)]}'
{"placement/policies/base.py":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"cd73fe0d7fe6e875c94b9b14210f013c7bf35013","unresolved":true,"context_lines":[{"line_number":37,"context_line":"        \"role:admin\","},{"line_number":38,"context_line":"        description\u003d\"Default rule for most placement APIs.\","},{"line_number":39,"context_line":"        scope_types\u003d[\u0027system\u0027]),"},{"line_number":40,"context_line":"    # FIXME(lbragstad): Remove these RuleDefaults and replace them once we\u0027re"},{"line_number":41,"context_line":"    # able to consume a version of oslo.policy with"},{"line_number":42,"context_line":"    # https://review.opendev.org/c/openstack/oslo.policy/+/766536"},{"line_number":43,"context_line":"    policy.RuleDefault("},{"line_number":44,"context_line":"        \"system_admin\","},{"line_number":45,"context_line":"        \"role:admin and system_scope:all\","}],"source_content_type":"text/x-python","patch_set":2,"id":"b269011f_c3c2b496","line":42,"range":{"start_line":40,"start_character":0,"end_line":42,"end_character":65},"updated":"2020-12-10 21:21:16.000000000","message":"Given this patch, I assume this is now clearly the way to go now rather than [1].\n\n[1] https://review.opendev.org/c/openstack/placement/+/760235/2/placement/policies/base.py#16","commit_id":"51632e602c1de3481adfbdcc49c178b7c4bb0b60"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"cce4291ed73e786a4489a6095ce5a0c66402b6bd","unresolved":false,"context_lines":[{"line_number":37,"context_line":"        \"role:admin\","},{"line_number":38,"context_line":"        description\u003d\"Default rule for most placement APIs.\","},{"line_number":39,"context_line":"        
scope_types\u003d[\u0027system\u0027]),"},{"line_number":40,"context_line":"    # FIXME(lbragstad): Remove these RuleDefaults and replace them once we\u0027re"},{"line_number":41,"context_line":"    # able to consume a version of oslo.policy with"},{"line_number":42,"context_line":"    # https://review.opendev.org/c/openstack/oslo.policy/+/766536"},{"line_number":43,"context_line":"    policy.RuleDefault("},{"line_number":44,"context_line":"        \"system_admin\","},{"line_number":45,"context_line":"        \"role:admin and system_scope:all\","}],"source_content_type":"text/x-python","patch_set":2,"id":"d7cc7f8f_e119a04a","line":42,"range":{"start_line":40,"start_character":0,"end_line":42,"end_character":65},"in_reply_to":"ab16c80a_043646e5","updated":"2021-01-08 11:54:55.000000000","message":"Ack","commit_id":"51632e602c1de3481adfbdcc49c178b7c4bb0b60"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"be480cde45c50ff0c2c29cedd073061f91b3fb7e","unresolved":true,"context_lines":[{"line_number":37,"context_line":"        \"role:admin\","},{"line_number":38,"context_line":"        description\u003d\"Default rule for most placement APIs.\","},{"line_number":39,"context_line":"        scope_types\u003d[\u0027system\u0027]),"},{"line_number":40,"context_line":"    # FIXME(lbragstad): Remove these RuleDefaults and replace them once we\u0027re"},{"line_number":41,"context_line":"    # able to consume a version of oslo.policy with"},{"line_number":42,"context_line":"    # https://review.opendev.org/c/openstack/oslo.policy/+/766536"},{"line_number":43,"context_line":"    policy.RuleDefault("},{"line_number":44,"context_line":"        \"system_admin\","},{"line_number":45,"context_line":"        \"role:admin and 
system_scope:all\","}],"source_content_type":"text/x-python","patch_set":2,"id":"ab16c80a_043646e5","line":42,"range":{"start_line":40,"start_character":0,"end_line":42,"end_character":65},"in_reply_to":"b269011f_c3c2b496","updated":"2020-12-11 20:01:57.000000000","message":"This is still under discussion. Ghanshyam and I were discussing the idea yesterday in the policy pop-up meeting after we took a closer look at the comment you made on the aggregates secure RBAC patch.\n\nOne thing I\u0027m still not 100% sure of, is the nesting of scope_types attributes in policy rules, which is what we\u0027re doing here and in the patch I proposed to oslo.policy for common persona rules.\n\nI\u0027m still working through how I feel about the approach, and I think Ghanshyam is too based on his comments in the oslo.policy patch.\n\nI wanted to document my line of thinking with this approach, hence the comment. I can back out this specific change if necessary and go back to the approach you linked [1]. 
Maybe we can think through this a bit more next week and come up with a consistent path forward?","commit_id":"51632e602c1de3481adfbdcc49c178b7c4bb0b60"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"7151bfafa34b7f06bd199d6dbd76678ed1e4770e","unresolved":true,"context_lines":[{"line_number":45,"context_line":"        \"role:admin and system_scope:all\","},{"line_number":46,"context_line":"        description\u003d\"A policy rule designed to protect administrative \""},{"line_number":47,"context_line":"                    \"operations at the system-level.\","},{"line_number":48,"context_line":"        scope_types\u003d[\u0027system\u0027]),"},{"line_number":49,"context_line":"    policy.RuleDefault("},{"line_number":50,"context_line":"        \"system_reader\","},{"line_number":51,"context_line":"        \"role:reader and system_scope:all\","}],"source_content_type":"text/x-python","patch_set":12,"id":"f8c95ad5_1122f8bf","line":48,"updated":"2021-01-11 19:00:56.000000000","message":"We need to figure out if we still want to take this approach.\n\nTechnically, scope_types should be set by the policies consuming this rule, not this rule directly.","commit_id":"041ae14bb87509e5f452052b360a4d8306ac4be5"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"dd82241185d334e75cae955fdc01488e5c09d369","unresolved":true,"context_lines":[{"line_number":45,"context_line":"        \"role:admin and system_scope:all\","},{"line_number":46,"context_line":"        description\u003d\"A policy rule designed to protect administrative \""},{"line_number":47,"context_line":"                    \"operations at the system-level.\","},{"line_number":48,"context_line":"        scope_types\u003d[\u0027system\u0027]),"},{"line_number":49,"context_line":"    policy.RuleDefault("},{"line_number":50,"context_line":"        
\"system_reader\","},{"line_number":51,"context_line":"        \"role:reader and system_scope:all\","}],"source_content_type":"text/x-python","patch_set":12,"id":"719e8754_315cda67","line":48,"in_reply_to":"f8c95ad5_1122f8bf","updated":"2021-01-21 18:51:56.000000000","message":"We discussed this in the policy pop up meeting today. I think we need to work through some more testing cases before we propose common personas as DocumentedRuleDefault or RuleDefaults.\n\nGmann and I both leaned towards using basic check strings until we have enough testing in place to ensure nest scope types work as expected.\n\nSo long as placement folks are ok with:\n\n  SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027\n  SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027\n\nin place of lines 16 and 17 above, I can remove this.","commit_id":"041ae14bb87509e5f452052b360a4d8306ac4be5"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"956f36b10fec53ed52f3b4cd4835286f55e39ce9","unresolved":true,"context_lines":[{"line_number":45,"context_line":"        \"role:admin and system_scope:all\","},{"line_number":46,"context_line":"        description\u003d\"A policy rule designed to protect administrative \""},{"line_number":47,"context_line":"                    \"operations at the system-level.\","},{"line_number":48,"context_line":"        scope_types\u003d[\u0027system\u0027]),"},{"line_number":49,"context_line":"    policy.RuleDefault("},{"line_number":50,"context_line":"        \"system_reader\","},{"line_number":51,"context_line":"        \"role:reader and system_scope:all\","}],"source_content_type":"text/x-python","patch_set":14,"id":"424d1137_b7d01f22","line":48,"updated":"2021-01-21 15:32:13.000000000","message":"Have we a verdict on [1] or does the FIXME capture this?\n\n[1] 
https://review.opendev.org/c/openstack/placement/+/760240/12/placement/policies/base.py#48","commit_id":"8e4137ecc6fe973387bbf082792c7230cba808b0"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"38e38fbab098989d44d890f3365989acc38e0817","unresolved":false,"context_lines":[{"line_number":45,"context_line":"        \"role:admin and system_scope:all\","},{"line_number":46,"context_line":"        description\u003d\"A policy rule designed to protect administrative \""},{"line_number":47,"context_line":"                    \"operations at the system-level.\","},{"line_number":48,"context_line":"        scope_types\u003d[\u0027system\u0027]),"},{"line_number":49,"context_line":"    policy.RuleDefault("},{"line_number":50,"context_line":"        \"system_reader\","},{"line_number":51,"context_line":"        \"role:reader and system_scope:all\","}],"source_content_type":"text/x-python","patch_set":14,"id":"2ac705d9_0616a98c","line":48,"in_reply_to":"2194068c_1c722d2f","updated":"2021-01-22 10:19:01.000000000","message":"Ack","commit_id":"8e4137ecc6fe973387bbf082792c7230cba808b0"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ae5237c431d164bf77d5ddfa441728745582e3c4","unresolved":true,"context_lines":[{"line_number":45,"context_line":"        \"role:admin and system_scope:all\","},{"line_number":46,"context_line":"        description\u003d\"A policy rule designed to protect administrative \""},{"line_number":47,"context_line":"                    \"operations at the system-level.\","},{"line_number":48,"context_line":"        scope_types\u003d[\u0027system\u0027]),"},{"line_number":49,"context_line":"    policy.RuleDefault("},{"line_number":50,"context_line":"        \"system_reader\","},{"line_number":51,"context_line":"        \"role:reader and 
