)]}'
{"placement/auth.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ba4d7ef7367a595c7b1661fd99537eb6e2acbfe7","unresolved":false,"context_lines":[{"line_number":46,"context_line":"        token \u003d req.headers[\u0027X-Auth-Token\u0027]"},{"line_number":47,"context_line":"        user_id, _sep, project_id \u003d token.partition(\u0027:\u0027)"},{"line_number":48,"context_line":"        project_id \u003d project_id or user_id"},{"line_number":49,"context_line":"        if user_id \u003d\u003d \u0027admin\u0027:"},{"line_number":50,"context_line":"            roles \u003d [\u0027admin\u0027]"},{"line_number":51,"context_line":"        else:"},{"line_number":52,"context_line":"            roles \u003d []"}],"source_content_type":"text/x-python","patch_set":2,"id":"1f621f24_a8c89aa5","side":"PARENT","line":49,"updated":"2020-11-12 22:36:14.000000000","message":"This bit was necessary so that we could set the roles for the context from the request headers. Ultimately, simulating what keystonemiddleware would populate in the request headers.","commit_id":"f0442937d9b91a1e0dc182a82520bab0b3cba7a1"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"493d0c03cb60cb1aee90e8dacd9c2c8e67029109","unresolved":false,"context_lines":[{"line_number":46,"context_line":"        token \u003d req.headers[\u0027X-Auth-Token\u0027]"},{"line_number":47,"context_line":"        user_id, _sep, project_id \u003d token.partition(\u0027:\u0027)"},{"line_number":48,"context_line":"        project_id \u003d project_id or user_id"},{"line_number":49,"context_line":"        if \u0027HTTP_X_ROLES\u0027 in req.environ.keys():"},{"line_number":50,"context_line":"            roles \u003d req.headers[\u0027X_ROLES\u0027].split(\u0027,\u0027)"},{"line_number":51,"context_line":"        elif user_id \u003d\u003d \u0027admin\u0027:"},{"line_number":52,"context_line":"            roles \u003d [\u0027admin\u0027]"}],"source_content_type":"text/x-python","patch_set":2,"id":"fffc6b78_9d61363d","line":49,"updated":"2020-11-20 11:40:23.000000000","message":"Is this ever going to be used in the real-world or is it purely for gabbi-based testing? Could we get a comment explaining its purpose (basically what you\u0027ve written on the base revision with the context I\u0027m asking for here)?","commit_id":"c44239b88a3345e8942821f37fecdf09e4a17b3c"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"85739bc93dec9350e762de8ece8ba2fc9846261f","unresolved":false,"context_lines":[{"line_number":46,"context_line":"        token \u003d req.headers[\u0027X-Auth-Token\u0027]"},{"line_number":47,"context_line":"        user_id, _sep, project_id \u003d token.partition(\u0027:\u0027)"},{"line_number":48,"context_line":"        project_id \u003d project_id or user_id"},{"line_number":49,"context_line":"        if \u0027HTTP_X_ROLES\u0027 in req.environ.keys():"},{"line_number":50,"context_line":"            roles \u003d req.headers[\u0027X_ROLES\u0027].split(\u0027,\u0027)"},{"line_number":51,"context_line":"        elif user_id \u003d\u003d \u0027admin\u0027:"},{"line_number":52,"context_line":"            roles \u003d [\u0027admin\u0027]"}],"source_content_type":"text/x-python","patch_set":2,"id":"8c98d64d_0053973a","line":49,"in_reply_to":"fffc6b78_9d61363d","updated":"2020-12-10 15:19:49.000000000","message":"Done","commit_id":"c44239b88a3345e8942821f37fecdf09e4a17b3c"}],"placement/policies/aggregate.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"bd40604394c350e8666bab7f8028f3e604e45c51","unresolved":false,"context_lines":[{"line_number":49,"context_line":"    ),"},{"line_number":50,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":51,"context_line":"        UPDATE,"},{"line_number":52,"context_line":"        base.RULE_ADMIN_API,"},{"line_number":53,"context_line":"        \"Update resource provider aggregates.\","},{"line_number":54,"context_line":"        ["},{"line_number":55,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":1,"id":"1f621f24_a6aa4b82","line":52,"range":{"start_line":52,"start_character":13,"end_line":52,"end_character":27},"updated":"2020-10-28 21:17:10.000000000","message":"I\u0027m wondering if we should also be updating this to say:\n\n  role:admin and system_scope:all\n\nInstead of just:\n\n  role:admin\n\nTechnically - line 60 adds scope checking in the event the API is called with a non-system-scoped token, but that\u0027s only true if enforce_scope\u003dTrue in placement.conf, which deployers probably can\u0027t flip until all services in their deployment are on the same page with policy.