Gerrit inline review comments on specs/rocky/consistent-policy-attributes.rst
(the oslo.policy "consistent policy attributes" spec). All threads below are
marked resolved.

Patch set 1 (commit df9fcfff891f981e01605e65a6c4259121c23270)
------------------------------------------------------------

Spec lines 44-50:

    that, operators that need to write custom policy checks or invoking external
    policy enforcement points should be able to rely on that information
    consistently.

    The following are the proposed additional attributes to check for in
    the ``creds`` dictionary:

Thomas Duval (asteroide), 2018-03-13 10:06:17, on line 47:
    You don't talk about the "rule" attribute. This attribute is mandatory and
    maybe it could be mentioned in the specification so the most important
    information will be clearly identified.

Lance Bragstad (ldbragst), 2018-03-21 17:02:45, in reply:
    The rule is a required parameter of enforce's method signature; it should
    always be passed in when enforce() is called [0][1]. This should be
    validation we get for free by just using python...

    Do you know if there is a specific service that is working around this? Is
    there a specific operation that doesn't provide that information to moon
    when the data is passed through http_check?

    [0] https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L779
    [1] https://github.com/openstack/oslo.policy/blob/master/oslo_policy/_external.py#L44-L64

Thomas Duval (asteroide), 2018-03-22 08:33:56, in reply:
    For example Neutron doesn't populate this value. And, moreover, when using
    the admin user, the http_check is never executed.

Spec lines 46-52:

    consistently.

    The following are the proposed additional attributes to check for in
    the ``creds`` dictionary:

    * ``user_id``: The unique identifier of the user making the request. This is
      typically handled by keystonemiddleware and oslo.context.

Davanum Srinivas (dims-v), 2018-03-12 15:44:41, on line 49:
    This is so close to what we have in oslo.context :) do we want to look
    there to pick some more? (request_id?)

Lance Bragstad (ldbragst), 2018-03-21 17:02:45, in reply:
    Possibly? I'm not sure how we'd write a policy for request IDs, but maybe
    someone has a use case.

    Even if the services passed their context object to oslo.policy, we'd
    likely still need to ensure various keys exist at a minimum.

Spec lines 53-59:

    * ``project_id``: The unique identifier of the project the users is acting
      upon. This is typically handled by keystonemiddleware and oslo.context.
    * ``domain_id``: The unique identifier of the domain being acted upon. This is
      typically handled by keystonemiddleware and oslo.context.

    The following are the proposed additional attributes to check for in the
    ``target`` dictionary:

Lance Bragstad (ldbragst), 2018-03-12 15:20:44, on line 56:
    Both project_id and domain_id are conditional based on the token used. I
    wonder if we should generalize this a bit more to include system-scope
    information, too. That way we don't need to do another major version to
    add it later.

Davanum Srinivas (dims-v), 2018-03-12 15:44:41, in reply:
    makes sense

Lance Bragstad (ldbragst), 2018-03-21 17:02:45, in reply:
    So maybe something like:

      scope = ENUM('project', 'domain', 'system')
      {'id': $ID, 'scope': scope}

    If it's system, then id would be None for now. But that should give
    external PDPs enough information about the scope, shouldn't it?

Thomas Duval (asteroide), 2018-03-22 08:33:56, in reply:
    I agree.

Spec lines 58-66:

    The following are the proposed additional attributes to check for in the
    ``target`` dictionary:

    * ``resource_id``: The unique identifier of the resource involved in the
      request (e.g. nova instance ID, glance image ID, cinder volume ID, etc).

    Alternatives
    ------------

Davanum Srinivas (dims-v), 2018-03-12 15:44:41, on line 61:
    do we have a way to say that the resource_id is resource managed by "nova"
    (or "compute") service?

Thomas Duval (asteroide), 2018-03-13 10:06:17, in reply:
    In my understanding, at this time, we can only know about the component
    which is the source of the request by looking at the 'rule' attribute.
    Because each rule is unique across OpenStack. But there is no guarantee
    for that.
    Maybe, it could be interesting to add an attribute in the target
    dictionary (for example component_id) to set this information.

