)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"fa0eb14acfd2f64b83035cd45e1887bc453d311a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"46159a8d_e3864f67","updated":"2026-06-24 11:15:18.000000000","message":"-2 because of my issues with the approach, not the general idea of course 😄","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"e9f8cca3a2102abb246f073c379f5353eafe889e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"2fec451c_89e225fb","updated":"2026-06-24 10:33:36.000000000","message":"Couple of small comments. The -1 is for the confusing release note","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"985d55ac2669a5b81eab276871ca6a32acb7df8b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"afeb5bcc_dc962fd7","updated":"2026-06-24 10:41:04.000000000","message":"Having reviewed the placement and nova changes, I think we should change tack here slightly. Rather than removing the option here, we should instead keep it as deprecated but raise an exception if it\u0027s set to `False`. 
That would allow us to explicitly set the value to `True` in projects like placement, and allow users to ensure they will get consistent behavior *defined by the service itself* rather than behavior that depends on the version of a dependency they have installed.","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e97ceda5eaf677dd012c4688bcf094ddc9f50eba","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"7cb90292_a3ad9d93","in_reply_to":"0edd0f1a_b920c934","updated":"2026-06-24 17:39:23.000000000","message":"I proposed the service side changes by mentioning how newer version of oslo.policy will impact them and not the old one. Hope that works? https://review.opendev.org/c/openstack/placement/+/994790","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"74777884661062a8f750b16b64b9e3d1a74356c2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"7dcbe2ce_59f09057","in_reply_to":"46159a8d_e3864f67","updated":"2026-06-24 15:46:34.000000000","message":"-2 seems to me for rejecting the whole idea/process/deadline wise but if approach is not preferable then it makes sense to -1 as it will not merge if it is -1 😉","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"6d811cb33f358baaf18c4682796725d9295029c6","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"845c73e5_34d66c55","in_reply_to":"7cb90292_a3ad9d93","updated":"2026-06-25 13:18:13.000000000","message":"Sorry, I was unclear. 
My suggestion was to fail if set to `false` *in the services*, not here. This is similar to the way that e.g. oslo.db technically supports PostgreSQL but services like Nova don\u0027t allow you to use this/don\u0027t test it. In my proposal, oslo.policy would continue to support this feature (for now!) but we would block it at the service level. Then, next cycle, we can drop the feature entirely from oslo.policy. IMO this would give a clearer error to admins (they would be forced to change their configuration if they had set this in e.g. `nova.conf`) and avoid issues where a user on Gazpacho accidentally pulled Hibiscus oslo.policy and got a change in behavior.","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"6d811cb33f358baaf18c4682796725d9295029c6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"2c356cc7_0f9ad9f6","in_reply_to":"7dcbe2ce_59f09057","updated":"2026-06-25 13:18:13.000000000","message":"Yeah, good point 😀 I\u0027ve dropped this","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"84de153469cdc7d83062e8a49599cc1d00d41c6e","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"97ddfb80_1019348c","in_reply_to":"845c73e5_34d66c55","updated":"2026-06-25 16:48:46.000000000","message":"let me clarify also why I failing service is not good idea here.\n\nscope enable and disable does not make a successful (2XX) case fail(4XX); instead, it just improves the error message and early fails. 
For example:\n\nenforce_scope\u003dTrue:\n-------------------\nIf user use system_reader to read the resources/system_admin|member try to create the server in Nova then it will fail somewhere in DB or so as there is no project_id associated with that token. error will be 404 or something else and unclear error message which is hard for user to figure out the problem.\n       \nenforce_scope\u003dFalse:\n--------------------\nIn this case, policy checks itself will throw an error 403 saying you are not using a project-scoped token, which is required by Nova.\n        \nSo, failing service for such cases where only the error message/code is improved is not good. That is why just removing this flag and always enabling the scope enforcement will help users to see if anyone is using a system token (which is a rare case that anyone uses a system token for Nova, etc.).","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"92b5287797729d3b1f1614d1b4ec1ec771908bb2","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"6acd4b49_f2b261f9","in_reply_to":"97ddfb80_1019348c","updated":"2026-06-25 16:58:37.000000000","message":"sorry, I wrote in wrong order. correct one is\n\nenforce_scope\u003dFalse:\n--------------------\nIf user use system_reader to read the resources/system_admin|member try to create the server in Nova then it will fail somewhere in DB or so as there is no project_id associated with that token. 
error will be 404 or something else and unclear error message which is hard for user to figure out the problem.\n\nenforce_scope\u003dTrue:\n--------------------\nIn this case, policy checks itself will throw an error 403 saying you are not using a project-scoped token, which is required by Nova.\n\nSo, failing service for such cases where only the error message/code is improved is not good. That is why just removing this flag and always enabling the scope enforcement will help users to see if anyone is using a system token (which is a rare case that anyone uses a system token for Nova, etc.).\n\nalso, one exception is system_admin which can work as admin anywhere if scope enforcement is disabled.","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"74777884661062a8f750b16b64b9e3d1a74356c2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"0edd0f1a_b920c934","in_reply_to":"afeb5bcc_dc962fd7","updated":"2026-06-24 15:46:34.000000000","message":"I am not sure what is the main gain of keeping the config option but fail if that is set to false. It means operator cannot change this config option to disable the scope enforcement so what is meaning of config flag? 
