queens/policy-in-code.html\u003e`_"},{"line_number":206,"context_line":"  all policies in code"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f91af0f_f6f021cc","line":203,"in_reply_to":"ff82abbf_4810a100","updated":"2018-01-03 22:46:51.000000000","message":"Done","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":10608,"name":"Matthew Edmonds","email":"edmondsw@us.ibm.com","username":"edmondsw"},"change_message_id":"1d432805c935f0a07e341b874277a9b28b59598e","unresolved":false,"context_lines":[{"line_number":204,"context_line":"  in keystone"},{"line_number":205,"context_line":"* `Registering and documenting \u003chttps://governance.openstack.org/tc/goals/queens/policy-in-code.html\u003e`_"},{"line_number":206,"context_line":"  all policies in code"},{"line_number":207,"context_line":"* Implementing `scope_types \u003chttp://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-in-policy.html\u003e`_"},{"line_number":208,"context_line":""},{"line_number":209,"context_line":"Full dependencies can be found in the `Policy Roadmap \u003chttps://trello.com/b/bpWycnwa/policy-roadmap\u003e`_."},{"line_number":210,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"ff82abbf_e8fad5ba","line":207,"updated":"2017-11-29 21:50:15.000000000","message":"should not be dependent on this","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"42527e16453ef2724a02d3f01d8c0dbf3b809788","unresolved":false,"context_lines":[{"line_number":204,"context_line":"  in keystone"},{"line_number":205,"context_line":"* `Registering and documenting \u003chttps://governance.openstack.org/tc/goals/queens/policy-in-code.html\u003e`_"},{"line_number":206,"context_line":"  
all policies in code"},{"line_number":207,"context_line":"* Implementing `scope_types \u003chttp://specs.openstack.org/openstack/oslo-specs/specs/queens/include-scope-in-policy.html\u003e`_"},{"line_number":208,"context_line":""},{"line_number":209,"context_line":"Full dependencies can be found in the `Policy Roadmap \u003chttps://trello.com/b/bpWycnwa/policy-roadmap\u003e`_."},{"line_number":210,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"9f91af0f_b6bcd9dc","line":207,"in_reply_to":"ff82abbf_e8fad5ba","updated":"2018-01-03 22:46:51.000000000","message":"Done","commit_id":"02443d80997daed01f91cefc7ed084360c843a49"},{"author":{"_account_id":4257,"name":"Zane Bitter","email":"zbitter@redhat.com","username":"zaneb"},"change_message_id":"c9678f2ac5dc6f621dc25d87830657ba43ea4c9b","unresolved":false,"context_lines":[{"line_number":33,"context_line":"limitations of the existing implementation."},{"line_number":34,"context_line":""},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"To help unsure a graceful transition, `improvements"},{"line_number":37,"context_line":"\u003chttp://specs.openstack.org/openstack/oslo-specs/specs/queens/policy-deprecation.html\u003e`_"},{"line_number":38,"context_line":"were made to the oslo policy library and a community `goal"},{"line_number":39,"context_line":"\u003chttps://governance.openstack.org/tc/goals/queens/policy-in-code.html\u003e`_ put in"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9f91af0f_56230d06","line":36,"range":{"start_line":36,"start_character":8,"end_line":36,"end_character":14},"updated":"2018-01-03 23:03:14.000000000","message":"typo: ensure","commit_id":"55381dc091fa437c68ca094f2bb345ccceaf8c52"},{"author":{"_account_id":23186,"name":"Felipe 
Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"be094b0b97ccfec329052334a494daeadadde139","unresolved":false,"context_lines":[{"line_number":17,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"OpenStack\u0027s initial implementation of RBAC was simple and worked for trivial"},{"line_number":20,"context_line":"deployments. As OpenStack evolved and deployment started modeling larger, more"},{"line_number":21,"context_line":"complex organizations, the RBAC implementation failed to evolve with it. As a"},{"line_number":22,"context_line":"result, operators are stuck using existing tooling to provide the facade of a"},{"line_number":23,"context_line":"more sophisticated RBAC solution. This is a confusing and incredibly tough"}],"source_content_type":"text/x-rst","patch_set":8,"id":"df7087c5_7a651eb4","line":20,"range":{"start_line":20,"start_character":38,"end_line":20,"end_character":48},"updated":"2018-03-16 15:29:43.000000000","message":"deployments","commit_id":"4d03cafea570ae9e15e04aabd1c06cf8882bee4c"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"be094b0b97ccfec329052334a494daeadadde139","unresolved":false,"context_lines":[{"line_number":21,"context_line":"complex organizations, the RBAC implementation failed to evolve with it. As a"},{"line_number":22,"context_line":"result, operators are stuck using existing tooling to provide the facade of a"},{"line_number":23,"context_line":"more sophisticated RBAC solution. 
This is a confusing and incredibly tough"},{"line_number":24,"context_line":"maintenance burden for operators who customize policy."},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"It\u0027s not uncommon to see various services hardcode operations to a specific"},{"line_number":27,"context_line":"role. While the operation may require that role, the role to policy mapping"}],"source_content_type":"text/x-rst","patch_set":8,"id":"df7087c5_9a6b5283","line":24,"updated":"2018-03-16 15:29:43.000000000","message":"++","commit_id":"4d03cafea570ae9e15e04aabd1c06cf8882bee4c"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"be094b0b97ccfec329052334a494daeadadde139","unresolved":false,"context_lines":[{"line_number":42,"context_line":"were made to the oslo policy library and a community `goal"},{"line_number":43,"context_line":"\u003chttps://governance.openstack.org/tc/goals/queens/policy-in-code.html\u003e`_ put in"},{"line_number":44,"context_line":"place to help projects teams register defaults policies in code and provide"},{"line_number":45,"context_line":"documentation. This works gives OpenStack project teams the tools necessary to"},{"line_number":46,"context_line":"improve default role definitions. 
The changing defaults can be consumed by"},{"line_number":47,"context_line":"operators in ways that are consistent with changing configuration options."},{"line_number":48,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"df7087c5_fa47ee1b","line":45,"range":{"start_line":45,"start_character":20,"end_line":45,"end_character":25},"updated":"2018-03-16 15:29:43.000000000","message":"work","commit_id":"4d03cafea570ae9e15e04aabd1c06cf8882bee4c"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"ec932d9f24ece8a0818c48b21a255a83623df3ab","unresolved":false,"context_lines":[{"line_number":49,"context_line":"Default Roles"},{"line_number":50,"context_line":"-------------"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"**admin**: We need to keep this around for backwards compatibility. Ideally,"},{"line_number":53,"context_line":"this role will be considered appropriate for all administrator-like operations,"},{"line_number":54,"context_line":"depending on the scope. An example project-scoped administrator operation would"},{"line_number":55,"context_line":"be resizing a virtual machine (``os_compute_api:servers:resize``). An example"}],"source_content_type":"text/x-rst","patch_set":8,"id":"df7087c5_31b4ffd0","line":52,"updated":"2018-03-14 05:22:08.000000000","message":"Each Service needs two roles:  an operator role, and a consumer role.  Consumer can further be split into reader and writer. \n\nMember implies Consumer on the basic services.\nadmin (today) implies operator on all services.\nImplied Roles are essential here.  For example, the norm may be for Member to imply Consumer on Neutron, but a deployment may want to reserve all Neutron operations for the provisioning system.\n\nThere are two System level roles that need to apply across a large set of operations.  
The first is \"deleter\" which is used to clean up orphaned items that have had their containing project deleted.  The second is \"reader\" or \"reporter\" which is used to \"roll up\" statistics about all activity on an endpoint.","commit_id":"4d03cafea570ae9e15e04aabd1c06cf8882bee4c"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"be094b0b97ccfec329052334a494daeadadde139","unresolved":false,"context_lines":[{"line_number":56,"context_line":"system-scoped administrator operation would be creating an endpoint for a"},{"line_number":57,"context_line":"service (``identity:create_endpoint``)."},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"System-scope is an effort currently being implemented in keystone. More"},{"line_number":60,"context_line":"information about system-scope can be found in the `specification"},{"line_number":61,"context_line":"\u003chttp://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_,"},{"line_number":62,"context_line":"along with relevant historical context justifying the need for system-scope."}],"source_content_type":"text/x-rst","patch_set":8,"id":"df7087c5_1a266269","line":59,"range":{"start_line":59,"start_character":57,"end_line":59,"end_character":65},"updated":"2018-03-16 15:29:43.000000000","message":"Keystone","commit_id":"4d03cafea570ae9e15e04aabd1c06cf8882bee4c"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"be094b0b97ccfec329052334a494daeadadde139","unresolved":false,"context_lines":[{"line_number":62,"context_line":"along with relevant historical context justifying the need for system-scope."},{"line_number":63,"context_line":""},{"line_number":64,"context_line":"**writer**: This role introduces a granularity between the administrator 
and"},{"line_number":65,"context_line":"everyone else. This role is sometimes referred to as ``member``. An example"},{"line_number":66,"context_line":"project-scoped application of this role would be creating an instance"},{"line_number":67,"context_line":"(``os_compute_api:servers:create``). An example system-scope application of"},{"line_number":68,"context_line":"this role would be updating a project (``identity:update_project``)."}],"source_content_type":"text/x-rst","patch_set":8,"id":"df7087c5_3a29e635","line":65,"range":{"start_line":65,"start_character":55,"end_line":65,"end_character":61},"updated":"2018-03-16 15:29:43.000000000","message":"Member or _member_","commit_id":"4d03cafea570ae9e15e04aabd1c06cf8882bee4c"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"ec7fab65e01401133ab24e15e74d77d38b84db37","unresolved":false,"context_lines":[{"line_number":100,"context_line":"    \"os_compute_api:os-hypervisors\": \"role:reader OR role:writer OR role:admin\""},{"line_number":101,"context_line":"    \"os_compute_api:os-migrate-server:migrate_live\": \"role:writer OR role:admin\""},{"line_number":102,"context_line":""},{"line_number":103,"context_line":"    # scope_types \u003d (\u0027system\u0027, \u0027service\u0027)"},{"line_number":104,"context_line":"    \"identity:list_endpoints\": \"role:reader OR role:writer OR role:admin\""},{"line_number":105,"context_line":"    \"identity:get_endpoint\": \"role:reader OR role:writer OR role:admin\""},{"line_number":106,"context_line":"    \"identity:create_endpoint\": \"role:admin\""}],"source_content_type":"text/x-rst","patch_set":8,"id":"df7087c5_234e6dc1","line":103,"range":{"start_line":103,"start_character":31,"end_line":103,"end_character":40},"updated":"2018-03-19 23:34:51.000000000","message":"I think we should include a sample policy.DocumentedRuleDefault for these.\n\nI\u0027m not sure I understand this system/service/project 
scoping. I thought I had a grasp on the new system, but service throws me off a bit.","commit_id":"4d03cafea570ae9e15e04aabd1c06cf8882bee4c"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"be094b0b97ccfec329052334a494daeadadde139","unresolved":false,"context_lines":[{"line_number":115,"context_line":"    \"identity:delete_user\": \"role:admin\""},{"line_number":116,"context_line":""},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"Let\u0027s assume the following role assignment exist:"},{"line_number":119,"context_line":""},{"line_number":120,"context_line":"- **Bob** has role **admin** on system"},{"line_number":121,"context_line":"- **Alice** has role **admin** on the compute service"}],"source_content_type":"text/x-rst","patch_set":8,"id":"df7087c5_7ae2fed6","line":118,"range":{"start_line":118,"start_character":43,"end_line":118,"end_character":48},"updated":"2018-03-16 15:29:43.000000000","message":"exists","commit_id":"4d03cafea570ae9e15e04aabd1c06cf8882bee4c"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"ec7fab65e01401133ab24e15e74d77d38b84db37","unresolved":false,"context_lines":[{"line_number":123,"context_line":"- **Bill** has role **reader** on system"},{"line_number":124,"context_line":"- **Jane** has role **admin** on Project Alpha"},{"line_number":125,"context_line":"- **Steve** has role **reader** on Project Beta"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"Given the above assignments and policies, the following would be possible:"},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"**Bob** can list compute hypervisors, live migrate instances, in addition to"}],"source_content_type":"text/x-rst","patch_set":8,"id":"df7087c5_a3811dc6","line":126,"updated":"2018-03-19 
23:34:51.000000000","message":"Can we have an example here for a user that has read access to a method that includes objects across projects?\nWe get the request to have \"auditor\" roles that can, for example, list all load balancers in the cloud (LBs owned by multiple projects). We called it rule:load-balancer:read-global.","commit_id":"4d03cafea570ae9e15e04aabd1c06cf8882bee4c"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"ec7fab65e01401133ab24e15e74d77d38b84db37","unresolved":false,"context_lines":[{"line_number":127,"context_line":"Given the above assignments and policies, the following would be possible:"},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"**Bob** can list compute hypervisors, live migrate instances, in addition to"},{"line_number":130,"context_line":"managing users and endpoints. Bob cannot create instances or project-specific"},{"line_number":131,"context_line":"users with his system scope."},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"**Alice** can list compute hypervisors and live migrate instances. She cannot"},{"line_number":134,"context_line":"manage users, endpoints, or instances."}],"source_content_type":"text/x-rst","patch_set":8,"id":"df7087c5_236c2d9b","line":131,"range":{"start_line":130,"start_character":61,"end_line":131,"end_character":27},"updated":"2018-03-19 23:34:51.000000000","message":"I don\u0027t follow this one. It looks to me like line 113 would allow Bob to create users.","commit_id":"4d03cafea570ae9e15e04aabd1c06cf8882bee4c"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"be094b0b97ccfec329052334a494daeadadde139","unresolved":false,"context_lines":[{"line_number":130,"context_line":"managing users and endpoints. 
Bob cannot create instances or project-specific"},{"line_number":131,"context_line":"users with his system scope."},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"**Alice** can list compute hypervisors and live migrate instances. She cannot"},{"line_number":134,"context_line":"manage users, endpoints, or instances."},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"**Charlie** can get, list, and update existing system-wide users and endpoints."}],"source_content_type":"text/x-rst","patch_set":8,"id":"df7087c5_7a30be56","line":133,"updated":"2018-03-16 15:29:43.000000000","message":"The distinction between admin/writer isn\u0027t clear to me. The sentences on L64-65 above are a bit vague.","commit_id":"4d03cafea570ae9e15e04aabd1c06cf8882bee4c"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"be094b0b97ccfec329052334a494daeadadde139","unresolved":false,"context_lines":[{"line_number":133,"context_line":"**Alice** can list compute hypervisors and live migrate instances. She cannot"},{"line_number":134,"context_line":"manage users, endpoints, or instances."},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"**Charlie** can get, list, and update existing system-wide users and endpoints."},{"line_number":137,"context_line":"She cannot create or delete endpoints or users. 
She also cannot manage"},{"line_number":138,"context_line":"instances or compute hosts of any kind."},{"line_number":139,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"df7087c5_9ad8321e","line":136,"updated":"2018-03-16 15:29:43.000000000","message":"Charlie can update but not create?","commit_id":"4d03cafea570ae9e15e04aabd1c06cf8882bee4c"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"be094b0b97ccfec329052334a494daeadadde139","unresolved":false,"context_lines":[{"line_number":152,"context_line":""},{"line_number":153,"context_line":"We could keep things as they are and force operators to continue maintaining"},{"line_number":154,"context_line":"complicated policies, but that doesn\u0027t really seem like a viable alternative at"},{"line_number":155,"context_line":"all."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"Implementation"},{"line_number":158,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":8,"id":"df7087c5_3a0fa688","line":155,"updated":"2018-03-16 15:29:43.000000000","message":"++","commit_id":"4d03cafea570ae9e15e04aabd1c06cf8882bee4c"},{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"be094b0b97ccfec329052334a494daeadadde139","unresolved":false,"context_lines":[{"line_number":181,"context_line":"* Set up a way to track progress (e.g. 
using launchpad bugs, community goal"},{"line_number":182,"context_line":"  completion artifacts, burndown charts, etc...)"},{"line_number":183,"context_line":"* Coordinate the changes in *each* OpenStack project and assist `patrole"},{"line_number":184,"context_line":"  \u003chttps://github.com/openstack/patrole\u003e`_ with test coverage"},{"line_number":185,"context_line":"* Provide How-To documentation for deployments that still need to customize"},{"line_number":186,"context_line":"  policy"},{"line_number":187,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"df7087c5_7a7e7ee4","line":184,"updated":"2018-03-16 15:29:43.000000000","message":"I will update the spec in KS soon","commit_id":"4d03cafea570ae9e15e04aabd1c06cf8882bee4c"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"47daf21d0f34b89ee4238e345c7f6876e385062c","unresolved":false,"context_lines":[{"line_number":55,"context_line":"**reader**: It should only be used for read-only APIs and operations. Alternatively"},{"line_number":56,"context_line":"referred to as ``auditor``, this role fills an extremely popular need from operators."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"**writer**: Sometimes referred to as ``member`` or ``_member_``, it serves as the"},{"line_number":59,"context_line":"general purpose ‘do-er’ role. 
