)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"57a25cb2fbcea5f26bd4c44f2b3765fa0d4afc75","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"365785b0_2149ddf8","updated":"2023-01-26 14:34:17.000000000","message":"Changing my vote to -1 to accomodate gibi\u0027s concerns.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"c91ec256f182fa6d6b5fe1279723cd2f9d9499f7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"9102e13d_c8f0c5eb","updated":"2023-01-03 19:29:05.000000000","message":"I didn\u0027t review all the gabbit stuff, but I think the policy bits all look okay. This is perhaps one of the first times I\u0027m feeling like we\u0027re losing something by not having system:reader - just because I can imagine the goal of auditing all this stuff being important. But, given where we are, I think this is the right plan. An operator can define their own auditor role and give it access to the appropriate APIs if desired.\n\nI\u0027m pretty weaksauce on placement these days so I\u0027ll just +1 and leave room for the more familiar folks to ack this.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"e913f37ed5d488017f783fa8636575c196603d0d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"81ff8a80_a57a2197","updated":"2023-01-26 14:03:25.000000000","message":"I was horribly wrong. For some reason I forgot, I didn\u0027t understand that we were wanting to no longer support system roles. LGTM then, I no longer have problems.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"6a218254_7bdf041e","updated":"2023-01-26 13:34:35.000000000","message":"Maybe I misunderstood the roles, but IIUC a system reader has a deployment-wide knowledge of the resources but just can\u0027t play with them by creating, updating or deleting them.\n\nIf so, I don\u0027t understand why we do this behavioural change that will restrict those system roles. -1 here, but disclaimer, I could be wrong.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2d792181b41e81d9274f96fa217096a27091e826","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"cf4b104e_d6ff8074","updated":"2023-01-26 13:57:05.000000000","message":"there are enough test inconsistencies that I think it warrants a -1.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2f220c133fdb0a6ab580b8d75dcd9caf24a613c8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"1b03995e_461c4aad","in_reply_to":"cf4b104e_d6ff8074","updated":"2023-01-26 17:31:52.000000000","message":"sorry for that, done","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"115fe4e1eb82e0ce5a72c41ef95c71ef552ddef6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"2295c343_031637a2","updated":"2023-02-08 17:02:11.000000000","message":"looks good","commit_id":"636d65e3ef3a3a8e97e32844dd335a24c80799b0"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"230f8ede7c8dfa0e0ef4172f93614560d5b17aac","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"a42cd5ee_41746829","updated":"2023-01-26 22:02:56.000000000","message":"restoring +2 since gibi’s feeback has been adressed","commit_id":"636d65e3ef3a3a8e97e32844dd335a24c80799b0"}],"placement/policies/aggregate.py":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":false,"context_lines":[{"line_number":24,"context_line":"rules \u003d ["},{"line_number":25,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":26,"context_line":"        LIST,"},{"line_number":27,"context_line":"        base.ADMIN_OR_SERVICE,"},{"line_number":28,"context_line":"        \"List resource provider aggregates.\","},{"line_number":29,"context_line":"        ["},{"line_number":30,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"302188a6_6a38a757","line":27,"updated":"2023-01-26 13:34:35.000000000","message":"looks right to me for the whole /aggregates API","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/policies/allocation.py":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":false,"context_lines":[{"line_number":27,"context_line":"rules \u003d ["},{"line_number":28,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":29,"context_line":"        name\u003dALLOC_MANAGE,"},{"line_number":30,"context_line":"        check_str\u003dbase.ADMIN_OR_SERVICE,"},{"line_number":31,"context_line":"        description\u003d\"Manage allocations.\","},{"line_number":32,"context_line":"        operations\u003d["},{"line_number":33,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"be80d9fe_aed6a591","line":30,"updated":"2023-01-26 13:34:35.000000000","message":"ditto for /allocations","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/policies/allocation_candidate.py":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":false,"context_lines":[{"line_number":21,"context_line":"rules \u003d ["},{"line_number":22,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":23,"context_line":"        name\u003dLIST,"},{"line_number":24,"context_line":"        check_str\u003dbase.ADMIN_OR_SERVICE,"},{"line_number":25,"context_line":"        description\u003d\"List allocation candidates.\","},{"line_number":26,"context_line":"        operations\u003d["},{"line_number":27,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"1ebb4bbf_2e5dd6ba","line":24,"updated":"2023-01-26 13:34:35.000000000","message":"ditto here, both admins and nova can use it.","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/policies/base.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"c91ec256f182fa6d6b5fe1279723cd2f9d9499f7","unresolved":true,"context_lines":[{"line_number":35,"context_line":"ADMIN_OR_SERVICE \u003d \u0027rule:admin_or_service_api\u0027"},{"line_number":36,"context_line":"SERVICE \u003d \u0027rule:service_api\u0027"},{"line_number":37,"context_line":"ADMIN_OR_PROJECT_READER_OR_SERVICE \u003d ("},{"line_number":38,"context_line":"    \u0027rule:admin_or_project_reader_or_service_api\u0027)"},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"rules \u003d ["},{"line_number":41,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":2,"id":"31aca76e_bfe8d67f","line":38,"updated":"2023-01-03 19:29:05.000000000","message":"Okay, I see we have one API that does respect project boundaries, thus member/reader for that makes sense (re: conversation on IRC).","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"58588317943f5501479dc4d0e1a2dfc967b5d86b","unresolved":true,"context_lines":[{"line_number":35,"context_line":"ADMIN_OR_SERVICE \u003d \u0027rule:admin_or_service_api\u0027"},{"line_number":36,"context_line":"SERVICE \u003d \u0027rule:service_api\u0027"},{"line_number":37,"context_line":"ADMIN_OR_PROJECT_READER_OR_SERVICE \u003d ("},{"line_number":38,"context_line":"    \u0027rule:admin_or_project_reader_or_service_api\u0027)"},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"rules \u003d ["},{"line_number":41,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":2,"id":"d6246928_e0db295c","line":38,"in_reply_to":"31aca76e_bfe8d67f","updated":"2023-01-25 02:34:14.000000000","message":"thats the usage api yes.