\n\nCurrently, this works because only admin (project admin specifically) can call this API, which is the equivalent to what we\u0027re calling system adminstrators. While enforce_scope is set to False, we might need to consider adding protection with `system_scope:all` in the actual check string so that we don\u0027t accidentally open up system administrator APIs to project administrators.","commit_id":"fe8cc8f554976eb9674e227051180d835b82db5d"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"493d0c03cb60cb1aee90e8dacd9c2c8e67029109","unresolved":false,"context_lines":[{"line_number":49,"context_line":"    ),"},{"line_number":50,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":51,"context_line":"        UPDATE,"},{"line_number":52,"context_line":"        base.RULE_ADMIN_API,"},{"line_number":53,"context_line":"        \"Update resource provider aggregates.\","},{"line_number":54,"context_line":"        ["},{"line_number":55,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"fffc6b78_1dcb8653","line":52,"range":{"start_line":52,"start_character":13,"end_line":52,"end_character":27},"updated":"2020-11-20 11:40:23.000000000","message":"Here","commit_id":"c44239b88a3345e8942821f37fecdf09e4a17b3c"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"85739bc93dec9350e762de8ece8ba2fc9846261f","unresolved":false,"context_lines":[{"line_number":49,"context_line":"    ),"},{"line_number":50,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":51,"context_line":"        UPDATE,"},{"line_number":52,"context_line":"        base.RULE_ADMIN_API,"},{"line_number":53,"context_line":"        \"Update resource provider aggregates.\","},{"line_number":54,"context_line":"        ["},{"line_number":55,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"96c902e4_e864b52e","line":52,"range":{"start_line":52,"start_character":13,"end_line":52,"end_character":27},"in_reply_to":"fffc6b78_1dcb8653","updated":"2020-12-10 15:19:49.000000000","message":"Not sure why I didn\u0027t catch this in the first go.\n\nFixed.","commit_id":"c44239b88a3345e8942821f37fecdf09e4a17b3c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"efe2d4c7debd06bc83323013db2e4a8236533edf","unresolved":true,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"deprecated_list_aggregates \u003d policy.DeprecatedRule("},{"line_number":30,"context_line":"    name\u003dLIST,"},{"line_number":31,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":32,"context_line":")"},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":4,"id":"1e17a731_68efeb98","line":31,"updated":"2021-01-21 16:53:42.000000000","message":"Newb question, but why don\u0027t you have to specify the scope types for the deprecated rule? Does it inherit them from its replacement? Crucially, would this allow a project-scoped (rather than system-scoped) admin to use this APIs even if \u0027[oslo_policy] enforce_new_defaults \u003d False\u0027 and \u0027[oslo_policy] enforce_scope \u003d False\u0027 were set? Maybe it doesn\u0027t matter here because there\u0027s no project information passed through when checking the policy, but I\u0027m curious.","commit_id":"ada2449361caf5013c01c8e695136ed62c26c182"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"751c73594fcf3a2ee76a1de5a6c29716345be6d9","unresolved":true,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"deprecated_list_aggregates \u003d policy.DeprecatedRule("},{"line_number":30,"context_line":"    name\u003dLIST,"},{"line_number":31,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":32,"context_line":")"},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":4,"id":"37617044_54c4523e","line":31,"in_reply_to":"1e17a731_68efeb98","updated":"2021-01-21 16:58:55.000000000","message":"A lot of the admin API rule checks only really checked for the existence of the admin role somewhere in the token roles. Those checks existed prior to the scope work we did in keystone and the various libraries.