It introduces granularity between the administrator(s)"},{"line_number":60,"context_line":"and everyone else."},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_4f703ca6","line":58,"range":{"start_line":58,"start_character":39,"end_line":58,"end_character":40},"updated":"2018-03-27 17:45:10.000000000","message":"nit: Member*","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"47daf21d0f34b89ee4238e345c7f6876e385062c","unresolved":false,"context_lines":[{"line_number":83,"context_line":"currently being implemented in Keystone. More information about system-scope can be found"},{"line_number":84,"context_line":"in the `specification"},{"line_number":85,"context_line":"\u003chttp://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_,"},{"line_number":86,"context_line":"along with relevant historical context justifying the need for system-scope."},{"line_number":87,"context_line":""},{"line_number":88,"context_line":"Examples"},{"line_number":89,"context_line":"--------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_6f5ae02a","line":86,"range":{"start_line":86,"start_character":54,"end_line":86,"end_character":58},"updated":"2018-03-27 17:45:10.000000000","message":"This could be a link to bug 968696, since that contains about all the context one can possibly handle...","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"021b90752b817a6a6d3ac647ea4f845baa78b7fb","unresolved":false,"context_lines":[{"line_number":83,"context_line":"currently being implemented in Keystone. 
More information about system-scope can be found"},{"line_number":84,"context_line":"in the `specification"},{"line_number":85,"context_line":"\u003chttp://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\u003e`_,"},{"line_number":86,"context_line":"along with relevant historical context justifying the need for system-scope."},{"line_number":87,"context_line":""},{"line_number":88,"context_line":"Examples"},{"line_number":89,"context_line":"--------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_6b7714d6","line":86,"range":{"start_line":86,"start_character":54,"end_line":86,"end_character":58},"in_reply_to":"bf659307_6f5ae02a","updated":"2018-03-28 15:35:16.000000000","message":"Done","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"7dd1e90aab4aad738775a8bc1f57f1ae5258f7ae","unresolved":false,"context_lines":[{"line_number":95,"context_line":""},{"line_number":96,"context_line":"`Writer:`"},{"line_number":97,"context_line":"An example project-scoped application of this role would be creating a volume (``volume:create``)."},{"line_number":98,"context_line":"An example domain-scope application of this role would be updating a user  ``identity:update_user``)."},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"`Admin:`"},{"line_number":101,"context_line":"An example project-scoped administrator operation would be deleting a volume (``volume:delete``)."}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_52353f45","line":98,"range":{"start_line":98,"start_character":11,"end_line":98,"end_character":35},"updated":"2018-03-27 18:44:48.000000000","message":"Do we really want to go down this rabbit hole in this spec? Oslo.policy doesn\u0027t understand domain scope in the literal sense. 
As it stands today, update user is a system-scoped operation.\n\nPlus, updating a user either in a system or domain scope is really an admin operation. You could just be honest and say this role typically applies only to project scope.","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"7dd1e90aab4aad738775a8bc1f57f1ae5258f7ae","unresolved":false,"context_lines":[{"line_number":98,"context_line":"An example domain-scope application of this role would be updating a user  ``identity:update_user``)."},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"`Admin:`"},{"line_number":101,"context_line":"An example project-scoped administrator operation would be deleting a volume (``volume:delete``)."},{"line_number":102,"context_line":"An example system-scoped administrator operation would be creating an endpoint for a service"},{"line_number":103,"context_line":"(``identity:create_endpoint``)."},{"line_number":104,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_52469f7e","line":101,"updated":"2018-03-27 18:44:48.000000000","message":"I would expect a \"writer\" to be able to delete a volume. Apparently \"volume:force_delete\" is what defaults to rule:admin_api. 
Quota management is also something I might associate with a project admin.","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"6219a52a189d031396ab5f91a1faee2ba1ae7096","unresolved":false,"context_lines":[{"line_number":98,"context_line":"An example domain-scope application of this role would be updating a user  ``identity:update_user``)."},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"`Admin:`"},{"line_number":101,"context_line":"An example project-scoped administrator operation would be deleting a volume (``volume:delete``)."},{"line_number":102,"context_line":"An example system-scoped administrator operation would be creating an endpoint for a service"},{"line_number":103,"context_line":"(``identity:create_endpoint``)."},{"line_number":104,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_24960640","line":101,"in_reply_to":"bf659307_52469f7e","updated":"2018-03-29 20:23:17.000000000","message":"I go back and forth on whether we need to be supplying a list of rules for each role to help make this easier for services to implement and consume.\n\nAn alternative would be to map out each policy and include it in this spec, which doesn\u0027t seem like a good idea.","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"47daf21d0f34b89ee4238e345c7f6876e385062c","unresolved":false,"context_lines":[{"line_number":104,"context_line":""},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"The following table is neither a final nor a comprehensive list of all possible rules/polices."},{"line_number":107,"context_line":"It serves merely as a snippet of existing rules and where they may fall. 
Reviews specific to"},{"line_number":108,"context_line":"each service’s API will need to be conducted between its developers with the Keystone team to"},{"line_number":109,"context_line":"assist in the process."},{"line_number":110,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_cfbf6cf9","line":107,"updated":"2018-03-27 17:45:10.000000000","message":"nit: I\u0027d amend the second sentence with:\n\n  It serves merely as a snippet of existing rules to showcase\n  how policies, scope, and the new default roles can work\n  together to provide a richer policy experience.\n\nOr whatever wording makes sense. Only highlighting this so that people know it\u0027s an example of how we want scopes to work.","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"021b90752b817a6a6d3ac647ea4f845baa78b7fb","unresolved":false,"context_lines":[{"line_number":104,"context_line":""},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"The following table is neither a final nor a comprehensive list of all possible rules/polices."},{"line_number":107,"context_line":"It serves merely as a snippet of existing rules and where they may fall. 
Reviews specific to"},{"line_number":108,"context_line":"each service’s API will need to be conducted between its developers with the Keystone team to"},{"line_number":109,"context_line":"assist in the process."},{"line_number":110,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_8badc832","line":107,"in_reply_to":"bf659307_cfbf6cf9","updated":"2018-03-28 15:35:16.000000000","message":"Done","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"47daf21d0f34b89ee4238e345c7f6876e385062c","unresolved":false,"context_lines":[{"line_number":141,"context_line":"    \"volume:update\": \"role:writer OR role:admin\""},{"line_number":142,"context_line":"    \"volume:delete\": \"role:admin\""},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"    # scope_types \u003d (\u0027domain\u0027)"},{"line_number":145,"context_line":"    \"identity:get_user\": \"role:reader OR role:writer OR role:admin\""},{"line_number":146,"context_line":"    \"identity:update_user\": \"role:writer OR role:admin\""},{"line_number":147,"context_line":"    \"identity:create_user\": \"role:admin\""}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_af31d8a4","line":144,"range":{"start_line":144,"start_character":22,"end_line":144,"end_character":28},"updated":"2018-03-27 17:45:10.000000000","message":"we should include \u0027system\u0027 here, because it shows that system-administrators aren\u0027t losing control of this resource.","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"47daf21d0f34b89ee4238e345c7f6876e385062c","unresolved":false,"context_lines":[{"line_number":156,"context_line":"Let\u0027s assume the following role assignment 
exist:"},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"- **Bob** has role **admin** on system"},{"line_number":159,"context_line":"- **Alice** has role **admin** on the volume service"},{"line_number":160,"context_line":"- **Charlie** has role **writer** on the identity service"},{"line_number":161,"context_line":"- **Bill** has role **reader** on system"},{"line_number":162,"context_line":"- **Jane** has role **admin** on Domain Alpha"}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_af08f8d8","line":159,"range":{"start_line":159,"start_character":0,"end_line":159,"end_character":52},"updated":"2018-03-27 17:45:10.000000000","message":"I wonder if we should continue to use this in the example since we don\u0027t really go into a lot of detail on the concept of the ``service`` or a subset of the ``system``.","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"021b90752b817a6a6d3ac647ea4f845baa78b7fb","unresolved":false,"context_lines":[{"line_number":156,"context_line":"Let\u0027s assume the following role assignment exist:"},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"- **Bob** has role **admin** on system"},{"line_number":159,"context_line":"- **Alice** has role **admin** on the volume service"},{"line_number":160,"context_line":"- **Charlie** has role **writer** on the identity service"},{"line_number":161,"context_line":"- **Bill** has role **reader** on system"},{"line_number":162,"context_line":"- **Jane** has role **admin** on Domain Alpha"}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_0bcbf81d","line":159,"range":{"start_line":159,"start_character":0,"end_line":159,"end_character":52},"in_reply_to":"bf659307_af08f8d8","updated":"2018-03-28 15:35:16.000000000","message":"yanked for brevity and 
clarity","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"7dd1e90aab4aad738775a8bc1f57f1ae5258f7ae","unresolved":false,"context_lines":[{"line_number":188,"context_line":"complicated policies, but that doesn\u0027t really seem like a viable alternative at all."},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"Using implied roles. Too complicated. Why? Requires modifying the bootstrap process a lot."},{"line_number":191,"context_line":"Affects upgrade path in bad ways? What else?"},{"line_number":192,"context_line":""},{"line_number":193,"context_line":"- Keystone offers an API that allows deployers to build associations between roles. With"},{"line_number":194,"context_line":"the example roles above, using this API would make it possible for the writer role to imply"}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_4d57e403","line":191,"range":{"start_line":191,"start_character":0,"end_line":191,"end_character":44},"updated":"2018-03-27 18:44:48.000000000","message":"Seems like this is covered in the next two paragraphs?","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"021b90752b817a6a6d3ac647ea4f845baa78b7fb","unresolved":false,"context_lines":[{"line_number":188,"context_line":"complicated policies, but that doesn\u0027t really seem like a viable alternative at all."},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"Using implied roles. Too complicated. Why? Requires modifying the bootstrap process a lot."},{"line_number":191,"context_line":"Affects upgrade path in bad ways? 
What else?"},{"line_number":192,"context_line":""},{"line_number":193,"context_line":"- Keystone offers an API that allows deployers to build associations between roles. With"},{"line_number":194,"context_line":"the example roles above, using this API would make it possible for the writer role to imply"}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_4b1d70bb","line":191,"range":{"start_line":191,"start_character":0,"end_line":191,"end_character":44},"in_reply_to":"bf659307_4d57e403","updated":"2018-03-28 15:35:16.000000000","message":"Done","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"47daf21d0f34b89ee4238e345c7f6876e385062c","unresolved":false,"context_lines":[{"line_number":187,"context_line":"- We could keep things as they are and force operators to continue maintaining"},{"line_number":188,"context_line":"complicated policies, but that doesn\u0027t really seem like a viable alternative at all."},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"Using implied roles. Too complicated. Why? Requires modifying the bootstrap process a lot."},{"line_number":191,"context_line":"Affects upgrade path in bad ways? What else?"},{"line_number":192,"context_line":""},{"line_number":193,"context_line":"- Keystone offers an API that allows deployers to build associations between roles. With"},{"line_number":194,"context_line":"the example roles above, using this API would make it possible for the writer role to imply"},{"line_number":195,"context_line":"the reader role. A user with the writer role on a project would effectively be able to do"},{"line_number":196,"context_line":"all the things a reader can do via the implied role association. 
This tool is handy for"}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_cf1bec18","line":193,"range":{"start_line":190,"start_character":0,"end_line":193,"end_character":2},"updated":"2018-03-27 17:45:10.000000000","message":"Does this need to be removed?","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"021b90752b817a6a6d3ac647ea4f845baa78b7fb","unresolved":false,"context_lines":[{"line_number":187,"context_line":"- We could keep things as they are and force operators to continue maintaining"},{"line_number":188,"context_line":"complicated policies, but that doesn\u0027t really seem like a viable alternative at all."},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"Using implied roles. Too complicated. Why? Requires modifying the bootstrap process a lot."},{"line_number":191,"context_line":"Affects upgrade path in bad ways? What else?"},{"line_number":192,"context_line":""},{"line_number":193,"context_line":"- Keystone offers an API that allows deployers to build associations between roles. With"},{"line_number":194,"context_line":"the example roles above, using this API would make it possible for the writer role to imply"},{"line_number":195,"context_line":"the reader role. A user with the writer role on a project would effectively be able to do"},{"line_number":196,"context_line":"all the things a reader can do via the implied role association. This tool is handy for"}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_0b669852","line":193,"range":{"start_line":190,"start_character":0,"end_line":193,"end_character":2},"in_reply_to":"bf659307_cf1bec18","updated":"2018-03-28 15:35:16.000000000","message":"It\u0027s a separate item from the first point. \u0027Do nothing. 
Use implied roles.\u0027","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"47daf21d0f34b89ee4238e345c7f6876e385062c","unresolved":false,"context_lines":[{"line_number":219,"context_line":"Primary assignee:"},{"line_number":220,"context_line":"  Lance Bragstad lbragstad lbragstad@gmail.com"},{"line_number":221,"context_line":"  Harry Rybacki hrybacki hrybacki@redhat.com"},{"line_number":222,"context_line":"  You?"},{"line_number":223,"context_line":"  Your friends?"},{"line_number":224,"context_line":"  Your coworkers?"},{"line_number":225,"context_line":"  Interns?"},{"line_number":226,"context_line":""},{"line_number":227,"context_line":"Work Items"},{"line_number":228,"context_line":"----------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_8fd3b438","line":225,"range":{"start_line":222,"start_character":0,"end_line":225,"end_character":10},"updated":"2018-03-27 17:45:10.000000000","message":"I suppose we could remove this now, too","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"021b90752b817a6a6d3ac647ea4f845baa78b7fb","unresolved":false,"context_lines":[{"line_number":219,"context_line":"Primary assignee:"},{"line_number":220,"context_line":"  Lance Bragstad lbragstad lbragstad@gmail.com"},{"line_number":221,"context_line":"  Harry Rybacki hrybacki hrybacki@redhat.com"},{"line_number":222,"context_line":"  You?"},{"line_number":223,"context_line":"  Your friends?"},{"line_number":224,"context_line":"  Your coworkers?"},{"line_number":225,"context_line":"  Interns?"},{"line_number":226,"context_line":""},{"line_number":227,"context_line":"Work 
Items"},{"line_number":228,"context_line":"----------"}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_8b238805","line":225,"range":{"start_line":222,"start_character":0,"end_line":225,"end_character":10},"in_reply_to":"bf659307_8fd3b438","updated":"2018-03-28 15:35:16.000000000","message":"Done","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"7dd1e90aab4aad738775a8bc1f57f1ae5258f7ae","unresolved":false,"context_lines":[{"line_number":228,"context_line":"----------"},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"* Reach consensus on a basic set of default roles project developers can move"},{"line_number":231,"context_line":"  towards"},{"line_number":232,"context_line":"* Determine if this is something that needs to be implemented using a"},{"line_number":233,"context_line":"  `community goal \u003chttps://governance.openstack.org/tc/goals/\u003e`_"},{"line_number":234,"context_line":"* Set up a way to track progress (e.g. 
using launchpad bugs, community goal"}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_cd4a1454","line":231,"updated":"2018-03-27 18:44:48.000000000","message":"Is that not what this spec is doing?","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"021b90752b817a6a6d3ac647ea4f845baa78b7fb","unresolved":false,"context_lines":[{"line_number":228,"context_line":"----------"},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"* Reach consensus on a basic set of default roles project developers can move"},{"line_number":231,"context_line":"  towards"},{"line_number":232,"context_line":"* Determine if this is something that needs to be implemented using a"},{"line_number":233,"context_line":"  `community goal \u003chttps://governance.openstack.org/tc/goals/\u003e`_"},{"line_number":234,"context_line":"* Set up a way to track progress (e.g. 
using launchpad bugs, community goal"}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_eb1484a2","line":231,"in_reply_to":"bf659307_cd4a1454","updated":"2018-03-28 15:35:16.000000000","message":"Fair -- I\u0027ll remove this","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"47daf21d0f34b89ee4238e345c7f6876e385062c","unresolved":false,"context_lines":[{"line_number":236,"context_line":"* Coordinate the changes in *each* OpenStack project and assist `patrole"},{"line_number":237,"context_line":"  \u003chttps://github.com/openstack/patrole\u003e`_ with test coverage"},{"line_number":238,"context_line":"* Provide How-To documentation for deployments that still need to customize"},{"line_number":239,"context_line":"  policy"},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"Dependencies"},{"line_number":242,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_8fa174ac","line":239,"updated":"2018-03-27 17:45:10.000000000","message":"We might need some TC input here. But I wonder if we should right up a community tag for this?\n\n\nI think it might be a stretch for some services to get this done in a single release. 