\nright now that is only usabel it you expose placement which is not always done but eventurally horizon should use it instead of the simple_tenant_usage api.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b14c93f1b21248a4158771bdb828bfae24a27537","unresolved":false,"context_lines":[{"line_number":35,"context_line":"ADMIN_OR_SERVICE \u003d \u0027rule:admin_or_service_api\u0027"},{"line_number":36,"context_line":"SERVICE \u003d \u0027rule:service_api\u0027"},{"line_number":37,"context_line":"ADMIN_OR_PROJECT_READER_OR_SERVICE \u003d ("},{"line_number":38,"context_line":"    \u0027rule:admin_or_project_reader_or_service_api\u0027)"},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"rules \u003d ["},{"line_number":41,"context_line":"    policy.RuleDefault("}],"source_content_type":"text/x-python","patch_set":2,"id":"035ba3a7_168aa306","line":38,"in_reply_to":"d6246928_e0db295c","updated":"2023-01-25 05:17:36.000000000","message":"yeah. this is used in usage api.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":false,"context_lines":[{"line_number":47,"context_line":"    policy.RuleDefault("},{"line_number":48,"context_line":"        \"service_api\","},{"line_number":49,"context_line":"        \"role:service\","},{"line_number":50,"context_line":"        description\u003d\"Default rule for service-to-service placement APIs.\","},{"line_number":51,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":52,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_POLICY,"},{"line_number":53,"context_line":"    ),"}],"source_content_type":"text/x-python","patch_set":2,"id":"5b8f7d86_1e69f79f","line":50,"updated":"2023-01-26 13:34:35.000000000","message":"LGTM.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":false,"context_lines":[{"line_number":53,"context_line":"    ),"},{"line_number":54,"context_line":"    policy.RuleDefault("},{"line_number":55,"context_line":"        \"admin_or_service_api\","},{"line_number":56,"context_line":"        \"role:admin or role:service\","},{"line_number":57,"context_line":"        description\u003d\"Default rule for most placement APIs.\","},{"line_number":58,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":59,"context_line":"        deprecated_rule\u003dDEPRECATED_ADMIN_POLICY,"}],"source_content_type":"text/x-python","patch_set":2,"id":"dabfa87d_b0cc340e","line":56,"updated":"2023-01-26 13:34:35.000000000","message":"+1","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/policies/inventory.py":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":false,"context_lines":[{"line_number":27,"context_line":"rules \u003d ["},{"line_number":28,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":29,"context_line":"        name\u003dLIST,"},{"line_number":30,"context_line":"        check_str\u003dbase.ADMIN_OR_SERVICE,"},{"line_number":31,"context_line":"        description\u003d\"List resource provider inventories.\","},{"line_number":32,"context_line":"        operations\u003d["},{"line_number":33,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"169612ac_43de717f","line":30,"updated":"2023-01-26 13:34:35.000000000","message":"legit for /inventories","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/policies/reshaper.py":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"58588317943f5501479dc4d0e1a2dfc967b5d86b","unresolved":true,"context_lines":[{"line_number":22,"context_line":"rules \u003d ["},{"line_number":23,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":24,"context_line":"        RESHAPE,"},{"line_number":25,"context_line":"        base.SERVICE,"},{"line_number":26,"context_line":"        \"Reshape Inventory and Allocations.\","},{"line_number":27,"context_line":"        ["},{"line_number":28,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"50b6d79f_93f8a78c","line":25,"updated":"2023-01-25 02:34:14.000000000","message":"ah yes reshape is a good example of a service only api.\ni had not tought of this at first glance but like nova’s external event api, a human should never manually do a reshape \n+1","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b14c93f1b21248a4158771bdb828bfae24a27537","unresolved":false,"context_lines":[{"line_number":22,"context_line":"rules \u003d ["},{"line_number":23,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":24,"context_line":"        RESHAPE,"},{"line_number":25,"context_line":"        base.SERVICE,"},{"line_number":26,"context_line":"        \"Reshape Inventory and Allocations.\","},{"line_number":27,"context_line":"        ["},{"line_number":28,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"9ab9f960_e15603de","line":25,"in_reply_to":"50b6d79f_93f8a78c","updated":"2023-01-25 05:17:36.000000000","message":"agree","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":false,"context_lines":[{"line_number":22,"context_line":"rules \u003d ["},{"line_number":23,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":24,"context_line":"        RESHAPE,"},{"line_number":25,"context_line":"        base.SERVICE,"},{"line_number":26,"context_line":"        \"Reshape Inventory and Allocations.