)]}'
{"doc/source/admin/policy-yaml-file.rst":[{"author":{"_account_id":11904,"name":"Sean McGinnis","email":"sean.mcginnis@gmail.com","username":"SeanM"},"change_message_id":"9b193fb0d3871a637b507fd57d847cf7d0b1ba46","unresolved":false,"context_lines":[{"line_number":245,"context_line":""},{"line_number":246,"context_line":"During a debug logging phase, it\u0027s common to have the target object"},{"line_number":247,"context_line":"attributes retrieved in the API calls. Comparing the API call on the logs"},{"line_number":248,"context_line":"with the policy enforce for the corresponding API, you can check which API"},{"line_number":249,"context_line":"attribute has been used as the target object. For example on the policy.yaml"},{"line_number":250,"context_line":"for Nova project you can find ``\"compute:start\"`` API, the policy will show as"},{"line_number":251,"context_line":"``\"rule:admin_or_owner\"`` which will point for"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f560f44_5c019669","line":248,"range":{"start_line":248,"start_character":16,"end_line":248,"end_character":23},"updated":"2020-08-10 20:00:13.000000000","message":"enforced","commit_id":"3023307cf822f2b18374e363a0db2a86ae070f39"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"b7eb338a8622f956a0717539611c6d850ec9b183","unresolved":false,"context_lines":[{"line_number":245,"context_line":""},{"line_number":246,"context_line":"During a debug logging phase, it\u0027s common to have the target object"},{"line_number":247,"context_line":"attributes retrieved in the API calls. Comparing the API call on the logs"},{"line_number":248,"context_line":"with the policy enforce for the corresponding API, you can check which API"},{"line_number":249,"context_line":"attribute has been used as the target object. 
For example on the policy.yaml"},{"line_number":250,"context_line":"for Nova project you can find ``\"compute:start\"`` API, the policy will show as"},{"line_number":251,"context_line":"``\"rule:admin_or_owner\"`` which will point for"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f560f44_dc99fdd0","line":248,"range":{"start_line":248,"start_character":16,"end_line":248,"end_character":23},"in_reply_to":"9f560f44_5c019669","updated":"2021-01-18 13:17:35.000000000","message":"Done","commit_id":"3023307cf822f2b18374e363a0db2a86ae070f39"},{"author":{"_account_id":11904,"name":"Sean McGinnis","email":"sean.mcginnis@gmail.com","username":"SeanM"},"change_message_id":"9b193fb0d3871a637b507fd57d847cf7d0b1ba46","unresolved":false,"context_lines":[{"line_number":246,"context_line":"During a debug logging phase, it\u0027s common to have the target object"},{"line_number":247,"context_line":"attributes retrieved in the API calls. Comparing the API call on the logs"},{"line_number":248,"context_line":"with the policy enforce for the corresponding API, you can check which API"},{"line_number":249,"context_line":"attribute has been used as the target object. 
For example on the policy.yaml"},{"line_number":250,"context_line":"for Nova project you can find ``\"compute:start\"`` API, the policy will show as"},{"line_number":251,"context_line":"``\"rule:admin_or_owner\"`` which will point for"},{"line_number":252,"context_line":"``\"admin_or_owner\":  \"is_admin:True or project_id:%(project_id)s\"`` and on this"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f560f44_bcfb9276","line":249,"range":{"start_line":249,"start_character":58,"end_line":249,"end_character":60},"updated":"2020-08-10 20:00:13.000000000","message":"in","commit_id":"3023307cf822f2b18374e363a0db2a86ae070f39"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"b7eb338a8622f956a0717539611c6d850ec9b183","unresolved":false,"context_lines":[{"line_number":246,"context_line":"During a debug logging phase, it\u0027s common to have the target object"},{"line_number":247,"context_line":"attributes retrieved in the API calls. Comparing the API call on the logs"},{"line_number":248,"context_line":"with the policy enforce for the corresponding API, you can check which API"},{"line_number":249,"context_line":"attribute has been used as the target object. 