A tag might be a better way to help those projects focus on the goal and assert basic roles once they have it implemented (it\u0027s also a nice way to advertise projects that adhere to the goal to operators and users).","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"7dd1e90aab4aad738775a8bc1f57f1ae5258f7ae","unresolved":false,"context_lines":[{"line_number":236,"context_line":"* Coordinate the changes in *each* OpenStack project and assist `patrole"},{"line_number":237,"context_line":"  \u003chttps://github.com/openstack/patrole\u003e`_ with test coverage"},{"line_number":238,"context_line":"* Provide How-To documentation for deployments that still need to customize"},{"line_number":239,"context_line":"  policy"},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"Dependencies"},{"line_number":242,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_ed5ef810","line":239,"in_reply_to":"bf659307_8fa174ac","updated":"2018-03-27 18:44:48.000000000","message":"What\u0027s the thing you want to assert with the tag? Uses the reader role? 
Implements policy in code?","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"6219a52a189d031396ab5f91a1faee2ba1ae7096","unresolved":false,"context_lines":[{"line_number":236,"context_line":"* Coordinate the changes in *each* OpenStack project and assist `patrole"},{"line_number":237,"context_line":"  \u003chttps://github.com/openstack/patrole\u003e`_ with test coverage"},{"line_number":238,"context_line":"* Provide How-To documentation for deployments that still need to customize"},{"line_number":239,"context_line":"  policy"},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"Dependencies"},{"line_number":242,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_e4cc8e6b","line":239,"in_reply_to":"bf659307_cb38a03e","updated":"2018-03-29 20:23:17.000000000","message":"Yeah - I guess the tag I want is assert:basic-rbac. 
The criteria for the tag would be that a service has implemented these roles as defaults for all their policies and that they test them.","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"021b90752b817a6a6d3ac647ea4f845baa78b7fb","unresolved":false,"context_lines":[{"line_number":236,"context_line":"* Coordinate the changes in *each* OpenStack project and assist `patrole"},{"line_number":237,"context_line":"  \u003chttps://github.com/openstack/patrole\u003e`_ with test coverage"},{"line_number":238,"context_line":"* Provide How-To documentation for deployments that still need to customize"},{"line_number":239,"context_line":"  policy"},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"Dependencies"},{"line_number":242,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":9,"id":"bf659307_cb38a03e","line":239,"in_reply_to":"bf659307_ed5ef810","updated":"2018-03-28 15:35:16.000000000","message":"The tag should assert that they have implemented the default roles proposed here in their respective policy files.","commit_id":"839ae7f7a380148d16ae9cb6778db14817bfac34"},{"author":{"_account_id":11904,"name":"Sean McGinnis","email":"sean.mcginnis@gmail.com","username":"SeanM"},"change_message_id":"b63640e7c109a8ecafac981d5eeaec5d774e0147","unresolved":false,"context_lines":[{"line_number":53,"context_line":"-------------"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"**reader**: It should only be used for read-only APIs and operations. 
Alternatively"},{"line_number":56,"context_line":"referred to as ``auditor``, this role fills an extremely popular need from operators."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"**writer**: Sometimes referred to as ``Member`` or ``_member_``, it serves as the"},{"line_number":59,"context_line":"general purpose ‘do-er’ role. It introduces granularity between the administrator(s)"}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_b6ef8f1c","line":56,"range":{"start_line":56,"start_character":17,"end_line":56,"end_character":24},"updated":"2018-03-31 17:02:08.000000000","message":"I prefer this name to \"reader\", partly because...","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":11904,"name":"Sean McGinnis","email":"sean.mcginnis@gmail.com","username":"SeanM"},"change_message_id":"b63640e7c109a8ecafac981d5eeaec5d774e0147","unresolved":false,"context_lines":[{"line_number":55,"context_line":"**reader**: It should only be used for read-only APIs and operations. Alternatively"},{"line_number":56,"context_line":"referred to as ``auditor``, this role fills an extremely popular need from operators."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"**writer**: Sometimes referred to as ``Member`` or ``_member_``, it serves as the"},{"line_number":59,"context_line":"general purpose ‘do-er’ role. It introduces granularity between the administrator(s)"},{"line_number":60,"context_line":"and everyone else."},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_16de7b6c","line":58,"range":{"start_line":58,"start_character":2,"end_line":58,"end_character":8},"updated":"2018-03-31 17:02:08.000000000","message":"...this seems like an odd name. I get it\u0027s read-only vs. 
the ability to modify things, but \"writing\" has a different connotation to me than \"ability to change configuration.\"","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"6a0eb0f5c217b5e40e81cf8820fb7680a6157884","unresolved":false,"context_lines":[{"line_number":55,"context_line":"**reader**: It should only be used for read-only APIs and operations. Alternatively"},{"line_number":56,"context_line":"referred to as ``auditor``, this role fills an extremely popular need from operators."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"**writer**: Sometimes referred to as ``Member`` or ``_member_``, it serves as the"},{"line_number":59,"context_line":"general purpose ‘do-er’ role. It introduces granularity between the administrator(s)"},{"line_number":60,"context_line":"and everyone else."},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_32c844a4","line":58,"range":{"start_line":58,"start_character":2,"end_line":58,"end_character":8},"in_reply_to":"bf659307_122f4088","updated":"2018-04-03 14:57:10.000000000","message":"@Zane, thank you for noting this. What would you propose? There are lots of /do nots/ without many proposed alternatives.","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"776e2ca784463dc3fd0b76d11e206894d2c65aed","unresolved":false,"context_lines":[{"line_number":55,"context_line":"**reader**: It should only be used for read-only APIs and operations. 
Alternatively"},{"line_number":56,"context_line":"referred to as ``auditor``, this role fills an extremely popular need from operators."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"**writer**: Sometimes referred to as ``Member`` or ``_member_``, it serves as the"},{"line_number":59,"context_line":"general purpose ‘do-er’ role. It introduces granularity between the administrator(s)"},{"line_number":60,"context_line":"and everyone else."},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_da533a6a","line":58,"range":{"start_line":58,"start_character":2,"end_line":58,"end_character":8},"in_reply_to":"bf659307_16de7b6c","updated":"2018-04-02 15:10:03.000000000","message":"Sean, is there an alternative you have in mind? We were thinking along the lines is *nix permissions levels here but that metaphor  breaks down with the \u0027admin\u0027 role.","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"e034cd8c36b0bd8d00e09b7e284aeb51cb10c533","unresolved":false,"context_lines":[{"line_number":55,"context_line":"**reader**: It should only be used for read-only APIs and operations. Alternatively"},{"line_number":56,"context_line":"referred to as ``auditor``, this role fills an extremely popular need from operators."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"**writer**: Sometimes referred to as ``Member`` or ``_member_``, it serves as the"},{"line_number":59,"context_line":"general purpose ‘do-er’ role. 
It introduces granularity between the administrator(s)"},{"line_number":60,"context_line":"and everyone else."},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_cf304559","line":58,"range":{"start_line":58,"start_character":2,"end_line":58,"end_character":8},"in_reply_to":"bf659307_6fa9f98d","updated":"2018-04-03 14:37:30.000000000","message":"Okay, I\u0027ll bring this up at today\u0027s meeting. I\u0027m fine with the change -- but the whole team should be on board with this. Perhaps we can start to list out areas where this language is in place and will need to be reviewed/revised.","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"6eeefe11edbca86782ec9b343c62eae35733c53a","unresolved":false,"context_lines":[{"line_number":55,"context_line":"**reader**: It should only be used for read-only APIs and operations. Alternatively"},{"line_number":56,"context_line":"referred to as ``auditor``, this role fills an extremely popular need from operators."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"**writer**: Sometimes referred to as ``Member`` or ``_member_``, it serves as the"},{"line_number":59,"context_line":"general purpose ‘do-er’ role. It introduces granularity between the administrator(s)"},{"line_number":60,"context_line":"and everyone else."},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_ba2766ca","line":58,"range":{"start_line":58,"start_character":2,"end_line":58,"end_character":8},"in_reply_to":"bf659307_9a7aa2b7","updated":"2018-04-02 15:15:20.000000000","message":"Haha, it can be. This is an easy item to bike shed on for sure. I\u0027m not opposed to operator. 
\n\nPerhaps `auditor, operator, and admin` are more intuitive?","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":11904,"name":"Sean McGinnis","email":"sean.mcginnis@gmail.com","username":"SeanM"},"change_message_id":"afe0c1f477ec12bd5af27d745a169c7fbeab277f","unresolved":false,"context_lines":[{"line_number":55,"context_line":"**reader**: It should only be used for read-only APIs and operations. Alternatively"},{"line_number":56,"context_line":"referred to as ``auditor``, this role fills an extremely popular need from operators."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"**writer**: Sometimes referred to as ``Member`` or ``_member_``, it serves as the"},{"line_number":59,"context_line":"general purpose ‘do-er’ role. It introduces granularity between the administrator(s)"},{"line_number":60,"context_line":"and everyone else."},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_da0b3a27","line":58,"range":{"start_line":58,"start_character":2,"end_line":58,"end_character":8},"in_reply_to":"bf659307_ba2766ca","updated":"2018-04-02 15:17:05.000000000","message":"Oooh, I kind of like that!","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":4257,"name":"Zane Bitter","email":"zbitter@redhat.com","username":"zaneb"},"change_message_id":"f973ee4d8737e8ab782fcc07479c3bf8c3ce728d","unresolved":false,"context_lines":[{"line_number":55,"context_line":"**reader**: It should only be used for read-only APIs and operations. Alternatively"},{"line_number":56,"context_line":"referred to as ``auditor``, this role fills an extremely popular need from operators."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"**writer**: Sometimes referred to as ``Member`` or ``_member_``, it serves as the"},{"line_number":59,"context_line":"general purpose ‘do-er’ role. 
It introduces granularity between the administrator(s)"},{"line_number":60,"context_line":"and everyone else."},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_122f4088","line":58,"range":{"start_line":58,"start_character":2,"end_line":58,"end_character":8},"in_reply_to":"bf659307_cf304559","updated":"2018-04-03 14:53:38.000000000","message":"We use the term \u0027operator\u0027 *everywhere* to refer to the operator of an OpenStack cloud (i.e. admin). It\u0027s the one word we can rely on to distinguish the people running OpenStack clouds from the people running workloads on top of OpenStack clouds.\n\nPlease please please don\u0027t use the term \u0027operator\u0027 as the Role name for an ordinary user.","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ffcf5b2f62765893f16246e8068a6f52150b06d3","unresolved":false,"context_lines":[{"line_number":55,"context_line":"**reader**: It should only be used for read-only APIs and operations. Alternatively"},{"line_number":56,"context_line":"referred to as ``auditor``, this role fills an extremely popular need from operators."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"**writer**: Sometimes referred to as ``Member`` or ``_member_``, it serves as the"},{"line_number":59,"context_line":"general purpose ‘do-er’ role. 
It introduces granularity between the administrator(s)"},{"line_number":60,"context_line":"and everyone else."},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_6fa9f98d","line":58,"range":{"start_line":58,"start_character":2,"end_line":58,"end_character":8},"in_reply_to":"bf659307_da0b3a27","updated":"2018-04-03 14:34:49.000000000","message":"Despite being consumed in this terminology for year, I don\u0027t object to changing it.\n\nJust so long as it\u0027s more intuitive than \"member\". I think either \"operator\" or \"writer\" do that. The only thing that I fear is the fact that we have used the terms \"operator\" and \"admin\" interchangeably. Not only will we have to change that moving forward, but also teach users about the change, too.","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":11904,"name":"Sean McGinnis","email":"sean.mcginnis@gmail.com","username":"SeanM"},"change_message_id":"11e1294f3065b0e6c0980903392f63c74ae2bd95","unresolved":false,"context_lines":[{"line_number":55,"context_line":"**reader**: It should only be used for read-only APIs and operations. Alternatively"},{"line_number":56,"context_line":"referred to as ``auditor``, this role fills an extremely popular need from operators."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"**writer**: Sometimes referred to as ``Member`` or ``_member_``, it serves as the"},{"line_number":59,"context_line":"general purpose ‘do-er’ role. 
It introduces granularity between the administrator(s)"},{"line_number":60,"context_line":"and everyone else."},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_9a7aa2b7","line":58,"range":{"start_line":58,"start_character":2,"end_line":58,"end_character":8},"in_reply_to":"bf659307_da533a6a","updated":"2018-04-02 15:13:08.000000000","message":"Hmm, it\u0027s a lot easier to call out what doesn\u0027t sit right than to actually come up with a better alternative. :)\n\nMaybe \"operator\"?","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":11904,"name":"Sean McGinnis","email":"sean.mcginnis@gmail.com","username":"SeanM"},"change_message_id":"b63640e7c109a8ecafac981d5eeaec5d774e0147","unresolved":false,"context_lines":[{"line_number":104,"context_line":"(``identity:create_endpoint``)."},{"line_number":105,"context_line":""},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"The following table is neither a final nor a comprehensive list of all possible rules/polices."},{"line_number":108,"context_line":"It serves merely as a snippet of existing rules and where they may fall. It serves merely as"},{"line_number":109,"context_line":"a snippet of existing rules to showcase how policies, scope, and the new default roles can work"},{"line_number":110,"context_line":"together to provide a richer policy experience. 
Reviews specific to each service’s API will need"}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_d6e32333","line":107,"range":{"start_line":107,"start_character":86,"end_line":107,"end_character":93},"updated":"2018-03-31 17:02:08.000000000","message":"policies","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"776e2ca784463dc3fd0b76d11e206894d2c65aed","unresolved":false,"context_lines":[{"line_number":104,"context_line":"(``identity:create_endpoint``)."},{"line_number":105,"context_line":""},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"The following table is neither a final nor a comprehensive list of all possible rules/polices."},{"line_number":108,"context_line":"It serves merely as a snippet of existing rules and where they may fall. It serves merely as"},{"line_number":109,"context_line":"a snippet of existing rules to showcase how policies, scope, and the new default roles can work"},{"line_number":110,"context_line":"together to provide a richer policy experience. 
Reviews specific to each service’s API will need"}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_fa9dde09","line":107,"range":{"start_line":107,"start_character":86,"end_line":107,"end_character":93},"in_reply_to":"bf659307_d6e32333","updated":"2018-04-02 15:10:03.000000000","message":"Done","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"6219a52a189d031396ab5f91a1faee2ba1ae7096","unresolved":false,"context_lines":[{"line_number":105,"context_line":""},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"The following table is neither a final nor a comprehensive list of all possible rules/polices."},{"line_number":108,"context_line":"It serves merely as a snippet of existing rules and where they may fall. It serves merely as"},{"line_number":109,"context_line":"a snippet of existing rules to showcase how policies, scope, and the new default roles can work"},{"line_number":110,"context_line":"together to provide a richer policy experience. 
Reviews specific to each service’s API will need"},{"line_number":111,"context_line":"to be conducted between its developers with the Keystone team to assist in the process."}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_44ce9ab4","line":108,"range":{"start_line":108,"start_character":0,"end_line":108,"end_character":72},"updated":"2018-03-29 20:23:17.000000000","message":"Judging by the next sentence, it looks like this can be removed.","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"776e2ca784463dc3fd0b76d11e206894d2c65aed","unresolved":false,"context_lines":[{"line_number":105,"context_line":""},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"The following table is neither a final nor a comprehensive list of all possible rules/polices."},{"line_number":108,"context_line":"It serves merely as a snippet of existing rules and where they may fall. It serves merely as"},{"line_number":109,"context_line":"a snippet of existing rules to showcase how policies, scope, and the new default roles can work"},{"line_number":110,"context_line":"together to provide a richer policy experience. 
