)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":9545,"name":"Andriy Kurilin","email":"andr.kurilin@gmail.com","username":"akurilin"},"change_message_id":"abdc0a089cdb9ebf90e088b2ec5ae3fa8d8b8d2f","unresolved":true,"context_lines":[{"line_number":9,"context_line":"The following devstack change I3361d33885b2e3af7cad0141f9b799b2723ee8a1"},{"line_number":10,"context_line":"may be a root cause for failing functional job. This commit should"},{"line_number":11,"context_line":"verify this."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"Change-Id: Ica272a5ce5d20dcb52e8a636849af2d71e15afb2"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"87d4bfe9_9be73360","line":12,"updated":"2023-11-21 21:10:50.000000000","message":"more details about failure here - https://review.opendev.org/c/openstack/python-novaclient/+/899950/comments/3a6f1d98_35d0a6e7","commit_id":"ed2a507b60bff511d26ec504db8a9992f94d80ab"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"be8bc84205c54b0dddd0f3b2d5bd1f5e9987eaba","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"ed6cc775_a2ff55eb","updated":"2023-11-22 06:47:36.000000000","message":"+1 to unblocking the gate short-term with this","commit_id":"ed2a507b60bff511d26ec504db8a9992f94d80ab"},{"author":{"_account_id":9545,"name":"Andriy Kurilin","email":"andr.kurilin@gmail.com","username":"akurilin"},"change_message_id":"7c4ed746e08abafee3ba7b64478253089b627bdf","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"65c68518_c195745e","updated":"2023-11-22 15:50:49.000000000","message":"I extended neutron logs with an exact policy error - https://review.opendev.org/c/openstack/neutron/+/901674 + https://review.opendev.org/c/openstack/python-novaclient/+/901677\n\nThe result:\n`rule:get_auto_allocated_topology is disallowed by policy` \n\nIDK what disallowed means in context of policies... need help from someone of neutron team","commit_id":"ed2a507b60bff511d26ec504db8a9992f94d80ab"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"99ca02c47ba145868cb8112058a4126e8bf44c54","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"bc3b28d3_0d150fbd","updated":"2023-11-21 22:26:15.000000000","message":"Thanks for working on a fix for the job failure! I think we might be able to make our testing work with scope enforcement, details inline.","commit_id":"ed2a507b60bff511d26ec504db8a9992f94d80ab"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"5493b117dbeb80c74a580348e39f549027c2c4c0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"97188e33_0aa578e3","updated":"2023-11-23 03:00:33.000000000","message":"This is strange why neutron new policy is failing. old policy also admin_or_owner and new one admin_or_reader the only difference in both role is \u0027reader\u0027 role which should be implied by the \u0027member\u0027 (owner) role. both old and new do check the project_id.\n\nI suspect is tenant_id vs project_id, old rule check tenant_id[1] and new one project_id. is there any case where project_id is not populated correctly in token or tenant_id in old token was incorrect?\n\nanyways agree to unblock the gate and I will debug this.\n\n[1] https://github.com/openstack/neutron/blob/2be4343756863f252c8289e2ca3e7afe71f566c4/neutron/conf/policies/base.py#L89","commit_id":"ed2a507b60bff511d26ec504db8a9992f94d80ab"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"8556335eb48eaa2189ccbfbebacb4cf2f0fb271d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"2b36e885_9b15302a","in_reply_to":"65c68518_c195745e","updated":"2023-11-23 01:02:49.000000000","message":"Thanks for doing that Andriy. I found the exception message comes from PolicyNotAuthorized:\n\nhttps://github.com/openstack/oslo.policy/blob/a1e76258180002b288e64532676ba2bc2d1ec800/oslo_policy/policy.py#L308\n\nand I don\u0027t understand how it fails at the oslo.policy level when the policy rules for the old vs new defaults are essentially the same (???). Needs more investigation for sure.\n\nI agree disabling the scope enforcement in the meantime makes sense.","commit_id":"ed2a507b60bff511d26ec504db8a9992f94d80ab"}],"novaclient/tests/functional/base.py":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"99ca02c47ba145868cb8112058a4126e8bf44c54","unresolved":true,"context_lines":[{"line_number":575,"context_line":"                if \"member\" in role.name.lower():"},{"line_number":576,"context_line":"                    self.keystone.roles.grant(role.id, user\u003dself.user_id,"},{"line_number":577,"context_line":"                                              project\u003dself.project_id)"},{"line_number":578,"context_line":"                    break"},{"line_number":579,"context_line":"        else:"},{"line_number":580,"context_line":"            project \u003d self.keystone.tenants.create(project_name)"},{"line_number":581,"context_line":"            self.project_id \u003d project.id"}],"source_content_type":"text/x-python","patch_set":1,"id":"7c331463_8b4e1e43","line":578,"updated":"2023-11-21 22:26:15.000000000","message":"I looked for the source of the issue and if I\u0027ve understood it right, when scope is enforced, the policy check string for the auto-allocated-topology API allows ADMIN_OR_PROJECT_READER [1] which is `(rule:admin_only) or (role:reader and project_id:%(project_id)s)` [2]. In the test, the server is created by a non-admin [3] and without scope enforced the policy check was RULE_ADMIN_OR_OWNER (`role:admin or project_id:%(project_id)s`) which would pass for a non-admin user who is in the same project.