{"oslo_policy/personas.py":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"9e77bf73d8dc53820f10c2bb289bd90477196eb5","unresolved":true,"context_lines":[{"line_number":29,"context_line":"SYSTEM_ADMIN \u003d policy.RuleDefault("},{"line_number":30,"context_line":"    name\u003d\u0027system_admin\u0027,"},{"line_number":31,"context_line":"    check_str\u003d\u0027role:admin and system_scope:all\u0027"},{"line_number":32,"context_line":"    description\u003d\u0027A policy rule designed to protect system-level \u0027"},{"line_number":33,"context_line":"                \u0027administrative operations.\u0027,"},{"line_number":34,"context_line":"    scope_types\u003d[\u0027system\u0027]"},{"line_number":35,"context_line":")"},{"line_number":36,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"4c286b77_54032c65","line":33,"range":{"start_line":32,"start_character":16,"end_line":33,"end_character":45},"updated":"2020-12-10 20:41:49.000000000","message":"this is a total style nit, but how about:\n\n  ...\n  description\u003d(\n      \u0027A policy rule ...\u0027\n  ),\n  ...\n\njust to avoid the massive hanging indent","commit_id":"55f4e6aec15ea8e45e86d83d60cfefabd7eef9c0"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"cd1b7662517c5d58341c479bd44b5417c3b289d5","unresolved":true,"context_lines":[{"line_number":31,"context_line":"    check_str\u003d\u0027role:admin and system_scope:all\u0027"},{"line_number":32,"context_line":"    description\u003d\u0027A policy rule designed to protect system-level \u0027"},{"line_number":33,"context_line":"                \u0027administrative operations.\u0027,"},{"line_number":34,"context_line":"    
scope_types\u003d[\u0027system\u0027]"},{"line_number":35,"context_line":")"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"SYSTEM_MEMBER \u003d policy.RuleDefault("},{"line_number":38,"context_line":"    name\u003d\u0027system_member\u0027,"}],"source_content_type":"text/x-python","patch_set":1,"id":"25edd229_ccf82b3d","line":35,"range":{"start_line":34,"start_character":0,"end_line":35,"end_character":1},"updated":"2020-12-10 22:01:48.000000000","message":"having scope_type can be challenging sometime. Even with default to PROJECT_ADMIN, some API might want to open up the system scope also for the case when operator want to override these rule to allow system users.\n\nOne example is from nova use case, where we kept the scope_type to [\u0027system\u0027, \u0027project\u0027] for live migration API and they are default to SYSTEM_ADMIN - https://github.com/openstack/nova/blob/3a6c1cbc3a07814b3fecfdc23f28da9294779bcc/nova/policies/migrate_server.py#L35\n\nSo that operator can override the rule to allow some project users to perform live migration operation on their server.","commit_id":"55f4e6aec15ea8e45e86d83d60cfefabd7eef9c0"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"bfd4a3eff4b734b9e20325fa86a3ff8939796976","unresolved":true,"context_lines":[{"line_number":31,"context_line":"    check_str\u003d\u0027role:admin and system_scope:all\u0027"},{"line_number":32,"context_line":"    description\u003d\u0027A policy rule designed to protect system-level \u0027"},{"line_number":33,"context_line":"                \u0027administrative operations.\u0027,"},{"line_number":34,"context_line":"    scope_types\u003d[\u0027system\u0027]"},{"line_number":35,"context_line":")"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"SYSTEM_MEMBER \u003d policy.RuleDefault("},{"line_number":38,"context_line":"    
name\u003d\u0027system_member\u0027,"}],"source_content_type":"text/x-python","patch_set":1,"id":"ea93ada8_69591b7b","line":35,"range":{"start_line":34,"start_character":0,"end_line":35,"end_character":1},"in_reply_to":"25edd229_ccf82b3d","updated":"2020-12-10 22:37:51.000000000","message":"Yeah - I\u0027m convinced this should be handled in the rule that references these rules... (if that makes sense?)","commit_id":"55f4e6aec15ea8e45e86d83d60cfefabd7eef9c0"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"8d1ca0d1ef72c507ae0ac0391fed47902870443a","unresolved":true,"context_lines":[{"line_number":31,"context_line":"    check_str\u003d\u0027role:admin and system_scope:all\u0027"},{"line_number":32,"context_line":"    description\u003d\u0027A policy rule designed to protect system-level \u0027"},{"line_number":33,"context_line":"                \u0027administrative operations.\u0027,"},{"line_number":34,"context_line":"    scope_types\u003d[\u0027system\u0027]"},{"line_number":35,"context_line":")"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"SYSTEM_MEMBER \u003d policy.RuleDefault("},{"line_number":38,"context_line":"    name\u003d\u0027system_member\u0027,"}],"source_content_type":"text/x-python","patch_set":1,"id":"0b5c71ce_07f58c39","line":35,"range":{"start_line":34,"start_character":0,"end_line":35,"end_character":1},"in_reply_to":"ea93ada8_69591b7b","updated":"2021-09-27 16:42:59.000000000","message":"The default should be restrictive:  an API that is SYSTEM_ADMIN should not be (default) allowed by PROJECT_ADMIN semantics.  An operator that wants to open any api to a wider audience should make that rule explicit.  