\n\nScope types weren\u0027t include in the deprecated rule since they weren\u0027t really applicable to the original check strings across OpenStack. However, I can see how that would potentially be useful moving forward.","commit_id":"ada2449361caf5013c01c8e695136ed62c26c182"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"2c25b3cf009f18a87f27f67c813e8a82f2393a7b","unresolved":false,"context_lines":[{"line_number":28,"context_line":""},{"line_number":29,"context_line":"deprecated_list_aggregates \u003d policy.DeprecatedRule("},{"line_number":30,"context_line":"    name\u003dLIST,"},{"line_number":31,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":32,"context_line":")"},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":4,"id":"b6158691_31961e50","line":31,"in_reply_to":"37617044_54c4523e","updated":"2021-01-21 17:14:29.000000000","message":"Okay, that makes sense. Thanks for the context","commit_id":"ada2449361caf5013c01c8e695136ed62c26c182"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"18949b2c0919ca1e3b481e8f17bb699029232ecc","unresolved":true,"context_lines":[{"line_number":49,"context_line":"    ),"},{"line_number":50,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":51,"context_line":"        UPDATE,"},{"line_number":52,"context_line":"        base.RULE_ADMIN_API,"},{"line_number":53,"context_line":"        \"Update resource provider aggregates.\","},{"line_number":54,"context_line":"        ["},{"line_number":55,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":10,"id":"f04a948a_2b054bd8","line":52,"range":{"start_line":52,"start_character":0,"end_line":52,"end_character":28},"updated":"2021-01-26 20:09:42.000000000","message":"+1, I think we do not need SYSTEM_ADMIN at all in placement as RULE_ADMIN_API work fine.","commit_id":"363d21afa57a5586e96d55b458abfb1181b0317b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"48a41b3a7a3b08f2522565052ecdaf8b8718645f","unresolved":false,"context_lines":[{"line_number":49,"context_line":"    ),"},{"line_number":50,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":51,"context_line":"        UPDATE,"},{"line_number":52,"context_line":"        base.RULE_ADMIN_API,"},{"line_number":53,"context_line":"        \"Update resource provider aggregates.\","},{"line_number":54,"context_line":"        ["},{"line_number":55,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":10,"id":"6aa32635_2742308d","line":52,"range":{"start_line":52,"start_character":0,"end_line":52,"end_character":28},"in_reply_to":"76127ecb_8214f4ec","updated":"2021-01-27 17:09:43.000000000","message":"Done","commit_id":"363d21afa57a5586e96d55b458abfb1181b0317b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"451ec7c06e014b4842fdb0235b9e10953f2780ca","unresolved":true,"context_lines":[{"line_number":49,"context_line":"    ),"},{"line_number":50,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":51,"context_line":"        UPDATE,"},{"line_number":52,"context_line":"        base.RULE_ADMIN_API,"},{"line_number":53,"context_line":"        \"Update resource provider aggregates.\","},{"line_number":54,"context_line":"        ["},{"line_number":55,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":10,"id":"76127ecb_8214f4ec","line":52,"range":{"start_line":52,"start_character":0,"end_line":52,"end_character":28},"in_reply_to":"c3876a49_c3d104a6","updated":"2021-01-27 16:13:19.000000000","message":"I am good on https://review.opendev.org/c/openstack/placement/+/760240/21/placement/policies/base.py#20\n\nso let\u0027s add the same here","commit_id":"363d21afa57a5586e96d55b458abfb1181b0317b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"78b6e68cdea619f1ac1e3066925573be4db13033","unresolved":true,"context_lines":[{"line_number":49,"context_line":"    ),"},{"line_number":50,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":51,"context_line":"        UPDATE,"},{"line_number":52,"context_line":"        base.RULE_ADMIN_API,"},{"line_number":53,"context_line":"        \"Update resource provider aggregates.\","},{"line_number":54,"context_line":"        ["},{"line_number":55,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":10,"id":"c3876a49_c3d104a6","line":52,"range":{"start_line":52,"start_character":0,"end_line":52,"end_character":28},"in_reply_to":"f04a948a_2b054bd8","updated":"2021-01-26 23:50:01.000000000","message":"it may although i would prefer if we use the same constant in all projects.\nalso i am not really a fan of this api in general\n\nif feel like we shoudl ahve a way to also capture \n\nscope_types\u003d[\u0027system\u0027]\n\nin the SYSTEM_ADMIN or SYSTEM_READER definition.\nwe basically have alot of duplciation here that i don\u0027t think we shoudl need\nif we were to desigin rule defieniton form scratch.