Reviews specific to each service’s API will need"},{"line_number":111,"context_line":"to be conducted between its developers with the Keystone team to assist in the process."}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_3a98361a","line":108,"range":{"start_line":108,"start_character":0,"end_line":108,"end_character":72},"in_reply_to":"bf659307_44ce9ab4","updated":"2018-04-02 15:10:03.000000000","message":"Done","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"6219a52a189d031396ab5f91a1faee2ba1ae7096","unresolved":false,"context_lines":[{"line_number":183,"context_line":"------------"},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"- We could keep things as they are and force operators to continue maintaining"},{"line_number":186,"context_line":"complicated policies, but that doesn\u0027t really seem like a viable alternative at all."},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"- Keystone offers an API that allows deployers to build associations between roles. 
With"},{"line_number":189,"context_line":"the example roles above, using this API would make it possible for the writer role to imply"}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_0449822f","line":186,"updated":"2018-03-29 20:23:17.000000000","message":"This second line will have to be indented to line up with \"We\" on the line above in order to render properly.\n\nWe could remove this bit since \"doing nothing\" isn\u0027t a viable option (not sure why I felt compelled to put there in here originally).\n\nThen we could get rid of the list and just have this section comparing the pros and cons of using implied roles.","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"776e2ca784463dc3fd0b76d11e206894d2c65aed","unresolved":false,"context_lines":[{"line_number":183,"context_line":"------------"},{"line_number":184,"context_line":""},{"line_number":185,"context_line":"- We could keep things as they are and force operators to continue maintaining"},{"line_number":186,"context_line":"complicated policies, but that doesn\u0027t really seem like a viable alternative at all."},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"- Keystone offers an API that allows deployers to build associations between roles. With"},{"line_number":189,"context_line":"the example roles above, using this API would make it possible for the writer role to imply"}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_5af64a65","line":186,"in_reply_to":"bf659307_0449822f","updated":"2018-04-02 15:10:03.000000000","message":"Good call. 
Although doing nothing is an alternative I think maintaining it doesn\u0027t serve a valid purpose.","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"6219a52a189d031396ab5f91a1faee2ba1ae7096","unresolved":false,"context_lines":[{"line_number":186,"context_line":"complicated policies, but that doesn\u0027t really seem like a viable alternative at all."},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"- Keystone offers an API that allows deployers to build associations between roles. With"},{"line_number":189,"context_line":"the example roles above, using this API would make it possible for the writer role to imply"},{"line_number":190,"context_line":"the reader role. A user with the writer role on a project would effectively be able to do"},{"line_number":191,"context_line":"all the things a reader can do via the implied role association. This tool is handy for"},{"line_number":192,"context_line":"managing large sets of roles. Instead of requiring a user to have dozens of role assignments,"}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_a451b6db","line":189,"updated":"2018-03-29 20:23:17.000000000","message":"Same comment here about indentation.","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"776e2ca784463dc3fd0b76d11e206894d2c65aed","unresolved":false,"context_lines":[{"line_number":186,"context_line":"complicated policies, but that doesn\u0027t really seem like a viable alternative at all."},{"line_number":187,"context_line":""},{"line_number":188,"context_line":"- Keystone offers an API that allows deployers to build associations between roles. 
With"},{"line_number":189,"context_line":"the example roles above, using this API would make it possible for the writer role to imply"},{"line_number":190,"context_line":"the reader role. A user with the writer role on a project would effectively be able to do"},{"line_number":191,"context_line":"all the things a reader can do via the implied role association. This tool is handy for"},{"line_number":192,"context_line":"managing large sets of roles. Instead of requiring a user to have dozens of role assignments,"}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_9ade22d8","line":189,"in_reply_to":"bf659307_a451b6db","updated":"2018-04-02 15:10:03.000000000","message":"Done","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"6219a52a189d031396ab5f91a1faee2ba1ae7096","unresolved":false,"context_lines":[{"line_number":212,"context_line":"work across a team of people who understand the change makes sense."},{"line_number":213,"context_line":""},{"line_number":214,"context_line":"Primary assignee:"},{"line_number":215,"context_line":"  Lance Bragstad lbragstad lbragstad@gmail.com"},{"line_number":216,"context_line":"  Harry Rybacki hrybacki hrybacki@redhat.com"},{"line_number":217,"context_line":""},{"line_number":218,"context_line":"Work Items"}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_642f1e3f","line":215,"updated":"2018-03-29 20:23:17.000000000","message":"We\u0027ll need a newline after Primary assignee: in order for this to render as a list:\n\n  Primary assignee:\n\n    - name 1\n    - name 2","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"776e2ca784463dc3fd0b76d11e206894d2c65aed","unresolved":false,"context_lines":[{"line_number":212,"context_line":"work 
across a team of people who understand the change makes sense."},{"line_number":213,"context_line":""},{"line_number":214,"context_line":"Primary assignee:"},{"line_number":215,"context_line":"  Lance Bragstad lbragstad lbragstad@gmail.com"},{"line_number":216,"context_line":"  Harry Rybacki hrybacki hrybacki@redhat.com"},{"line_number":217,"context_line":""},{"line_number":218,"context_line":"Work Items"}],"source_content_type":"text/x-rst","patch_set":11,"id":"bf659307_3af35676","line":215,"in_reply_to":"bf659307_642f1e3f","updated":"2018-04-02 15:10:03.000000000","message":"Done","commit_id":"e23cc60d954f8ad3ec11f41dc437628ff4a0ca1e"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"a7a869db6d129c1fa642d25d6721c3dca063258d","unresolved":false,"context_lines":[{"line_number":70,"context_line":"Scope Type (Refresher)"},{"line_number":71,"context_line":"-------------"},{"line_number":72,"context_line":""},{"line_number":73,"context_line":"**project-scope**: Project-scope express relates to authorization for operating in a"},{"line_number":74,"context_line":"specific tenancy of the cloud."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"**domain-scope**: Domain-scope relates to authorization for operating at a domain-level,"}],"source_content_type":"text/x-rst","patch_set":12,"id":"bf659307_d9a476a8","line":73,"updated":"2018-05-21 17:28:43.000000000","message":"Did we want to include user-scope? 
(ducks)","commit_id":"dc903ee12112d673ec915543f2f319f6eac2f885"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"50b6b4bef4a29b6a89d942665df40ceb8b48c1b2","unresolved":false,"context_lines":[{"line_number":75,"context_line":""},{"line_number":76,"context_line":"**domain-scope**: Domain-scope relates to authorization for operating at a domain-level,"},{"line_number":77,"context_line":"above that of the user and projects contained therein (typically as a domain-level"},{"line_number":78,"context_line":"administrator)."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"**system-scope**: System-scope relates to authorization for operating with APIs that"},{"line_number":81,"context_line":"do not fall nicely into concepts of either Domain or Project scope. It is **not**"}],"source_content_type":"text/x-rst","patch_set":12,"id":"bf659307_58129db6","line":78,"updated":"2018-04-04 15:19:09.000000000","message":"Oh - this one could be removed too. It might be easier to keep MVP just project and system scope for now. 
Once we find out how we want to communicate \"domain\" scope, we can write something up specific to that work.","commit_id":"dc903ee12112d673ec915543f2f319f6eac2f885"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"0b8df3a2951f20d42f8c3d71018a7e16232b2d5e","unresolved":false,"context_lines":[{"line_number":75,"context_line":""},{"line_number":76,"context_line":"**domain-scope**: Domain-scope relates to authorization for operating at a domain-level,"},{"line_number":77,"context_line":"above that of the user and projects contained therein (typically as a domain-level"},{"line_number":78,"context_line":"administrator)."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"**system-scope**: System-scope relates to authorization for operating with APIs that"},{"line_number":81,"context_line":"do not fall nicely into concepts of either Domain or Project scope. It is **not**"}],"source_content_type":"text/x-rst","patch_set":12,"id":"bf659307_58937d01","line":78,"in_reply_to":"bf659307_58129db6","updated":"2018-04-04 15:25:55.000000000","message":"Agreed. Colleen made a very good point. 
Removed.","commit_id":"dc903ee12112d673ec915543f2f319f6eac2f885"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"91b582ff82d3ad6ae4e3643fec2a40e5693c5592","unresolved":false,"context_lines":[{"line_number":118,"context_line":"|             |                           | * volume:create             | * volume:create             |"},{"line_number":119,"context_line":"|             |                           | * volume:update             | * volume:update             |"},{"line_number":120,"context_line":"|             |                           |                             | * volume:delete             |"},{"line_number":121,"context_line":"+-------------+---------------------------+-----------------------------+-----------------------------+"},{"line_number":122,"context_line":"| **Domain**  | * identity:get_user       | * identity:get_user         | * identity:get_user         |"},{"line_number":123,"context_line":"|             |                           | * identity:update_user      | * identity:update_user      |"},{"line_number":124,"context_line":"|             |                           |                             | * identity:create_user      |"},{"line_number":125,"context_line":"|             |                           |                             | * identity:delete_user      |"},{"line_number":126,"context_line":"+-------------+---------------------------+-----------------------------+-----------------------------+"},{"line_number":127,"context_line":"| **System**  | * identity:list_endpoints | * identity:list_endpoints   | * identity:list_endpoints   |"},{"line_number":128,"context_line":"|             | * identity:get_endpoint   | * identity:get_endpoint     | * identity:get_endpoint     |"},{"line_number":129,"context_line":"|             |                           | * identity:update_endpoint  | * identity:update_endpoint  
|"}],"source_content_type":"text/x-rst","patch_set":12,"id":"bf659307_f8f4d189","line":126,"range":{"start_line":121,"start_character":0,"end_line":126,"end_character":103},"updated":"2018-04-04 15:18:00.000000000","message":"Per Colleen\u0027s concern, we should remove these bits. All-in-all it will be a good thing because it will simplify the document a bit and really focus on project-scope and system-scope.","commit_id":"dc903ee12112d673ec915543f2f319f6eac2f885"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"0b8df3a2951f20d42f8c3d71018a7e16232b2d5e","unresolved":false,"context_lines":[{"line_number":118,"context_line":"|             |                           | * volume:create             | * volume:create             |"},{"line_number":119,"context_line":"|             |                           | * volume:update             | * volume:update             |"},{"line_number":120,"context_line":"|             |                           |                             | * volume:delete             |"},{"line_number":121,"context_line":"+-------------+---------------------------+-----------------------------+-----------------------------+"},{"line_number":122,"context_line":"| **Domain**  | * identity:get_user       | * identity:get_user         | * identity:get_user         |"},{"line_number":123,"context_line":"|             |                           | * identity:update_user      | * identity:update_user      |"},{"line_number":124,"context_line":"|             |                           |                             | * identity:create_user      |"},{"line_number":125,"context_line":"|             |                           |                             | * identity:delete_user      |"},{"line_number":126,"context_line":"+-------------+---------------------------+-----------------------------+-----------------------------+"},{"line_number":127,"context_line":"| **System**  | * 
identity:list_endpoints | * identity:list_endpoints   | * identity:list_endpoints   |"},{"line_number":128,"context_line":"|             | * identity:get_endpoint   | * identity:get_endpoint     | * identity:get_endpoint     |"},{"line_number":129,"context_line":"|             |                           | * identity:update_endpoint  | * identity:update_endpoint  |"}],"source_content_type":"text/x-rst","patch_set":12,"id":"bf659307_7898c11a","line":126,"range":{"start_line":121,"start_character":0,"end_line":126,"end_character":103},"in_reply_to":"bf659307_f8f4d189","updated":"2018-04-04 15:25:55.000000000","message":"Done","commit_id":"dc903ee12112d673ec915543f2f319f6eac2f885"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"91b582ff82d3ad6ae4e3643fec2a40e5693c5592","unresolved":false,"context_lines":[{"line_number":158,"context_line":"Let\u0027s assume the following role assignment exist:"},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"- **Alice** has role **admin** on system"},{"line_number":161,"context_line":"- **Charlie** has role **writer** on the identity service"},{"line_number":162,"context_line":"- **Bill** has role **reader** on system"},{"line_number":163,"context_line":"- **Jane** has role **admin** on Domain Alpha"},{"line_number":164,"context_line":"- **Steve** has role **reader** on Project Beta"}],"source_content_type":"text/x-rst","patch_set":12,"id":"bf659307_b8d5f9e7","line":161,"range":{"start_line":161,"start_character":0,"end_line":161,"end_character":57},"updated":"2018-04-04 15:18:00.000000000","message":"Since we don\u0027t really have a concept of breaking the system into smaller services in keystone, yet, we can remove this.","commit_id":"dc903ee12112d673ec915543f2f319f6eac2f885"},{"author":{"_account_id":11589,"name":"Harry 
Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"0b8df3a2951f20d42f8c3d71018a7e16232b2d5e","unresolved":false,"context_lines":[{"line_number":158,"context_line":"Let\u0027s assume the following role assignment exist:"},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"- **Alice** has role **admin** on system"},{"line_number":161,"context_line":"- **Charlie** has role **writer** on the identity service"},{"line_number":162,"context_line":"- **Bill** has role **reader** on system"},{"line_number":163,"context_line":"- **Jane** has role **admin** on Domain Alpha"},{"line_number":164,"context_line":"- **Steve** has role **reader** on Project Beta"}],"source_content_type":"text/x-rst","patch_set":12,"id":"bf659307_38a2494d","line":161,"range":{"start_line":161,"start_character":0,"end_line":161,"end_character":57},"in_reply_to":"bf659307_b8d5f9e7","updated":"2018-04-04 15:25:55.000000000","message":"Done","commit_id":"dc903ee12112d673ec915543f2f319f6eac2f885"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"99c5dbdfdf36af28e7495d40bc97d82f71e81f2d","unresolved":false,"context_lines":[{"line_number":47,"context_line":"operators in ways that are consistent with changing configuration options."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"This specification proposes that each service interested in offering basic RBAC,"},{"line_number":50,"context_line":"implement the following default roles."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"Default Roles"},{"line_number":53,"context_line":"-------------"}],"source_content_type":"text/x-rst","patch_set":13,"id":"bf659307_3e44711b","line":50,"range":{"start_line":50,"start_character":0,"end_line":50,"end_character":9},"updated":"2018-04-04 16:31:46.000000000","message":"nit: incorporate the following default roles into the service\u0027s 
default policies.","commit_id":"55315cde3c1a4e59ff2ba613b1dc3894ba61187f"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"a714833926bbd67e1d98c74d5a4d9ff114b292ec","unresolved":false,"context_lines":[{"line_number":47,"context_line":"operators in ways that are consistent with changing configuration options."},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"This specification proposes that each service interested in offering basic RBAC,"},{"line_number":50,"context_line":"implement the following default roles."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"Default Roles"},{"line_number":53,"context_line":"-------------"}],"source_content_type":"text/x-rst","patch_set":13,"id":"bf659307_c14318af","line":50,"range":{"start_line":50,"start_character":0,"end_line":50,"end_character":9},"in_reply_to":"bf659307_3e44711b","updated":"2018-04-05 14:28:05.000000000","message":"Done","commit_id":"55315cde3c1a4e59ff2ba613b1dc3894ba61187f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"99c5dbdfdf36af28e7495d40bc97d82f71e81f2d","unresolved":false,"context_lines":[{"line_number":142,"context_line":""},{"line_number":143,"context_line":"Let\u0027s assume the following role assignment exist:"},{"line_number":144,"context_line":""},{"line_number":145,"context_line":"- **Alice** has role **admin** on system"},{"line_number":146,"context_line":"- **Bill** has role **auditor** on system"},{"line_number":147,"context_line":"- **Jane** has role **admin** on Domain Alpha"},{"line_number":148,"context_line":"- **Steve** has role **auditor** on Project Beta"}],"source_content_type":"text/x-rst","patch_set":13,"id":"bf659307_9e001dae","line":145,"updated":"2018-04-04 16:31:46.000000000","message":"We could include:\n\n  - **Bob** has role **member** on the 
system","commit_id":"55315cde3c1a4e59ff2ba613b1dc3894ba61187f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"99c5dbdfdf36af28e7495d40bc97d82f71e81f2d","unresolved":false,"context_lines":[{"line_number":144,"context_line":""},{"line_number":145,"context_line":"- **Alice** has role **admin** on system"},{"line_number":146,"context_line":"- **Bill** has role **auditor** on system"},{"line_number":147,"context_line":"- **Jane** has role **admin** on Domain Alpha"},{"line_number":148,"context_line":"- **Steve** has role **auditor** on Project Beta"},{"line_number":149,"context_line":""},{"line_number":150,"context_line":"Given the above assignments and policies, the following would be possible:"}],"source_content_type":"text/x-rst","patch_set":13,"id":"bf659307_5e2cc549","line":147,"updated":"2018-04-04 16:31:46.000000000","message":"I missed this in the last revision, but we should remove the reference to Domain Alpha since we concluded that domain is out of scope of this specification.\n\nWe could also include:\n\n  - **Christine** has role **member** on Project Beta","commit_id":"55315cde3c1a4e59ff2ba613b1dc3894ba61187f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"99c5dbdfdf36af28e7495d40bc97d82f71e81f2d","unresolved":false,"context_lines":[{"line_number":153,"context_line":"users with his system scope."},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"**Bill** can list endpoints. He cannot manage users or instances."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"**Jane** can manage users within her domain. She can also manage volumes on projects underneath"},{"line_number":158,"context_line":"Domain Alpha. 