system_scope:all\","}],"source_content_type":"text/x-python","patch_set":14,"id":"2194068c_1c722d2f","line":48,"in_reply_to":"424d1137_b7d01f22","updated":"2021-01-22 01:04:32.000000000","message":"I responded on the comment in PS12, but I\u0027ll remove these for now until we fully understand how we want to handle this in oslo.policy.\n\nThere are concerns about nested scope types that we haven\u0027t fully thought through, yet.","commit_id":"8e4137ecc6fe973387bbf082792c7230cba808b0"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"41aa347f508c5da4108472cf0797eaf7e8f7e7df","unresolved":true,"context_lines":[{"line_number":17,"context_line":"# RuleDefaults or DocumentedRuleDefaults, but we need to thoroughly vet the"},{"line_number":18,"context_line":"# approach in oslo.policy and consume a new version. Until we have that done,"},{"line_number":19,"context_line":"# let\u0027s continue using generic check strings."},{"line_number":20,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":21,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":21,"id":"e94dcc8f_0261ab60","line":20,"range":{"start_line":20,"start_character":0,"end_line":20,"end_character":48},"updated":"2021-01-26 20:07:15.000000000","message":"after seeing this[1] I think we do not need SYSTEM_ADMIN in placement as policy are system scoped and old RULE_ADMIN_API  work fine.\n\n[1] \nhttps://review.opendev.org/c/openstack/placement/+/760235/10/placement/policies/aggregate.py#52","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"07cd181af867d953f80d272a08cadd8fb4bf67c0","unresolved":true,"context_lines":[{"line_number":17,"context_line":"# RuleDefaults or DocumentedRuleDefaults, but we need to thoroughly vet the"},{"line_number":18,"context_line":"# approach in oslo.policy and consume a new version. Until we have that done,"},{"line_number":19,"context_line":"# let\u0027s continue using generic check strings."},{"line_number":20,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":21,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":21,"id":"97b94084_c0bcdc02","line":20,"range":{"start_line":20,"start_character":15,"end_line":20,"end_character":48},"updated":"2021-01-26 19:49:54.000000000","message":"how about defining these as rule so that operator can change them via policy file itself in case they want to hack it then it will be easy way for them. In that way they can just override the base rule instead of each policy rule. \n\nLike below:\n\n# hacking the system admin with my customized role\n\"system_admin_api\": \"role:my-customized-role\"\n\n\nBut this can be done in follow up patch.","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"b3782295631d2f4bc59b3dd4720be23cda8268f7","unresolved":true,"context_lines":[{"line_number":17,"context_line":"# RuleDefaults or DocumentedRuleDefaults, but we need to thoroughly vet the"},{"line_number":18,"context_line":"# approach in oslo.policy and consume a new version. 
Until we have that done,"},{"line_number":19,"context_line":"# let\u0027s continue using generic check strings."},{"line_number":20,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":21,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":21,"id":"fa1deb11_57e25b03","line":20,"range":{"start_line":20,"start_character":0,"end_line":20,"end_character":48},"in_reply_to":"098ef205_657ce0ea","updated":"2021-01-27 03:00:48.000000000","message":"FWIW - I refactored the series initially to use SYSTEM_ADMIN instead of RULE_ADMIN_API after Stephen pointed it out early in the review cycle.\n\nhttps://review.opendev.org/c/openstack/placement/+/760235/2/placement/policies/base.py","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2413b0c75a91c1f208808d531a2b8bec79012892","unresolved":true,"context_lines":[{"line_number":17,"context_line":"# RuleDefaults or DocumentedRuleDefaults, but we need to thoroughly vet the"},{"line_number":18,"context_line":"# approach in oslo.policy and consume a new version. 
Until we have that done,"},{"line_number":19,"context_line":"# let\u0027s continue using generic check strings."},{"line_number":20,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":21,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":21,"id":"cb315a84_09cb91a3","line":20,"range":{"start_line":20,"start_character":0,"end_line":20,"end_character":48},"in_reply_to":"0bb678d3_cbebc485","updated":"2021-01-27 16:11:25.000000000","message":"main goal of \u0027system_scope:all\u0027 special string was to differentiate the project rol from system role. for example \u0027role:reader and system_scope:all\u0027 if enforce_scope is False then project reader should not access it so \u0027system_scope:all\u0027 does the work to restrict project role. \n\nand for \u0027role:admin and system_scope:all\u0027 in nova, we did some API open for both scope (so that operator can override rule for project) but default to system admin only so \u0027system_scope:all\u0027 does the trick for that\nexample- https://github.com/openstack/nova/blob/3a6c1cbc3a07814b3fecfdc23f28da9294779bcc/nova/policies/migrate_server.py#L27-L35\n\nIn placement policy we already have scope_type as system for all of the admin API so we do not need to add such protection. But not having the SYSTEM_ADMIN can make difference when and how we decide to remove the old rule. if that happen before we enable system scope by default then it can keep allow legacy admin to access (4th case in my previous comment) which we do not want. 
So let\u0027s not depends on synchronization of old default and enforce scope and go with the current way.","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"669102f155b4ef8c7b968156b996fd11cfc19964","unresolved":true,"context_lines":[{"line_number":17,"context_line":"# RuleDefaults or DocumentedRuleDefaults, but we need to thoroughly vet the"},{"line_number":18,"context_line":"# approach in oslo.policy and consume a new version. Until we have that done,"},{"line_number":19,"context_line":"# let\u0027s continue using generic check strings."},{"line_number":20,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":21,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":21,"id":"9ba90cc6_708cde1f","line":20,"range":{"start_line":20,"start_character":0,"end_line":20,"end_character":48},"in_reply_to":"35a629d7_aa4f25eb","updated":"2021-01-26 23:32:59.000000000","message":"im not sure i agree.\n\ni was acutlly expecting SYSTEM_ADMIN to be defined in oslo policy.\nwe want this and the other RBAC roles to operate teh same across all projects.\ni like haveing a centralised definition of what these means and i also dont really think its a good idea to allow these defintion to change between cloud or cloud versions.\n\nif i want to be able to inpect the poslice form the api at some point in the future in a discoverable way sucha s via keystone/midelware it would be nice if these defautl rules had a single meaning no mater the api.\nfailing that having it defined in one location here i think is cleaner.","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":8556,"name":"Ghanshyam 
Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c173e2b07ffb81c2d93f1f4fe23ceaebed05864f","unresolved":true,"context_lines":[{"line_number":17,"context_line":"# RuleDefaults or DocumentedRuleDefaults, but we need to thoroughly vet the"},{"line_number":18,"context_line":"# approach in oslo.policy and consume a new version. Until we have that done,"},{"line_number":19,"context_line":"# let\u0027s continue using generic check strings."},{"line_number":20,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":21,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":21,"id":"098ef205_657ce0ea","line":20,"range":{"start_line":20,"start_character":0,"end_line":20,"end_character":48},"in_reply_to":"8e2be74a_969010e6","updated":"2021-01-27 00:20:05.000000000","message":"But if we want to change it for consistency across project then i am ok and then we can change in https://review.opendev.org/c/openstack/placement/+/760235/10/placement/policies/aggregate.py#52","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"41aa347f508c5da4108472cf0797eaf7e8f7e7df","unresolved":true,"context_lines":[{"line_number":17,"context_line":"# RuleDefaults or DocumentedRuleDefaults, but we need to thoroughly vet the"},{"line_number":18,"context_line":"# approach in oslo.policy and consume a new version. 
Until we have that done,"},{"line_number":19,"context_line":"# let\u0027s continue using generic check strings."},{"line_number":20,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":21,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":21,"id":"428f110b_61d30bf8","line":20,"range":{"start_line":20,"start_character":15,"end_line":20,"end_character":48},"in_reply_to":"97b94084_c0bcdc02","updated":"2021-01-26 20:07:15.000000000","message":"ah just read the NOTE from lbragstad about it ^^. +1","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"9683792f469c003293ee10dc580d2180e4fa39bc","unresolved":true,"context_lines":[{"line_number":17,"context_line":"# RuleDefaults or DocumentedRuleDefaults, but we need to thoroughly vet the"},{"line_number":18,"context_line":"# approach in oslo.policy and consume a new version. Until we have that done,"},{"line_number":19,"context_line":"# let\u0027s continue using generic check strings."},{"line_number":20,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":21,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":21,"id":"8e2be74a_969010e6","line":20,"range":{"start_line":20,"start_character":0,"end_line":20,"end_character":48},"in_reply_to":"9ba90cc6_708cde1f","updated":"2021-01-26 23:58:30.000000000","message":"I agree to move those in common place, that is separate discussion. 
