)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"f00c07a329f5339ee092d88968140419065f3ec4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"b6681308_3de70a1c","updated":"2025-08-19 08:04:37.000000000","message":"I have no further comments top of what @gmaan@ghanshyammann.com already noted.","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"c9b804bc846f709e715ecf45a0b2238e811d7439","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"cb786bb5_25dd3b75","updated":"2025-08-19 20:42:03.000000000","message":"I\u0027m going to post this draft to the wiki, and update here if any of the markup changes.","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"9a84bafc209c30f2e3678d3dc99ae5da34f77757","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"1cf3f3e7_952d9efb","updated":"2025-08-18 22:59:39.000000000","message":"Posted for review w/r/t impact statements. Still need to add specific patch links.","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"776cf5ff6c22a5003d4164ad5d5298b7090cc10a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"2f70d262_93e0e26e","updated":"2025-08-19 03:51:51.000000000","message":"some suggestion inline, which include the gibi suggestions he mentioned in the bug","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"f6cf922d657fc053c73ff672eb6de7761037d83b","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":4,"id":"d7307716_6205cae8","updated":"2025-08-19 21:02:42.000000000","message":"If desired, view the rendered copy here: https://wiki.openstack.org/wiki/OSSN/OSSN-0094\n\nThey are identical except I had to remove some line breaks in the mediawiki version so lists worked properly.","commit_id":"0586b2f12e4998f7d05ce396a87823fdc53b2438"}],"security-notes/OSSN-0094":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"776cf5ff6c22a5003d4164ad5d5298b7090cc10a","unresolved":true,"context_lines":[{"line_number":24,"context_line":"Required Access"},{"line_number":25,"context_line":"~~~~~~~~~~~~~~~"},{"line_number":26,"context_line":"The swap volume, live migration and all Watcher APIs are admin only so with"},{"line_number":27,"context_line":"default policy its is only possible to create the inconsistent state"},{"line_number":28,"context_line":"described in this OSSN if you have system admin rights on the OpenStack"},{"line_number":29,"context_line":"deployment."},{"line_number":30,"context_line":""}],"source_content_type":"application/octet-stream","patch_set":1,"id":"8c85f01f_f427aaea","line":27,"range":{"start_line":27,"start_character":15,"end_line":27,"end_character":21},"updated":"2025-08-19 03:51:51.000000000","message":"```suggestion\ndefault policy it is only possible to create the inconsistent state\n```","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"776cf5ff6c22a5003d4164ad5d5298b7090cc10a","unresolved":true,"context_lines":[{"line_number":25,"context_line":"~~~~~~~~~~~~~~~"},{"line_number":26,"context_line":"The swap volume, live migration and all Watcher APIs are admin only so with"},{"line_number":27,"context_line":"default policy its is only possible to create the inconsistent state"},{"line_number":28,"context_line":"described in this OSSN if you have system admin rights on the OpenStack"},{"line_number":29,"context_line":"deployment."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"Further Watcher Hardening"},{"line_number":32,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"47dd59e0_dd5c2697","line":29,"range":{"start_line":28,"start_character":26,"end_line":29,"end_character":11},"updated":"2025-08-19 03:51:51.000000000","message":"there is system admin for nova/watcher case (except keystone/ironic case). we can write it something like:\n\n\n```suggestion\ndescribed in this OSSN if you have admin rights on the OpenStack\ndeployment.  Or deployment has overridden the policy to allow more users to perform the these operations.\n```","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b1e35335b26a73185f67e31c00982c4a4578e94b","unresolved":true,"context_lines":[{"line_number":25,"context_line":"~~~~~~~~~~~~~~~"},{"line_number":26,"context_line":"The swap volume, live migration and all Watcher APIs are admin only so with"},{"line_number":27,"context_line":"default policy its is only possible to create the inconsistent state"},{"line_number":28,"context_line":"described in this OSSN if you have system admin rights on the OpenStack"},{"line_number":29,"context_line":"deployment."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"Further Watcher Hardening"},{"line_number":32,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"a7c87f04_119ca6c1","line":29,"range":{"start_line":28,"start_character":26,"end_line":29,"end_character":11},"in_reply_to":"47dd59e0_dd5c2697","updated":"2025-08-19 20:01:16.000000000","message":"i agree we shoudl avoid the term system admin because that is not a standard persona in openstack SRBAC terems.\n\nit can very easisly be confused with the admin role combined with system scope\nwhich is very differnt.\n\nthis actuly need a normal project scoped admin token to trigger.