Davanum Srinivas (dims-v), 2018-03-12 15:44:41, on line 62:
    Do we need a way to say that the operation is on a nova resource but it is
    also about a cinder volume being mounted? ("related" resource_id(s) of
    some sort)

Thomas Duval (asteroide), 2018-03-13 10:06:17, in reply:
    Each request is atomic; you will have a request to get the cinder volume
    and another request for the nova resource. So I think it is not necessary.

Thomas Duval (asteroide), 2018-03-13 10:06:17, on line 63:
    Some requests may come without a resource_id because there is no resource
    for that action. An example could be: when a user requests the list of all
    virtual machines in Nova. The rule is compute:list_servers and the
    resource_id is None. From an external enforcement perspective, it is
    sufficient.

Lance Bragstad (ldbragst), 2018-03-21 17:02:45, in reply:
    ++

Patch set 3 (commit 1d023a6b569308fcecb3d4ac4457b9cd023c3059)
------------------------------------------------------------

Spec lines 14-20:

    The oslo.policy library is used by most OpenStack services to make
    authoritative decisions about what a user can do. This decision is done when a
    service calls the ``enforce()`` method on an instance of oslo.policy's
    ``Enforcer`` object. A service can optionally supply addition information to
    ``enforce`` by using the ``creds`` and ``target`` arguments. These arguments
    are dictionaries that are supposed to contain as much information about the
    user making the request (``creds``) and the resource involved in the policy

Harry Rybacki (hrybacki), 2018-04-04 16:11:38, on line 17 ("addition"):
    s/addition/additional/

Lance Bragstad (ldbragst), 2018-04-11 16:33:42, in reply:
    Done

Spec lines 37-43:

    ``enforce()``. Once we have that list specified, we can implement checks in
    ``enforce()`` that expect them to always be present. Since this would be a
    backwards incompatible change, and might break services, the release this
    change is included in should be a new major version of the oslo.policy library.

    Once a new library is available for services to consume, we can iteratively
    step through each service and help them populate the missing fields. After

Doug Hellmann (doug-hellmann), 2018-04-10 19:29:02, on line 40:
    It won't be sufficient to make it a major version release. We will need to
    add a new API to replace enforce() so that we can have both APIs in a
    release at one time.

    The first release to include the new API will be a feature-version bump.
    The release to remove enforce() would be an API-breaking major version
    bump.

    I will leave it up to others to work out what the name of the new method
    should be.

Lance Bragstad (ldbragst), 2018-04-11 16:33:42, in reply:
    Thanks for the information. I reworked the example to take those details
    into account.

Spec lines 46-52:

    consistently.

    The following are the proposed additional attributes to check for in
    the ``creds`` dictionary:

    * ``user_id``: The unique identifier of the user making the request. This is
      typically handled by keystonemiddleware and oslo.context.

Doug Hellmann (doug-hellmann), 2018-04-10 19:29:02, on line 49:
    Rather than continuing to rely on an API that uses dictionaries, let's make
    some classes and add required arguments to the new method. For the user
    identity info can we use a context object, for example?

Lance Bragstad (ldbragst), 2018-04-11 16:33:42, in reply:
    ++ that's a good idea.

    If we rely on the oslo.context library, is it fair to just require a
    user_id, rule, and context object?

Doug Hellmann (doug-hellmann), 2018-04-11 17:36:50, in reply:
    The user_id is part of the context, so unless you need/want it to be a
    different value I think you can just require the context and the rule. I
    don't know about the resource, though. I suppose we might want a
    ResourceDescription object that holds values like owner ID, etc. to let
    the rules access some of those other values.

Spec lines 51-57:

    * ``user_id``: The unique identifier of the user making the request. This is
      typically handled by keystonemiddleware and oslo.context.
    * ``scope``: This is a dictionary that contains information about the scope
      being used. It should contain an ``id`` attribute and a ``type`` attribute.

    An example project ``scope`` dictionary is as follows:

Doug Hellmann (doug-hellmann), 2018-04-10 19:29:02, on line 54:
    If we know what should always be present, it sounds like we can at least
    use a named tuple to hold the values. A proper class may make it easier to
    add optional arguments later.