For example on the policy.yaml"},{"line_number":250,"context_line":"for Nova project you can find ``\"compute:start\"`` API, the policy will show as"},{"line_number":251,"context_line":"``\"rule:admin_or_owner\"`` which will point for"},{"line_number":252,"context_line":"``\"admin_or_owner\":  \"is_admin:True or project_id:%(project_id)s\"`` and on this"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f560f44_bc9ec9b5","line":249,"range":{"start_line":249,"start_character":58,"end_line":249,"end_character":60},"in_reply_to":"9f560f44_bcfb9276","updated":"2021-01-18 13:17:35.000000000","message":"Done","commit_id":"3023307cf822f2b18374e363a0db2a86ae070f39"},{"author":{"_account_id":11904,"name":"Sean McGinnis","email":"sean.mcginnis@gmail.com","username":"SeanM"},"change_message_id":"9b193fb0d3871a637b507fd57d847cf7d0b1ba46","unresolved":false,"context_lines":[{"line_number":247,"context_line":"attributes retrieved in the API calls. Comparing the API call on the logs"},{"line_number":248,"context_line":"with the policy enforce for the corresponding API, you can check which API"},{"line_number":249,"context_line":"attribute has been used as the target object. 
For example on the policy.yaml"},{"line_number":250,"context_line":"for Nova project you can find ``\"compute:start\"`` API, the policy will show as"},{"line_number":251,"context_line":"``\"rule:admin_or_owner\"`` which will point for"},{"line_number":252,"context_line":"``\"admin_or_owner\":  \"is_admin:True or project_id:%(project_id)s\"`` and on this"},{"line_number":253,"context_line":"way you can check that the target object on the debug logging it needs to be a"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f560f44_dcec86bc","line":250,"range":{"start_line":250,"start_character":0,"end_line":250,"end_character":8},"updated":"2020-08-10 20:00:13.000000000","message":"for the Nova","commit_id":"3023307cf822f2b18374e363a0db2a86ae070f39"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"b7eb338a8622f956a0717539611c6d850ec9b183","unresolved":false,"context_lines":[{"line_number":247,"context_line":"attributes retrieved in the API calls. Comparing the API call on the logs"},{"line_number":248,"context_line":"with the policy enforce for the corresponding API, you can check which API"},{"line_number":249,"context_line":"attribute has been used as the target object. 
For example on the policy.yaml"},{"line_number":250,"context_line":"for Nova project you can find ``\"compute:start\"`` API, the policy will show as"},{"line_number":251,"context_line":"``\"rule:admin_or_owner\"`` which will point for"},{"line_number":252,"context_line":"``\"admin_or_owner\":  \"is_admin:True or project_id:%(project_id)s\"`` and on this"},{"line_number":253,"context_line":"way you can check that the target object on the debug logging it needs to be a"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f560f44_1ca41508","line":250,"range":{"start_line":250,"start_character":0,"end_line":250,"end_character":8},"in_reply_to":"9f560f44_dcec86bc","updated":"2021-01-18 13:17:35.000000000","message":"Done","commit_id":"3023307cf822f2b18374e363a0db2a86ae070f39"},{"author":{"_account_id":11904,"name":"Sean McGinnis","email":"sean.mcginnis@gmail.com","username":"SeanM"},"change_message_id":"9b193fb0d3871a637b507fd57d847cf7d0b1ba46","unresolved":false,"context_lines":[{"line_number":249,"context_line":"attribute has been used as the target object. 
For example on the policy.yaml"},{"line_number":250,"context_line":"for Nova project you can find ``\"compute:start\"`` API, the policy will show as"},{"line_number":251,"context_line":"``\"rule:admin_or_owner\"`` which will point for"},{"line_number":252,"context_line":"``\"admin_or_owner\":  \"is_admin:True or project_id:%(project_id)s\"`` and on this"},{"line_number":253,"context_line":"way you can check that the target object on the debug logging it needs to be a"},{"line_number":254,"context_line":"``project_id`` attribute."},{"line_number":255,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f560f44_3c2dc2fd","line":252,"range":{"start_line":252,"start_character":72,"end_line":252,"end_character":75},"updated":"2020-08-10 20:00:13.000000000","message":"in","commit_id":"3023307cf822f2b18374e363a0db2a86ae070f39"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"b7eb338a8622f956a0717539611c6d850ec9b183","unresolved":false,"context_lines":[{"line_number":249,"context_line":"attribute has been used as the target object. 