But my point here is that in placement we do not need to change RULE_ADMIN_API -\u003e SYSTEM_ADMIN (adding special string \u0027system_scope:all\u0027 to admin) because old check_str and scope_type is already a system admin. Or you can say this is already done in placement since starting (or when scope_type was added). By changing RULE_ADMIN_API -\u003e SYSTEM_ADMIN with RULE_ADMIN_API in deprecated rule we are not changing anything except:\n\nWe have 4 scenario here:\n\n1. if enforce_scope\u003dTrue \u0026\u0026 enforce_new_default\u003dFalse: No change. only system admin was able to access it previously also.\n2. if enforce_scope\u003dFalse \u0026\u0026 enforce_new_default\u003dFalse: project admin was able to access it previously and with this change also they can access as we are adding RULE_ADMIN_API as deprecated rule \n3. if enforce_scope\u003dTrue \u0026\u0026 enforce_new_default\u003dTrue: no change.\n4. if enforce_scope\u003dFalse \u0026\u0026 enforce_new_default\u003dTrue: This is change where we will remove the old rule but not forcing the scope. In this, project_admin will be 403 which used to be 200. And I am not sure if this use case we want to support I mean we should enforce_scope enable by default before or at same time we remove the old rules.\n\nIf we are changing the current RULE_ADMIN_API  to reader role then yes we need to change SYSTEM_READER (adding special string \u0027system_scope:all\u0027 to reader role) so that project reader cannot access it if enforce_scope is false.","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"ef3f278548b3096bec5533552f92a174f27dfa34","unresolved":false,"context_lines":[{"line_number":17,"context_line":"# RuleDefaults or DocumentedRuleDefaults, but we need to thoroughly vet the"},{"line_number":18,"context_line":"# approach in oslo.policy and consume a new version. 
Until we have that done,"},{"line_number":19,"context_line":"# let\u0027s continue using generic check strings."},{"line_number":20,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":21,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":21,"id":"b4a0f8da_6749a28a","line":20,"range":{"start_line":20,"start_character":0,"end_line":20,"end_character":48},"in_reply_to":"b66d144f_88844ba2","updated":"2021-01-27 17:05:46.000000000","message":"well no  scope_type or rahter   scope_types\u003d[\u0027system\u0027, \u0027project\u0027] is different from \nsystem_scopes.\n\nso scope types will still be need to know if you have a domian/project/sytem scoped token\n\nortoganal ot that you will partions of the system into compute/idenity.... with system_cope all being the most open.\n\nortoganal to that again we have the role e.g. reader/admin\n\nso there are 3 differnt parts\n\nthe person has a role and scope_type\n\ni think the system_scope is not part of the persona its a pare of the endpoint policy.","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ce532b2979706b8d6b033ef10c9e6100e84cf534","unresolved":false,"context_lines":[{"line_number":17,"context_line":"# RuleDefaults or DocumentedRuleDefaults, but we need to thoroughly vet the"},{"line_number":18,"context_line":"# approach in oslo.policy and consume a new version. 
Until we have that done,"},{"line_number":19,"context_line":"# let\u0027s continue using generic check strings."},{"line_number":20,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":21,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":21,"id":"b66d144f_88844ba2","line":20,"range":{"start_line":20,"start_character":0,"end_line":20,"end_character":48},"in_reply_to":"cb315a84_09cb91a3","updated":"2021-01-27 16:58:17.000000000","message":"Okay, so eventually we might get to a world where scopes are always enforced in which case \u0027scope_type\u0027 would be redundant. Good to know. I\u0027m also happy to go with this as-is for the reasons you outlined plus my previous consistency concerns","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"172ba6c46fe884a3532ec84cbe60f49036484c81","unresolved":true,"context_lines":[{"line_number":17,"context_line":"# RuleDefaults or DocumentedRuleDefaults, but we need to thoroughly vet the"},{"line_number":18,"context_line":"# approach in oslo.policy and consume a new version. 
Until we have that done,"},{"line_number":19,"context_line":"# let\u0027s continue using generic check strings."},{"line_number":20,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":21,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":21,"id":"891d29b9_c3aa2e5b","line":20,"range":{"start_line":20,"start_character":0,"end_line":20,"end_character":48},"in_reply_to":"cb315a84_09cb91a3","updated":"2021-01-27 16:43:17.000000000","message":"Stephen, \n\nUsing `system_scope:all` is a special designation for a system-scoped token that maps to the entire deployment system (e.g., \u0027all\u0027 is special in this sense). In the future, keystone might expose the service catalog as authorization targets, allowing us to do something like this:\n\n  $ openstack role add --user stephenfin --user-domain Default --system compute admin  # these assignments aren\u0027t supported today\n  $ openstack role add --user stephenfin --user-domain Default --system all reader # these assignments are supported today\n  $ openstack role add --user gmann --user-domain Default --system identity admin  # these assignments aren\u0027t supported today\n\n\nWhich gives us much more flexibility for breaking up access to all system-level APIs. If, or when, that happens, we could update policy checks to include:\n\n  (role:reader and system_scope:placement)\n\nWhich would allow you to manage things in placement, but Ghanshyam wouldn\u0027t be able to access anything in placement since his system tokens are specific to the keystone service. 
Conversely, you could list all resources in keystone, but you wouldn\u0027t be able to create new domains, groups, projects, users, etc...\n\nPutting roles in a hierarchy and breaking the system into smaller authorization targets follows a NIST RBAC model that allows OpenStack to implement separation of duty requirements.\n\nThis is a long-winded answer, but you\u0027re absolutely on the right track looking at system_scope:placement.","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"fed6588f62df47a86abe1c3e6f36065fbc2ea209","unresolved":true,"context_lines":[{"line_number":17,"context_line":"# RuleDefaults or DocumentedRuleDefaults, but we need to thoroughly vet the"},{"line_number":18,"context_line":"# approach in oslo.policy and consume a new version. Until we have that done,"},{"line_number":19,"context_line":"# let\u0027s continue using generic check strings."},{"line_number":20,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":21,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":21,"id":"35a629d7_aa4f25eb","line":20,"range":{"start_line":20,"start_character":0,"end_line":20,"end_character":48},"in_reply_to":"e94dcc8f_0261ab60","updated":"2021-01-26 20:14:49.000000000","message":"and that way we can avoid the rule deprecation for admin policy. 
basically placement need to add read-only rules only.","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"15009d49563ec132f99f2637546feabc9bf5a4ba","unresolved":true,"context_lines":[{"line_number":17,"context_line":"# RuleDefaults or DocumentedRuleDefaults, but we need to thoroughly vet the"},{"line_number":18,"context_line":"# approach in oslo.policy and consume a new version. Until we have that done,"},{"line_number":19,"context_line":"# let\u0027s continue using generic check strings."},{"line_number":20,"context_line":"SYSTEM_ADMIN \u003d \u0027role:admin and system_scope:all\u0027"},{"line_number":21,"context_line":"SYSTEM_READER \u003d \u0027role:reader and system_scope:all\u0027"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":21,"id":"0bb678d3_cbebc485","line":20,"range":{"start_line":20,"start_character":0,"end_line":20,"end_character":48},"in_reply_to":"fa1deb11_57e25b03","updated":"2021-01-27 13:59:55.000000000","message":"Hmm, this wasn\u0027t something I gave too much thought to, to be honest. I was just copying what was done in nova, rightly or wrongly. As far as I understand it, the \u0027system_scope:all\u0027 token (token?) means that this admin\u0027s scope applies to all systems, as opposed to a specific one (I assume a system means e.g. compute or nova, since it\u0027s not a project or domain). Does that means we could have rules in the future that say e.g. \u0027system_scope:compute\u0027?\n\nRegardless of the above, I think requesting the \u0027all\u0027 scope does mean that (a) things are consistent between various services and (b) we can centralize these rules in the future, as suggested in the NOTE above, since they\u0027re the same across all projects. 
I assume there was a reason to include the \u0027system_scope:all\u0027 token in nova.","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"}],"placement/policies/resource_provider.py":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"cd73fe0d7fe6e875c94b9b14210f013c7bf35013","unresolved":true,"context_lines":[{"line_number":63,"context_line":"        ],"},{"line_number":64,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":65,"context_line":"        deprecated_rule\u003ddeprecated_list_resource_providers,"},{"line_number":66,"context_line":"        deprecated_reason\u003dDEPRECATED_REASON,"},{"line_number":67,"context_line":"        deprecated_since\u003dversionutils.deprecated.WALLABY),"},{"line_number":68,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":69,"context_line":"        name\u003dCREATE,"},{"line_number":70,"context_line":"        check_str\u003dbase.SYSTEM_ADMIN,"}],"source_content_type":"text/x-python","patch_set":2,"id":"58d44484_43d50b5d","line":67,"range":{"start_line":66,"start_character":0,"end_line":67,"end_character":56},"updated":"2020-12-10 21:21:16.000000000","message":"As an unrelated aside, I\u0027m not sure why these parameters were implemented here initially as opposed to as parameters of the \u0027DeprecatedRule\u0027 object. In oslo.config land, \u0027deprecated_group\u0027 is independent of \u0027deprecated_reason\u0027/\u0027deprecated_since\u0027, with the former being used to indicate that the current opt was previously in another group, while the latter are used to actually deprecated the opt (plus any aliases left in the other group). That\u0027s not what we seem to be doing here.\n\nLater: Oh, wait, I don\u0027t think this was ever intended to work this way. 