Spec lines 62-68:

        scope = {
           'id': project_id,
           'type': 'project'
        }

    An example domain ``scope`` dictionary is as follows:

Doug Hellmann (doug-hellmann), 2018-04-10 19:29:02, on line 65:
    Why make the caller do this? If we pass the context as one arg and the
    scope as a second one, oslo.policy can get the project id from the context.

Lance Bragstad (ldbragst), 2018-04-11 16:33:42, in reply:
    Done

Spec lines 80-86:

    .. code-block:: python

        scope = {
           'id': None,
           'type': 'system'
        }

Harry Rybacki (hrybacki), 2018-04-04 16:11:38, on line 83 ("None"):
    Why this is the case may not be apparent to readers. Could we link to
    additional info regarding system Scope?

Lance Bragstad (ldbragst), 2018-04-11 16:33:42, in reply:
    Removed this in favor of using oslo.context.

Spec lines 88-94:

    ``target`` dictionary:

    * ``resource_id``: The unique identifier of the resource involved in the
      request (e.g. nova instance ID, glance image ID, cinder volume ID, etc).

    Alternatives
    ------------

Doug Hellmann (doug-hellmann), 2018-04-10 19:29:02, on line 91:
    Do we ever need more than one resource ID? If not, the resource ID is also
    available from the context.

Lance Bragstad (ldbragst), 2018-04-11 16:33:42, in reply:
    Not initially. I wouldn't mind waiting until we have a clear use case for
    including multiple resource IDs. Otherwise I feel this will turn into a
    slippery slope.

Doug Hellmann (doug-hellmann), 2018-04-11 17:36:50, in reply:
    I agree. We can always add another method for dealing with multiple
    resources like that, since the semantics might be different (you need
    permission on at least one, you need permission on all of them, etc.).

Spec lines 108-114:

    Any call to the ``enforce()`` or ``authorize()`` methods will need to be
    populated with the correct attributes, specified in the above section.
    Otherwise an exception will be raised. The exception isn't necessarily intended
    for end users, but developers consuming the new version of oslo.policy.

    Security impact
    ---------------

Doug Hellmann (doug-hellmann), 2018-04-10 19:29:02, on line 111:
    I think we're going to have to leave the existing APIs alone and add new
    ones, as described above.

