)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c31586c1bc2760f9bc84b085d9807787c5d3d08f","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"enforce(): Check scope against actual rule rather than just the default rule"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"This allows us to override scope requrements in policy.yaml; previously"},{"line_number":10,"context_line":"it checked the default scope requirements regardless of custom policy."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"This code is a bit convoluted and probably needs a refactor; as it is"},{"line_number":13,"context_line":"we get a proper scope exception if breaking scope in a default rule"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"333a39c7_450cbaa2","line":10,"range":{"start_line":9,"start_character":0,"end_line":10,"end_character":70},"updated":"2023-05-22 18:06:09.000000000","message":"Actually, this is by design and the scope was never intended to be overridable. scope are hard-coded in code and we should not make them customizable via config. The main idea behind the scope of API policy is to provide the secure RBAC so that different scope users are not allowed to perform other user operations.\n\nIf any policy require to be allowed to access by system as well as project scope then it should be changed in code. We have many policy like that where we do allow project as well system scope user to allow access as per their check string.\n\nAbout Bug 2017056, I added comment and change in Keystone side will fix the issue.","commit_id":"5afa3265e6a7156b55844c9ab9487ce11ff2580f"}]}