She cannot manage endpoints or create users outside of Domain Alpha."},{"line_number":159,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"bf659307_1edbad4f","line":156,"updated":"2018-04-04 16:31:46.000000000","message":"nit:\n\n  **Bob** can retrieve specific endpoints, list them, and update them. Bob cannot create new endpoints, or delete existing ones. Bob cannot do any project specific operations since his authorization is limited to the deployment system.","commit_id":"55315cde3c1a4e59ff2ba613b1dc3894ba61187f"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"a714833926bbd67e1d98c74d5a4d9ff114b292ec","unresolved":false,"context_lines":[{"line_number":153,"context_line":"users with his system scope."},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"**Bill** can list endpoints. He cannot manage users or instances."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"**Jane** can manage users within her domain. She can also manage volumes on projects underneath"},{"line_number":158,"context_line":"Domain Alpha. She cannot manage endpoints or create users outside of Domain Alpha."},{"line_number":159,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"bf659307_8c879762","line":156,"in_reply_to":"bf659307_1edbad4f","updated":"2018-04-05 14:28:05.000000000","message":"\u003e nit:\n \u003e \n \u003e **Bob** can retrieve specific endpoints, list them, and update\n \u003e them. Bob cannot create new endpoints, or delete existing ones. 
Bob\n \u003e cannot do any project specific operations since his authorization\n \u003e is limited to the deployment system.","commit_id":"55315cde3c1a4e59ff2ba613b1dc3894ba61187f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"99c5dbdfdf36af28e7495d40bc97d82f71e81f2d","unresolved":false,"context_lines":[{"line_number":156,"context_line":""},{"line_number":157,"context_line":"**Jane** can manage users within her domain. She can also manage volumes on projects underneath"},{"line_number":158,"context_line":"Domain Alpha. She cannot manage endpoints or create users outside of Domain Alpha."},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"**Steve** can list instances and users in Project Beta. He cannot manage users"},{"line_number":161,"context_line":"or volumes at all and he cannot do any system-level operations."},{"line_number":162,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"bf659307_5eba85e1","line":159,"updated":"2018-04-04 16:31:46.000000000","message":"nit:\n\n  - **Chistine** can list volumes, create new volumes, and get details about a specific volume. She cannot delete volumes from the project. She also cannot perform any system specific policies since her authorization is only on a single project.","commit_id":"55315cde3c1a4e59ff2ba613b1dc3894ba61187f"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"a714833926bbd67e1d98c74d5a4d9ff114b292ec","unresolved":false,"context_lines":[{"line_number":156,"context_line":""},{"line_number":157,"context_line":"**Jane** can manage users within her domain. She can also manage volumes on projects underneath"},{"line_number":158,"context_line":"Domain Alpha. 
She cannot manage endpoints or create users outside of Domain Alpha."},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"**Steve** can list instances and users in Project Beta. He cannot manage users"},{"line_number":161,"context_line":"or volumes at all and he cannot do any system-level operations."},{"line_number":162,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"bf659307_2c976b3d","line":159,"in_reply_to":"bf659307_5eba85e1","updated":"2018-04-05 14:28:05.000000000","message":"\u003e nit:\n \u003e \n \u003e - **Chistine** can list volumes, create new volumes, and get\n \u003e details about a specific volume. She cannot delete volumes from the\n \u003e project. She also cannot perform any system specific policies since\n \u003e her authorization is only on a single project.","commit_id":"55315cde3c1a4e59ff2ba613b1dc3894ba61187f"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"bd7e64705120f69c5fecb654bbb38c187d6f9347","unresolved":false,"context_lines":[{"line_number":53,"context_line":"-------------"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"**auditor**: It should only be used for read-only APIs and operations. Alternatively"},{"line_number":56,"context_line":"referred to as ``reader``, this role fills an extremely popular need from operators."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"**member**: serves as the"},{"line_number":59,"context_line":"general purpose ‘do-er’ role. 
It introduces granularity between the administrator(s)"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_521114ac","line":56,"updated":"2018-04-04 20:05:47.000000000","message":"++","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"bd7e64705120f69c5fecb654bbb38c187d6f9347","unresolved":false,"context_lines":[{"line_number":65,"context_line":"The desired outcome of implementing the roles above is that projects should"},{"line_number":66,"context_line":"start moving away from the practice of hardcoding operations to specific role"},{"line_number":67,"context_line":"names. Instead, each policy should have a reasonable default that can be"},{"line_number":68,"context_line":"overridden by operators."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Scope Type (Refresher)"},{"line_number":71,"context_line":"-------------"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_4d81794a","line":68,"updated":"2018-04-04 20:05:47.000000000","message":"If auditor/member/admin are the default roles, does that mean that operators no longer create and define roles themselves? The thing that\u0027s confusing to me is how you can have an \"auditor\" role where it only means \"auditor/reader\" if you, the operator, make sure you only place read-only APIs in the role. If you put write APIs in the role, then the name \"auditor\" no longer reflects what it does. Is the purpose of the default roles simply to guide operators on what they probably should do for role creation and definition?\n\nI keep thinking, I\u0027m not sure what the default roles give us if they can\u0027t inherently represent their names (that is, whether their names make sense depends on what APIs get assigned to each of them by the operator). 
It would seem more straightforward to me if operators create/define roles and select what APIs go in each role. Is that considered too open-ended?","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"a714833926bbd67e1d98c74d5a4d9ff114b292ec","unresolved":false,"context_lines":[{"line_number":65,"context_line":"The desired outcome of implementing the roles above is that projects should"},{"line_number":66,"context_line":"start moving away from the practice of hardcoding operations to specific role"},{"line_number":67,"context_line":"names. Instead, each policy should have a reasonable default that can be"},{"line_number":68,"context_line":"overridden by operators."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Scope Type (Refresher)"},{"line_number":71,"context_line":"-------------"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_7168c520","line":68,"in_reply_to":"bf659307_4d81794a","updated":"2018-04-05 14:28:05.000000000","message":"Very good questions -- please help me make the answers more clear/obvious in this spec (it can be tough after reading/revising something so many times)\n\nThe spec doesn\u0027t intend to limit operators ability to create and define roles. Rather, its intent is to lay the groundwork for some commonly accepted roles with intuitive names.\n\nWe aim to target a few services e.g. Keystone and Barbican, and audit their APIs together to determine which of these default roles should be applied to which endpoints. Again, the goal is to provide a solid `foundation` for deployments.\n\nAs noted above, many users have been asking explicitly for a read-only-role to limit users/accounts tied to auditing. 
Obviously there are many other use cases -- but this is one we\u0027ve been fielding requests from for many releases.\n\nOnce these basic roles have been tested by developers and operators alike (and inevitable kinks have been ironed out_ these defaults we have in /policy files/ can be moved into /policy-in-code/.\n\nCould deployments do this on their own? Yes. And we have examples of them doing so. However the ask for something from the upstream community that has been tested and \u0027accepted\u0027 by our community has not gone away. By implementing this spec, we will be answering our consumers\u0027 requests, get various projects to start thinking about what this means and how it affects them, and begin building the scaffolding for OpenStack wide default role discussion.","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"b919d56a67573b479d48572f11bc8265ce3a2351","unresolved":false,"context_lines":[{"line_number":65,"context_line":"The desired outcome of implementing the roles above is that projects should"},{"line_number":66,"context_line":"start moving away from the practice of hardcoding operations to specific role"},{"line_number":67,"context_line":"names. Instead, each policy should have a reasonable default that can be"},{"line_number":68,"context_line":"overridden by operators."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Scope Type (Refresher)"},{"line_number":71,"context_line":"-------------"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_7409932f","line":68,"in_reply_to":"bf659307_7168c520","updated":"2018-04-05 15:09:05.000000000","message":"I think the tldr is that we want to be able to have `keystone-manage bootstrap` create these roles out of the box (keystone problem), and then to have them mean the same thing across all projects (cross-project problem). 
This spec is about getting all the projects on the same page about what name the role should have and what it should mean in everyone\u0027s policy definitions.","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"5032deb244c40153bda20b52570788031c31b711","unresolved":false,"context_lines":[{"line_number":65,"context_line":"The desired outcome of implementing the roles above is that projects should"},{"line_number":66,"context_line":"start moving away from the practice of hardcoding operations to specific role"},{"line_number":67,"context_line":"names. Instead, each policy should have a reasonable default that can be"},{"line_number":68,"context_line":"overridden by operators."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Scope Type (Refresher)"},{"line_number":71,"context_line":"-------------"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_3b68e6b8","line":68,"in_reply_to":"bf659307_7409932f","updated":"2018-04-05 18:32:11.000000000","message":"+1 @Colleen","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"ae59c65c405992b94fc99154bf4ae06fcc7d7a37","unresolved":false,"context_lines":[{"line_number":65,"context_line":"The desired outcome of implementing the roles above is that projects should"},{"line_number":66,"context_line":"start moving away from the practice of hardcoding operations to specific role"},{"line_number":67,"context_line":"names. 
Instead, each policy should have a reasonable default that can be"},{"line_number":68,"context_line":"overridden by operators."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Scope Type (Refresher)"},{"line_number":71,"context_line":"-------------"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_0006d121","line":68,"in_reply_to":"bf659307_7409932f","updated":"2018-04-05 18:36:51.000000000","message":"Okay, I think Colleen highlighted what I\u0027m asking. \u0027keystone-manage bootstrap\u0027 will create these roles for you and pre-populate them with the appropriate APIs from each component (nova/glance/cinder/?). That makes sense to me.\n\nThen, if operators choose to use the canned roles, that\u0027s cool. If they want to create their own custom roles and use them, that\u0027s cool. Sounds good to me.","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"bd7e64705120f69c5fecb654bbb38c187d6f9347","unresolved":false,"context_lines":[{"line_number":66,"context_line":"start moving away from the practice of hardcoding operations to specific role"},{"line_number":67,"context_line":"names. Instead, each policy should have a reasonable default that can be"},{"line_number":68,"context_line":"overridden by operators."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Scope Type (Refresher)"},{"line_number":71,"context_line":"-------------"},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_2d3f6588","line":69,"updated":"2018-04-04 20:05:47.000000000","message":"Another role I\u0027m familiar with is something like \"on behalf of\" where there is a headless user that is allowed to perform actions on behalf of users like creating a volume for them, for example. 
Has there been anything thinking about something like that and do keystone tokens have any way of representing or otherwise logging both the user who authed (headless user) *and* the project/user the resource has been created for and will be owned by such that the owner can act upon the resource as well?","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"297e31e0a810aaab885dff4afd6c688bd79f07a5","unresolved":false,"context_lines":[{"line_number":66,"context_line":"start moving away from the practice of hardcoding operations to specific role"},{"line_number":67,"context_line":"names. Instead, each policy should have a reasonable default that can be"},{"line_number":68,"context_line":"overridden by operators."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Scope Type (Refresher)"},{"line_number":71,"context_line":"-------------"},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_f4d60328","line":69,"in_reply_to":"bf659307_114e29c1","updated":"2018-04-05 15:03:47.000000000","message":"I think this was a requirement from the folks at Oath. If I remember conversations from Dublin correctly, they wanted to be able to create instances \"on behalf of a user\". I think they actually have some software that sits in front of nova that pulls project IDs out of meta data in boot requests to provide something like this.\n\nThis brought up a slew of interesting discussions in Dublin and it seemed to depend on if you were in private cloud environments versus public cloud. In public cloud, it\u0027s more common to just give users authorization and then you, as the system/cloud administrator are very hands off. In private cloud deployments, it\u0027s not uncommon to see system administrators do things on behalf of their users. 
Specifically for support reasons.\n\nThe tricky part about providing an \"on-behalf-of\" token from keystone is tracking the audit logs. The discussion started to slow down when we approached the auditability hurdle (how we know we\u0027re tracking audit logs when we\u0027re giving someone the ability to do things without direct authorization on a resource).\n\nThere was also a lot of concern around reinventing the issues in bug 968696 with a feature like that. A possible workaround though, is to have the system administrator grant themselves authorization on the project, do what they need to, then remove the authorization when they\u0027re done. This maintains the same auditability we have today without re-introducing the security concern we\u0027re trying to fix.\n\nCertainly some things to think about here.","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"b919d56a67573b479d48572f11bc8265ce3a2351","unresolved":false,"context_lines":[{"line_number":66,"context_line":"start moving away from the practice of hardcoding operations to specific role"},{"line_number":67,"context_line":"names. 
Instead, each policy should have a reasonable default that can be"},{"line_number":68,"context_line":"overridden by operators."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Scope Type (Refresher)"},{"line_number":71,"context_line":"-------------"},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_f4f36372","line":69,"in_reply_to":"bf659307_114e29c1","updated":"2018-04-05 15:09:05.000000000","message":"Responding since I see my name, but I don\u0027t think Melanie\u0027s question has to do with application credentials.\n\nThe \"on behalf of\" token header idea has been floated as a way to deal with the use case you describe, but we\u0027ve mostly shot it down in favor of requiring explicitly requiring users to scope to the project they need to operate on. To make that easier in cases where, for example, an admin wants to clean up volumes in many different projects, we\u0027d like to make improvements on our hierarchical project bootstrapping. But that\u0027s not within scope for this spec.","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"a714833926bbd67e1d98c74d5a4d9ff114b292ec","unresolved":false,"context_lines":[{"line_number":66,"context_line":"start moving away from the practice of hardcoding operations to specific role"},{"line_number":67,"context_line":"names. 
Instead, each policy should have a reasonable default that can be"},{"line_number":68,"context_line":"overridden by operators."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Scope Type (Refresher)"},{"line_number":71,"context_line":"-------------"},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_114e29c1","line":69,"in_reply_to":"bf659307_2d3f6588","updated":"2018-04-05 14:28:05.000000000","message":"I may be misreading your overarching question but -- I believe what you are referring to may be handled by Application Credentials[1]. Colleen Murphy would be best to ask specifics there.\n\n[1] - https://docs.openstack.org/keystone/latest/user/application_credentials.html","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"733dba172b23cada038d359cacf91ff9fa0f7506","unresolved":false,"context_lines":[{"line_number":66,"context_line":"start moving away from the practice of hardcoding operations to specific role"},{"line_number":67,"context_line":"names. Instead, each policy should have a reasonable default that can be"},{"line_number":68,"context_line":"overridden by operators."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Scope Type (Refresher)"},{"line_number":71,"context_line":"-------------"},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_1703720f","line":69,"in_reply_to":"bf659307_3476b440","updated":"2018-04-05 21:38:51.000000000","message":"To be clear, I wasn\u0027t trying to highlight anything to warn about. For whatever reason, when I read this spec the first time I was thinking that the roles \"auditor\", \"member\", and \"admin\" were going to be provided *empty* and that operators would have to fill them out. 
And I was thinking, what if they do that wrong and the names don\u0027t make sense anymore? But I think that was just me thinking weirdly. Both the role and the containing APIs will be provided, so things are good-to-go from the start.\n\nAnd when I mentioned custom roles, I was just thinking I\u0027m sure operators will have things like, their idea of \"member\" might be more restricted (contain fewer APIs), for example, than the canned role. And in that case they might create their own custom role and use it in-place of the canned role. I wasn\u0027t trying to suggest any conflict between canned roles and custom roles.","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"445a45cf7bcd5cced80df736aff7a6fb404c8b0f","unresolved":false,"context_lines":[{"line_number":66,"context_line":"start moving away from the practice of hardcoding operations to specific role"},{"line_number":67,"context_line":"names. Instead, each policy should have a reasonable default that can be"},{"line_number":68,"context_line":"overridden by operators."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Scope Type (Refresher)"},{"line_number":71,"context_line":"-------------"},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_3476b440","line":69,"in_reply_to":"bf659307_5baa7ad2","updated":"2018-04-05 21:09:56.000000000","message":"Hmm - that\u0027s a good point. If resources are tracked by the *user* and not the project, then I can totally see where having a system administrator come and do drive-bys would be problematic.\n\nI guess I was making an assumption (and probably a wrong one), that resource were only tracked by project ID, instead of a user/project pair (which is probably more correct). 