Lance Bragstad (ldbragst), in reply:
    [text cut off in the source]
The exception isn\u0027t necessarily intended"},{"line_number":111,"context_line":"for end users, but developers consuming the new version of oslo.policy."},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Security impact"},{"line_number":114,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bf659307_44322112","line":111,"in_reply_to":"bf659307_49d578e4","updated":"2018-04-11 16:33:42.000000000","message":"Done","commit_id":"1d023a6b569308fcecb3d4ac4457b9cd023c3059"},{"author":{"_account_id":2472,"name":"Doug Hellmann","email":"dhellmann@redhat.com","username":"doug-hellmann"},"change_message_id":"08ca9aef60d6c36d70652ebbb53c58ad8ead7606","unresolved":false,"context_lines":[{"line_number":133,"context_line":""},{"line_number":134,"context_line":"Developers might notice failures from oslo.policy when consuming the new"},{"line_number":135,"context_line":"version, which can be remedied by adjusting the service to always pass the"},{"line_number":136,"context_line":"expected attributes to ``enforce()``."},{"line_number":137,"context_line":""},{"line_number":138,"context_line":"Testing Impact"},{"line_number":139,"context_line":"--------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bf659307_89f4f088","line":136,"updated":"2018-04-10 19:29:02.000000000","message":"We shouldn\u0027t plan on this happening.","commit_id":"1d023a6b569308fcecb3d4ac4457b9cd023c3059"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"52be9c8954791eeeb10d590310b1469e37aee449","unresolved":false,"context_lines":[{"line_number":133,"context_line":""},{"line_number":134,"context_line":"Developers might notice failures from oslo.policy when consuming the new"},{"line_number":135,"context_line":"version, which can be remedied by adjusting the service to always pass the"},{"line_number":136,"context_line":"expected attributes to 
``enforce()``."},{"line_number":137,"context_line":""},{"line_number":138,"context_line":"Testing Impact"},{"line_number":139,"context_line":"--------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bf659307_37295d89","line":136,"in_reply_to":"bf659307_89f4f088","updated":"2018-04-11 16:33:42.000000000","message":"Done","commit_id":"1d023a6b569308fcecb3d4ac4457b9cd023c3059"},{"author":{"_account_id":11589,"name":"Harry Rybacki","email":"hrybacki@redhat.com","username":"hrybacki"},"change_message_id":"9c41179d3aa608f74de691590e235d0aa3cc8a5f","unresolved":false,"context_lines":[{"line_number":165,"context_line":"Milestones"},{"line_number":166,"context_line":"----------"},{"line_number":167,"context_line":""},{"line_number":168,"context_line":"Target Milestone for completion: rocky-2"},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"Work Items"},{"line_number":171,"context_line":"----------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bf659307_7e02e90b","line":168,"range":{"start_line":168,"start_character":38,"end_line":168,"end_character":39},"updated":"2018-04-04 16:11:38.000000000","message":"Is this realistic if it will require a major version bump to oslo.policy?","commit_id":"1d023a6b569308fcecb3d4ac4457b9cd023c3059"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"52be9c8954791eeeb10d590310b1469e37aee449","unresolved":false,"context_lines":[{"line_number":165,"context_line":"Milestones"},{"line_number":166,"context_line":"----------"},{"line_number":167,"context_line":""},{"line_number":168,"context_line":"Target Milestone for completion: rocky-2"},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"Work 
Items"},{"line_number":171,"context_line":"----------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bf659307_b7132d5c","line":168,"range":{"start_line":168,"start_character":38,"end_line":168,"end_character":39},"in_reply_to":"bf659307_7e02e90b","updated":"2018-04-11 16:33:42.000000000","message":"That\u0027s a good question. I\u0027ve never gone through a major version bump with oslo, so I\u0027d like to see if others have an opinion here.","commit_id":"1d023a6b569308fcecb3d4ac4457b9cd023c3059"},{"author":{"_account_id":2472,"name":"Doug Hellmann","email":"dhellmann@redhat.com","username":"doug-hellmann"},"change_message_id":"78840579291feb1e167b1ef547254144d8cd1456","unresolved":false,"context_lines":[{"line_number":165,"context_line":"Milestones"},{"line_number":166,"context_line":"----------"},{"line_number":167,"context_line":""},{"line_number":168,"context_line":"Target Milestone for completion: rocky-2"},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"Work Items"},{"line_number":171,"context_line":"----------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"bf659307_f51e7d5d","line":168,"range":{"start_line":168,"start_character":38,"end_line":168,"end_character":39},"in_reply_to":"bf659307_b7132d5c","updated":"2018-04-11 17:36:50.000000000","message":"If we add the new method we don\u0027t need a major version update at all.","commit_id":"1d023a6b569308fcecb3d4ac4457b9cd023c3059"},{"author":{"_account_id":2472,"name":"Doug Hellmann","email":"dhellmann@redhat.com","username":"doug-hellmann"},"change_message_id":"9c020b76ced5162f0ea574f754aaefe0bcfaff3b","unresolved":false,"context_lines":[{"line_number":48,"context_line":""},{"line_number":49,"context_line":"* ``context``: An instance of ``RequestContext`` from the oslo.context library."},{"line_number":50,"context_line":"* ``user_id``: The unique identifier of the user making the request. 