\","},{"line_number":27,"context_line":"        ["},{"line_number":28,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"6876e943_d7fba3ea","line":25,"in_reply_to":"9ab9f960_e15603de","updated":"2023-01-26 13:34:35.000000000","message":"++ this is service-only (even only nova)","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/policies/resource_class.py":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":false,"context_lines":[{"line_number":26,"context_line":"rules \u003d ["},{"line_number":27,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":28,"context_line":"        name\u003dLIST,"},{"line_number":29,"context_line":"        check_str\u003dbase.ADMIN_OR_SERVICE,"},{"line_number":30,"context_line":"        description\u003d\"List resource classes.\","},{"line_number":31,"context_line":"        operations\u003d["},{"line_number":32,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"ba74b746_b2847ccf","line":29,"updated":"2023-01-26 13:34:35.000000000","message":"lgtm","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/policies/resource_provider.py":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":false,"context_lines":[{"line_number":26,"context_line":"rules \u003d ["},{"line_number":27,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":28,"context_line":"        name\u003dLIST,"},{"line_number":29,"context_line":"        check_str\u003dbase.ADMIN_OR_SERVICE,"},{"line_number":30,"context_line":"        description\u003d\"List resource providers.\","},{"line_number":31,"context_line":"        operations\u003d["},{"line_number":32,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"b8acd6fb_9b9bb8bd","line":29,"updated":"2023-01-26 13:34:35.000000000","message":"lgtm","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/policies/trait.py":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":false,"context_lines":[{"line_number":30,"context_line":"rules \u003d ["},{"line_number":31,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":32,"context_line":"        name\u003dTRAITS_LIST,"},{"line_number":33,"context_line":"        check_str\u003dbase.ADMIN_OR_SERVICE,"},{"line_number":34,"context_line":"        description\u003d\"List traits.\","},{"line_number":35,"context_line":"        operations\u003d["},{"line_number":36,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"94a1e9fe_5ca78d39","line":33,"updated":"2023-01-26 13:34:35.000000000","message":"yup, lgtm only admins can create traits.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"58588317943f5501479dc4d0e1a2dfc967b5d86b","unresolved":true,"context_lines":[{"line_number":38,"context_line":"                \u0027path\u0027: \u0027/traits\u0027"},{"line_number":39,"context_line":"            }"},{"line_number":40,"context_line":"        ],"},{"line_number":41,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":42,"context_line":"    ),"},{"line_number":43,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":44,"context_line":"        name\u003dTRAITS_SHOW,"}],"source_content_type":"text/x-python","patch_set":2,"id":"0b790871_ff751f1e","line":41,"updated":"2023-01-25 02:34:14.000000000","message":"so this makes sense based on what the old policy was.\nhowever i would question if this should be project_member\n\nthe logic being that tenants can create images with with traits requests so it may make sense to expose it to normal users.\n\nresouce classes on the other hand can only be used by an adming so they dont need to be user listable.\n\nwhat do others think?\n\nim ok with keeping admin_or_service but should normal users be able to list avaibale traits?","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"aa10ea432778f85aa3bc69cdb9105dffeeb44a74","unresolved":true,"context_lines":[{"line_number":38,"context_line":"                \u0027path\u0027: \u0027/traits\u0027"},{"line_number":39,"context_line":"            }"},{"line_number":40,"context_line":"        ],"},{"line_number":41,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":42,"context_line":"    ),"},{"line_number":43,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":44,"context_line":"        name\u003dTRAITS_SHOW,"}],"source_content_type":"text/x-python","patch_set":2,"id":"a6ba4470_8b4805de","line":41,"in_reply_to":"0b790871_ff751f1e","updated":"2023-01-25 02:46:34.000000000","message":"i ment actully just the reader role not even project member.\n\nbasically should anyone be able to list aviable traits to know what they can put in the image.\n\non the ohter hand i know some admins would not want to expose tratis so leaving it as is is also proably correct.\n\nthe fact you cant know what traits are avaialable to you as an end user to use in an image is just a little odd","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"51530204ce4b1e59c357d552f07b81acb4f9715e","unresolved":true,"context_lines":[{"line_number":38,"context_line":"                \u0027path\u0027: \u0027/traits\u0027"},{"line_number":39,"context_line":"            }"},{"line_number":40,"context_line":"        ],"},{"line_number":41,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":42,"context_line":"    ),"},{"line_number":43,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":44,"context_line":"        name\u003dTRAITS_SHOW,"}],"source_content_type":"text/x-python","patch_set":2,"id":"75055a86_0e2683c8","line":41,"in_reply_to":"130c9950_dc47fd1e","updated":"2023-01-26 00:31:26.000000000","message":"ok lets leave it as is.\n\npart of me wants to say traits listing should be aviabel  to any logged in user\non the other hand that really only applie for standard traits.\nim not sure that oeprators want CUSTOM_ traits exposed so let keep it as is for now.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3961b7d46a52cc299263ee8c6f1346dfb0e90520","unresolved":false,"context_lines":[{"line_number":38,"context_line":"                \u0027path\u0027: \u0027/traits\u0027"},{"line_number":39,"context_line":"            }"},{"line_number":40,"context_line":"        ],"},{"line_number":41,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":42,"context_line":"    ),"},{"line_number":43,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":44,"context_line":"        name\u003dTRAITS_SHOW,"}],"source_content_type":"text/x-python","patch_set":2,"id":"ced3ec0a_41740bec","line":41,"in_reply_to":"75055a86_0e2683c8","updated":"2023-01-26 03:37:50.000000000","message":"ack.