I might be under that impression because we currently don\u0027t support per-user resources in a generic way...\n\nI do think that Melanie brings up a good point in that we *are* supplying the defaults and projects can chose to map their existing policies to them, but mileage can totally vary. It\u0027ll ultimately depend on the service implementing the defaults and the custom policies a deployment already supports. I wouldn\u0027t be opposed to including a big red sticker somewhere in this specification that says _if_ a deployment is using the defaults _and_ their custom policies fall within the same ideology as the defaults we have, then things will likely work. Otherwise, it\u0027s totally possible for operators to define things to go 100% against what we trying to do here (here be dragons).","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"ae59c65c405992b94fc99154bf4ae06fcc7d7a37","unresolved":false,"context_lines":[{"line_number":66,"context_line":"start moving away from the practice of hardcoding operations to specific role"},{"line_number":67,"context_line":"names. Instead, each policy should have a reasonable default that can be"},{"line_number":68,"context_line":"overridden by operators."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Scope Type (Refresher)"},{"line_number":71,"context_line":"-------------"},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_5baa7ad2","line":69,"in_reply_to":"bf659307_f4f36372","updated":"2018-04-05 18:36:51.000000000","message":"Thanks all for the thoughts on that. 
I think the snag with something like a sysadmin granting themselves auth and creating an instance (for example) is that the instance will be created with the sysadmin\u0027s project/user instead of the project/user of the person for whom the resource has been created.\n\nLike if I, sysadmin residing in projectA/user1, want to create an instance for projectB/user2 and have the instance have project_id \u003d projectB and user_id \u003d user2. I wasn\u0027t sure if keystone already has the concept of \"I auth as admin/admin but I receive a token scoped to projectB/user2 because I have permission to do so\" so when the instance is created it will be owned by projectB/user2.\n\nSorry for the tangent in this spec. Just something I was wondering if keystone already supports as far as the credentials presented -\u003e scoped token received.","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"5032deb244c40153bda20b52570788031c31b711","unresolved":false,"context_lines":[{"line_number":66,"context_line":"start moving away from the practice of hardcoding operations to specific role"},{"line_number":67,"context_line":"names. Instead, each policy should have a reasonable default that can be"},{"line_number":68,"context_line":"overridden by operators."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Scope Type (Refresher)"},{"line_number":71,"context_line":"-------------"},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_9ba812dc","line":69,"in_reply_to":"bf659307_f4f36372","updated":"2018-04-05 18:32:11.000000000","message":"Thanks for clearing that up @Colleen. 
Apologies for the red herring!","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"bd7e64705120f69c5fecb654bbb38c187d6f9347","unresolved":false,"context_lines":[{"line_number":73,"context_line":"**project-scope**: Project-scope express relates to authorization for operating in a"},{"line_number":74,"context_line":"specific tenancy of the cloud."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"**system-scope**: System-scope relates to authorization for operating with APIs that"},{"line_number":77,"context_line":"do not fall nicely into concepts of either Domain or Project scope. It is **not**"},{"line_number":78,"context_line":"meant to cover *all* APIs across a deployment. Note that this level of scope is an effort"},{"line_number":79,"context_line":"currently being implemented in Keystone. More information about system-scope can be found"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_f26aa819","line":76,"updated":"2018-04-04 20:05:47.000000000","message":"I assume this means something like \"global-scope\" across all projects and domains for a particular API.","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"ae59c65c405992b94fc99154bf4ae06fcc7d7a37","unresolved":false,"context_lines":[{"line_number":73,"context_line":"**project-scope**: Project-scope express relates to authorization for operating in a"},{"line_number":74,"context_line":"specific tenancy of the cloud."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"**system-scope**: System-scope relates to authorization for operating with APIs that"},{"line_number":77,"context_line":"do not fall nicely into concepts of either Domain or 
Project scope. It is **not**"},{"line_number":78,"context_line":"meant to cover *all* APIs across a deployment. Note that this level of scope is an effort"},{"line_number":79,"context_line":"currently being implemented in Keystone. More information about system-scope can be found"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_3b96a696","line":76,"in_reply_to":"bf659307_d1619113","updated":"2018-04-05 18:36:51.000000000","message":"Thanks. I think this becomes clear now that I understand that the auditor, member, and admin roles will be pre-created and pre-populated by keystone-manage, so the APIs included in system-scope will intentionally not include things like \u0027volume:get_all\u0027, for example (which would mean the ability to read all volumes across a deployment).","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"a714833926bbd67e1d98c74d5a4d9ff114b292ec","unresolved":false,"context_lines":[{"line_number":73,"context_line":"**project-scope**: Project-scope express relates to authorization for operating in a"},{"line_number":74,"context_line":"specific tenancy of the cloud."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"**system-scope**: System-scope relates to authorization for operating with APIs that"},{"line_number":77,"context_line":"do not fall nicely into concepts of either Domain or Project scope. It is **not**"},{"line_number":78,"context_line":"meant to cover *all* APIs across a deployment. Note that this level of scope is an effort"},{"line_number":79,"context_line":"currently being implemented in Keystone. 
More information about system-scope can be found"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_d1619113","line":76,"in_reply_to":"bf659307_f26aa819","updated":"2018-04-05 14:28:05.000000000","message":"No, having system scope does not mean global scope or \u0027god mode\u0027 -- we have tried to make this clear as it\u0027s a common misconception. System scope /will be/* limited to actions that don\u0027t neatly tie into Domain or Project specific actions. Think of working with hypervisors. More info about this can be found here[2].\n\n[2] - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html\n\n* Presently, we don\u0027t have domain scoping as a first-class scope type. As a result, some APIs e.g. working with users, will fall into System scoping until that functionality has been implemented. Many steps in the \u0027fixing policy issues\u0027 list :) We\u0027re working on them though!","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"658756cf8c28ca4b4f18cf3a81ffff2f782f5448","unresolved":false,"context_lines":[{"line_number":159,"context_line":""},{"line_number":160,"context_line":"Given the above assignments and policies, the following would be possible:"},{"line_number":161,"context_line":""},{"line_number":162,"context_line":"**Alice** can retrieve specific endpoint or users, list them, and delete them. Alice cannot"},{"line_number":163,"context_line":"do any project specific operations since his authorization is limited to the deployment system."},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"**Bob** can retrieve specific endpoints or users, list them, and update them. 
He cannot create new"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_8d023109","line":162,"range":{"start_line":162,"start_character":66,"end_line":162,"end_character":72},"updated":"2018-04-04 19:56:31.000000000","message":"If she only has the auditor role, she shouldn\u0027t be able to do this.","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"a714833926bbd67e1d98c74d5a4d9ff114b292ec","unresolved":false,"context_lines":[{"line_number":159,"context_line":""},{"line_number":160,"context_line":"Given the above assignments and policies, the following would be possible:"},{"line_number":161,"context_line":""},{"line_number":162,"context_line":"**Alice** can retrieve specific endpoint or users, list them, and delete them. Alice cannot"},{"line_number":163,"context_line":"do any project specific operations since his authorization is limited to the deployment system."},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"**Bob** can retrieve specific endpoints or users, list them, and update them. He cannot create new"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_91447976","line":162,"range":{"start_line":162,"start_character":66,"end_line":162,"end_character":72},"in_reply_to":"bf659307_8d023109","updated":"2018-04-05 14:28:05.000000000","message":"Good call -- I flipped the order of these `admin/member/auditor` --\u003e `auditor/member/admin` to more closely align with the examples and earlier intro bits. Must have messed up my copying. 
Thanks!","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"658756cf8c28ca4b4f18cf3a81ffff2f782f5448","unresolved":false,"context_lines":[{"line_number":160,"context_line":"Given the above assignments and policies, the following would be possible:"},{"line_number":161,"context_line":""},{"line_number":162,"context_line":"**Alice** can retrieve specific endpoint or users, list them, and delete them. Alice cannot"},{"line_number":163,"context_line":"do any project specific operations since his authorization is limited to the deployment system."},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"**Bob** can retrieve specific endpoints or users, list them, and update them. He cannot create new"},{"line_number":166,"context_line":"endpoints, or delete existing ones. Bob cannot do any project specific operations since his"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_2d07651b","line":163,"range":{"start_line":163,"start_character":41,"end_line":163,"end_character":44},"updated":"2018-04-04 19:56:31.000000000","message":"her*","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"a714833926bbd67e1d98c74d5a4d9ff114b292ec","unresolved":false,"context_lines":[{"line_number":160,"context_line":"Given the above assignments and policies, the following would be possible:"},{"line_number":161,"context_line":""},{"line_number":162,"context_line":"**Alice** can retrieve specific endpoint or users, list them, and delete them. 
Alice cannot"},{"line_number":163,"context_line":"do any project specific operations since his authorization is limited to the deployment system."},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"**Bob** can retrieve specific endpoints or users, list them, and update them. He cannot create new"},{"line_number":166,"context_line":"endpoints, or delete existing ones. Bob cannot do any project specific operations since his"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_b1497d8c","line":163,"range":{"start_line":163,"start_character":41,"end_line":163,"end_character":44},"in_reply_to":"bf659307_2d07651b","updated":"2018-04-05 14:28:05.000000000","message":"Done","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"658756cf8c28ca4b4f18cf3a81ffff2f782f5448","unresolved":false,"context_lines":[{"line_number":166,"context_line":"endpoints, or delete existing ones. Bob cannot do any project specific operations since his"},{"line_number":167,"context_line":"authorization is limited to the deployment system."},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"**Charlie** can retrieve specific endpoint or users, and list them. She cannot create instances"},{"line_number":170,"context_line":"with his system scope. Charlie cannot do any project specific operations since his authorization"},{"line_number":171,"context_line":"is limited to the deployment system."},{"line_number":172,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_4d25f9aa","line":169,"range":{"start_line":169,"start_character":53,"end_line":169,"end_character":66},"updated":"2018-04-04 19:56:31.000000000","message":"and create them, right? 
Since she is the overall administrator of the entire deployment.","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"a714833926bbd67e1d98c74d5a4d9ff114b292ec","unresolved":false,"context_lines":[{"line_number":166,"context_line":"endpoints, or delete existing ones. Bob cannot do any project specific operations since his"},{"line_number":167,"context_line":"authorization is limited to the deployment system."},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"**Charlie** can retrieve specific endpoint or users, and list them. She cannot create instances"},{"line_number":170,"context_line":"with his system scope. Charlie cannot do any project specific operations since his authorization"},{"line_number":171,"context_line":"is limited to the deployment system."},{"line_number":172,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_715be553","line":169,"range":{"start_line":169,"start_character":53,"end_line":169,"end_character":66},"in_reply_to":"bf659307_4d25f9aa","updated":"2018-04-05 14:28:05.000000000","message":"Good catch!","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"658756cf8c28ca4b4f18cf3a81ffff2f782f5448","unresolved":false,"context_lines":[{"line_number":167,"context_line":"authorization is limited to the deployment system."},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"**Charlie** can retrieve specific endpoint or users, and list them. She cannot create instances"},{"line_number":170,"context_line":"with his system scope. 
Charlie cannot do any project specific operations since his authorization"},{"line_number":171,"context_line":"is limited to the deployment system."},{"line_number":172,"context_line":""},{"line_number":173,"context_line":"**Qiana** can list volumes and get details about a specific volume within Project Alpha. He cannont perform"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_6d26bdbd","line":170,"range":{"start_line":170,"start_character":79,"end_line":170,"end_character":82},"updated":"2018-04-04 19:56:31.000000000","message":"her","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"658756cf8c28ca4b4f18cf3a81ffff2f782f5448","unresolved":false,"context_lines":[{"line_number":167,"context_line":"authorization is limited to the deployment system."},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"**Charlie** can retrieve specific endpoint or users, and list them. She cannot create instances"},{"line_number":170,"context_line":"with his system scope. Charlie cannot do any project specific operations since his authorization"},{"line_number":171,"context_line":"is limited to the deployment system."},{"line_number":172,"context_line":""},{"line_number":173,"context_line":"**Qiana** can list volumes and get details about a specific volume within Project Alpha. 
He cannont perform"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_0d0e2132","line":170,"range":{"start_line":170,"start_character":5,"end_line":170,"end_character":8},"updated":"2018-04-04 19:56:31.000000000","message":"her*","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"a714833926bbd67e1d98c74d5a4d9ff114b292ec","unresolved":false,"context_lines":[{"line_number":167,"context_line":"authorization is limited to the deployment system."},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"**Charlie** can retrieve specific endpoint or users, and list them. She cannot create instances"},{"line_number":170,"context_line":"with his system scope. Charlie cannot do any project specific operations since his authorization"},{"line_number":171,"context_line":"is limited to the deployment system."},{"line_number":172,"context_line":""},{"line_number":173,"context_line":"**Qiana** can list volumes and get details about a specific volume within Project Alpha. He cannont perform"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_11586954","line":170,"range":{"start_line":170,"start_character":5,"end_line":170,"end_character":8},"in_reply_to":"bf659307_0d0e2132","updated":"2018-04-05 14:28:05.000000000","message":"Done","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"a714833926bbd67e1d98c74d5a4d9ff114b292ec","unresolved":false,"context_lines":[{"line_number":167,"context_line":"authorization is limited to the deployment system."},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"**Charlie** can retrieve specific endpoint or users, and list them. She cannot create instances"},{"line_number":170,"context_line":"with his system scope. 
Charlie cannot do any project specific operations since his authorization"},{"line_number":171,"context_line":"is limited to the deployment system."},{"line_number":172,"context_line":""},{"line_number":173,"context_line":"**Qiana** can list volumes and get details about a specific volume within Project Alpha. He cannont perform"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_31556d1e","line":170,"range":{"start_line":170,"start_character":79,"end_line":170,"end_character":82},"in_reply_to":"bf659307_6d26bdbd","updated":"2018-04-05 14:28:05.000000000","message":"Done","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"658756cf8c28ca4b4f18cf3a81ffff2f782f5448","unresolved":false,"context_lines":[{"line_number":170,"context_line":"with his system scope. Charlie cannot do any project specific operations since his authorization"},{"line_number":171,"context_line":"is limited to the deployment system."},{"line_number":172,"context_line":""},{"line_number":173,"context_line":"**Qiana** can list volumes and get details about a specific volume within Project Alpha. 
He cannont perform"},{"line_number":174,"context_line":"system specific policies since his authorization is on a single project."},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"**Rebecca** can list volumes, create new volumes, get details about a specific volume, and update a volume"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_ed3e4db8","line":173,"range":{"start_line":173,"start_character":89,"end_line":173,"end_character":91},"updated":"2018-04-04 19:56:31.000000000","message":"She*?","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"a714833926bbd67e1d98c74d5a4d9ff114b292ec","unresolved":false,"context_lines":[{"line_number":170,"context_line":"with his system scope. Charlie cannot do any project specific operations since his authorization"},{"line_number":171,"context_line":"is limited to the deployment system."},{"line_number":172,"context_line":""},{"line_number":173,"context_line":"**Qiana** can list volumes and get details about a specific volume within Project Alpha. 
He cannont perform"},{"line_number":174,"context_line":"system specific policies since his authorization is on a single project."},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"**Rebecca** can list volumes, create new volumes, get details about a specific volume, and update a volume"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_d12f51a5","line":173,"range":{"start_line":173,"start_character":89,"end_line":173,"end_character":91},"in_reply_to":"bf659307_ed3e4db8","updated":"2018-04-05 14:28:05.000000000","message":"Done","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"658756cf8c28ca4b4f18cf3a81ffff2f782f5448","unresolved":false,"context_lines":[{"line_number":171,"context_line":"is limited to the deployment system."},{"line_number":172,"context_line":""},{"line_number":173,"context_line":"**Qiana** can list volumes and get details about a specific volume within Project Alpha. He cannont perform"},{"line_number":174,"context_line":"system specific policies since his authorization is on a single project."},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"**Rebecca** can list volumes, create new volumes, get details about a specific volume, and update a volume"},{"line_number":177,"context_line":"within Project Alpha. 
