)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"8a41ef6c9614f06835642da44c686b346596b03d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"847e3b55_838f09a7","updated":"2022-11-15 17:22:57.000000000","message":"-1 is for the open question regarding scope_type","commit_id":"98f361d8639400e710c42fefc8fc2ae5aa901b36"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"5cf36a46f5e3f2341603de8d24e2ac3eca22924d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"1f5b4ead_6657de7a","updated":"2022-11-15 17:57:29.000000000","message":"given we are deferring the review of the endpoint to the implementation and agreeing on admin-\u003eadmin-or-service by default unless we have a good reason to alter it, i think there is not much more to add to this spec so +2\n\nthanks for calling out the scope_type change in the upgrade section","commit_id":"7d9771cfce2d072b22026f2d83815f045816ad06"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"5108dbab14a2cb01eb799f4adfc9fbdef3337f95","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"f68b325f_9e91b76f","updated":"2022-11-30 08:24:02.000000000","message":"looks good to me.","commit_id":"bacd2c039345dd12f22b0474b8a0f6a691a8ed98"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3d6b30226cf2b9d1a13c7f9f7a59ffd544db0e49","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"e4c148e8_236718fa","updated":"2022-11-30 11:58:36.000000000","message":"thanks gmann this is in line with what we previously discussed so looks good to 
me","commit_id":"bacd2c039345dd12f22b0474b8a0f6a691a8ed98"}],"doc/source/specs/2023.1/approved/policy-defaults-improvement.rst":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"172c3db545c52ac87a85bda8fe2e217ff72a505c","unresolved":true,"context_lines":[{"line_number":7,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":8,"context_line":"Policy Defaults Improvement"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"This spec is to improve the placement APIs policy as the directions"},{"line_number":12,"context_line":"decided in `RBAC community-wide goal"},{"line_number":13,"context_line":"\u003chttps://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html\u003e`_"}],"source_content_type":"text/x-rst","patch_set":1,"id":"fa4304d0_79d5adcf","line":10,"range":{"start_line":10,"start_character":0,"end_line":10,"end_character":0},"updated":"2022-11-14 19:59:13.000000000","message":"just to note down here, I have not opened story for this as we decided to stop using SB for placement.","commit_id":"d2f10a02aab6028ca8648aff011c8490fc324fdd"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"383837b096ca5e7da2d6fd8b7e3fd4a5ccd1b2f6","unresolved":true,"context_lines":[{"line_number":7,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":8,"context_line":"Policy 
Defaults Improvement"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"This spec is to improve the placement APIs policy as the directions"},{"line_number":12,"context_line":"decided in `RBAC community-wide goal"},{"line_number":13,"context_line":"\u003chttps://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html\u003e`_"}],"source_content_type":"text/x-rst","patch_set":1,"id":"e050ec08_c187f848","line":10,"range":{"start_line":10,"start_character":0,"end_line":10,"end_character":0},"in_reply_to":"30eddee0_37ee90a1","updated":"2022-11-23 09:55:49.000000000","message":"ya we do but we have not created the project in launchpad yet.\n\nim not in the nova-drivers team in launchpad so i dont think i can properly create it and add it to that teams for ownership but i think anyone in that group can and im pretty sure sylvain and perhaps you gibi are.","commit_id":"d2f10a02aab6028ca8648aff011c8490fc324fdd"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"25e0a21c0169f17c70a57d2073e4a79ea29d27ba","unresolved":false,"context_lines":[{"line_number":7,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":8,"context_line":"Policy Defaults Improvement"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"This spec is to improve the placement APIs policy as the 
directions"},{"line_number":12,"context_line":"decided in `RBAC community-wide goal"},{"line_number":13,"context_line":"\u003chttps://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html\u003e`_"}],"source_content_type":"text/x-rst","patch_set":1,"id":"cd2cc3bf_e4e3f7f1","line":10,"range":{"start_line":10,"start_character":0,"end_line":10,"end_character":0},"in_reply_to":"5438c927_2254a7ef","updated":"2022-11-30 04:04:34.000000000","message":"Done","commit_id":"d2f10a02aab6028ca8648aff011c8490fc324fdd"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f023b52db4332cf6b913992f957413297ef9be7b","unresolved":true,"context_lines":[{"line_number":7,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":8,"context_line":"Policy Defaults Improvement"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"This spec is to improve the placement APIs policy as the directions"},{"line_number":12,"context_line":"decided in `RBAC community-wide goal"},{"line_number":13,"context_line":"\u003chttps://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html\u003e`_"}],"source_content_type":"text/x-rst","patch_set":1,"id":"5438c927_2254a7ef","line":10,"range":{"start_line":10,"start_character":0,"end_line":10,"end_character":0},"in_reply_to":"e050ec08_c187f848","updated":"2022-11-25 02:10:14.000000000","message":"nova-driver members will not be able to create a new project, its openstack admin can do and assign it under nova-driver team to maintain it further. 