From the docs [1]:\n\n  :param deprecated_reason: indicates why this policy is planned for removal\n                            in a future release. Silently ignored if\n                            deprecated_for_removal is False.\n  :param deprecated_since: indicates which release this policy was deprecated\n                           in. Accepts any string, though valid version\n                           strings are encouraged. Silently ignored if\n                           deprecated_for_removal is False.\n\nHowever, later on I see docs that use it like we\u0027ve done here [2] and I think this is what we did in nova too. Clearly there\u0027s a gap here and \u0027DeprecatedRule\u0027 should have its own \u0027deprecated_reason\u0027 and \u0027deprecated_since\u0027 options.\n\nI guess we can do this for now, but it\u0027d be good to add a note explaining why this is happening. As this is implemented, it really looks like the new options are deprecated as well as the alias /o\\\n\n[1] https://github.com/openstack/oslo.policy/blob/0a228dea2ee96ec3eabed3361ca22502d0bbd4a1/oslo_policy/policy.py#L1145-L1151\n[2] https://github.com/openstack/oslo.policy/blob/0a228dea2ee96ec3eabed3361ca22502d0bbd4a1/oslo_policy/policy.py#L1413-L1415","commit_id":"51632e602c1de3481adfbdcc49c178b7c4bb0b60"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"7fb5fc8e205f130f55868d8df3cf9a0066c6e3a2","unresolved":true,"context_lines":[{"line_number":63,"context_line":"        ],"},{"line_number":64,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":65,"context_line":"        deprecated_rule\u003ddeprecated_list_resource_providers,"},{"line_number":66,"context_line":"        deprecated_reason\u003dDEPRECATED_REASON,"},{"line_number":67,"context_line":"        deprecated_since\u003dversionutils.deprecated.WALLABY),"},{"line_number":68,"context_line":"   
 policy.DocumentedRuleDefault("},{"line_number":69,"context_line":"        name\u003dCREATE,"},{"line_number":70,"context_line":"        check_str\u003dbase.SYSTEM_ADMIN,"}],"source_content_type":"text/x-python","patch_set":2,"id":"d4fad4ec_82fdfe39","line":67,"range":{"start_line":66,"start_character":0,"end_line":67,"end_character":56},"in_reply_to":"3932d2c3_9eaf85f0","updated":"2020-12-10 22:13:11.000000000","message":"https://review.opendev.org/c/openstack/oslo.policy/+/766628","commit_id":"51632e602c1de3481adfbdcc49c178b7c4bb0b60"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"0b3f3df1229372ac444be9eb73cc74adac65c06b","unresolved":true,"context_lines":[{"line_number":63,"context_line":"        ],"},{"line_number":64,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":65,"context_line":"        deprecated_rule\u003ddeprecated_list_resource_providers,"},{"line_number":66,"context_line":"        deprecated_reason\u003dDEPRECATED_REASON,"},{"line_number":67,"context_line":"        deprecated_since\u003dversionutils.deprecated.WALLABY),"},{"line_number":68,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":69,"context_line":"        name\u003dCREATE,"},{"line_number":70,"context_line":"        check_str\u003dbase.SYSTEM_ADMIN,"}],"source_content_type":"text/x-python","patch_set":2,"id":"3932d2c3_9eaf85f0","line":67,"range":{"start_line":66,"start_character":0,"end_line":67,"end_character":56},"in_reply_to":"58d44484_43d50b5d","updated":"2020-12-10 21:27:59.000000000","message":"More confusion. Seems the code does expect \u0027deprecated_reason\u0027 and \u0027deprecated_since\u0027 if \u0027deprecated_rule\u0027 is provided [1]. 
This is a mess 😊\n\n[1] https://github.com/openstack/oslo.policy/blob/0a228dea2ee96ec3eabed3361ca22502d0bbd4a1/oslo_policy/policy.py#L1190-L1196","commit_id":"51632e602c1de3481adfbdcc49c178b7c4bb0b60"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"f03a044fcbded28f131ba1f9c1b6b86b29591698","unresolved":true,"context_lines":[{"line_number":63,"context_line":"        ],"},{"line_number":64,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":65,"context_line":"        deprecated_rule\u003ddeprecated_list_resource_providers,"},{"line_number":66,"context_line":"        deprecated_reason\u003dDEPRECATED_REASON,"},{"line_number":67,"context_line":"        deprecated_since\u003dversionutils.deprecated.WALLABY),"},{"line_number":68,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":69,"context_line":"        name\u003dCREATE,"},{"line_number":70,"context_line":"        check_str\u003dbase.SYSTEM_ADMIN,"}],"source_content_type":"text/x-python","patch_set":2,"id":"f3169183_25a7069c","line":67,"range":{"start_line":66,"start_character":0,"end_line":67,"end_character":56},"in_reply_to":"d4fad4ec_82fdfe39","updated":"2020-12-10 23:02:50.000000000","message":"To clarify, we required deprecated_reason and deprecated_since for deprecated rules to make it so developers supplied operators or policy writers with something.","commit_id":"51632e602c1de3481adfbdcc49c178b7c4bb0b60"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"cce4291ed73e786a4489a6095ce5a0c66402b6bd","unresolved":false,"context_lines":[{"line_number":63,"context_line":"        ],"},{"line_number":64,"context_line":"        scope_types\u003d[\u0027system\u0027],"},{"line_number":65,"context_line":"        
deprecated_rule\u003ddeprecated_list_resource_providers,"},{"line_number":66,"context_line":"        deprecated_reason\u003dDEPRECATED_REASON,"},{"line_number":67,"context_line":"        deprecated_since\u003dversionutils.deprecated.WALLABY),"},{"line_number":68,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":69,"context_line":"        name\u003dCREATE,"},{"line_number":70,"context_line":"        check_str\u003dbase.SYSTEM_ADMIN,"}],"source_content_type":"text/x-python","patch_set":2,"id":"6bfb1c7a_e9a947ab","line":67,"range":{"start_line":66,"start_character":0,"end_line":67,"end_character":56},"in_reply_to":"f3169183_25a7069c","updated":"2021-01-08 11:54:55.000000000","message":"Yup, understood. I\u0027m just thinking that this was the wrong place to require it, and we should instead have configured it in the \u0027DeprecatedRule\u0027 linked to by \u0027deprecated_rule\u0027","commit_id":"51632e602c1de3481adfbdcc49c178b7c4bb0b60"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"7c18184a80e6d3529186e6ac551758e53430a42d","unresolved":true,"context_lines":[{"line_number":24,"context_line":"UPDATE \u003d PREFIX % \u0027update\u0027"},{"line_number":25,"context_line":"DELETE \u003d PREFIX % \u0027delete\u0027"},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"DEPRECATED_REASON \u003d \"\"\""},{"line_number":28,"context_line":"The resource provider API now supports a read-only role by default."},{"line_number":29,"context_line":"\"\"\""},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"deprecated_list_resource_providers \u003d policy.DeprecatedRule("},{"line_number":32,"context_line":"    name\u003dLIST,"},{"line_number":33,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":34,"context_line":")"},{"line_number":35,"context_line":"deprecated_show_resource_provider \u003d 
policy.DeprecatedRule("},{"line_number":36,"context_line":"    name\u003dSHOW,"},{"line_number":37,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":38,"context_line":")"},{"line_number":39,"context_line":"deprecated_create_resource_provider \u003d policy.DeprecatedRule("},{"line_number":40,"context_line":"    name\u003dCREATE,"},{"line_number":41,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":42,"context_line":")"},{"line_number":43,"context_line":"deprecated_update_resource_provider \u003d policy.DeprecatedRule("},{"line_number":44,"context_line":"    name\u003dUPDATE,"},{"line_number":45,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":46,"context_line":")"},{"line_number":47,"context_line":"deprecated_delete_resource_provider \u003d policy.DeprecatedRule("},{"line_number":48,"context_line":"    name\u003dDELETE,"},{"line_number":49,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":50,"context_line":")"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":21,"id":"fe0f7be0_b6b088f6","line":50,"range":{"start_line":27,"start_character":0,"end_line":50,"end_character":1},"updated":"2021-01-27 16:54:48.000000000","message":"we can define these and all other policy deprecation in base system_admin_api and system_reader_api rule (we can define these) like done in nova\n\n- https://github.com/openstack/nova/blob/b34a1ca645c61cd1dbbb53c9b0aa1f56915d9007/nova/policies/base.py#L106","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"82721ac1ff7b6ea320ea4cbc87c4f7cfbdf7c364","unresolved":true,"context_lines":[{"line_number":24,"context_line":"UPDATE \u003d PREFIX % 
\u0027update\u0027"},{"line_number":25,"context_line":"DELETE \u003d PREFIX % \u0027delete\u0027"},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"DEPRECATED_REASON \u003d \"\"\""},{"line_number":28,"context_line":"The resource provider API now supports a read-only role by default."},{"line_number":29,"context_line":"\"\"\""},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"deprecated_list_resource_providers \u003d policy.DeprecatedRule("},{"line_number":32,"context_line":"    name\u003dLIST,"},{"line_number":33,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":34,"context_line":")"},{"line_number":35,"context_line":"deprecated_show_resource_provider \u003d policy.DeprecatedRule("},{"line_number":36,"context_line":"    name\u003dSHOW,"},{"line_number":37,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":38,"context_line":")"},{"line_number":39,"context_line":"deprecated_create_resource_provider \u003d policy.DeprecatedRule("},{"line_number":40,"context_line":"    name\u003dCREATE,"},{"line_number":41,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":42,"context_line":")"},{"line_number":43,"context_line":"deprecated_update_resource_provider \u003d policy.DeprecatedRule("},{"line_number":44,"context_line":"    name\u003dUPDATE,"},{"line_number":45,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":46,"context_line":")"},{"line_number":47,"context_line":"deprecated_delete_resource_provider \u003d policy.DeprecatedRule("},{"line_number":48,"context_line":"    name\u003dDELETE,"},{"line_number":49,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":50,"context_line":")"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"rules \u003d 