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b14c93f1b21248a4158771bdb828bfae24a27537","unresolved":true,"context_lines":[{"line_number":38,"context_line":"                \u0027path\u0027: \u0027/traits\u0027"},{"line_number":39,"context_line":"            }"},{"line_number":40,"context_line":"        ],"},{"line_number":41,"context_line":"        scope_types\u003d[\u0027project\u0027],"},{"line_number":42,"context_line":"    ),"},{"line_number":43,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":44,"context_line":"        name\u003dTRAITS_SHOW,"}],"source_content_type":"text/x-python","patch_set":2,"id":"130c9950_dc47fd1e","line":41,"in_reply_to":"a6ba4470_8b4805de","updated":"2023-01-25 05:17:36.000000000","message":"we do not store project_id in traits right? I mean they are not managed per project - https://github.com/openstack/placement/blob/ff8bee1fbc8151a399b096d8e4929ec923a9b02e/placement/db/sqlalchemy/models.py#L157\n\nso if we allow member or reader then any user with member/reader role in any project can list them.\n\nif any deployment want end user to list/show traits then they can always override the policy.","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/policies/usage.py":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":false,"context_lines":[{"line_number":22,"context_line":"rules \u003d ["},{"line_number":23,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":24,"context_line":"        name\u003dPROVIDER_USAGES,"},{"line_number":25,"context_line":"        check_str\u003dbase.ADMIN_OR_SERVICE,"},{"line_number":26,"context_line":"        description\u003d\"List resource provider usages.\","},{"line_number":27,"context_line":"        operations\u003d["},{"line_number":28,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"f06d41f5_5b435d9e","line":25,"updated":"2023-01-26 13:34:35.000000000","message":"I see the difference, this is only for /rp/uuid/usages.\nLGTM so.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"c91ec256f182fa6d6b5fe1279723cd2f9d9499f7","unresolved":true,"context_lines":[{"line_number":35,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":36,"context_line":"        name\u003dTOTAL_USAGES,"},{"line_number":37,"context_line":"        # NOTE(gmann): Admin in any project (legacy admin) can get usage of"},{"line_number":38,"context_line":"        # other project. But project member or reader role cannot get usage"},{"line_number":39,"context_line":"        # of other project."},{"line_number":40,"context_line":"        check_str\u003dbase.ADMIN_OR_PROJECT_READER_OR_SERVICE,"},{"line_number":41,"context_line":"        description\u003d\"List total resource usages for a given project.\","},{"line_number":42,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":2,"id":"fb2c4976_b900d5f2","line":39,"range":{"start_line":38,"start_character":25,"end_line":39,"end_character":27},"updated":"2023-01-03 19:29:05.000000000","message":"Don\u0027t change this unless you have to respin, but I think it would be clearer to say \"Project member or reader roles can see usage of their own project only.\"","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2f220c133fdb0a6ab580b8d75dcd9caf24a613c8","unresolved":false,"context_lines":[{"line_number":35,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":36,"context_line":"        name\u003dTOTAL_USAGES,"},{"line_number":37,"context_line":"        # NOTE(gmann): Admin in any project (legacy admin) can get usage of"},{"line_number":38,"context_line":"        # other project. But project member or reader role cannot get usage"},{"line_number":39,"context_line":"        # of other project."},{"line_number":40,"context_line":"        check_str\u003dbase.ADMIN_OR_PROJECT_READER_OR_SERVICE,"},{"line_number":41,"context_line":"        description\u003d\"List total resource usages for a given project.\","},{"line_number":42,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":2,"id":"5fc828db_d26cf57a","line":39,"range":{"start_line":38,"start_character":25,"end_line":39,"end_character":27},"in_reply_to":"01a699e0_1facc4ad","updated":"2023-01-26 17:31:52.000000000","message":"Done","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":true,"context_lines":[{"line_number":35,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":36,"context_line":"        name\u003dTOTAL_USAGES,"},{"line_number":37,"context_line":"        # NOTE(gmann): Admin in any project (legacy admin) can get usage of"},{"line_number":38,"context_line":"        # other project. But project member or reader role cannot get usage"},{"line_number":39,"context_line":"        # of other project."},{"line_number":40,"context_line":"        check_str\u003dbase.ADMIN_OR_PROJECT_READER_OR_SERVICE,"},{"line_number":41,"context_line":"        description\u003d\"List total resource usages for a given project.\","},{"line_number":42,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":2,"id":"01a699e0_1facc4ad","line":39,"range":{"start_line":38,"start_character":25,"end_line":39,"end_character":27},"in_reply_to":"daf7d473_f499d6b4","updated":"2023-01-26 13:34:35.000000000","message":"do it then in a follow-up please.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"7a95435f55447c49263930bc0c5ded619d0484c6","unresolved":true,"context_lines":[{"line_number":35,"context_line":"    policy.DocumentedRuleDefault("},{"line_number":36,"context_line":"        name\u003dTOTAL_USAGES,"},{"line_number":37,"context_line":"        # NOTE(gmann): Admin in any project (legacy admin) can get usage of"},{"line_number":38,"context_line":"        # other project. But project member or reader role cannot get usage"},{"line_number":39,"context_line":"        # of other project."},{"line_number":40,"context_line":"        check_str\u003dbase.ADMIN_OR_PROJECT_READER_OR_SERVICE,"},{"line_number":41,"context_line":"        description\u003d\"List total resource usages for a given project.\","},{"line_number":42,"context_line":"        operations\u003d["}],"source_content_type":"text/x-python","patch_set":2,"id":"daf7d473_f499d6b4","line":39,"range":{"start_line":38,"start_character":25,"end_line":39,"end_character":27},"in_reply_to":"fb2c4976_b900d5f2","updated":"2023-01-03 19:41:42.000000000","message":"ack.