\n\nim not sure what they best way to retofit it woudl be beyond deprecating DocumentedRuleDefault and replacing it with something else\n\n\nmaybe we coudl define SYSTEM_ADMIN as \n\nSYSTEM_ADMIN \u003d {\n    \u0027check_str\u0027:\u0027role:admin and system_scope:all\u0027,\n    \u0027scope_types\u0027: [\u0027system\u0027]\n\n}\n\nthen invoke policy.DocumentedRuleDefault\n\nlike this\n\npolicy.DocumentedRuleDefault(\n    UPDATE,\n    \"Update resource provider aggregates.\",\n    [\n        {\n            \u0027method\u0027: \u0027PUT\u0027,\n            \u0027path\u0027: BASE_PATH\n        }\n    ], **SYSTEM_ADMIN)\n\nthe problem is i dont think that will work because check_str is a positional arg.\n\nhttps://github.com/openstack/oslo.policy/blob/0a228dea2ee96ec3eabed3361ca22502d0bbd4a1/oslo_policy/policy.py#L1253-L1256\n\npersonally i think we should provide a policy.DocumentedRuleDefaultV2 class in oslo policy and define stardard version fo all the personas there too as dictionarys but im not going to push for that in this change.\n\ni do think it would be a much better api long term of we codified personas as object or dictionaries.\n\nso i think this should be using SYSTEM_ADMIN here","commit_id":"363d21afa57a5586e96d55b458abfb1181b0317b"}],"placement/policies/base.py":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"493d0c03cb60cb1aee90e8dacd9c2c8e67029109","unresolved":false,"context_lines":[{"line_number":13,"context_line":"from oslo_policy import policy"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"RULE_ADMIN_API \u003d \u0027rule:admin_api\u0027"},{"line_number":16,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"rules \u003d ["},{"line_number":19,"context_line":"    # \"placement\" is the default rule (action) used for all routes that do"}],"source_content_type":"text/x-python","patch_set":2,"id":"fffc6b78_1d270615","line":16,"updated":"2020-11-20 11:40:23.000000000","message":"Forgive my ignorance, but why do we define this like we do, as opposed to something like below, e.g.:\n\n  SYSTEM_READER \u003d \u0027rule:system_reader\u0027\n\n  rules \u003d [\n      ...\n      policy.RuleDefault(\n          \"system_reader\",\n          \"role:reader\",\n          scope_types\u003d[\"system\"]),\n  ]\n\nConversely, why are we not replacing references to RULE_ADMIN_API in the previous file with a SYSTEM_ADMIN, e.g.:\n\n  SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027\n\nThis could make zero sense, but I can\u0027t find solid docs explaining this stuff aside from [1].\n\n[1] https://www.oreilly.com/library/view/identity-authentication-and/9781491941249/ch01.html","commit_id":"c44239b88a3345e8942821f37fecdf09e4a17b3c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"9ca31ac90958e3ed52a68e417e9f32e42e561e07","unresolved":false,"context_lines":[{"line_number":13,"context_line":"from oslo_policy import policy"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"RULE_ADMIN_API \u003d \u0027rule:admin_api\u0027"},{"line_number":16,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"rules \u003d ["},{"line_number":19,"context_line":"    # \"placement\" is the default rule (action) used for all routes that do"}],"source_content_type":"text/x-python","patch_set":2,"id":"e00f9b9c_67e819b1","line":16,"in_reply_to":"0b5c0f29_37883ecf","updated":"2020-12-10 21:22:46.000000000","message":"\u003e \u003e This could make zero sense, but I can\u0027t find solid docs explaining this stuff aside from [1].\n\u003e \u003e \n\u003e \u003e [1] https://www.oreilly.com/library/view/identity-authentication-and/9781491941249/ch01.html\n\u003e \n\u003e \n\u003e Wow, I\u0027ve never even seen that reference before.\n\u003e \n\u003e We do have documentation in keystone tailored for people working on other services and it goes into extensive detail about all the various scopes and usecases for each [0]. We also have a section of the keystone operator guide that describes the various personas [1].\n\u003e \n\u003e Is that what you\u0027re looking for?