["}],"source_content_type":"text/x-python","patch_set":21,"id":"9c37b892_17979812","line":50,"range":{"start_line":27,"start_character":0,"end_line":50,"end_character":1},"in_reply_to":"5e45e04d_5fd46345","updated":"2021-01-27 16:59:08.000000000","message":"nice, perfect.","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"7a58502474320d3864a9acc2198b519a460a60dc","unresolved":true,"context_lines":[{"line_number":24,"context_line":"UPDATE \u003d PREFIX % \u0027update\u0027"},{"line_number":25,"context_line":"DELETE \u003d PREFIX % \u0027delete\u0027"},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"DEPRECATED_REASON \u003d \"\"\""},{"line_number":28,"context_line":"The resource provider API now supports a read-only role by default."},{"line_number":29,"context_line":"\"\"\""},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"deprecated_list_resource_providers \u003d policy.DeprecatedRule("},{"line_number":32,"context_line":"    name\u003dLIST,"},{"line_number":33,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":34,"context_line":")"},{"line_number":35,"context_line":"deprecated_show_resource_provider \u003d policy.DeprecatedRule("},{"line_number":36,"context_line":"    name\u003dSHOW,"},{"line_number":37,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":38,"context_line":")"},{"line_number":39,"context_line":"deprecated_create_resource_provider \u003d policy.DeprecatedRule("},{"line_number":40,"context_line":"    name\u003dCREATE,"},{"line_number":41,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":42,"context_line":")"},{"line_number":43,"context_line":"deprecated_update_resource_provider \u003d policy.DeprecatedRule("},{"line_number":44,"context_line":"    
name\u003dUPDATE,"},{"line_number":45,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":46,"context_line":")"},{"line_number":47,"context_line":"deprecated_delete_resource_provider \u003d policy.DeprecatedRule("},{"line_number":48,"context_line":"    name\u003dDELETE,"},{"line_number":49,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":50,"context_line":")"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":21,"id":"50d12c3a_eebf8e2e","line":50,"range":{"start_line":27,"start_character":0,"end_line":50,"end_character":1},"in_reply_to":"9c37b892_17979812","updated":"2021-01-28 14:48:05.000000000","message":"I was talking about this way https://review.opendev.org/c/openstack/placement/+/772784","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ce532b2979706b8d6b033ef10c9e6100e84cf534","unresolved":true,"context_lines":[{"line_number":24,"context_line":"UPDATE \u003d PREFIX % \u0027update\u0027"},{"line_number":25,"context_line":"DELETE \u003d PREFIX % \u0027delete\u0027"},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"DEPRECATED_REASON \u003d \"\"\""},{"line_number":28,"context_line":"The resource provider API now supports a read-only role by default."},{"line_number":29,"context_line":"\"\"\""},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"deprecated_list_resource_providers \u003d policy.DeprecatedRule("},{"line_number":32,"context_line":"    name\u003dLIST,"},{"line_number":33,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":34,"context_line":")"},{"line_number":35,"context_line":"deprecated_show_resource_provider \u003d 
policy.DeprecatedRule("},{"line_number":36,"context_line":"    name\u003dSHOW,"},{"line_number":37,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":38,"context_line":")"},{"line_number":39,"context_line":"deprecated_create_resource_provider \u003d policy.DeprecatedRule("},{"line_number":40,"context_line":"    name\u003dCREATE,"},{"line_number":41,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":42,"context_line":")"},{"line_number":43,"context_line":"deprecated_update_resource_provider \u003d policy.DeprecatedRule("},{"line_number":44,"context_line":"    name\u003dUPDATE,"},{"line_number":45,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":46,"context_line":")"},{"line_number":47,"context_line":"deprecated_delete_resource_provider \u003d policy.DeprecatedRule("},{"line_number":48,"context_line":"    name\u003dDELETE,"},{"line_number":49,"context_line":"    check_str\u003dbase.RULE_ADMIN_API"},{"line_number":50,"context_line":")"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":""},{"line_number":53,"context_line":"rules \u003d ["}],"source_content_type":"text/x-python","patch_set":21,"id":"5e45e04d_5fd46345","line":50,"range":{"start_line":27,"start_character":0,"end_line":50,"end_character":1},"in_reply_to":"fe0f7be0_b6b088f6","updated":"2021-01-27 16:58:17.000000000","message":"I have that proposed at [1]. 
Are you saying we could use that and drop these?\n\n[1] https://review.opendev.org/c/openstack/placement/+/772334/4","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"669102f155b4ef8c7b968156b996fd11cfc19964","unresolved":true,"context_lines":[{"line_number":67,"context_line":"        deprecated_since\u003dversionutils.deprecated.WALLABY),"},{"line_number":68,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":69,"context_line":"        name\u003dCREATE,"},{"line_number":70,"context_line":"        check_str\u003dbase.SYSTEM_ADMIN,"},{"line_number":71,"context_line":"        description\u003d\"Create resource provider.\","},{"line_number":72,"context_line":"        operations\u003d["},{"line_number":73,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":21,"id":"a62ce1fd_1ca5a19b","line":70,"range":{"start_line":70,"start_character":23,"end_line":70,"end_character":35},"updated":"2021-01-26 23:32:59.000000000","message":"as an aside this might, be a possible candidate for SYSTEM_MEMBER\n\nsystem accounts like nova should be able to create RPs without needing full admin writes to placment\nbut normal users should not be able to interact with placment.\n\nsystem admin is good in the sense that it is the close proxy to the old global admin that we effectly ues before but it might be more then placment actully needs.","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"669102f155b4ef8c7b968156b996fd11cfc19964","unresolved":true,"context_lines":[{"line_number":95,"context_line":"        deprecated_since\u003dversionutils.deprecated.WALLABY),"},{"line_number":96,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":97,"context_line":"        
name\u003dUPDATE,"},{"line_number":98,"context_line":"        check_str\u003dbase.SYSTEM_ADMIN,"},{"line_number":99,"context_line":"        description\u003d\"Update resource provider.\","},{"line_number":100,"context_line":"        operations\u003d["},{"line_number":101,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":21,"id":"9d39b6b7_d0febd45","line":98,"updated":"2021-01-26 23:32:59.000000000","message":"same for this","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"669102f155b4ef8c7b968156b996fd11cfc19964","unresolved":true,"context_lines":[{"line_number":110,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":111,"context_line":"        name\u003dDELETE,"},{"line_number":112,"context_line":"        check_str\u003dbase.SYSTEM_ADMIN,"},{"line_number":113,"context_line":"        description\u003d\"Delete resource provider.\","},{"line_number":114,"context_line":"        operations\u003d["},{"line_number":115,"context_line":"            {"},{"line_number":116,"context_line":"                \u0027method\u0027: \u0027DELETE\u0027,"}],"source_content_type":"text/x-python","patch_set":21,"id":"a7e2afff_a2d794f8","line":113,"updated":"2021-01-26 23:32:59.000000000","message":"and this","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"}],"placement/policy.py":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"cd73fe0d7fe6e875c94b9b14210f013c7bf35013","unresolved":true,"context_lines":[{"line_number":110,"context_line":"    :returns: non-False value (not necessarily \"True\") if authorized, and the"},{"line_number":111,"context_line":"        exact value False if not authorized and do_raise is False."},{"line_number":112,"context_line":"    
\"\"\""},{"line_number":113,"context_line":"    credentials \u003d context.to_policy_values()"},{"line_number":114,"context_line":"    try:"},{"line_number":115,"context_line":"        # NOTE(mriedem): The \"action\" kwarg is for the PolicyNotAuthorized exc."},{"line_number":116,"context_line":"        return _ENFORCER.authorize("}],"source_content_type":"text/x-python","patch_set":2,"id":"ad8f785c_ea2e7797","line":113,"range":{"start_line":113,"start_character":4,"end_line":113,"end_character":44},"updated":"2020-12-10 21:21:16.000000000","message":"This is possible because of Ia74bf6c40b1e05a1c958f4325e00f68be28d91b9, right? That\u0027s reasonable if so, but could we split it into a separate patch to avoid polluting this one?\n\nAlso, this variable seems to only be used for logging now (line 128 below). Can we create this on-demand below?","commit_id":"51632e602c1de3481adfbdcc49c178b7c4bb0b60"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"be480cde45c50ff0c2c29cedd073061f91b3fb7e","unresolved":true,"context_lines":[{"line_number":110,"context_line":"    :returns: non-False value (not necessarily \"True\") if authorized, and the"},{"line_number":111,"context_line":"        exact value False if not authorized and do_raise is False."},{"line_number":112,"context_line":"    \"\"\""},{"line_number":113,"context_line":"    credentials \u003d context.to_policy_values()"},{"line_number":114,"context_line":"    try:"},{"line_number":115,"context_line":"        # NOTE(mriedem): The \"action\" kwarg is for the PolicyNotAuthorized exc."},{"line_number":116,"context_line":"        return _ENFORCER.authorize("}],"source_content_type":"text/x-python","patch_set":2,"id":"e7568f6f_1577df0f","line":113,"range":{"start_line":113,"start_character":4,"end_line":113,"end_character":44},"in_reply_to":"ad8f785c_ea2e7797","updated":"2020-12-11 20:01:57.000000000","message":"Yes - we wanted to lower the bar 