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":false,"context_lines":[{"line_number":37,"context_line":"        # NOTE(gmann): Admin in any project (legacy admin) can get usage of"},{"line_number":38,"context_line":"        # other project. But project member or reader role cannot get usage"},{"line_number":39,"context_line":"        # of other project."},{"line_number":40,"context_line":"        check_str\u003dbase.ADMIN_OR_PROJECT_READER_OR_SERVICE,"},{"line_number":41,"context_line":"        description\u003d\"List total resource usages for a given project.\","},{"line_number":42,"context_line":"        operations\u003d["},{"line_number":43,"context_line":"            {"}],"source_content_type":"text/x-python","patch_set":2,"id":"17bdb86a_025291d7","line":40,"updated":"2023-01-26 13:34:35.000000000","message":"yup, endusers can see the total usages","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/tests/functional/gabbits/aggregate-legacy-rbac.yaml":[{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2d792181b41e81d9274f96fa217096a27091e826","unresolved":true,"context_lines":[{"line_number":110,"context_line":"  response_json_paths:"},{"line_number":111,"context_line":"    $.aggregates.`len`: 2"},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"- name: system reader can list aggregates"},{"line_number":114,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"},{"line_number":115,"context_line":"  request_headers: *system_reader_headers"},{"line_number":116,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"2ecc3939_9d57107c","line":113,"updated":"2023-01-26 13:57:05.000000000","message":"The name of this test case is not aligned with the content. Based on this test case a system reader cannot list aggregates as placement returns 403.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2f220c133fdb0a6ab580b8d75dcd9caf24a613c8","unresolved":false,"context_lines":[{"line_number":110,"context_line":"  response_json_paths:"},{"line_number":111,"context_line":"    $.aggregates.`len`: 2"},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"- name: system reader can list aggregates"},{"line_number":114,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"},{"line_number":115,"context_line":"  request_headers: *system_reader_headers"},{"line_number":116,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"04ce4c2e_191d8e13","line":113,"in_reply_to":"2ecc3939_9d57107c","updated":"2023-01-26 17:31:52.000000000","message":"Done","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":true,"context_lines":[{"line_number":113,"context_line":"- name: system reader can list aggregates"},{"line_number":114,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"},{"line_number":115,"context_line":"  request_headers: *system_reader_headers"},{"line_number":116,"context_line":"  status: 403"},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"- name: project admin can list aggregates"},{"line_number":119,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"1ec3f921_3aa8c92e","line":116,"updated":"2023-01-26 13:34:35.000000000","message":"sec, you confuses me. I thought a system reader role has admin rights on a project when looking at https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html#system-reader\n\n\nIn this specific case (in the spec example, this is Alice), the system reader should be able to list the aggregates, but not create or delete them, right ?","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"e913f37ed5d488017f783fa8636575c196603d0d","unresolved":false,"context_lines":[{"line_number":113,"context_line":"- name: system reader can list aggregates"},{"line_number":114,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"},{"line_number":115,"context_line":"  request_headers: *system_reader_headers"},{"line_number":116,"context_line":"  status: 403"},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"- name: project admin can list aggregates"},{"line_number":119,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"52dd6463_fea6667d","line":116,"in_reply_to":"1ec3f921_3aa8c92e","updated":"2023-01-26 14:03:25.000000000","message":"OK, I pinged folks on IRC and actually I was wrong. I don\u0027t know why, but I forgot we agreed in Berlin to no longer accept system roles, hence the HTTP403. So, sorry about this.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2f220c133fdb0a6ab580b8d75dcd9caf24a613c8","unresolved":false,"context_lines":[{"line_number":113,"context_line":"- name: system reader can list aggregates"},{"line_number":114,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"},{"line_number":115,"context_line":"  request_headers: *system_reader_headers"},{"line_number":116,"context_line":"  status: 403"},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"- name: project admin can list aggregates"},{"line_number":119,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"91e1899f_420851f2","line":116,"in_reply_to":"52dd6463_fea6667d","updated":"2023-01-26 17:31:52.000000000","message":"yeah, as per the zed direction change in RBAC, we are dropping system scope from policy it means every policy will be project scopped.","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/tests/functional/gabbits/aggregate-secure-rbac.yaml":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":true,"context_lines":[{"line_number":159,"context_line":"- name: system admin cannot list aggregates"},{"line_number":160,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"},{"line_number":161,"context_line":"  request_headers: *system_admin_headers"},{"line_number":162,"context_line":"  status: 403"},{"line_number":163,"context_line":""},{"line_number":164,"context_line":"- name: system reader cannot list aggregates"},{"line_number":165,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"b20978a0_87802908","line":162,"updated":"2023-01-26 13:34:35.000000000","message":"same concern","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"e913f37ed5d488017f783fa8636575c196603d0d","unresolved":false,"context_lines":[{"line_number":159,"context_line":"- name: system admin cannot list