We need to ask either of the below members to do that. \n\nhttps://launchpad.net/~openstack-admins/+members#active","commit_id":"d2f10a02aab6028ca8648aff011c8490fc324fdd"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"7f0d9fb292f8bc0666d8196d43eab3855d25ba7d","unresolved":true,"context_lines":[{"line_number":7,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":8,"context_line":"Policy Defaults Improvement"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"This spec is to improve the placement APIs policy as the directions"},{"line_number":12,"context_line":"decided in `RBAC community-wide goal"},{"line_number":13,"context_line":"\u003chttps://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html\u003e`_"}],"source_content_type":"text/x-rst","patch_set":1,"id":"30eddee0_37ee90a1","line":10,"range":{"start_line":10,"start_character":0,"end_line":10,"end_character":0},"in_reply_to":"fa4304d0_79d5adcf","updated":"2022-11-23 08:38:47.000000000","message":"but then I guess we need to start using launchpad blueprints instead. 
Sylvain, what do you think?","commit_id":"d2f10a02aab6028ca8648aff011c8490fc324fdd"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"8a41ef6c9614f06835642da44c686b346596b03d","unresolved":true,"context_lines":[{"line_number":99,"context_line":"The API policies defaults roles have been modified which might effect"},{"line_number":100,"context_line":"the deployment if it use the default policy defined. If deployment"},{"line_number":101,"context_line":"overrides these policies then, they need to start considering the"},{"line_number":102,"context_line":"new default policy rules."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"Implementation"},{"line_number":105,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"84d52ea1_7b28ace0","line":102,"updated":"2022-11-15 17:22:57.000000000","message":"since we will be maintaining backwards compatibility for admin i think there should be no upgrade impact if we do that correctly, but yes, if they use custom policy and we start recommending \"do not give nova the admin role\" they should ensure that their custom policy allows the service role if they want to benefit from that.","commit_id":"98f361d8639400e710c42fefc8fc2ae5aa901b36"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"309c39f158f4d69a7084b4653e2ace3df2f9d280","unresolved":false,"context_lines":[{"line_number":99,"context_line":"The API policies defaults roles have been modified which might effect"},{"line_number":100,"context_line":"the deployment if it use the default policy defined. 
If deployment"},{"line_number":101,"context_line":"overrides these policies then, they need to start considering the"},{"line_number":102,"context_line":"new default policy rules."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"Implementation"},{"line_number":105,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"fd1ca75c_91e600db","line":102,"in_reply_to":"457095f0_bccb8fb3","updated":"2022-11-15 17:51:52.000000000","message":"Done","commit_id":"98f361d8639400e710c42fefc8fc2ae5aa901b36"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f7c56d435be35965b66e8ec68cf3098330ad06a5","unresolved":true,"context_lines":[{"line_number":99,"context_line":"The API policies defaults roles have been modified which might effect"},{"line_number":100,"context_line":"the deployment if it use the default policy defined. 