for people interacting with oslo.policy by having oslo.policy handle oslo.context objects directly. We\u0027ve noticed that people build credential objects/dictionary in different ways, which is fine, but it just opens us up for drift across implementations.\n\nSince most services use oslo.context and are familiar with it, because they\u0027re usually subclassing it in some way, shape, or form, we figured it would be easier to have people deal with that instead of mapping things from context into a dictionary for oslo.policy to consume.\n\nI can pull this out into it\u0027s own change.","commit_id":"51632e602c1de3481adfbdcc49c178b7c4bb0b60"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"cce4291ed73e786a4489a6095ce5a0c66402b6bd","unresolved":false,"context_lines":[{"line_number":110,"context_line":"    :returns: non-False value (not necessarily \"True\") if authorized, and the"},{"line_number":111,"context_line":"        exact value False if not authorized and do_raise is False."},{"line_number":112,"context_line":"    \"\"\""},{"line_number":113,"context_line":"    credentials \u003d context.to_policy_values()"},{"line_number":114,"context_line":"    try:"},{"line_number":115,"context_line":"        # NOTE(mriedem): The \"action\" kwarg is for the PolicyNotAuthorized exc."},{"line_number":116,"context_line":"        return _ENFORCER.authorize("}],"source_content_type":"text/x-python","patch_set":2,"id":"7eaa27ca_80d887f7","line":113,"range":{"start_line":113,"start_character":4,"end_line":113,"end_character":44},"in_reply_to":"e7568f6f_1577df0f","updated":"2021-01-08 11:54:55.000000000","message":"Ack","commit_id":"51632e602c1de3481adfbdcc49c178b7c4bb0b60"}],"placement/tests/functional/fixtures/gabbits.py":[{"author":{"_account_id":15334,"name":"Stephen 
Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"cd73fe0d7fe6e875c94b9b14210f013c7bf35013","unresolved":true,"context_lines":[{"line_number":760,"context_line":"        self.conf_fixture.config(group\u003d\u0027oslo_policy\u0027, enforce_scope\u003dTrue)"},{"line_number":761,"context_line":"        self.conf_fixture.config(group\u003d\u0027oslo_policy\u0027, enforce_new_defaults\u003dTrue)"},{"line_number":762,"context_line":""},{"line_number":763,"context_line":"    def stop_fixture(self):"},{"line_number":764,"context_line":"        super(SecureRBACPolicyFixture, self).stop_fixture()"}],"source_content_type":"text/x-python","patch_set":2,"id":"f12d95eb_6b1631de","line":764,"range":{"start_line":763,"start_character":0,"end_line":764,"end_character":59},"updated":"2020-12-10 21:21:16.000000000","message":"Seeing as you\u0027re just calling the superclass\u0027 implementation, this isn\u0027t really necessary, right? Ditto for above, but that\u0027s not on you","commit_id":"51632e602c1de3481adfbdcc49c178b7c4bb0b60"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"cb824a6d7e0b8f98abf9fa5b5104fcc325dd157a","unresolved":false,"context_lines":[{"line_number":760,"context_line":"        self.conf_fixture.config(group\u003d\u0027oslo_policy\u0027, enforce_scope\u003dTrue)"},{"line_number":761,"context_line":"        self.conf_fixture.config(group\u003d\u0027oslo_policy\u0027, enforce_new_defaults\u003dTrue)"},{"line_number":762,"context_line":""},{"line_number":763,"context_line":"    def stop_fixture(self):"},{"line_number":764,"context_line":"        super(SecureRBACPolicyFixture, 
self).stop_fixture()"}],"source_content_type":"text/x-python","patch_set":2,"id":"8a19d544_e145aefa","line":764,"range":{"start_line":763,"start_character":0,"end_line":764,"end_character":59},"in_reply_to":"d6d3d5d8_8cf5f639","updated":"2021-01-08 11:56:03.000000000","message":"Ack","commit_id":"51632e602c1de3481adfbdcc49c178b7c4bb0b60"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"be480cde45c50ff0c2c29cedd073061f91b3fb7e","unresolved":true,"context_lines":[{"line_number":760,"context_line":"        self.conf_fixture.config(group\u003d\u0027oslo_policy\u0027, enforce_scope\u003dTrue)"},{"line_number":761,"context_line":"        self.conf_fixture.config(group\u003d\u0027oslo_policy\u0027, enforce_new_defaults\u003dTrue)"},{"line_number":762,"context_line":""},{"line_number":763,"context_line":"    def stop_fixture(self):"},{"line_number":764,"context_line":"        super(SecureRBACPolicyFixture, self).stop_fixture()"}],"source_content_type":"text/x-python","patch_set":2,"id":"d6d3d5d8_8cf5f639","line":764,"range":{"start_line":763,"start_character":0,"end_line":764,"end_character":59},"in_reply_to":"f12d95eb_6b1631de","updated":"2020-12-11 20:01:57.000000000","message":"You\u0027re right. I kept this to maintain convention with OpenPolicyFixture. 
I\u0027ll remove for clarity.","commit_id":"51632e602c1de3481adfbdcc49c178b7c4bb0b60"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"956f36b10fec53ed52f3b4cd4835286f55e39ce9","unresolved":true,"context_lines":[{"line_number":754,"context_line":"    \"\"\"An APIFixture that enforce secure default policies and scope.\"\"\""},{"line_number":755,"context_line":""},{"line_number":756,"context_line":"    def start_fixture(self):"},{"line_number":757,"context_line":"        super(SecureRBACPolicyFixture, self).start_fixture()"},{"line_number":758,"context_line":"        # NOTE(lbragstad): Configure oslo.policy so that we enforce scope"},{"line_number":759,"context_line":"        # checking and opt into the new default policies."},{"line_number":760,"context_line":"        self.conf_fixture.config("}],"source_content_type":"text/x-python","patch_set":14,"id":"5a23b8f7_0a778493","line":757,"range":{"start_line":757,"start_character":14,"end_line":757,"end_character":43},"updated":"2021-01-21 15:32:13.000000000","message":"nit: don\u0027t need this (py3)","commit_id":"8e4137ecc6fe973387bbf082792c7230cba808b0"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ae5237c431d164bf77d5ddfa441728745582e3c4","unresolved":false,"context_lines":[{"line_number":754,"context_line":"    \"\"\"An APIFixture that enforce secure default policies and scope.\"\"\""},{"line_number":755,"context_line":""},{"line_number":756,"context_line":"    def start_fixture(self):"},{"line_number":757,"context_line":"        super(SecureRBACPolicyFixture, self).start_fixture()"},{"line_number":758,"context_line":"        # NOTE(lbragstad): Configure oslo.policy so that we enforce scope"},{"line_number":759,"context_line":"        # checking and opt into the new default policies."},{"line_number":760,"context_line":"  
      self.conf_fixture.config("}],"source_content_type":"text/x-python","patch_set":14,"id":"b6d7c471_df98ef0d","line":757,"range":{"start_line":757,"start_character":14,"end_line":757,"end_character":43},"in_reply_to":"5a23b8f7_0a778493","updated":"2021-01-22 01:04:32.000000000","message":"Done","commit_id":"8e4137ecc6fe973387bbf082792c7230cba808b0"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f0090b2ef665ffe0c3ea80ac01d891537efcbf13","unresolved":true,"context_lines":[{"line_number":757,"context_line":"        super(SecureRBACPolicyFixture, self).start_fixture()"},{"line_number":758,"context_line":"        # NOTE(lbragstad): Configure oslo.policy so that we enforce scope"},{"line_number":759,"context_line":"        # checking and opt into the new default policies."},{"line_number":760,"context_line":"        self.conf_fixture.config("},{"line_number":761,"context_line":"            group\u003d\u0027oslo_policy\u0027, enforce_scope\u003dTrue)"},{"line_number":762,"context_line":"        self.conf_fixture.config("},{"line_number":763,"context_line":"            group\u003d\u0027oslo_policy\u0027, enforce_new_defaults\u003dTrue)"}],"source_content_type":"text/x-python","patch_set":14,"id":"52046079_7d0109e6","line":763,"range":{"start_line":760,"start_character":0,"end_line":763,"end_character":59},"updated":"2021-01-22 00:02:28.000000000","message":"Let\u0027s check the default behavior also if that still work. We can add one more fixture with enforce_scope\u003dFalse \u0026\u0026 enforce_new_defaults\u003dFalse (nothing but the default behavior). 
Which can check if old rule and token still work fine.","commit_id":"8e4137ecc6fe973387bbf082792c7230cba808b0"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"38e38fbab098989d44d890f3365989acc38e0817","unresolved":false,"context_lines":[{"line_number":757,"context_line":"        super(SecureRBACPolicyFixture, self).start_fixture()"},{"line_number":758,"context_line":"        # NOTE(lbragstad): Configure oslo.policy so that we enforce scope"},{"line_number":759,"context_line":"        # checking and opt into the new default policies."},{"line_number":760,"context_line":"        self.conf_fixture.config("},{"line_number":761,"context_line":"            group\u003d\u0027oslo_policy\u0027, enforce_scope\u003dTrue)"},{"line_number":762,"context_line":"        self.conf_fixture.config("},{"line_number":763,"context_line":"            group\u003d\u0027oslo_policy\u0027, enforce_new_defaults\u003dTrue)"}],"source_content_type":"text/x-python","patch_set":14,"id":"fe88080a_ce6013d7","line":763,"range":{"start_line":760,"start_character":0,"end_line":763,"end_character":59},"in_reply_to":"2d00562d_a7e79fae","updated":"2021-01-22 10:19:01.000000000","message":"So I thought the same thing, and in fact started drafting it locally to see how it worked (only to end up getting sidetracked and fixing [1]). However, there are already some of these tests already in place. For example, there\u0027s a \"non admin forbidden\" test in \u0027placement/tests/functional/gabbits/resource-provider.yaml\u0027. 