\n\nWith scope enforced, we need the non-admin user to also have the `reader` role for their project, which I think is appropriate for any project member anyway.\n\nSo I\u0027m wondering if we add code here to grant the `reader` role to the created non-admin user, if the test will pass with scope enforcement staying enabled. (IMHO it would be ideal to align with the new default in devstack and test with scope enforced.)\n\n[1] https://github.com/openstack/neutron/blob/cbca72195ae5976d6f8b10bbbd58bde3542956bf/neutron/conf/policies/auto_allocated_topology.py#L29\n[2] https://github.com/openstack/neutron/blob/cbca72195ae5976d6f8b10bbbd58bde3542956bf/neutron/conf/policies/base.py#L43\n[3] https://github.com/openstack/python-novaclient/blob/dc2cb6cdd5062d398e187351e835fb51177e3cdf/novaclient/tests/functional/v2/test_instance_action.py#L133","commit_id":"ed2a507b60bff511d26ec504db8a9992f94d80ab"},{"author":{"_account_id":9545,"name":"Andriy Kurilin","email":"andr.kurilin@gmail.com","username":"akurilin"},"change_message_id":"7c4ed746e08abafee3ba7b64478253089b627bdf","unresolved":true,"context_lines":[{"line_number":575,"context_line":"                if \"member\" in role.name.lower():"},{"line_number":576,"context_line":"                    self.keystone.roles.grant(role.id, user\u003dself.user_id,"},{"line_number":577,"context_line":"                                              project\u003dself.project_id)"},{"line_number":578,"context_line":"                    break"},{"line_number":579,"context_line":"        else:"},{"line_number":580,"context_line":"            project \u003d self.keystone.tenants.create(project_name)"},{"line_number":581,"context_line":"            self.project_id \u003d project.id"}],"source_content_type":"text/x-python","patch_set":1,"id":"c15a1eb1_fafa9926","line":578,"in_reply_to":"6a106c11_4a4a3c0f","updated":"2023-11-22 15:50:49.000000000","message":"\u003e In my understanding, the member role should imply the reader role, so it should not be necessary to set it explicitly. \n\nagree. the \"inheritance\" of the roles does not work only in case of application tokens. Assigning reader role should be redundant","commit_id":"ed2a507b60bff511d26ec504db8a9992f94d80ab"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"0009f5966dd820737d0adec040e55a686cfb56f7","unresolved":true,"context_lines":[{"line_number":575,"context_line":"                if \"member\" in role.name.lower():"},{"line_number":576,"context_line":"                    self.keystone.roles.grant(role.id, user\u003dself.user_id,"},{"line_number":577,"context_line":"                                              project\u003dself.project_id)"},{"line_number":578,"context_line":"                    break"},{"line_number":579,"context_line":"        else:"},{"line_number":580,"context_line":"            project \u003d self.keystone.tenants.create(project_name)"},{"line_number":581,"context_line":"            self.project_id \u003d project.id"}],"source_content_type":"text/x-python","patch_set":1,"id":"6a106c11_4a4a3c0f","line":578,"in_reply_to":"7c331463_8b4e1e43","updated":"2023-11-22 06:45:57.000000000","message":"In my understanding, the member role should imply the reader role, so it should not be necessary to set it explicitly. It seems that the error is hidden deeper, possibly a bug in neutron\u0027s scope implementation.","commit_id":"ed2a507b60bff511d26ec504db8a9992f94d80ab"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"8556335eb48eaa2189ccbfbebacb4cf2f0fb271d","unresolved":true,"context_lines":[{"line_number":575,"context_line":"                if \"member\" in role.name.lower():"},{"line_number":576,"context_line":"                    self.keystone.roles.grant(role.id, user\u003dself.user_id,"},{"line_number":577,"context_line":"                                              project\u003dself.project_id)"},{"line_number":578,"context_line":"                    break"},{"line_number":579,"context_line":"        else:"},{"line_number":580,"context_line":"            project \u003d self.keystone.tenants.create(project_name)"},{"line_number":581,"context_line":"            self.project_id \u003d project.id"}],"source_content_type":"text/x-python","patch_set":1,"id":"f4134146_62bfaa01","line":578,"in_reply_to":"c15a1eb1_fafa9926","updated":"2023-11-23 01:02:49.000000000","message":"Thanks both for pointing out the implied reader role -- you are right. I saw this doc shows it explicitly:\n\nhttps://docs.openstack.org/keystone/latest/admin/service-api-protection.html#roles-definitions","commit_id":"ed2a507b60bff511d26ec504db8a9992f94d80ab"}]}