)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"f8f8586cc759255a6e44beeed116d21466653fce","unresolved":true,"context_lines":[{"line_number":9,"context_line":"This patch makes Nova send service tokens to other OpenStack services"},{"line_number":10,"context_line":"and tells Cinder to expect and validate them."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"The nova user that is used for the token creation has the role \u0027admin\u0027,"},{"line_number":13,"context_line":"so we define it as a valid service role in the cinder configuration."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"This is necessary because in the recent CVE fix it has become mandatory"},{"line_number":16,"context_line":"for Nova to send service tokens to Cinder to be able to detach volumes."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"51b52c90_c57070a4","line":13,"range":{"start_line":12,"start_character":0,"end_line":13,"end_character":68},"updated":"2023-05-19 14:08:17.000000000","message":"Probably we can add the service role instead of allowing the admin role to use service token ?","commit_id":"3c37da6e3db28ea2ac0830f245fe885dfc00ebb2"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"70706dbb9fd24e702b8d503ef380967994c9a4a9","unresolved":false,"context_lines":[{"line_number":9,"context_line":"This patch makes Nova send service tokens to other OpenStack services"},{"line_number":10,"context_line":"and tells Cinder to expect and validate them."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"The nova user that is used for the token creation has the role \u0027admin\u0027,"},{"line_number":13,"context_line":"so we define it as a valid service role in the cinder configuration."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"This is necessary because in the recent CVE fix it has become mandatory"},{"line_number":16,"context_line":"for Nova to send service tokens to Cinder to be able to detach volumes."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"21a5b3ea_e09bdcbe","line":13,"range":{"start_line":12,"start_character":0,"end_line":13,"end_character":68},"in_reply_to":"51b52c90_c57070a4","updated":"2023-05-19 14:10:21.000000000","message":"Done","commit_id":"3c37da6e3db28ea2ac0830f245fe885dfc00ebb2"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":16312,"name":"Alfredo Moralejo","email":"amoralej@redhat.com","username":"amoralej"},"change_message_id":"cac45740407b206649b0d4ddfa61c22c788d57d5","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"c56cd76b_9f050102","updated":"2023-05-19 11:14:06.000000000","message":"Tested with the latest (unpromoted) cinder commits:\n\nhttps://review.rdoproject.org/r/c/testproject/+/48680\n\nNote this is blocking promotion for RDO repos.","commit_id":"3c37da6e3db28ea2ac0830f245fe885dfc00ebb2"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"a6dbddac3e05295991e1aed2cc9ddfd5eeffab0e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"a0319110_924c9703","updated":"2023-05-19 15:16:23.000000000","message":"Verified again by testproject. I believe the current version is better.","commit_id":"b78f3fc90012d4efb8d20c368db0517ba4834160"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"511524c569a590e8fb0e696a910e85ad0281da93","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"4ffb5af1_11afd376","updated":"2023-05-19 15:10:46.000000000","message":"side note: I\u0027m wondering if this change also affects cinder backend of glance. AFAIK glance does not support using service token for its interaction with cinder api but requires attachment_create/delete call.","commit_id":"b78f3fc90012d4efb8d20c368db0517ba4834160"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"f14c5e2ce8e803893ac34328ba2e7ded851434c5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"f7c58b9b_91cc2eb4","in_reply_to":"4ffb5af1_11afd376","updated":"2023-05-19 15:15:13.000000000","message":"Probably it\u0027s ok because the logic allows attachment delete if the attachment doesn\u0027t have an instance_uuid value","commit_id":"b78f3fc90012d4efb8d20c368db0517ba4834160"}],"manifests/cinder.pp":[{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"f8f8586cc759255a6e44beeed116d21466653fce","unresolved":true,"context_lines":[{"line_number":104,"context_line":"    www_authenticate_uri         \u003d\u003e $::openstack_integration::config::keystone_auth_uri,"},{"line_number":105,"context_line":"    memcached_servers            \u003d\u003e $::openstack_integration::config::memcached_servers,"},{"line_number":106,"context_line":"    service_token_roles_required \u003d\u003e true,"},{"line_number":107,"context_line":"    service_token_roles          \u003d\u003e [\u0027admin\u0027],"},{"line_number":108,"context_line":"  }"},{"line_number":109,"context_line":"  class { \u0027cinder::api\u0027:"},{"line_number":110,"context_line":"    default_volume_type \u003d\u003e \u0027BACKEND_1\u0027,"}],"source_content_type":"text/x-puppet","patch_set":2,"id":"91fdb3f0_3c3a6fa3","line":107,"range":{"start_line":107,"start_character":4,"end_line":107,"end_character":23},"updated":"2023-05-19 14:08:17.000000000","message":"Probably we can add the service role to nova user instead of","commit_id":"3c37da6e3db28ea2ac0830f245fe885dfc00ebb2"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"5d6442aa387b5f94ac0e226d80f0782fbb041163","unresolved":false,"context_lines":[{"line_number":104,"context_line":"    www_authenticate_uri         \u003d\u003e $::openstack_integration::config::keystone_auth_uri,"},{"line_number":105,"context_line":"    memcached_servers            \u003d\u003e $::openstack_integration::config::memcached_servers,"},{"line_number":106,"context_line":"    service_token_roles_required \u003d\u003e true,"},{"line_number":107,"context_line":"    service_token_roles          \u003d\u003e [\u0027admin\u0027],"},{"line_number":108,"context_line":"  }"},{"line_number":109,"context_line":"  class { \u0027cinder::api\u0027:"},{"line_number":110,"context_line":"    default_volume_type \u003d\u003e \u0027BACKEND_1\u0027,"}],"source_content_type":"text/x-puppet","patch_set":2,"id":"d6c55b80_7624282b","line":107,"range":{"start_line":107,"start_character":4,"end_line":107,"end_character":23},"in_reply_to":"91fdb3f0_3c3a6fa3","updated":"2023-05-19 14:10:14.000000000","message":"allowing the admin role to use the service token.","commit_id":"3c37da6e3db28ea2ac0830f245fe885dfc00ebb2"}]}