There\u0027s no harm in this, particularly now that Lance has already done the work, but with the benefit of hindsight it wasn\u0027t entirely necessary /o\\\n\n[1] https://review.opendev.org/c/openstack/placement/+/771852","commit_id":"8e4137ecc6fe973387bbf082792c7230cba808b0"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ae5237c431d164bf77d5ddfa441728745582e3c4","unresolved":false,"context_lines":[{"line_number":757,"context_line":"        super(SecureRBACPolicyFixture, self).start_fixture()"},{"line_number":758,"context_line":"        # NOTE(lbragstad): Configure oslo.policy so that we enforce scope"},{"line_number":759,"context_line":"        # checking and opt into the new default policies."},{"line_number":760,"context_line":"        self.conf_fixture.config("},{"line_number":761,"context_line":"            group\u003d\u0027oslo_policy\u0027, enforce_scope\u003dTrue)"},{"line_number":762,"context_line":"        self.conf_fixture.config("},{"line_number":763,"context_line":"            group\u003d\u0027oslo_policy\u0027, enforce_new_defaults\u003dTrue)"}],"source_content_type":"text/x-python","patch_set":14,"id":"2d00562d_a7e79fae","line":763,"range":{"start_line":760,"start_character":0,"end_line":763,"end_character":59},"in_reply_to":"52046079_7d0109e6","updated":"2021-01-22 01:04:32.000000000","message":"Done","commit_id":"8e4137ecc6fe973387bbf082792c7230cba808b0"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"3d8d308ad3295b9ea1cf2fa0d26e852bbc31ddbe","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":19,"id":"9af43906_9ba1f799","line":777,"updated":"2021-01-25 12:44:22.000000000","message":"As seen at [1], this isn\u0027t working as expected. 
We\u0027ve already initialized the policy engine at this point so we\u0027d need to either reload that with the new configuration or, as done at [1], do this in \u0027APIFixture.setUp\u0027 before we even initialise the policy engine.\n\n[1] https://review.opendev.org/c/openstack/placement/+/772335","commit_id":"0995fbc389c378f7572bc4cf670d6d6f73e65f13"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"07cd181af867d953f80d272a08cadd8fb4bf67c0","unresolved":true,"context_lines":[{"line_number":75,"context_line":"        self.conf_fixture.setUp()"},{"line_number":76,"context_line":"        conf.register_opts(self.conf_fixture.conf)"},{"line_number":77,"context_line":"        self.conf_fixture.config(group\u003d\u0027api\u0027, auth_strategy\u003d\u0027noauth2\u0027)"},{"line_number":78,"context_line":"        self.conf_fixture.config("},{"line_number":79,"context_line":"            group\u003d\u0027oslo_policy\u0027,"},{"line_number":80,"context_line":"            enforce_scope\u003dself._secure_rbac,"},{"line_number":81,"context_line":"            enforce_new_defaults\u003dself._secure_rbac,"},{"line_number":82,"context_line":"        )"},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"        self.placement_db_fixture \u003d fixtures.Database("},{"line_number":85,"context_line":"            self.conf_fixture, set_config\u003dTrue)"}],"source_content_type":"text/x-python","patch_set":21,"id":"95aa420b_030eae86","line":82,"range":{"start_line":78,"start_character":0,"end_line":82,"end_character":9},"updated":"2021-01-26 19:49:54.000000000","message":"Thanks Stephen for cracking this puzzle. The enforce_scope config is fine here because it is only read inside the enforce() method, so changing that value after the policy engine has been initialised still works. But enforce_new_defaults is consumed during load_rule itself, so it has to be set before the policy engine is initialised, otherwise the legacy defaults are silently loaded and the \u0027secure\u0027 tests exercise the wrong rules. 
\n\nThis is first project using enforce_new_defaults flag. Nova tested (which were added before this flag was introduced)   these scenario with manually overriding the rule with new check_str only.\n\n- https://github.com/openstack/nova/blob/73413553011ef5c8d0e73ee6de9a57c3ccb996b4/nova/tests/unit/policies/base.py#L105","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"15009d49563ec132f99f2637546feabc9bf5a4ba","unresolved":false,"context_lines":[{"line_number":75,"context_line":"        self.conf_fixture.setUp()"},{"line_number":76,"context_line":"        conf.register_opts(self.conf_fixture.conf)"},{"line_number":77,"context_line":"        self.conf_fixture.config(group\u003d\u0027api\u0027, auth_strategy\u003d\u0027noauth2\u0027)"},{"line_number":78,"context_line":"        self.conf_fixture.config("},{"line_number":79,"context_line":"            group\u003d\u0027oslo_policy\u0027,"},{"line_number":80,"context_line":"            enforce_scope\u003dself._secure_rbac,"},{"line_number":81,"context_line":"            enforce_new_defaults\u003dself._secure_rbac,"},{"line_number":82,"context_line":"        )"},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"        self.placement_db_fixture \u003d fixtures.Database("},{"line_number":85,"context_line":"            self.conf_fixture, set_config\u003dTrue)"}],"source_content_type":"text/x-python","patch_set":21,"id":"d135d11b_00d4396d","line":82,"range":{"start_line":78,"start_character":0,"end_line":82,"end_character":9},"in_reply_to":"95aa420b_030eae86","updated":"2021-01-27 13:59:55.000000000","message":"Ack","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":15334,"name":"Stephen 
Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"7b862f3529a19a749602744584b3b681d67fecf7","unresolved":true,"context_lines":[{"line_number":764,"context_line":"    _secure_rbac \u003d True"},{"line_number":765,"context_line":""},{"line_number":766,"context_line":""},{"line_number":767,"context_line":"# TODO(stephenfin): This isn\u0027t necessary - just use APIFixture"},{"line_number":768,"context_line":"class LegacyRBACPolicyFixture(APIFixture):"},{"line_number":769,"context_line":"    \"\"\"An APIFixture that enforce deprecated policies.\"\"\""},{"line_number":770,"context_line":""}],"source_content_type":"text/x-python","patch_set":21,"id":"e7b169eb_5b7d4997","line":767,"updated":"2021-01-26 12:57:15.000000000","message":"Should probably drop this TODO. This actually makes sense, if only to make things explicit","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"be615735f35d6285e88a101f03c72402dbf1ee46","unresolved":false,"context_lines":[{"line_number":764,"context_line":"    _secure_rbac \u003d True"},{"line_number":765,"context_line":""},{"line_number":766,"context_line":""},{"line_number":767,"context_line":"# TODO(stephenfin): This isn\u0027t necessary - just use APIFixture"},{"line_number":768,"context_line":"class LegacyRBACPolicyFixture(APIFixture):"},{"line_number":769,"context_line":"    \"\"\"An APIFixture that enforce deprecated policies.\"\"\""},{"line_number":770,"context_line":""}],"source_content_type":"text/x-python","patch_set":21,"id":"95056799_0acfdf68","line":767,"in_reply_to":"e7b169eb_5b7d4997","updated":"2021-01-26 14:50:16.000000000","message":"Done in https://review.opendev.org/c/openstack/placement/+/772535/1","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":8556,"name":"Ghanshyam 
Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"07cd181af867d953f80d272a08cadd8fb4bf67c0","unresolved":true,"context_lines":[{"line_number":768,"context_line":"class LegacyRBACPolicyFixture(APIFixture):"},{"line_number":769,"context_line":"    \"\"\"An APIFixture that enforce deprecated policies.\"\"\""},{"line_number":770,"context_line":""},{"line_number":771,"context_line":"    _secure_rbac \u003d False"}],"source_content_type":"text/x-python","patch_set":21,"id":"7b1c7a0c_b4d98003","line":771,"range":{"start_line":771,"start_character":0,"end_line":771,"end_character":24},"updated":"2021-01-26 19:49:54.000000000","message":"thanks. +1.\n\nand with that it cover our all valid (or how policy is supposed to be used) scenarios. I do not think we need to test mixed scenario (enforce_scope\u003dTrue \u0026\u0026 enforce_new_defaults\u003dFalse) as we want to switch both flag together at some point. enabling scope and keep supporting old token does not make much sense and may not work with old tokens itself.","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"15009d49563ec132f99f2637546feabc9bf5a4ba","unresolved":false,"context_lines":[{"line_number":768,"context_line":"class LegacyRBACPolicyFixture(APIFixture):"},{"line_number":769,"context_line":"    \"\"\"An APIFixture that enforce deprecated policies.\"\"\""},{"line_number":770,"context_line":""},{"line_number":771,"context_line":"    _secure_rbac \u003d False"}],"source_content_type":"text/x-python","patch_set":21,"id":"6bcf58e0_f79fc333","line":771,"range":{"start_line":771,"start_character":0,"end_line":771,"end_character":24},"in_reply_to":"7b1c7a0c_b4d98003","updated":"2021-01-27 
13:59:55.000000000","message":"Ack","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"}],"placement/tests/functional/gabbits/resource-provider-legacy-rbac.yaml":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"5a184305a82c4d7a1e8d199713363beedfa5e03d","unresolved":true,"context_lines":[{"line_number":17,"context_line":"    accept: application/json"},{"line_number":18,"context_line":"    content-type: application/json"},{"line_number":19,"context_line":"    openstack-api-version: placement latest"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"tests:"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"- name: project admin can list resource providers"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"e0a3e192_14b15d8e","line":20,"range":{"start_line":20,"start_character":0,"end_line":20,"end_character":0},"updated":"2021-01-22 18:25:58.000000000","message":"can we add other persona also to check. project-reader, system-admin/reader. we can check all tokens. 