If we keep config option (even deprecated) but does not allow it to change then it is more confusing for users.\n\nFrom project perspective also, it does not make sense to me to explicitly set it to True and raise error if it is disabled.\n\nThis config option was added for temporary migration to scoped policy and never been intend of toggle it via flag.","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fc060e0333ef933bfa1a6641ef3c4334fc553be6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"10e256bb_fad76e39","updated":"2026-06-29 16:36:10.000000000","message":"keeping it WIP till July 3rd which is timeline communicated in ML but this is ready for review meanwhile.","commit_id":"df0a51daff93995a6efd79a065ad3af97b23dd60"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b22eab8305992a31022145fbd7d7940744f24475","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"cea16377_b097b66c","updated":"2026-06-30 02:15:16.000000000","message":"nova tox jobs is failing because of placement fix is not yet released https://review.opendev.org/c/openstack/placement/+/987568","commit_id":"df0a51daff93995a6efd79a065ad3af97b23dd60"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d38c15100bc1c32932bbe7d2b31b1869275306c6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"1c0b0057_85f85397","updated":"2026-06-30 17:44:58.000000000","message":"-W till deadline but this is ready for review","commit_id":"79fd95e1e049018f2b6a661cfb24cb73db6bcecb"},{"author":{"_account_id":8556,"name":"Ghanshyam 
Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d88f11d30cb610bb166b8a01173319919f6b2554","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"867b4842_7d26d8f3","updated":"2026-07-02 17:31:24.000000000","message":"opening it for review or merger as tomorrow july 3rd is deadline. Merging it will not impact CI unless it is released and constraints in u-c. But will test new oslo.policy in jobs testing it from master which is a good advance heads up if any failure.","commit_id":"79fd95e1e049018f2b6a661cfb24cb73db6bcecb"}],"oslo_policy/policy.py":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"e9f8cca3a2102abb246f073c379f5353eafe889e","unresolved":true,"context_lines":[{"line_number":1124,"context_line":"        self,"},{"line_number":1125,"context_line":"        creds: MutableMapping[str, Any],"},{"line_number":1126,"context_line":"        rule: \u0027_checks.BaseCheck | RuleDefault\u0027,"},{"line_number":1127,"context_line":"        do_raise: bool \u003d False,"},{"line_number":1128,"context_line":"    ) -\u003e bool:"},{"line_number":1129,"context_line":"        if not rule.scope_types:"},{"line_number":1130,"context_line":"            return True"}],"source_content_type":"text/x-python","patch_set":1,"id":"1feceef2_d7318b7c","line":1127,"updated":"2026-06-24 10:33:36.000000000","message":"This is misleading: the two callers here explicitly provide this argument. 
Can we remove the default instead and make it a kwarg-only argument (since that\u0027s how they call it)?\n\n\n\n```suggestion\n        *,\n        do_raise: bool,\n```","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"17c817cc45f04daffca240ff8bd3de2c2c433be1","unresolved":false,"context_lines":[{"line_number":1124,"context_line":"        self,"},{"line_number":1125,"context_line":"        creds: MutableMapping[str, Any],"},{"line_number":1126,"context_line":"        rule: \u0027_checks.BaseCheck | RuleDefault\u0027,"},{"line_number":1127,"context_line":"        do_raise: bool \u003d False,"},{"line_number":1128,"context_line":"    ) -\u003e bool:"},{"line_number":1129,"context_line":"        if not rule.scope_types:"},{"line_number":1130,"context_line":"            return True"}],"source_content_type":"text/x-python","patch_set":1,"id":"e105b911_248684fd","line":1127,"in_reply_to":"1feceef2_d7318b7c","updated":"2026-06-29 16:35:35.000000000","message":"Done","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"e9f8cca3a2102abb246f073c379f5353eafe889e","unresolved":true,"context_lines":[{"line_number":1144,"context_line":"        if rule.scope_types and token_scope not in rule.scope_types:"},{"line_number":1145,"context_line":"            if do_raise:"},{"line_number":1146,"context_line":"                raise InvalidScope(rule, rule.scope_types, token_scope)"},{"line_number":1147,"context_line":"            else:"},{"line_number":1148,"context_line":"                result \u003d False"},{"line_number":1149,"context_line":"        return result"},{"line_number":1150,"context_line":""},{"line_number":1151,"context_line":"    def 