\n\u003e \n\u003e [0] https://docs.openstack.org/keystone/latest/contributor/services.html#authorization-scopes\n\u003e [1] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html\n\nThat\u0027s exactly what I was looking for. Thanks!","commit_id":"c44239b88a3345e8942821f37fecdf09e4a17b3c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c42733ae634ef79893dd5af229b1b24c5f8206ed","unresolved":false,"context_lines":[{"line_number":13,"context_line":"from oslo_policy import policy"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"RULE_ADMIN_API \u003d \u0027rule:admin_api\u0027"},{"line_number":16,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"rules \u003d ["},{"line_number":19,"context_line":"    # \"placement\" is the default rule (action) used for all routes that do"}],"source_content_type":"text/x-python","patch_set":2,"id":"9e8dd71d_ccfb38d2","line":16,"in_reply_to":"e00f9b9c_67e819b1","updated":"2020-12-10 21:41:13.000000000","message":"+1 on making these as rule in common place and use","commit_id":"c44239b88a3345e8942821f37fecdf09e4a17b3c"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"85739bc93dec9350e762de8ece8ba2fc9846261f","unresolved":false,"context_lines":[{"line_number":13,"context_line":"from oslo_policy import policy"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"RULE_ADMIN_API \u003d \u0027rule:admin_api\u0027"},{"line_number":16,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"rules \u003d ["},{"line_number":19,"context_line":"    # \"placement\" is the default rule (action) used for all routes that do"}],"source_content_type":"text/x-python","patch_set":2,"id":"0b5c0f29_37883ecf","line":16,"in_reply_to":"fffc6b78_1d270615","updated":"2020-12-10 15:19:49.000000000","message":"\u003e Forgive my ignorance, but why do we define this like we do, as opposed to something like below, e.g.:\n\u003e \n\u003e   SYSTEM_READER \u003d \u0027rule:system_reader\u0027\n\u003e \n\u003e   rules \u003d [\n\u003e       ...\n\u003e       policy.RuleDefault(\n\u003e           \"system_reader\",\n\u003e           \"role:reader\",\n\u003e           scope_types\u003d[\"system\"]),\n\u003e   ]\n\u003e \n\nThat\u0027s a good question. We can take that approach. One downside is that it provides another layer of indirection for people looking for what `rule:system_reader` means. Conversely, I think `rule:system_reader` is very clearly named and descriptive. Also, registering it as a RuleDefault will render it in documentation.\n\nI\u0027m open to either approach.\n\nI\u0027ll propose it in the next patch set and let reviewers comment on their preferred style.\n\n\n\u003e Conversely, why are we not replacing references to RULE_ADMIN_API in the previous file with a SYSTEM_ADMIN, e.g.:\n\u003e \n\u003e   SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027\n\u003e \n\nYep - that\u0027s my fault. I missed this in the original patch.\n\n\u003e This could make zero sense, but I can\u0027t find solid docs explaining this stuff aside from [1].\n\u003e \n\u003e [1] https://www.oreilly.com/library/view/identity-authentication-and/9781491941249/ch01.html\n\n\nWow, I\u0027ve never even seen that reference before.\n\nWe do have documentation in keystone tailored for people working on other services and it goes into extensive detail about all the various scopes and usecases for each [0]. We also have a section of the keystone operator guide that describes the various personas [1].\n\nIs that what you\u0027re looking for?\n\n[0] https://docs.openstack.org/keystone/latest/contributor/services.html#authorization-scopes\n[1] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html","commit_id":"c44239b88a3345e8942821f37fecdf09e4a17b3c"}],"placement/tests/functional/gabbits/aggregate-legacy-rbac.yaml":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"33893d628d117c818f7d6c0bacbf76d2930cf5c7","unresolved":true,"context_lines":[{"line_number":42,"context_line":"      - *agg_1"},{"line_number":43,"context_line":"      - *agg_2"},{"line_number":44,"context_line":"  status: 200"},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"- name: project member cannot update aggregates"},{"line_number":47,"context_line":"  PUT: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"},{"line_number":48,"context_line":"  request_headers: *project_member_headers"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"756ac97a_c4052b2b","line":45,"updated":"2021-01-22 10:21:40.000000000","message":"No test for project member","commit_id":"64a3b22793ff594ff802153b991a6d31269d73fb"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"bcba87e415ffc20141c792509a7321d61f9c4ea3","unresolved":true,"context_lines":[{"line_number":42,"context_line":"      - *agg_1"},{"line_number":43,"context_line":"      - *agg_2"},{"line_number":44,"context_line":"  status: 200"},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"- name: project member cannot update aggregates"},{"line_number":47,"context_line":"  PUT: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"},{"line_number":48,"context_line":"  request_headers: *project_member_headers"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"3435852c_ba48b0da","line":45,"in_reply_to":"756ac97a_c4052b2b","updated":"2021-01-22 13:59:27.000000000","message":"Are you saying we need a project member test?","commit_id":"64a3b22793ff594ff802153b991a6d31269d73fb"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"33893d628d117c818f7d6c0bacbf76d2930cf5c7","unresolved":true,"context_lines":[{"line_number":58,"context_line":"  request_headers: *project_admin_headers"},{"line_number":59,"context_line":"  response_json_paths:"},{"line_number":60,"context_line":"    $.aggregates.