aggregates"},{"line_number":160,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"},{"line_number":161,"context_line":"  request_headers: *system_admin_headers"},{"line_number":162,"context_line":"  status: 403"},{"line_number":163,"context_line":""},{"line_number":164,"context_line":"- name: system reader cannot list aggregates"},{"line_number":165,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"4178f983_b03461fc","line":162,"in_reply_to":"b20978a0_87802908","updated":"2023-01-26 14:03:25.000000000","message":"no longer a problem","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":true,"context_lines":[{"line_number":164,"context_line":"- name: system reader cannot list aggregates"},{"line_number":165,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"},{"line_number":166,"context_line":"  request_headers: *system_reader_headers"},{"line_number":167,"context_line":"  status: 403"},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"- name: admin can list aggregates"},{"line_number":170,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"f97378b6_9ab44a21","line":167,"updated":"2023-01-26 13:34:35.000000000","message":"same concern here with the same system reader.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"e913f37ed5d488017f783fa8636575c196603d0d","unresolved":false,"context_lines":[{"line_number":164,"context_line":"- name: system reader cannot list aggregates"},{"line_number":165,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"},{"line_number":166,"context_line":"  request_headers: *system_reader_headers"},{"line_number":167,"context_line":"  status: 403"},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"- name: admin can list aggregates"},{"line_number":170,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]/aggregates"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"ca691588_1bfacfb5","line":167,"in_reply_to":"f97378b6_9ab44a21","updated":"2023-01-26 14:03:25.000000000","message":"no longer a problem","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/tests/functional/gabbits/allocation-candidates-legacy-rbac.yaml":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":true,"context_lines":[{"line_number":47,"context_line":"  request_headers: *system_admin_headers"},{"line_number":48,"context_line":"  status: 200"},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"- name: system reader cannot get allocation candidates"},{"line_number":51,"context_line":"  GET: /allocation_candidates?resources\u003dVCPU:1,MEMORY_MB:1024,DISK_GB:100"},{"line_number":52,"context_line":"  request_headers: *system_reader_headers"},{"line_number":53,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"fc630e72_895f78c3","line":50,"updated":"2023-01-26 13:34:35.000000000","message":"why this behavourial change ?","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"e913f37ed5d488017f783fa8636575c196603d0d","unresolved":false,"context_lines":[{"line_number":47,"context_line":"  request_headers: *system_admin_headers"},{"line_number":48,"context_line":"  status: 200"},{"line_number":49,"context_line":""},{"line_number":50,"context_line":"- name: system reader cannot get allocation candidates"},{"line_number":51,"context_line":"  GET: /allocation_candidates?resources\u003dVCPU:1,MEMORY_MB:1024,DISK_GB:100"},{"line_number":52,"context_line":"  request_headers: *system_reader_headers"},{"line_number":53,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"b1776919_bae940a0","line":50,"in_reply_to":"fc630e72_895f78c3","updated":"2023-01-26 14:03:25.000000000","message":"no longer a problem","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/tests/functional/gabbits/allocation-candidates-secure-rbac.yaml":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":true,"context_lines":[{"line_number":68,"context_line":"  request_headers: *service_headers"},{"line_number":69,"context_line":"  status: 200"},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"- name: system admin cannot get allocation candidates"},{"line_number":72,"context_line":"  GET: /allocation_candidates?resources\u003dVCPU:1,MEMORY_MB:1024,DISK_GB:100"},{"line_number":73,"context_line":"  request_headers: *system_admin_headers"},{"line_number":74,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"3228a201_23404efe","line":71,"updated":"2023-01-26 13:34:35.000000000","message":"I\u0027m not OK with this, a system admin should get candidates","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"e913f37ed5d488017f783fa8636575c196603d0d","unresolved":false,"context_lines":[{"line_number":68,"context_line":"  request_headers: *service_headers"},{"line_number":69,"context_line":"  status: 200"},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"- name: system admin cannot get allocation candidates"},{"line_number":72,"context_line":"  GET: /allocation_candidates?resources\u003dVCPU:1,MEMORY_MB:1024,DISK_GB:100"},{"line_number":73,"context_line":"  request_headers: *system_admin_headers"},{"line_number":74,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"971216f3_df8bc723","line":71,"in_reply_to":"3228a201_23404efe","updated":"2023-01-26 14:03:25.000000000","message":"no longer a problem, we no longer want to support system roles for a project.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":true,"context_lines":[{"line_number":73,"context_line":"  request_headers: *system_admin_headers"},{"line_number":74,"context_line":"  status: 403"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"- name: system reader cannot get allocation candidates"},{"line_number":77,"context_line":"  GET: /allocation_candidates?resources\u003dVCPU:1,MEMORY_MB:1024,DISK_GB:100"},{"line_number":78,"context_line":"  request_headers: *system_reader_headers"},{"line_number":79,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"fce9d97b_f20e56d7","line":76,"updated":"2023-01-26 13:34:35.000000000","message":"... and here this is debatable : system readers in theory are able to get knowledge of the system, provided they don\u0027t create allocations.