This is"},{"line_number":51,"context_line":"  typically handled by keystonemiddleware and oslo.context."},{"line_number":52,"context_line":"* ``rule``: The policy rule being accessed"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Alternatives"}],"source_content_type":"text/x-rst","patch_set":4,"id":"bf659307_b541e53b","line":51,"updated":"2018-04-11 17:38:20.000000000","message":"The user_id is in the context, so we shouldn\u0027t need to pass it separately.","commit_id":"d2356a55050da23486e02987e69a4f0899bdfe46"},{"author":{"_account_id":26674,"name":"Thomas Duval","email":"thomas.duval@orange.com","username":"asteroide"},"change_message_id":"6ef1f2eb198dd59b503bfecb8d22809c79c9dac2","unresolved":false,"context_lines":[{"line_number":49,"context_line":"* ``context``: An instance of ``RequestContext`` from the oslo.context library."},{"line_number":50,"context_line":"* ``user_id``: The unique identifier of the user making the request. This is"},{"line_number":51,"context_line":"  typically handled by keystonemiddleware and oslo.context."},{"line_number":52,"context_line":"* ``rule``: The policy rule being accessed"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Alternatives"},{"line_number":55,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"bf659307_a00509c4","line":52,"updated":"2018-04-12 15:14:35.000000000","message":"We need here the \u0027resource_id\u0027, this is dramatically missing when trying to authorize requests through an external policy decision point. 
Unless we can find it in the context object so we have to check if this attribute exists.","commit_id":"d2356a55050da23486e02987e69a4f0899bdfe46"},{"author":{"_account_id":2472,"name":"Doug Hellmann","email":"dhellmann@redhat.com","username":"doug-hellmann"},"change_message_id":"70d36fad019f70eccb535657bd26407c1a6d256d","unresolved":false,"context_lines":[{"line_number":49,"context_line":"* ``context``: An instance of ``RequestContext`` from the oslo.context library."},{"line_number":50,"context_line":"* ``user_id``: The unique identifier of the user making the request. This is"},{"line_number":51,"context_line":"  typically handled by keystonemiddleware and oslo.context."},{"line_number":52,"context_line":"* ``rule``: The policy rule being accessed"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Alternatives"},{"line_number":55,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9f6a8fd7_e4479a4b","line":52,"in_reply_to":"9f6a8fd7_c9662fc2","updated":"2018-04-23 14:33:59.000000000","message":"Yes, that\u0027s my preference. The alternative is that we have 2 classes being used system-wide to refer to a lot of the same information, each of which is likely only partially filled in. Let\u0027s just get everyone using the same context base class and providing all of the necessary values.","commit_id":"d2356a55050da23486e02987e69a4f0899bdfe46"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"0361e0b6141713c12ffebccc60f9aeb71b918dd2","unresolved":false,"context_lines":[{"line_number":49,"context_line":"* ``context``: An instance of ``RequestContext`` from the oslo.context library."},{"line_number":50,"context_line":"* ``user_id``: The unique identifier of the user making the request. 
This is"},{"line_number":51,"context_line":"  typically handled by keystonemiddleware and oslo.context."},{"line_number":52,"context_line":"* ``rule``: The policy rule being accessed"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Alternatives"},{"line_number":55,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9f6a8fd7_c9662fc2","line":52,"in_reply_to":"bf659307_627131a8","updated":"2018-04-23 14:13:27.000000000","message":"Looks like it\u0027s called resource_uuid, but I\u0027d say this falls into the same boat in that it\u0027s hard to know if each project is actually filling this out properly.\n\nThat said, I think I like the idea of having oslo.policy just process a context object instead of making oslo.policy learn all these new arguments. That might make it easier for people to adopt/fix in their code because they only have to really fill out one thing, which is the context object, and that is used with policy enforcement. As opposed to creating a request object and then creating a couple specialized dictionaries to pass to oslo.policy that contain much of the same information.\n\nSo do we ultimately just make oslo.policy smart enough to handle a context object?","commit_id":"d2356a55050da23486e02987e69a4f0899bdfe46"},{"author":{"_account_id":2472,"name":"Doug Hellmann","email":"dhellmann@redhat.com","username":"doug-hellmann"},"change_message_id":"9ec51339e4f2bef837bdf0dee0c1f3c44a8d09cd","unresolved":false,"context_lines":[{"line_number":49,"context_line":"* ``context``: An instance of ``RequestContext`` from the oslo.context library."},{"line_number":50,"context_line":"* ``user_id``: The unique identifier of the user making the request. 
This is"},{"line_number":51,"context_line":"  typically handled by keystonemiddleware and oslo.context."},{"line_number":52,"context_line":"* ``rule``: The policy rule being accessed"},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Alternatives"},{"line_number":55,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"bf659307_627131a8","line":52,"in_reply_to":"bf659307_a00509c4","updated":"2018-04-12 18:36:39.000000000","message":"The context does have a field for resource_uuid. I don\u0027t know if it is filled in consistently.","commit_id":"d2356a55050da23486e02987e69a4f0899bdfe46"}]}