For example on the policy.yaml"},{"line_number":250,"context_line":"for Nova project you can find ``\"compute:start\"`` API, the policy will show as"},{"line_number":251,"context_line":"``\"rule:admin_or_owner\"`` which will point for"},{"line_number":252,"context_line":"``\"admin_or_owner\":  \"is_admin:True or project_id:%(project_id)s\"`` and on this"},{"line_number":253,"context_line":"way you can check that the target object on the debug logging it needs to be a"},{"line_number":254,"context_line":"``project_id`` attribute."},{"line_number":255,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f560f44_fca841dc","line":252,"range":{"start_line":252,"start_character":72,"end_line":252,"end_character":75},"in_reply_to":"9f560f44_3c2dc2fd","updated":"2021-01-18 13:17:35.000000000","message":"Done","commit_id":"3023307cf822f2b18374e363a0db2a86ae070f39"},{"author":{"_account_id":11904,"name":"Sean McGinnis","email":"sean.mcginnis@gmail.com","username":"SeanM"},"change_message_id":"9b193fb0d3871a637b507fd57d847cf7d0b1ba46","unresolved":false,"context_lines":[{"line_number":250,"context_line":"for Nova project you can find ``\"compute:start\"`` API, the policy will show as"},{"line_number":251,"context_line":"``\"rule:admin_or_owner\"`` which will point for"},{"line_number":252,"context_line":"``\"admin_or_owner\":  \"is_admin:True or project_id:%(project_id)s\"`` and on this"},{"line_number":253,"context_line":"way you can check that the target object on the debug logging it needs to be a"},{"line_number":254,"context_line":"``project_id`` attribute."},{"line_number":255,"context_line":""},{"line_number":256,"context_line":"``is_admin`` indicates that administrative privileges are granted via"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f560f44_7c33ba62","line":253,"range":{"start_line":253,"start_character":41,"end_line":253,"end_character":43},"updated":"2020-08-10 
20:00:13.000000000","message":"in","commit_id":"3023307cf822f2b18374e363a0db2a86ae070f39"},{"author":{"_account_id":8866,"name":"Raildo Mascena de Sousa Filho","email":"rmascena@redhat.com","username":"raildo"},"change_message_id":"b7eb338a8622f956a0717539611c6d850ec9b183","unresolved":false,"context_lines":[{"line_number":250,"context_line":"for Nova project you can find ``\"compute:start\"`` API, the policy will show as"},{"line_number":251,"context_line":"``\"rule:admin_or_owner\"`` which will point for"},{"line_number":252,"context_line":"``\"admin_or_owner\":  \"is_admin:True or project_id:%(project_id)s\"`` and on this"},{"line_number":253,"context_line":"way you can check that the target object on the debug logging it needs to be a"},{"line_number":254,"context_line":"``project_id`` attribute."},{"line_number":255,"context_line":""},{"line_number":256,"context_line":"``is_admin`` indicates that administrative privileges are granted via"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f560f44_5cadede8","line":253,"range":{"start_line":253,"start_character":41,"end_line":253,"end_character":43},"in_reply_to":"9f560f44_7c33ba62","updated":"2021-01-18 13:17:35.000000000","message":"Done","commit_id":"3023307cf822f2b18374e363a0db2a86ae070f39"},{"author":{"_account_id":6928,"name":"Ben Nemec","email":"openstack@nemebean.com","username":"bnemec"},"change_message_id":"e243c8eaa264d6f2d68f47292cfb68937b68f321","unresolved":false,"context_lines":[{"line_number":251,"context_line":"``\"rule:admin_or_owner\"`` which will point for"},{"line_number":252,"context_line":"``\"admin_or_owner\":  \"is_admin:True or project_id:%(project_id)s\"`` and on this"},{"line_number":253,"context_line":"way you can check that the target object on the debug logging it needs to be a"},{"line_number":254,"context_line":"``project_id`` attribute."},{"line_number":255,"context_line":""},{"line_number":256,"context_line":"``is_admin`` indicates that administrative privileges are 
granted via"},{"line_number":257,"context_line":"the admin token mechanism (the ``--os-token`` option of the ``keystone``"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f560f44_67d0cc20","line":254,"updated":"2020-07-31 15:41:22.000000000","message":"I think this is a bit confusing. I see that Nova is populating the target object with project_id in some cases, but since that is also an API attribute it\u0027s awkward to use it as an example for the target attributes too.\n\nWhat I had in mind is more something like this possible glance policy: https://review.opendev.org/#/c/742810/3/doc/source/admin/interoperable-image-import.rst\n\nIn that case, \u0027visibility\u0027 is a key in the target that deployers can use in their custom policy. The question I want to answer in the documentation is how to find out all of the keys available in the target object, which requires looking at the debug log output because it\u0027s an arbitrary dict passed in by the service.\n\nThe other thing that we need to document (but doesn\u0027t necessarily need to be done in this change) is how to enable debug logging of oslo.policy. 