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"e913f37ed5d488017f783fa8636575c196603d0d","unresolved":false,"context_lines":[{"line_number":73,"context_line":"  request_headers: *system_admin_headers"},{"line_number":74,"context_line":"  status: 403"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"- name: system reader cannot get allocation candidates"},{"line_number":77,"context_line":"  GET: /allocation_candidates?resources\u003dVCPU:1,MEMORY_MB:1024,DISK_GB:100"},{"line_number":78,"context_line":"  request_headers: *system_reader_headers"},{"line_number":79,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"6e5e72f9_8d4765e0","line":76,"in_reply_to":"fce9d97b_f20e56d7","updated":"2023-01-26 14:03:25.000000000","message":"as well, no longer a problem.","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/tests/functional/gabbits/allocations-legacy-rbac.yaml":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"c1ef070d346e896f2b26083ee1c6a09fef4eb752","unresolved":true,"context_lines":[{"line_number":160,"context_line":"- name: system reader can list allocation"},{"line_number":161,"context_line":"  GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9"},{"line_number":162,"context_line":"  request_headers: *system_reader_headers"},{"line_number":163,"context_line":"  status: 403"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"- name: project admin can list allocation"},{"line_number":166,"context_line":"  GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"4bb9d143_e577cef3","line":163,"updated":"2023-01-26 13:34:35.000000000","message":"ditto","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/tests/functional/gabbits/inventory-legacy-rbac.yaml":[{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2d792181b41e81d9274f96fa217096a27091e826","unresolved":true,"context_lines":[{"line_number":93,"context_line":"    $.resource_provider_generation: 0"},{"line_number":94,"context_line":"    $.inventories: {}"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"- name: system reader can list inventories"},{"line_number":97,"context_line":"  GET: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories"},{"line_number":98,"context_line":"  request_headers: *system_reader_headers"},{"line_number":99,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"8ac317fe_429e5e0f","line":96,"updated":"2023-01-26 13:57:05.000000000","message":"this name is not aligned with the test case itself","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2f220c133fdb0a6ab580b8d75dcd9caf24a613c8","unresolved":false,"context_lines":[{"line_number":93,"context_line":"    $.resource_provider_generation: 0"},{"line_number":94,"context_line":"    $.inventories: {}"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"- name: system reader can list inventories"},{"line_number":97,"context_line":"  GET: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories"},{"line_number":98,"context_line":"  request_headers: *system_reader_headers"},{"line_number":99,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"f92a7bf0_2df062cd","line":96,"in_reply_to":"8ac317fe_429e5e0f","updated":"2023-01-26 17:31:52.000000000","message":"Done","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2d792181b41e81d9274f96fa217096a27091e826","unresolved":true,"context_lines":[{"line_number":193,"context_line":"  request_headers: *system_admin_headers"},{"line_number":194,"context_line":"  status: 200"},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"- name: system reader can show inventory"},{"line_number":197,"context_line":"  GET: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories/DISK_GB"},{"line_number":198,"context_line":"  request_headers: *system_reader_headers"},{"line_number":199,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"8c57a534_16039b99","line":196,"updated":"2023-01-26 13:57:05.000000000","message":"ditto","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2f220c133fdb0a6ab580b8d75dcd9caf24a613c8","unresolved":false,"context_lines":[{"line_number":193,"context_line":"  request_headers: *system_admin_headers"},{"line_number":194,"context_line":"  status: 200"},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"- name: system reader can show inventory"},{"line_number":197,"context_line":"  GET: /resource_providers/85475179-de26-4f7a-8c11-b4dc10fe47f4/inventories/DISK_GB"},{"line_number":198,"context_line":"  request_headers: *system_reader_headers"},{"line_number":199,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"feb88718_7f31be45","line":196,"in_reply_to":"8c57a534_16039b99","updated":"2023-01-26 17:31:52.000000000","message":"Done","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/tests/functional/gabbits/resource-provider-legacy-rbac.yaml":[{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2d792181b41e81d9274f96fa217096a27091e826","unresolved":true,"context_lines":[{"line_number":48,"context_line":"  response_json_paths:"},{"line_number":49,"context_line":"    $.resource_providers: []"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"- name: system reader can list resource providers"},{"line_number":52,"context_line":"  GET: /resource_providers"},{"line_number":53,"context_line":"  request_headers: *system_reader_headers"},{"line_number":54,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"c0d305bc_73a2d649","line":51,"updated":"2023-01-26 13:57:05.000000000","message":"testcase name is not aligned with the content","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2f220c133fdb0a6ab580b8d75dcd9caf24a613c8","unresolved":false,"context_lines":[{"line_number":48,"context_line":"  response_json_paths:"},{"line_number":49,"context_line":"    $.resource_providers: []"},{"line_number":50,"context_line":""},{"line_number":51,"context_line":"- name: system reader can list resource providers"},{"line_number":52,"context_line":"  GET: /resource_providers"},{"line_number":53,"context_line":"  request_headers: *system_reader_headers"},{"line_number":54,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"c16a735f_9989a857","line":51,"in_reply_to":"c0d305bc_73a2d649","updated":"2023-01-26 17:31:52.000000000","message":"Done","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2d792181b41e81d9274f96fa217096a27091e826","unresolved":true,"context_lines":[{"line_number":123,"context_line":"  