She cannot perform any system specific policies since her authorization is on a"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_ad48555c","line":174,"range":{"start_line":174,"start_character":31,"end_line":174,"end_character":34},"updated":"2018-04-04 19:56:31.000000000","message":"her*?","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"a714833926bbd67e1d98c74d5a4d9ff114b292ec","unresolved":false,"context_lines":[{"line_number":171,"context_line":"is limited to the deployment system."},{"line_number":172,"context_line":""},{"line_number":173,"context_line":"**Qiana** can list volumes and get details about a specific volume within Project Alpha. He cannont perform"},{"line_number":174,"context_line":"system specific policies since his authorization is on a single project."},{"line_number":175,"context_line":""},{"line_number":176,"context_line":"**Rebecca** can list volumes, create new volumes, get details about a specific volume, and update a volume"},{"line_number":177,"context_line":"within Project Alpha. 
She cannot perform any system specific policies since her authorization is on a"}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_f134d5fd","line":174,"range":{"start_line":174,"start_character":31,"end_line":174,"end_character":34},"in_reply_to":"bf659307_ad48555c","updated":"2018-04-05 14:28:05.000000000","message":"Done","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"658756cf8c28ca4b4f18cf3a81ffff2f782f5448","unresolved":false,"context_lines":[{"line_number":178,"context_line":"single project."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"**Steve** can list volumes, create new volumes, get details about a specific volume, update a volume,"},{"line_number":181,"context_line":"and delete volumes within Project Alpha. She cannot perform any system specific policies since her"},{"line_number":182,"context_line":"authorization is on a single project."},{"line_number":183,"context_line":""},{"line_number":184,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_6d747d9d","line":181,"range":{"start_line":181,"start_character":41,"end_line":181,"end_character":44},"updated":"2018-04-04 19:56:31.000000000","message":"He*?","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"658756cf8c28ca4b4f18cf3a81ffff2f782f5448","unresolved":false,"context_lines":[{"line_number":178,"context_line":"single project."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"**Steve** can list volumes, create new volumes, get details about a specific volume, update a volume,"},{"line_number":181,"context_line":"and delete volumes within Project Alpha. 
She cannot perform any system specific policies since her"},{"line_number":182,"context_line":"authorization is on a single project."},{"line_number":183,"context_line":""},{"line_number":184,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_2d6e85c9","line":181,"range":{"start_line":181,"start_character":95,"end_line":181,"end_character":98},"updated":"2018-04-04 19:56:31.000000000","message":"his*?","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"a714833926bbd67e1d98c74d5a4d9ff114b292ec","unresolved":false,"context_lines":[{"line_number":178,"context_line":"single project."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"**Steve** can list volumes, create new volumes, get details about a specific volume, update a volume,"},{"line_number":181,"context_line":"and delete volumes within Project Alpha. 
She cannot perform any system specific policies since her"},{"line_number":182,"context_line":"authorization is on a single project."},{"line_number":183,"context_line":""},{"line_number":184,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_9139d9f3","line":181,"range":{"start_line":181,"start_character":95,"end_line":181,"end_character":98},"in_reply_to":"bf659307_2d6e85c9","updated":"2018-04-05 14:28:05.000000000","message":"Done","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"a714833926bbd67e1d98c74d5a4d9ff114b292ec","unresolved":false,"context_lines":[{"line_number":178,"context_line":"single project."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"**Steve** can list volumes, create new volumes, get details about a specific volume, update a volume,"},{"line_number":181,"context_line":"and delete volumes within Project Alpha. She cannot perform any system specific policies since her"},{"line_number":182,"context_line":"authorization is on a single project."},{"line_number":183,"context_line":""},{"line_number":184,"context_line":""}],"source_content_type":"text/x-rst","patch_set":14,"id":"bf659307_b13e5dd8","line":181,"range":{"start_line":181,"start_character":41,"end_line":181,"end_character":44},"in_reply_to":"bf659307_6d747d9d","updated":"2018-04-05 14:28:05.000000000","message":"Done","commit_id":"2fd2dee5fdf8c699d3ce448f4fd6feb10a0563ea"},{"author":{"_account_id":4257,"name":"Zane Bitter","email":"zbitter@redhat.com","username":"zaneb"},"change_message_id":"acaa578b017afd469f37fbe43d10ce0fa6f1ca27","unresolved":false,"context_lines":[{"line_number":53,"context_line":"-------------"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"**auditor**: It should only be used for read-only APIs and operations. 
Alternatively"},{"line_number":56,"context_line":"referred to as ``reader``, this role fills an extremely popular need from operators."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"**member**: serves as the"},{"line_number":59,"context_line":"general purpose ‘do-er’ role. It introduces granularity between the administrator(s)"}],"source_content_type":"text/x-rst","patch_set":15,"id":"bf659307_ba5e1b43","line":56,"updated":"2018-04-06 18:14:13.000000000","message":"Reading a link just now that Colleen posted earlier, it occurs to me that we\u0027re missing a possible distinction that AWS makes: between someone who is allowed to simply list what resources exist, vs. someone who has full read access to them.\n\nI suspect that most projects are not set up to make a distinction (i.e. listing stuff returns quite a lot of data already in most cases), so adding a separate role for listing seem a bit overambitious, but it does make me wonder if we should use a name like \u0027viewer\u0027 for this role instead, to keep room for an even more limited-scope role in the future.","commit_id":"18419047adea96a4688a58115c8d7046c84cbfa2"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"6b9588d542618bf7c1030827343693de065de66a","unresolved":false,"context_lines":[{"line_number":53,"context_line":"-------------"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"**auditor**: It should only be used for read-only APIs and operations. Alternatively"},{"line_number":56,"context_line":"referred to as ``reader``, this role fills an extremely popular need from operators."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"**member**: serves as the"},{"line_number":59,"context_line":"general purpose ‘do-er’ role. 
It introduces granularity between the administrator(s)"}],"source_content_type":"text/x-rst","patch_set":15,"id":"bf659307_c76756b7","line":56,"in_reply_to":"bf659307_ba5e1b43","updated":"2018-04-09 15:30:25.000000000","message":"I\u0027m not sure the distinction between ``viewer`` and ``auditor`` is readily apparent. IMO using either one is fine -- but clearly documenting which one does what is of key importance.\n\nYou raise a very good point though -- I do envision more \u0027default\u0027 roles, filling more granular niches, coming in the future if this work is accepted.","commit_id":"18419047adea96a4688a58115c8d7046c84cbfa2"},{"author":{"_account_id":4257,"name":"Zane Bitter","email":"zbitter@redhat.com","username":"zaneb"},"change_message_id":"63f18fe632297f24ce58d0421fa38e71b93d9ae5","unresolved":false,"context_lines":[{"line_number":53,"context_line":"-------------"},{"line_number":54,"context_line":""},{"line_number":55,"context_line":"**auditor**: It should only be used for read-only APIs and operations. Alternatively"},{"line_number":56,"context_line":"referred to as ``reader``, this role fills an extremely popular need from operators."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"**member**: serves as the"},{"line_number":59,"context_line":"general purpose ‘do-er’ role. It introduces granularity between the administrator(s)"}],"source_content_type":"text/x-rst","patch_set":15,"id":"bf659307_2d92b0a0","line":56,"in_reply_to":"bf659307_c76756b7","updated":"2018-04-09 18:19:29.000000000","message":"As an example, you might want an auditor to be able to get a list of how many servers there are of each flavor, so you can figure out where your money is going. But a viewer (observer?) can also see e.g. 
the server\u0027s user_data.","commit_id":"18419047adea96a4688a58115c8d7046c84cbfa2"},{"author":{"_account_id":4257,"name":"Zane Bitter","email":"zbitter@redhat.com","username":"zaneb"},"change_message_id":"acaa578b017afd469f37fbe43d10ce0fa6f1ca27","unresolved":false,"context_lines":[{"line_number":55,"context_line":"**auditor**: It should only be used for read-only APIs and operations. Alternatively"},{"line_number":56,"context_line":"referred to as ``reader``, this role fills an extremely popular need from operators."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"**member**: serves as the"},{"line_number":59,"context_line":"general purpose ‘do-er’ role. It introduces granularity between the administrator(s)"},{"line_number":60,"context_line":"and everyone else."},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"bf659307_3a19ab87","line":58,"range":{"start_line":58,"start_character":0,"end_line":58,"end_character":10},"updated":"2018-04-06 18:14:13.000000000","message":"I\u0027m glad we went back to \u0027member\u0027; since this role is typically given to members of a project team, it really does make the most sense IMO.","commit_id":"18419047adea96a4688a58115c8d7046c84cbfa2"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"6b9588d542618bf7c1030827343693de065de66a","unresolved":false,"context_lines":[{"line_number":55,"context_line":"**auditor**: It should only be used for read-only APIs and operations. Alternatively"},{"line_number":56,"context_line":"referred to as ``reader``, this role fills an extremely popular need from operators."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"**member**: serves as the"},{"line_number":59,"context_line":"general purpose ‘do-er’ role. 
It introduces granularity between the administrator(s)"},{"line_number":60,"context_line":"and everyone else."},{"line_number":61,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"bf659307_27273267","line":58,"range":{"start_line":58,"start_character":0,"end_line":58,"end_character":10},"in_reply_to":"bf659307_3a19ab87","updated":"2018-04-09 15:30:25.000000000","message":"I agree with you about member after discussing it with the Keystone team. But this is not (will not) be universally agreed upon -- it always amazes me how strongly folks feel one way or the other for a multitude of current and historical reasons.","commit_id":"18419047adea96a4688a58115c8d7046c84cbfa2"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"785a3b15afe44bd5c433fe89311cdacfb2943b9a","unresolved":false,"context_lines":[{"line_number":180,"context_line":"and delete volumes within Project Alpha. He cannot perform any system specific policies because his"},{"line_number":181,"context_line":"authorization is on a single project."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":""},{"line_number":184,"context_line":"Alternatives"},{"line_number":185,"context_line":"------------"},{"line_number":186,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"bf659307_2a3176ed","line":183,"updated":"2018-04-05 15:51:22.000000000","message":"Please add a section here or nearabouts to address the following:\n\nThere are two risks that should be called out and mitigated\n\n1. That we define a new role that has the same meaning as a role that a operator has already defined.  Here the answer is to Use implied roles to map from one to the other.\n\n2.  That we define a role that matches the name an operator has defined by that has a different semantic meaning.You might remember the _member_ role from Keystone.  
This was named this way to avoid conflicting with Member, which, while not standard, was a very common name that we wished to avoid duplicating.","commit_id":"18419047adea96a4688a58115c8d7046c84cbfa2"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"6b9588d542618bf7c1030827343693de065de66a","unresolved":false,"context_lines":[{"line_number":180,"context_line":"and delete volumes within Project Alpha. He cannot perform any system specific policies because his"},{"line_number":181,"context_line":"authorization is on a single project."},{"line_number":182,"context_line":""},{"line_number":183,"context_line":""},{"line_number":184,"context_line":"Alternatives"},{"line_number":185,"context_line":"------------"},{"line_number":186,"context_line":""}],"source_content_type":"text/x-rst","patch_set":15,"id":"bf659307_2783b206","line":183,"in_reply_to":"bf659307_2a3176ed","updated":"2018-04-09 15:30:25.000000000","message":"WRT 1: Great point -- will add!\n\nWRT 2: This is a tricky point -- and one which this spec (and future work related to it) will hopefully help prevent from reoccurring later down the road. \n\nWill add relevant sections in the next PS. 
Thanks, Adam!","commit_id":"18419047adea96a4688a58115c8d7046c84cbfa2"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"22d1de5f852413823a8be667f98d7f37b07f8aff","unresolved":false,"context_lines":[{"line_number":72,"context_line":""},{"line_number":73,"context_line":"**project-scope**: Project-scope express relates to authorization for operating in a"},{"line_number":74,"context_line":"specific tenancy of the cloud."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"**system-scope**: System-scope relates to authorization for operating with APIs that"},{"line_number":77,"context_line":"do not fall nicely into concepts of either Domain or Project scope. It is **not**"},{"line_number":78,"context_line":"meant to cover *all* APIs across a deployment. Note that this level of scope is an effort"}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_63167758","line":75,"updated":"2018-04-09 20:12:13.000000000","message":"Add Domain Scope: like project scop, but for Domain specific resources, which to date are such as Users, Groups, and top level projects.","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"change_message_id":"ffa35db47ac559a05e357ad6b16e1bdaf626db60","unresolved":false,"context_lines":[{"line_number":72,"context_line":""},{"line_number":73,"context_line":"**project-scope**: Project-scope express relates to authorization for operating in a"},{"line_number":74,"context_line":"specific tenancy of the cloud."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"**system-scope**: System-scope relates to authorization for operating with APIs that"},{"line_number":77,"context_line":"do not fall nicely into concepts of either Domain or Project scope. 
It is **not**"},{"line_number":78,"context_line":"meant to cover *all* APIs across a deployment. Note that this level of scope is an effort"}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_c3ff2a65","line":75,"in_reply_to":"bf659307_233146a3","updated":"2018-04-10 16:10:37.000000000","message":"ayoung++ I\u0027m fine with keeping domain scope out of this for now, for the sake of making progress on this.","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"f82d3d9d35f8a54c8c7ce4dca4aed5159d34c63d","unresolved":false,"context_lines":[{"line_number":72,"context_line":""},{"line_number":73,"context_line":"**project-scope**: Project-scope express relates to authorization for operating in a"},{"line_number":74,"context_line":"specific tenancy of the cloud."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"**system-scope**: System-scope relates to authorization for operating with APIs that"},{"line_number":77,"context_line":"do not fall nicely into concepts of either Domain or Project scope. It is **not**"},{"line_number":78,"context_line":"meant to cover *all* APIs across a deployment. Note that this level of scope is an effort"}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_f6679c50","line":75,"in_reply_to":"bf659307_3e409407","updated":"2018-04-10 04:00:03.000000000","message":"It as least needs to be addressed.  
There is a lot of cloudsample based policy out there, and so we should not indicate that those people are going to be abandoned, and it fits in with the existing scheme.","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"b2a0d26462e60f1d98753c905c40122fb8a8e19f","unresolved":false,"context_lines":[{"line_number":72,"context_line":""},{"line_number":73,"context_line":"**project-scope**: Project-scope express relates to authorization for operating in a"},{"line_number":74,"context_line":"specific tenancy of the cloud."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"**system-scope**: System-scope relates to authorization for operating with APIs that"},{"line_number":77,"context_line":"do not fall nicely into concepts of either Domain or Project scope. It is **not**"},{"line_number":78,"context_line":"meant to cover *all* APIs across a deployment. Note that this level of scope is an effort"}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_233146a3","line":75,"in_reply_to":"bf659307_62a73ca9","updated":"2018-04-10 16:00:04.000000000","message":"I think a simple note like this is appropriate here.\n\n\"Some operations are scoped to Domains.  However, these are Specific to Keystone.  
In general, Domain scoped operations should not be used in services other than Keystone.\"","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b9e8627e61b0da81a0f39bcbedfc3ba86437c126","unresolved":false,"context_lines":[{"line_number":72,"context_line":""},{"line_number":73,"context_line":"**project-scope**: Project-scope express relates to authorization for operating in a"},{"line_number":74,"context_line":"specific tenancy of the cloud."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"**system-scope**: System-scope relates to authorization for operating with APIs that"},{"line_number":77,"context_line":"do not fall nicely into concepts of either Domain or Project scope. It is **not**"},{"line_number":78,"context_line":"meant to cover *all* APIs across a deployment. Note that this level of scope is an effort"}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_3e409407","line":75,"in_reply_to":"bf659307_63167758","updated":"2018-04-09 20:15:42.000000000","message":"This was added in a previous patch and removed for the sake of simplicity.","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"175edb9a5407ee70754e91776d6856cd1b7d96ff","unresolved":false,"context_lines":[{"line_number":72,"context_line":""},{"line_number":73,"context_line":"**project-scope**: Project-scope express relates to authorization for operating in a"},{"line_number":74,"context_line":"specific tenancy of the cloud."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"**system-scope**: System-scope relates to authorization for operating with APIs that"},{"line_number":77,"context_line":"do not fall nicely into concepts of either Domain or Project scope. 