It isn\u0027t as simple as turning on debug in the service because oslo.policy is one of the overridden defaults in https://opendev.org/openstack/oslo.log/src/branch/master/oslo_log/_options.py#L30 That means you also have to override https://opendev.org/openstack/oslo.log/src/branch/master/oslo_log/_options.py#L175 in order to get debug output from oslo.policy.","commit_id":"3023307cf822f2b18374e363a0db2a86ae070f39"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2b479dfc984263c209d24a3436ff073cdbfbb36f","unresolved":false,"context_lines":[{"line_number":251,"context_line":"``\"rule:admin_or_owner\"`` which will point for"},{"line_number":252,"context_line":"``\"admin_or_owner\":  \"is_admin:True or project_id:%(project_id)s\"`` and on this"},{"line_number":253,"context_line":"way you can check that the target object on the debug logging it needs to be a"},{"line_number":254,"context_line":"``project_id`` attribute."},{"line_number":255,"context_line":""},{"line_number":256,"context_line":"``is_admin`` indicates that administrative privileges are granted via"},{"line_number":257,"context_line":"the admin token mechanism (the ``--os-token`` option of the ``keystone``"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9f560f44_c65e4350","line":254,"in_reply_to":"9f560f44_67d0cc20","updated":"2020-09-30 20:48:09.000000000","message":"I agree with this. For deployers, there is no easy way to determine which values they can use to customize a policy without diving deep into the code. One example is this: https://review.opendev.org/#/c/751152/1/nova/api/openstack/compute/servers.py\n\nI think we need some tools that can convert the target passed in by the service into a per-policy docstring. 
If policy help or description can tell what all value for this policy is available to customize then it will solve the problem.","commit_id":"3023307cf822f2b18374e363a0db2a86ae070f39"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1a221b09481db0d70f291ca9c872dfac692bc4f8","unresolved":true,"context_lines":[{"line_number":251,"context_line":"``\"rule:admin_or_owner\"`` which will point for"},{"line_number":252,"context_line":"``\"admin_or_owner\":  \"is_admin:True or project_id:%(project_id)s\"`` and in this"},{"line_number":253,"context_line":"way you can check that the target object in the debug logging it needs to be a"},{"line_number":254,"context_line":"``project_id`` attribute."},{"line_number":255,"context_line":""},{"line_number":256,"context_line":"``is_admin`` indicates that administrative privileges are granted via"},{"line_number":257,"context_line":"the admin token mechanism (the ``--os-token`` option of the ``keystone``"}],"source_content_type":"text/x-rst","patch_set":3,"id":"33896686_69c19180","line":254,"updated":"2021-02-10 18:00:29.000000000","message":"Technically - this information could be generalized outside of the yaml-specific documentation here.\n\nIt seems relevant to the documentation we publish in the API reference [0].\n\n[0] https://opendev.org/openstack/oslo.policy/src/branch/master/oslo_policy/policy.py#L30","commit_id":"50b7600887d1cd95dbe71786639f2d5bafa33639"}]}