So if you change migrate_server to SYSTEM_ADMIN, that should also change the scope type.","commit_id":"55f4e6aec15ea8e45e86d83d60cfefabd7eef9c0"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"9e77bf73d8dc53820f10c2bb289bd90477196eb5","unresolved":true,"context_lines":[{"line_number":78,"context_line":""},{"line_number":79,"context_line":"SYSTEM_ADMIN_OR_PROJECT_MEMBER \u003d policy.RuleDefault("},{"line_number":80,"context_line":"    name\u003d\u0027system_admin_or_project_member\u0027,"},{"line_number":81,"context_line":"    check_str\u003d\u0027(role:admin and system_scope:all) or \u0027"},{"line_number":82,"context_line":"              \u0027(role:member and project_id:%(project_id)s)\u0027"},{"line_number":83,"context_line":"    description\u003d\u0027A composite policy rule designed for \u0027"},{"line_number":84,"context_line":"                \u0027system administrators and project users with \u0027"},{"line_number":85,"context_line":"                \u0027authoization on the correct project.\u0027,"}],"source_content_type":"text/x-python","patch_set":1,"id":"1e233d8c_7456e3cf","line":82,"range":{"start_line":81,"start_character":0,"end_line":82,"end_character":59},"updated":"2020-12-10 20:41:49.000000000","message":"nit: wonder would it help to just put this on one line and #noqa it?","commit_id":"55f4e6aec15ea8e45e86d83d60cfefabd7eef9c0"},{"author":{"_account_id":28522,"name":"Hervé Beraud","email":"herveberaud.pro@gmail.com","username":"hberaud"},"change_message_id":"df0142ce068da71720a4bffdc5907f8eb6f73586","unresolved":true,"context_lines":[{"line_number":82,"context_line":"              \u0027(role:member and project_id:%(project_id)s)\u0027"},{"line_number":83,"context_line":"    description\u003d\u0027A composite policy rule designed for \u0027"},{"line_number":84,"context_line":"                \u0027system administrators and project 
users with \u0027"},{"line_number":85,"context_line":"                \u0027authoization on the correct project.\u0027,"},{"line_number":86,"context_line":"    scope_types\u003d[\u0027project\u0027, \u0027system\u0027]"},{"line_number":87,"context_line":")"},{"line_number":88,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"5ac82cc7_615201fd","line":85,"range":{"start_line":85,"start_character":17,"end_line":85,"end_character":29},"updated":"2020-12-10 19:49:33.000000000","message":"typo","commit_id":"55f4e6aec15ea8e45e86d83d60cfefabd7eef9c0"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"cd1b7662517c5d58341c479bd44b5417c3b289d5","unresolved":true,"context_lines":[{"line_number":94,"context_line":"                \u0027read-only APIs and resources for system readers \u0027"},{"line_number":95,"context_line":"                \u0027and project readers.\u0027,"},{"line_number":96,"context_line":"    scope_types\u003d[\u0027project\u0027, \u0027system\u0027]"},{"line_number":97,"context_line":")"}],"source_content_type":"text/x-python","patch_set":1,"id":"f7e5305d_bf673482","line":97,"range":{"start_line":97,"start_character":0,"end_line":97,"end_character":1},"updated":"2020-12-10 22:01:48.000000000","message":"One open thing here is if these can be used as it is on project side or not. In nova, we define the common base rule and added the deprecated legacy rules common rule like admin_api which helped us to deprecate only common rules not every specific rule.\n\nI think for nova case, policies are very large so doing it in common rules was much needed but for other services policy it will be good to do deprecation at specific rule level?\n\n- https://github.com/openstack/nova/blob/3a6c1cbc3a07814b3fecfdc23f28da9294779bcc/nova/policies/base.py#L106","commit_id":"55f4e6aec15ea8e45e86d83d60cfefabd7eef9c0"}]}