response_json_paths:"},{"line_number":124,"context_line":"    $.uuid: $ENVIRON[\u0027RP_UUID\u0027]"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"- name: system reader can show resource provider"},{"line_number":127,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]"},{"line_number":128,"context_line":"  request_headers: *system_reader_headers"},{"line_number":129,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"695bf466_571a7701","line":126,"updated":"2023-01-26 13:57:05.000000000","message":"ditto","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2f220c133fdb0a6ab580b8d75dcd9caf24a613c8","unresolved":false,"context_lines":[{"line_number":123,"context_line":"  response_json_paths:"},{"line_number":124,"context_line":"    $.uuid: $ENVIRON[\u0027RP_UUID\u0027]"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"- name: system reader can show resource provider"},{"line_number":127,"context_line":"  GET: /resource_providers/$ENVIRON[\u0027RP_UUID\u0027]"},{"line_number":128,"context_line":"  request_headers: *system_reader_headers"},{"line_number":129,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"6dfbe626_c0212e1d","line":126,"in_reply_to":"695bf466_571a7701","updated":"2023-01-26 17:31:52.000000000","message":"Done","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/tests/functional/gabbits/resource-provider-secure-rbac.yaml":[{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2d792181b41e81d9274f96fa217096a27091e826","unresolved":true,"context_lines":[{"line_number":75,"context_line":"  request_headers: *system_admin_headers"},{"line_number":76,"context_line":"  status: 403"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"- name: system reader can list resource providers"},{"line_number":79,"context_line":"  GET: /resource_providers"},{"line_number":80,"context_line":"  request_headers: *system_reader_headers"},{"line_number":81,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"92594d4e_52def57c","line":78,"updated":"2023-01-26 13:57:05.000000000","message":"name is not aligned with the content","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2f220c133fdb0a6ab580b8d75dcd9caf24a613c8","unresolved":false,"context_lines":[{"line_number":75,"context_line":"  request_headers: *system_admin_headers"},{"line_number":76,"context_line":"  status: 403"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"- name: system reader can list resource providers"},{"line_number":79,"context_line":"  GET: /resource_providers"},{"line_number":80,"context_line":"  request_headers: *system_reader_headers"},{"line_number":81,"context_line":"  status: 403"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"e1035f07_2c0220d3","line":78,"in_reply_to":"92594d4e_52def57c","updated":"2023-01-26 17:31:52.000000000","message":"Done","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"placement/tests/functional/gabbits/usage-secure-rbac.yaml":[{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"2d792181b41e81d9274f96fa217096a27091e826","unresolved":true,"context_lines":[{"line_number":163,"context_line":"  status: 403"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"# Admin in any project(legacy admin) will be able to get usage on other"},{"line_number":166,"context_line":"# ptojects."},{"line_number":167,"context_line":"- name: admin can get total usage for other project"},{"line_number":168,"context_line":"  GET: /usages?project_id\u003d$ENVIRON[\u0027PROJECT_ID\u0027]"},{"line_number":169,"context_line":"  request_headers: *alt_project_admin_headers"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"d5597dec_3bbb4ccd","line":166,"updated":"2023-01-26 13:57:05.000000000","message":"nit:projects","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"2f220c133fdb0a6ab580b8d75dcd9caf24a613c8","unresolved":false,"context_lines":[{"line_number":163,"context_line":"  status: 403"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"# Admin in any project(legacy admin) will be able to get usage on other"},{"line_number":166,"context_line":"# ptojects."},{"line_number":167,"context_line":"- name: admin can get total usage for other project"},{"line_number":168,"context_line":"  GET: /usages?project_id\u003d$ENVIRON[\u0027PROJECT_ID\u0027]"},{"line_number":169,"context_line":"  request_headers: *alt_project_admin_headers"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"100c97c5_acd12565","line":166,"in_reply_to":"d5597dec_3bbb4ccd","updated":"2023-01-26 17:31:52.000000000","message":"Done","commit_id":"10a367831761984e89c2e03222b30205a9475832"}],"releasenotes/notes/policy-defaults-refresh-d903d15cd51ac1a8.yaml":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"e913f37ed5d488017f783fa8636575c196603d0d","unresolved":false,"context_lines":[{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    The Placement policies have been modified to drop the system scope. Every"},{"line_number":5,"context_line":"    API policy is scoped to project. This means that system scoped users"},{"line_number":6,"context_line":"    will get 403 permission denied error."},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"    Currently, Placement supports the following default roles:"},{"line_number":9,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":2,"id":"e1fe1492_5ef0d9be","line":6,"updated":"2023-01-26 14:03:25.000000000","message":"yeah OK.","commit_id":"10a367831761984e89c2e03222b30205a9475832"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"e913f37ed5d488017f783fa8636575c196603d0d","unresolved":false,"context_lines":[{"line_number":21,"context_line":""},{"line_number":22,"context_line":"      [oslo_policy]"},{"line_number":23,"context_line":"      enforce_new_defaults\u003dTrue"},{"line_number":24,"context_line":"      enforce_scope\u003dTrue"},{"line_number":25,"context_line":"upgrade:"},{"line_number":26,"context_line":"  - |"},{"line_number":27,"context_line":"    All the placement policies have been dropped the system scope and they"}],"source_content_type":"text/x-yaml","patch_set":2,"id":"13624022_de4fedfe","line":24,"updated":"2023-01-26 14:03:25.000000000","message":"ack","commit_id":"10a367831761984e89c2e03222b30205a9475832"}]}