_map_context_attributes_into_creds("}],"source_content_type":"text/x-python","patch_set":1,"id":"a68f3908_26a19b5b","line":1148,"range":{"start_line":1147,"start_character":0,"end_line":1148,"end_character":30},"updated":"2026-06-24 10:33:36.000000000","message":"nit:\n\n```suggestion\n            result \u003d False\n```","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"17c817cc45f04daffca240ff8bd3de2c2c433be1","unresolved":false,"context_lines":[{"line_number":1144,"context_line":"        if rule.scope_types and token_scope not in rule.scope_types:"},{"line_number":1145,"context_line":"            if do_raise:"},{"line_number":1146,"context_line":"                raise InvalidScope(rule, rule.scope_types, token_scope)"},{"line_number":1147,"context_line":"            else:"},{"line_number":1148,"context_line":"                result \u003d False"},{"line_number":1149,"context_line":"        return result"},{"line_number":1150,"context_line":""},{"line_number":1151,"context_line":"    def _map_context_attributes_into_creds("}],"source_content_type":"text/x-python","patch_set":1,"id":"3c296e7f_e5c42fa1","line":1148,"range":{"start_line":1147,"start_character":0,"end_line":1148,"end_character":30},"in_reply_to":"a68f3908_26a19b5b","updated":"2026-06-29 16:35:35.000000000","message":"Done","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"}],"releasenotes/notes/remove-enforce-scope-flag-1c3e886a31fc9b66.yaml":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"e9f8cca3a2102abb246f073c379f5353eafe889e","unresolved":true,"context_lines":[{"line_number":2,"context_line":"upgrade:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Configuring scope enforcement is 
no longer supported. If policy rules"},{"line_number":5,"context_line":"    have the scope_types defined then scope enforcement will be done always."},{"line_number":6,"context_line":"    The config option ``enforce_scope`` was added temporarily to facilitate a"},{"line_number":7,"context_line":"    smooth transition to the new RBAC and was deprecated for the removal."}],"source_content_type":"text/x-yaml","patch_set":1,"id":"0465abae_5a36ed1a","line":5,"updated":"2026-06-24 10:33:36.000000000","message":"```suggestion\n    have the ``scope_types`` defined then scope enforcement will always occur.\n```","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"17c817cc45f04daffca240ff8bd3de2c2c433be1","unresolved":false,"context_lines":[{"line_number":2,"context_line":"upgrade:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Configuring scope enforcement is no longer supported. 
If policy rules"},{"line_number":5,"context_line":"    have the scope_types defined then scope enforcement will be done always."},{"line_number":6,"context_line":"    The config option ``enforce_scope`` was added temporarily to facilitate a"},{"line_number":7,"context_line":"    smooth transition to the new RBAC and was deprecated for the removal."}],"source_content_type":"text/x-yaml","patch_set":1,"id":"55203d7f_88d44706","line":5,"in_reply_to":"0465abae_5a36ed1a","updated":"2026-06-29 16:35:35.000000000","message":"Done","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"e9f8cca3a2102abb246f073c379f5353eafe889e","unresolved":true,"context_lines":[{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Configuring scope enforcement is no longer supported. If policy rules"},{"line_number":5,"context_line":"    have the scope_types defined then scope enforcement will be done always."},{"line_number":6,"context_line":"    The config option ``enforce_scope`` was added temporarily to facilitate a"},{"line_number":7,"context_line":"    smooth transition to the new RBAC and was deprecated for the removal."}],"source_content_type":"text/x-yaml","patch_set":1,"id":"9140630a_59b9c25e","line":7,"range":{"start_line":6,"start_character":4,"end_line":7,"end_character":73},"updated":"2026-06-24 10:33:36.000000000","message":"This was already deprecated for removal: it\u0027s now removed. 
Should this read e.g.\n\n\n\n```suggestion\n    The config option ``enforce_scope``, which was added temporarily to\n    facilitate a smooth transition to the new RBAC model, has now been\n    removed.\n```","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"17c817cc45f04daffca240ff8bd3de2c2c433be1","unresolved":false,"context_lines":[{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Configuring scope enforcement is no longer supported. If policy rules"},{"line_number":5,"context_line":"    have the scope_types defined then scope enforcement will be done always."},{"line_number":6,"context_line":"    The config option ``enforce_scope`` was added temporarily to facilitate a"},{"line_number":7,"context_line":"    smooth transition to the new RBAC and was deprecated for the removal."}],"source_content_type":"text/x-yaml","patch_set":1,"id":"f703e932_0d38896a","line":7,"range":{"start_line":6,"start_character":4,"end_line":7,"end_character":73},"in_reply_to":"9140630a_59b9c25e","updated":"2026-06-29 16:35:35.000000000","message":"Done","commit_id":"482ca8859bc00d6157372e3e8b4d3438d1d55028"}]}