It is **not**"},{"line_number":78,"context_line":"meant to cover *all* APIs across a deployment. Note that this level of scope is an effort"}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_62a73ca9","line":75,"in_reply_to":"bf659307_e86c9409","updated":"2018-04-10 14:50:14.000000000","message":"Good catch, Jim. I agree that we should update the example or remove it.\n\nIn talking about this, there is some hesitation to pursue domain scope in addition to project and system scope. In a perfect world, domain scope should totally be a thing IMO. It\u0027s awesome for providing another layer of flexibility in between project level authorization and system level authorization. Users and groups were *built* to belong to a domain.\n\nThat said, I understand what that is going to mean for other services implementing this. A service consuming domain scope is going to require addition information about the domain from keystone. Then the service needs to reason about those things. Listing servers within a project is a good example. If I have the \"member\" role on a project and I use a project-scoped token to list instances, I would expect a list of all instances within that project. If I have the \"member\" role on a domain, and I use a domain-scoped token to list instances, I would expect the result to be a list of all instances owned by every project within that domain. This will require work on the service side to ask keystone for all projects within the domain, and then curate a list of servers for each project before handing that back to the user.\n\nIMO, we have a couple options:\n\n1.) We can work the domain-scope back into the specification\n\nThis will provide a much clearer picture of the ideal system we want to see, including deployments with authorization built into domain administrator roles.\n\n2.) 
We keep the domain-scope examples separate and focus on isolating operations into project or system scope.\n\nThe advantage here would be that is should simplify some of the implementation for projects. We could include a snippet here about a subsequent specification for additional domain-scoped work, too. At the same time, we\u0027re fixing the crux of OpenStack admin-ness problem (bug 968696), but leaving things open later to elaborate on domain scope.","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"change_message_id":"3b7bce09295b6dcf5f22e6c076171fdcd016d678","unresolved":false,"context_lines":[{"line_number":72,"context_line":""},{"line_number":73,"context_line":"**project-scope**: Project-scope express relates to authorization for operating in a"},{"line_number":74,"context_line":"specific tenancy of the cloud."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"**system-scope**: System-scope relates to authorization for operating with APIs that"},{"line_number":77,"context_line":"do not fall nicely into concepts of either Domain or Project scope. It is **not**"},{"line_number":78,"context_line":"meant to cover *all* APIs across a deployment. Note that this level of scope is an effort"}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_e86c9409","line":75,"in_reply_to":"bf659307_f6679c50","updated":"2018-04-10 11:27:20.000000000","message":"Domain scope is used in the \u0027member\u0027 example on line 93 - if we\u0027re going to use it as an example, we should define it here. 
Or change the example, either way :)","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"22d1de5f852413823a8be667f98d7f37b07f8aff","unresolved":false,"context_lines":[{"line_number":93,"context_line":"`member:`"},{"line_number":94,"context_line":"An example project-scoped application of this role would be creating a volume (``volume:create``)."},{"line_number":95,"context_line":"An example domain-scope application of this role would be updating a user  ``identity:update_user``)."},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"`admin:`"},{"line_number":98,"context_line":"An example project-scoped administrator operation would be deleting a volume (``volume:delete``)."},{"line_number":99,"context_line":"An example system-scoped administrator operation would be creating an endpoint for a service"}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_9e2a007c","line":96,"updated":"2018-04-09 20:12:13.000000000","message":"Suggestion: I would like to see a role in between admimn and member that is \"admin but only for project operations\"  split from \"admin, but for service level operations\".  
I\u0027ve use the term \"project-manager\" for this in the past.","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b9e8627e61b0da81a0f39bcbedfc3ba86437c126","unresolved":false,"context_lines":[{"line_number":93,"context_line":"`member:`"},{"line_number":94,"context_line":"An example project-scoped application of this role would be creating a volume (``volume:create``)."},{"line_number":95,"context_line":"An example domain-scope application of this role would be updating a user  ``identity:update_user``)."},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"`admin:`"},{"line_number":98,"context_line":"An example project-scoped administrator operation would be deleting a volume (``volume:delete``)."},{"line_number":99,"context_line":"An example system-scoped administrator operation would be creating an endpoint for a service"}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_de4e3837","line":96,"in_reply_to":"bf659307_9e2a007c","updated":"2018-04-09 20:15:42.000000000","message":"I think that is something that can be accomplished with scopes, and avoids having to define yet another role.","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"f82d3d9d35f8a54c8c7ce4dca4aed5159d34c63d","unresolved":false,"context_lines":[{"line_number":93,"context_line":"`member:`"},{"line_number":94,"context_line":"An example project-scoped application of this role would be creating a volume (``volume:create``)."},{"line_number":95,"context_line":"An example domain-scope application of this role would be updating a user  ``identity:update_user``)."},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"`admin:`"},{"line_number":98,"context_line":"An example project-scoped 
administrator operation would be deleting a volume (``volume:delete``)."},{"line_number":99,"context_line":"An example system-scoped administrator operation would be creating an endpoint for a service"}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_b671240f","line":96,"in_reply_to":"bf659307_de4e3837","updated":"2018-04-10 04:00:03.000000000","message":"Agreed.  Suggestion Withdrawn.","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"b2a0d26462e60f1d98753c905c40122fb8a8e19f","unresolved":false,"context_lines":[{"line_number":117,"context_line":"+-------------+---------------------------+-----------------------------+-----------------------------+"},{"line_number":118,"context_line":"| **System**  | * identity:list_endpoints | * identity:list_endpoints   | * identity:list_endpoints   |"},{"line_number":119,"context_line":"|             | * identity:get_endpoint   | * identity:get_endpoint     | * identity:get_endpoint     |"},{"line_number":120,"context_line":"|             | * identity:get_user       | * identity:get_user         | * identity:get_user         |"},{"line_number":121,"context_line":"|             |                           | * identity:update_user      | * identity:update_user      |"},{"line_number":122,"context_line":"|             |                           | * identity:update_endpoint  | * identity:update_endpoint  |"},{"line_number":123,"context_line":"|             |                           |                             | * identity:create_endpoint  |"}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_23d62629","line":120,"updated":"2018-04-10 16:00:04.000000000","message":"change the example to compute_api:get_hypervisor/update_hypervisor, as that is not a Keystone specific, and Domain scoped, 
object.","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"22d1de5f852413823a8be667f98d7f37b07f8aff","unresolved":false,"context_lines":[{"line_number":124,"context_line":"|             |                           |                             | * identity:create_user      |"},{"line_number":125,"context_line":"|             |                           |                             | * identity:delete_user      |"},{"line_number":126,"context_line":"+-------------+---------------------------+-----------------------------+-----------------------------+"},{"line_number":127,"context_line":""},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"Example snippets of various policy files, or rendered snippets, could look like"},{"line_number":130,"context_line":"the following."}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_be34a4df","line":127,"updated":"2018-04-09 20:12:13.000000000","message":"The \"user\" ones from above should be domain scoped, not system.","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"22d1de5f852413823a8be667f98d7f37b07f8aff","unresolved":false,"context_lines":[{"line_number":131,"context_line":""},{"line_number":132,"context_line":"::"},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"    # scope_types \u003d (\u0027project\u0027)"},{"line_number":135,"context_line":"    \"volume:get\": \"role:auditor OR role:member OR role:admin\""},{"line_number":136,"context_line":"    \"volume:get_all\": \"role:auditor OR role:member OR role:admin\""},{"line_number":137,"context_line":"    \"volume:create\": \"role:member OR 
role:admin\""}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_5e59c832","line":134,"updated":"2018-04-09 20:12:13.000000000","message":"please use Implied roles to simplify these.  Member implies auditor, project-admin implies member.  You only need to specify the lowest level role.","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"change_message_id":"3b7bce09295b6dcf5f22e6c076171fdcd016d678","unresolved":false,"context_lines":[{"line_number":131,"context_line":""},{"line_number":132,"context_line":"::"},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"    # scope_types \u003d (\u0027project\u0027)"},{"line_number":135,"context_line":"    \"volume:get\": \"role:auditor OR role:member OR role:admin\""},{"line_number":136,"context_line":"    \"volume:get_all\": \"role:auditor OR role:member OR role:admin\""},{"line_number":137,"context_line":"    \"volume:create\": \"role:member OR role:admin\""}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_8854f822","line":134,"in_reply_to":"bf659307_5e59c832","updated":"2018-04-10 11:27:20.000000000","message":"Probably best to be explicit here in a cross-project spec, given that not everyone reviewing this may know about implied roles or make this assumption.\n\nBut, now that I read further, we discuss implied roles. 
I still think this should be left as-is, given this spec doesn\u0027t propose making these implied roles yet.","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"b2a0d26462e60f1d98753c905c40122fb8a8e19f","unresolved":false,"context_lines":[{"line_number":131,"context_line":""},{"line_number":132,"context_line":"::"},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"    # scope_types \u003d (\u0027project\u0027)"},{"line_number":135,"context_line":"    \"volume:get\": \"role:auditor OR role:member OR role:admin\""},{"line_number":136,"context_line":"    \"volume:get_all\": \"role:auditor OR role:member OR role:admin\""},{"line_number":137,"context_line":"    \"volume:create\": \"role:member OR role:admin\""}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_c3b5eaef","line":134,"in_reply_to":"bf659307_8854f822","updated":"2018-04-10 16:00:04.000000000","message":"using implied roles will simplify and make management more stable:\n\"role:auditor OR role:member OR role:admin\"\nbecomes \n\"role:auditor\"\nAcross *ALL* the APIs.  Don\u0027t start a new bad habit here.  
Please use Implied roles for these.","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"change_message_id":"ffa35db47ac559a05e357ad6b16e1bdaf626db60","unresolved":false,"context_lines":[{"line_number":131,"context_line":""},{"line_number":132,"context_line":"::"},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"    # scope_types \u003d (\u0027project\u0027)"},{"line_number":135,"context_line":"    \"volume:get\": \"role:auditor OR role:member OR role:admin\""},{"line_number":136,"context_line":"    \"volume:get_all\": \"role:auditor OR role:member OR role:admin\""},{"line_number":137,"context_line":"    \"volume:create\": \"role:member OR role:admin\""}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_e337ce4c","line":134,"in_reply_to":"bf659307_c3b5eaef","updated":"2018-04-10 16:10:37.000000000","message":"Yeah, fair point, actual \"code\" here will be cargo-culted. Let\u0027s make a note about implied roles above this section, then, with a link to more info.","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b9e8627e61b0da81a0f39bcbedfc3ba86437c126","unresolved":false,"context_lines":[{"line_number":183,"context_line":"Risk Mitigation"},{"line_number":184,"context_line":"---------------"},{"line_number":185,"context_line":""},{"line_number":186,"context_line":"**Scenario One -- A role serving the purposes described in this spec exists under another name exists**:"},{"line_number":187,"context_line":"Let us assume that Deployment A already has ``Role X`` which serves the purpose of the proposed here as"},{"line_number":188,"context_line":"the ``auditor`` role. 
In this instance, it is reasonable to assume that operators may have custom policy"},{"line_number":189,"context_line":"work in place and do not want to port immediately."}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_deb2b849","line":186,"range":{"start_line":186,"start_character":95,"end_line":186,"end_character":101},"updated":"2018-04-09 20:15:42.000000000","message":"Duplicate \"exists\"?","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b9e8627e61b0da81a0f39bcbedfc3ba86437c126","unresolved":false,"context_lines":[{"line_number":196,"context_line":"**Scenario Two -- An existing ``auditor``, ``member``, or ``admin`` role already exists**: Let us assume"},{"line_number":197,"context_line":"that Deployment B already has a ``member`` role. Keystone will not attempt to overwrite any existing roles"},{"line_number":198,"context_line":"that have been populated. 
It will instead note that a role with the name ``member`` already exists in log"},{"line_number":199,"context_line":"output."},{"line_number":200,"context_line":""},{"line_number":201,"context_line":"Alternatives"},{"line_number":202,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_7ed12c57","line":199,"updated":"2018-04-09 20:15:42.000000000","message":"++ this is what we do today when running ``keystone-manage bootstrap`` since it *should* be idempotent [0].\n\n[0] https://github.com/openstack/keystone/blob/7c4c6a5fb3e77723f3866c99fdf0825ba7cc0c5c/keystone/cmd/cli.py#L186-L194","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"22d1de5f852413823a8be667f98d7f37b07f8aff","unresolved":false,"context_lines":[{"line_number":214,"context_line":"  had implications, the service specific roles would need to be created and implied manually"},{"line_number":215,"context_line":"  anyway. Once we get adoption across a few OpenStack services and usage in real deployments,"},{"line_number":216,"context_line":"  we can propose a follow on specification that attempts to work through implying the"},{"line_number":217,"context_line":"  established defaults."},{"line_number":218,"context_line":""},{"line_number":219,"context_line":"- reader/writer/admin vs auditor/nember/admin. There was much debate regarding the naming"},{"line_number":220,"context_line":"  conventions for these roles. We have opted to use `auditor`, `member`, and `admin` as we"}],"source_content_type":"text/x-rst","patch_set":16,"id":"bf659307_9eebe010","line":217,"updated":"2018-04-09 20:12:13.000000000","message":"So...I disagree on two accounts.  First, the same role on a project and on a ssytem level can be used to provide access to an API.  
Project level auditor can read data for a specific project, a system level auditor can read from all projects.\n\nHowever, even if we split the set of roles between what is required for project and system scoping, implied roles will still simplify the system.  Implied roles were built explicitly for this use case, and should be part of the end solution.\n\nAdmin-\u003eMember-\u003eAuditor is the simplest chain.  \n\n-\u003e  means implied.","commit_id":"4626620b8686e7ad85dee616e0edcade41985ac2"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"8c4ba9f536aa39f95efc10268a84ce4d7bc04135","unresolved":false,"context_lines":[{"line_number":91,"context_line":""},{"line_number":92,"context_line":"`member:`"},{"line_number":93,"context_line":"An example project-scoped application of this role would be creating a volume (``volume:create``)."},{"line_number":94,"context_line":"An example system-scope application of this role would be updating a user  ``identity:update_user``)."},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"`admin:`"},{"line_number":97,"context_line":"An example project-scoped administrator operation would be deleting a volume (``volume:delete``)."}],"source_content_type":"text/x-rst","patch_set":17,"id":"bf659307_1f2ecea4","line":94,"updated":"2018-04-10 21:14:09.000000000","message":"please change this to a non-domain example, such as managing hypervisors or endpoints.","commit_id":"b52d69ba63c61366b484357a699afcacd35c3b24"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"8c4ba9f536aa39f95efc10268a84ce4d7bc04135","unresolved":false,"context_lines":[{"line_number":116,"context_line":"+-------------+---------------------------+-----------------------------+-----------------------------+"},{"line_number":117,"context_line":"| **System**  | * identity:list_endpoints | * 
identity:list_endpoints   | * identity:list_endpoints   |"},{"line_number":118,"context_line":"|             | * identity:get_endpoint   | * identity:get_endpoint     | * identity:get_endpoint     |"},{"line_number":119,"context_line":"|             | * identity:get_user       | * identity:get_user         | * identity:get_user         |"},{"line_number":120,"context_line":"|             |                           | * identity:update_user      | * identity:update_user      |"},{"line_number":121,"context_line":"|             |                           | * identity:update_endpoint  | * identity:update_endpoint  |"},{"line_number":122,"context_line":"|             |                           |                             | * identity:create_endpoint  |"}],"source_content_type":"text/x-rst","patch_set":17,"id":"bf659307_1a4a5c54","line":119,"updated":"2018-04-10 21:14:09.000000000","message":"drop the user examples, as those should really be domain scoped.  suggest \"os_compute_api:os-hypervisors\": Or \u0027os_compute_api:os-hosts\u0027","commit_id":"b52d69ba63c61366b484357a699afcacd35c3b24"},{"author":{"_account_id":782,"name":"John Garbutt","email":"john@johngarbutt.com","username":"johngarbutt"},"change_message_id":"a7a869db6d129c1fa642d25d6721c3dca063258d","unresolved":false,"context_lines":[{"line_number":113,"context_line":"|             | * volume:get_all          | * volume:get_all            | * volume:get_all                |"},{"line_number":114,"context_line":"|             |                           | * volume:create             | * volume:create                 |"},{"line_number":115,"context_line":"|             |                           | * volume:update             | * volume:update                 |"},{"line_number":116,"context_line":"|             |                           |                             | * volume:delete                 
|"},{"line_number":117,"context_line":"+-------------+---------------------------+-----------------------------+---------------------------------+"},{"line_number":118,"context_line":"| **System**  | * identity:list_endpoints | * identity:list_endpoints   | * identity:list_endpoints       |"},{"line_number":119,"context_line":"|             | * identity:get_endpoint   | * identity:get_endpoint     | * identity:get_endpoint         |"}],"source_content_type":"text/x-rst","patch_set":18,"id":"5f7c97a3_eb910848","line":116,"updated":"2018-05-21 17:28:43.000000000","message":"Took a while to get my head around this line, but it’s growing on me","commit_id":"0d6658ca8752e51b8d54b8464166c149c8588938"}]}