`len`: 2"},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"- name: project member cannot list aggregates"},{"line_number":63,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"},{"line_number":64,"context_line":"  request_headers: *project_member_headers"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"83c1ab57_57ab6f83","line":61,"updated":"2021-01-22 10:21:40.000000000","message":"no test for project reader","commit_id":"64a3b22793ff594ff802153b991a6d31269d73fb"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"bcba87e415ffc20141c792509a7321d61f9c4ea3","unresolved":true,"context_lines":[{"line_number":58,"context_line":"  request_headers: *project_admin_headers"},{"line_number":59,"context_line":"  response_json_paths:"},{"line_number":60,"context_line":"    $.aggregates.`len`: 2"},{"line_number":61,"context_line":""},{"line_number":62,"context_line":"- name: project member cannot list aggregates"},{"line_number":63,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"},{"line_number":64,"context_line":"  request_headers: *project_member_headers"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"3c3f4cd7_6cfbff48","line":61,"in_reply_to":"83c1ab57_57ab6f83","updated":"2021-01-22 13:59:27.000000000","message":"These are the legacy RBAC tests, no? We test the project-reader persona in the secure RBAC tests since it\u0027s a new persona we\u0027re introducing with these changes.\n\nThese tests, the legacy tests in general, are meant to test the old policy check string. Of those, we really only had two personas. One was project admin to denote all administrative operations. The other was project member representing anyone else in the deployment.","commit_id":"64a3b22793ff594ff802153b991a6d31269d73fb"}],"placement/tests/functional/gabbits/aggregate-secure-rbac.yaml":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"efe2d4c7debd06bc83323013db2e4a8236533edf","unresolved":true,"context_lines":[{"line_number":50,"context_line":"  request_headers: *system_admin_headers"},{"line_number":51,"context_line":"  verbose: True"},{"line_number":52,"context_line":"  data:"},{"line_number":53,"context_line":"      name: $ENVIRON[\u0027RP_NAME\u0027]"},{"line_number":54,"context_line":"      uuid: $ENVIRON[\u0027RP_UUID\u0027]"},{"line_number":55,"context_line":"  status: 200"},{"line_number":56,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":4,"id":"3f219be3_468430dd","line":53,"range":{"start_line":53,"start_character":4,"end_line":53,"end_character":6},"updated":"2021-01-21 16:53:42.000000000","message":"nit: you\u0027ve switched from 2 to 4 space indentation","commit_id":"ada2449361caf5013c01c8e695136ed62c26c182"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"751c73594fcf3a2ee76a1de5a6c29716345be6d9","unresolved":false,"context_lines":[{"line_number":50,"context_line":"  request_headers: *system_admin_headers"},{"line_number":51,"context_line":"  verbose: True"},{"line_number":52,"context_line":"  data:"},{"line_number":53,"context_line":"      name: $ENVIRON[\u0027RP_NAME\u0027]"},{"line_number":54,"context_line":"      uuid: $ENVIRON[\u0027RP_UUID\u0027]"},{"line_number":55,"context_line":"  status: 200"},{"line_number":56,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":4,"id":"68ac938a_5b6aa5d9","line":53,"range":{"start_line":53,"start_character":4,"end_line":53,"end_character":6},"in_reply_to":"3f219be3_468430dd","updated":"2021-01-21 16:58:55.000000000","message":"Done","commit_id":"ada2449361caf5013c01c8e695136ed62c26c182"}],"placement/tests/functional/gabbits/aggregate-system-admin-policy.yaml":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"493d0c03cb60cb1aee90e8dacd9c2c8e67029109","unresolved":false,"context_lines":[{"line_number":4,"context_line":"  - APIFixture"},{"line_number":5,"context_line":""},{"line_number":6,"context_line":"defaults:"},{"line_number":7,"context_line":"    