for example to make sure if system-reader not able to get resource providers.","commit_id":"2a27724ffdf7c524ad92ae4deb932e619250480b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"926a384ed009d831b5733c50690b6bc392d230f1","unresolved":false,"context_lines":[{"line_number":17,"context_line":"    accept: application/json"},{"line_number":18,"context_line":"    content-type: application/json"},{"line_number":19,"context_line":"    openstack-api-version: placement latest"},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"tests:"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"- name: project admin can list resource providers"}],"source_content_type":"text/x-yaml","patch_set":15,"id":"239eb356_007b34de","line":20,"range":{"start_line":20,"start_character":0,"end_line":20,"end_character":0},"in_reply_to":"e0a3e192_14b15d8e","updated":"2021-01-22 21:01:35.000000000","message":"Done","commit_id":"2a27724ffdf7c524ad92ae4deb932e619250480b"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"38e38fbab098989d44d890f3365989acc38e0817","unresolved":false,"context_lines":[{"line_number":39,"context_line":"      uuid: $ENVIRON[\u0027RP_UUID\u0027]"},{"line_number":40,"context_line":"  status: 200"},{"line_number":41,"context_line":"  response_json_paths:"},{"line_number":42,"context_line":"      $.uuid: $ENVIRON[\u0027RP_UUID\u0027]"},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"- name: project member cannot create resource providers"},{"line_number":45,"context_line":"  POST: /resource_providers"}],"source_content_type":"text/x-yaml","patch_set":16,"id":"6b7bfe6f_4c0fa0a5","line":42,"updated":"2021-01-22 10:19:01.000000000","message":"This serves to prove what you said at [1]. 
Even though we have \"scope_types\u003d[\u0027system\u0027]\" on the legacy rules, any admin-type user could use this API. Validated locally by reverting the changes to \u0027placement/policies/resource_provider.py\u0027 and running these tests locally.\n\n[1] https://review.opendev.org/c/openstack/placement/+/760235/4/placement/policies/aggregate.py#31","commit_id":"0ae4785ee2c37477417cb39630fc19e8e89da902"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"669102f155b4ef8c7b968156b996fd11cfc19964","unresolved":true,"context_lines":[{"line_number":6,"context_line":"  - \u0026project_id $ENVIRON[\u0027PROJECT_ID\u0027]"},{"line_number":7,"context_line":"  - \u0026system_admin_headers"},{"line_number":8,"context_line":"    x-auth-token: user"},{"line_number":9,"context_line":"    x-roles: admin,member,reader"},{"line_number":10,"context_line":"    accept: application/json"},{"line_number":11,"context_line":"    content-type: application/json"},{"line_number":12,"context_line":"    openstack-api-version: placement latest"}],"source_content_type":"text/x-yaml","patch_set":21,"id":"08ba36fb_831171e3","line":9,"range":{"start_line":9,"start_character":13,"end_line":9,"end_character":32},"updated":"2021-01-26 23:32:59.000000000","message":"are these not ment to cascade so admin implies member implies reader\nso this should just be admin right?","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"259f1309f4531345eb06a1c98d76a0d1d53409ab","unresolved":true,"context_lines":[{"line_number":6,"context_line":"  - \u0026project_id $ENVIRON[\u0027PROJECT_ID\u0027]"},{"line_number":7,"context_line":"  - \u0026system_admin_headers"},{"line_number":8,"context_line":"    x-auth-token: user"},{"line_number":9,"context_line":"    x-roles: 
admin,member,reader"},{"line_number":10,"context_line":"    accept: application/json"},{"line_number":11,"context_line":"    content-type: application/json"},{"line_number":12,"context_line":"    openstack-api-version: placement latest"}],"source_content_type":"text/x-yaml","patch_set":21,"id":"42829235_14deb307","line":9,"range":{"start_line":9,"start_character":13,"end_line":9,"end_character":32},"in_reply_to":"08ba36fb_831171e3","updated":"2021-01-27 17:02:28.000000000","message":"No - just the opposite. The roles have a hierarchical relationship.\n\nhttps://docs.openstack.org/keystone/latest/admin/service-api-protection.html","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"02bf3e5d51405d775d3a6a0da37453b4fd72d760","unresolved":true,"context_lines":[{"line_number":6,"context_line":"  - \u0026project_id $ENVIRON[\u0027PROJECT_ID\u0027]"},{"line_number":7,"context_line":"  - \u0026system_admin_headers"},{"line_number":8,"context_line":"    x-auth-token: user"},{"line_number":9,"context_line":"    x-roles: admin,member,reader"},{"line_number":10,"context_line":"    accept: application/json"},{"line_number":11,"context_line":"    content-type: application/json"},{"line_number":12,"context_line":"    openstack-api-version: placement latest"}],"source_content_type":"text/x-yaml","patch_set":21,"id":"57615004_e6bf20b8","line":9,"range":{"start_line":9,"start_character":13,"end_line":9,"end_character":32},"in_reply_to":"42829235_14deb307","updated":"2021-01-27 17:19:46.000000000","message":"Right, that is what I meant by cascading:\nif the user has just the admin role they should not need the member or reader role.\n\nThat doc says you can express the policy as\n\n\"identity:list_foo\": \"role:reader\"\n\ninstead of\n\n\"identity:list_foo\": \"role:admin or role:member or role:reader\"\n\n\nso if we need to list anything more 
than admin here, that implies it is not working correctly.\n\nA user with system admin should just have \"role:admin\" with scope_type system.\n\n\nIf we have to give a user multiple roles in order to do what they can do with role:admin today, I think that is a major design flaw.\n\nI am reading the x-roles line as listing the roles that should be added to this user,\n\ne.g. x-roles: admin,member,reader translates to\nopenstack role add --user system_admin --user-domain Default --system all admin\nopenstack role add --user system_admin --user-domain Default --system all member\nopenstack role add --user system_admin --user-domain Default --system all reader\n\nbut we should only need the first line:\nopenstack role add --user system_admin --user-domain Default --system all admin\n\nWe should not need member or reader, but should be able to access any API that requires member or reader,\nsince the admin role should imply member and member should imply reader.\n\nIf that is not how it works then this is surely a major upgrade issue.","commit_id":"616b4ac7ec0a9cb631bd4f6a40b9d1e3e1db8268"}],"placement/tests/functional/gabbits/resource-provider-system-policy.yaml":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d982dd6e7846c67660a52483489b86071ec6a68c","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"f6ea46ad_38e47c58","updated":"2020-12-10 20:20:27.000000000","message":"I\u0027ve read the gabbi documentation and it suggests keeping test files as small as possible [0].\n\nShould this be broken into a smaller files?\n\n[0] https://gabbi.readthedocs.io/en/latest/faq.html?highlight\u003dvars#how-many-tests-should-be-put-in-one-yaml-file","commit_id":"51632e602c1de3481adfbdcc49c178b7c4bb0b60"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"ec20ccd0295418d3a4c30c475ef440b8b1ea1eb3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"7aae2106_444761f1","in_reply_to":"93736acb_0b1ac3a2","updated":"2020-12-11 19:49:21.000000000","message":"Ack","commit_id":"51632e602c1de3481adfbdcc49c178b7c4bb0b60"},{"author":{"_account_id":11564,"name":"Chris Dent","email":"cdent@anticdent.org","username":"chdent"},"change_message_id":"fad95d495c4d4843a2f4f5b61cc34163e0a1a8d9","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"93736acb_0b1ac3a2","in_reply_to":"f6ea46ad_38e47c58","updated":"2020-12-10 21:24:33.000000000","message":"The original idea was that each file should represent the arc of a series of requests to complete an action. In part simply because \"small is good\", but also because the tests run as a sequence and are not parallelized when they are all in the same file.\n\nSo, if there isn\u0027t a sequence here it might make sense to separate them out.\n\nHowever, in placement we generally ended up with yaml files per-topic, not per-arc and this one is by no means excessive so I\u0027d say it\u0027s fine to keep as is.","commit_id":"51632e602c1de3481adfbdcc49c178b7c4bb0b60"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"6012db03ab04a3b2cb42abbcf8191111d08b11ac","unresolved":true,"context_lines":[{"line_number":1,"context_line":"fixtures:"},{"line_number":2,"context_line":"  - SecureRBACPolicyFixture"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":"vars:"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"e3985f20_0bee2904","line":1,"updated":"2020-12-14 16:34:18.000000000","message":"nit: The file name used here isn\u0027t specific to system-scope tests. 
It could be generalized further to something like `resource-provider-secure-rbac-policy.yaml`?","commit_id":"330a5802e34f92fd3b9d6cd8c1c444dbc95f1ef7"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"956f36b10fec53ed52f3b4cd4835286f55e39ce9","unresolved":false,"context_lines":[{"line_number":1,"context_line":"fixtures:"},{"line_number":2,"context_line":"  - SecureRBACPolicyFixture"},{"line_number":3,"context_line":""},{"line_number":4,"context_line":"vars:"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"36202aec_5f2ed545","line":1,"in_reply_to":"e3985f20_0bee2904","updated":"2021-01-21 15:32:13.000000000","message":"(for my own notes) This was done","commit_id":"330a5802e34f92fd3b9d6cd8c1c444dbc95f1ef7"}]}