If deployment"},{"line_number":101,"context_line":"overrides these policies then, they need to start considering the"},{"line_number":102,"context_line":"new default policy rules."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"Implementation"},{"line_number":105,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"457095f0_bccb8fb3","line":102,"in_reply_to":"84d52ea1_7b28ace0","updated":"2022-11-15 17:40:27.000000000","message":"There might be few cases we will make service role only but let me update that explicitly and add scope_type also","commit_id":"98f361d8639400e710c42fefc8fc2ae5aa901b36"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"8a41ef6c9614f06835642da44c686b346596b03d","unresolved":true,"context_lines":[{"line_number":119,"context_line":"Work Items"},{"line_number":120,"context_line":"----------"},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"* Scope all policy to project"},{"line_number":123,"context_line":"* Add project reader role in policy "},{"line_number":124,"context_line":"* Modify policy rule unit tests"},{"line_number":125,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"19e66595_6c9e87eb","line":122,"updated":"2022-11-15 17:22:57.000000000","message":"ok so that is probably more important to call out in the upgrade section.\n\nin the unlikely event they have deployed with scope enforcement then the move from system scope to project scope could break things.\n\nright now the only thing that is not system scope is \n\nhttps://github.com/openstack/placement/blob/master/placement/policies/usage.py#L35-L47\n\nwhich is system or project scope.\n\nso do we want to make them all \n\nscope_types\u003d[\u0027system\u0027, 
\u0027project\u0027],\nscope_types\u003d[\u0027project\u0027],\n\nor leave the current mix where almost everything is\nscope_types\u003d[\u0027system\u0027] except the project usage endpoint.\n\ni assume scope_types\u003d[\u0027project\u0027], and just document the upgrade impact for enforce scope true","commit_id":"98f361d8639400e710c42fefc8fc2ae5aa901b36"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f7c56d435be35965b66e8ec68cf3098330ad06a5","unresolved":true,"context_lines":[{"line_number":119,"context_line":"Work Items"},{"line_number":120,"context_line":"----------"},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"* Scope all policy to project"},{"line_number":123,"context_line":"* Add project reader role in policy "},{"line_number":124,"context_line":"* Modify policy rule unit tests"},{"line_number":125,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"c2895879_6d1f74ee","line":122,"in_reply_to":"19e66595_6c9e87eb","updated":"2022-11-15 17:40:27.000000000","message":"yeah we will make scope_type of all the policy rules to project only. 
Sure will add it in upgrade impact.","commit_id":"98f361d8639400e710c42fefc8fc2ae5aa901b36"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"5cf36a46f5e3f2341603de8d24e2ac3eca22924d","unresolved":false,"context_lines":[{"line_number":119,"context_line":"Work Items"},{"line_number":120,"context_line":"----------"},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"* Scope all policy to project"},{"line_number":123,"context_line":"* Add project reader role in policy "},{"line_number":124,"context_line":"* Modify policy rule unit tests"},{"line_number":125,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"990b27bb_f1b6701b","line":122,"in_reply_to":"9904c8f1_13a39139","updated":"2022-11-15 17:57:29.000000000","message":"Ack","commit_id":"98f361d8639400e710c42fefc8fc2ae5aa901b36"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b0cab314797c1eeabd38e7f9f51fba1db15ec2f1","unresolved":true,"context_lines":[{"line_number":119,"context_line":"Work Items"},{"line_number":120,"context_line":"----------"},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"* Scope all policy to project"},{"line_number":123,"context_line":"* Add project reader role in policy "},{"line_number":124,"context_line":"* Modify policy rule unit tests"},{"line_number":125,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9904c8f1_13a39139","line":122,"in_reply_to":"c2895879_6d1f74ee","updated":"2022-11-15 17:50:54.000000000","message":"keeping scope_types\u003d[\u0027system\u0027, \u0027project\u0027], or only scope_types\u003d[\u0027system\u0027], will be difficult at least when service or admin using the system token because other services like nova they are interacting in their deployment does not support system 
token. If service need to interact with system token then they need to fetch it explicitly from keystone which is ok but for admin it will be using two separate token to interact with nova and placement.\n\nKeeping placement same way as any other service scope_types\u003d[\u0027project\u0027] is right way to default the policy.","commit_id":"98f361d8639400e710c42fefc8fc2ae5aa901b36"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"8a41ef6c9614f06835642da44c686b346596b03d","unresolved":true,"context_lines":[{"line_number":120,"context_line":"----------"},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"* Scope all policy to project"},{"line_number":123,"context_line":"* Add project reader role in policy "},{"line_number":124,"context_line":"* Modify policy rule unit tests"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":2,"id":"0f942b4d_4fb6e23d","line":123,"updated":"2022-11-15 17:22:57.000000000","message":"nit: space","commit_id":"98f361d8639400e710c42fefc8fc2ae5aa901b36"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f7c56d435be35965b66e8ec68cf3098330ad06a5","unresolved":false,"context_lines":[{"line_number":120,"context_line":"----------"},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"* Scope all policy to project"},{"line_number":123,"context_line":"* Add project reader role in policy "},{"line_number":124,"context_line":"* Modify policy rule unit tests"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"Dependencies"}],"source_content_type":"text/x-rst","patch_set":2,"id":"e34a75ac_3ee9979b","line":123,"in_reply_to":"0f942b4d_4fb6e23d","updated":"2022-11-15 
17:40:27.000000000","message":"Done","commit_id":"98f361d8639400e710c42fefc8fc2ae5aa901b36"}]}