request_headers:"},{"line_number":8,"context_line":"        x-auth-token: user"},{"line_number":9,"context_line":"        x-roles: admin,member,reader"},{"line_number":10,"context_line":"        accept: application/json"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"fffc6b78_7d7d72e6","line":7,"range":{"start_line":7,"start_character":2,"end_line":7,"end_character":4},"updated":"2020-11-20 11:40:23.000000000","message":"nit","commit_id":"c44239b88a3345e8942821f37fecdf09e4a17b3c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"493d0c03cb60cb1aee90e8dacd9c2c8e67029109","unresolved":false,"context_lines":[{"line_number":13,"context_line":"        openstack-system-scope: all"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"vars:"},{"line_number":16,"context_line":"    - \u0026agg_1 f918801a-5e54-4bee-9095-09a9d0c786b8"},{"line_number":17,"context_line":"    - \u0026agg_2 a893eb5c-e2a0-4251-ab26-f71d3b0cfc0b"},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"tests:"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"fffc6b78_dd829ec8","line":16,"range":{"start_line":16,"start_character":2,"end_line":16,"end_character":4},"updated":"2020-11-20 11:40:23.000000000","message":"nit","commit_id":"c44239b88a3345e8942821f37fecdf09e4a17b3c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"493d0c03cb60cb1aee90e8dacd9c2c8e67029109","unresolved":false,"context_lines":[{"line_number":22,"context_line":"  POST: /resource_providers"},{"line_number":23,"context_line":"  verbose: True"},{"line_number":24,"context_line":"  data:"},{"line_number":25,"context_line":"      name: $ENVIRON[\u0027RP_NAME\u0027]"},{"line_number":26,"context_line":"      uuid: $ENVIRON[\u0027RP_UUID\u0027]"},{"line_number":27,"context_line":"  status: 200"},{"line_number":28,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"fffc6b78_1d6c2635","line":25,"range":{"start_line":25,"start_character":4,"end_line":25,"end_character":6},"updated":"2020-11-20 11:40:23.000000000","message":"nit","commit_id":"c44239b88a3345e8942821f37fecdf09e4a17b3c"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ba4d7ef7367a595c7b1661fd99537eb6e2acbfe7","unresolved":false,"context_lines":[{"line_number":38,"context_line":"- name: get those aggregates"},{"line_number":39,"context_line":"  GET: $LAST_URL"},{"line_number":40,"context_line":"  response_json_paths:"},{"line_number":41,"context_line":"      $.aggregates.`len`: 2"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1f621f24_283aca97","line":41,"updated":"2020-11-12 22:36:14.000000000","message":"These tests are very similar to the existing tests for aggregates, but I was using them as a working example to get the NoAuthMiddleware working (see line 9).\n\nIf we decide this type of testing is appropriate for protection tests, we can fill in the rest.","commit_id":"c44239b88a3345e8942821f37fecdf09e4a17b3c"},{"author":{"_account_id":11564,"name":"Chris Dent","email":"cdent@anticdent.org","username":"chdent"},"change_message_id":"815e4e6521a8344bf9416fa3ab7780df9e64c4df","unresolved":false,"context_lines":[{"line_number":38,"context_line":"- name: get those aggregates"},{"line_number":39,"context_line":"  GET: $LAST_URL"},{"line_number":40,"context_line":"  response_json_paths:"},{"line_number":41,"context_line":"      $.aggregates.`len`: 2"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1f621f24_6c916df1","line":41,"in_reply_to":"1f621f24_283aca97","updated":"2020-11-13 15:27:40.000000000","message":"Should be fine, but presumably you need a negative test that demonstrates the roles not being present gets the expected failure?","commit_id":"c44239b88a3345e8942821f37fecdf09e4a17b3c"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b3293080c92c23af9e8fafaee66885a7b86e796d","unresolved":false,"context_lines":[{"line_number":38,"context_line":"- name: get those aggregates"},{"line_number":39,"context_line":"  GET: $LAST_URL"},{"line_number":40,"context_line":"  response_json_paths:"},{"line_number":41,"context_line":"      $.aggregates.`len`: 2"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1f621f24_9842300e","line":41,"in_reply_to":"1f621f24_6c916df1","updated":"2020-11-16 14:49:02.000000000","message":"Yes - I think more postive and negative testing is required.\n\nI focused on getting tests working with gabbi by simulating keystonemiddleware, at least in the first iteration. Now that I know it\u0027s possible, I can go through and add more tests.","commit_id":"c44239b88a3345e8942821f37fecdf09e4a17b3c"}]}