\n\ni.e. the default openstack global admin persona.","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"c9b804bc846f709e715ecf45a0b2238e811d7439","unresolved":true,"context_lines":[{"line_number":25,"context_line":"~~~~~~~~~~~~~~~"},{"line_number":26,"context_line":"The swap volume, live migration and all Watcher APIs are admin only so with"},{"line_number":27,"context_line":"default policy its is only possible to create the inconsistent state"},{"line_number":28,"context_line":"described in this OSSN if you have system admin rights on the OpenStack"},{"line_number":29,"context_line":"deployment."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"Further Watcher Hardening"},{"line_number":32,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"0bef824d_5b3c31ee","line":29,"range":{"start_line":28,"start_character":26,"end_line":29,"end_character":11},"in_reply_to":"a7c87f04_119ca6c1","updated":"2025-08-19 20:42:03.000000000","message":"I went with \"if you have admin rights on the relevant OpenStack project\".","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b1e35335b26a73185f67e31c00982c4a4578e94b","unresolved":true,"context_lines":[{"line_number":32,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":33,"context_line":"The Watcher service, when first created, often implemented its own means"},{"line_number":34,"context_line":"to perform operations. Many of those operations can now be done natively"},{"line_number":35,"context_line":"with via other OpenStack services. In the specific context of OSSN-0094,"},{"line_number":36,"context_line":"the ability to migrate Cinder volumes between storage backens is such an"},{"line_number":37,"context_line":"example."},{"line_number":38,"context_line":""}],"source_content_type":"application/octet-stream","patch_set":1,"id":"1c216cf6_c3957bbb","line":35,"range":{"start_line":35,"start_character":0,"end_line":35,"end_character":8},"updated":"2025-08-19 20:01:16.000000000","message":"with or via is fine but not both","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"c9b804bc846f709e715ecf45a0b2238e811d7439","unresolved":false,"context_lines":[{"line_number":32,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":33,"context_line":"The Watcher service, when first created, often implemented its own means"},{"line_number":34,"context_line":"to perform operations. Many of those operations can now be done natively"},{"line_number":35,"context_line":"with via other OpenStack services. In the specific context of OSSN-0094,"},{"line_number":36,"context_line":"the ability to migrate Cinder volumes between storage backens is such an"},{"line_number":37,"context_line":"example."},{"line_number":38,"context_line":""}],"source_content_type":"application/octet-stream","patch_set":1,"id":"547064b4_f8a63efb","line":35,"range":{"start_line":35,"start_character":0,"end_line":35,"end_character":8},"in_reply_to":"1c216cf6_c3957bbb","updated":"2025-08-19 20:42:03.000000000","message":"Done","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b1e35335b26a73185f67e31c00982c4a4578e94b","unresolved":true,"context_lines":[{"line_number":37,"context_line":"example."},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"Additionally, the Cinder volume migration in Watcher created a new Keystone"},{"line_number":40,"context_line":"user with project admin for the instance owners\u0027 project and then used that"},{"line_number":41,"context_line":"user to perform APi requests on behalf of the project. This code has been"},{"line_number":42,"context_line":"removed."},{"line_number":43,"context_line":""}],"source_content_type":"application/octet-stream","patch_set":1,"id":"a7a0398c_d54fa619","line":40,"range":{"start_line":40,"start_character":10,"end_line":40,"end_character":23},"updated":"2025-08-19 20:01:16.000000000","message":"``the admin role``\n\nagain when you asign a role to a user on a proejct tha tis sperate form scope so we should be clear that its assign the admin role  adn that make the created user a gloabl admin if you constuct a toke for the relevent proejct for that user.","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"c9b804bc846f709e715ecf45a0b2238e811d7439","unresolved":false,"context_lines":[{"line_number":37,"context_line":"example."},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"Additionally, the Cinder volume migration in Watcher created a new Keystone"},{"line_number":40,"context_line":"user with project admin for the instance owners\u0027 project and then used that"},{"line_number":41,"context_line":"user to perform APi requests on behalf of the project. This code has been"},{"line_number":42,"context_line":"removed."},{"line_number":43,"context_line":""}],"source_content_type":"application/octet-stream","patch_set":1,"id":"18db660f_2db2feb8","line":40,"range":{"start_line":40,"start_character":10,"end_line":40,"end_character":23},"in_reply_to":"a7a0398c_d54fa619","updated":"2025-08-19 20:42:03.000000000","message":"Done","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"776cf5ff6c22a5003d4164ad5d5298b7090cc10a","unresolved":true,"context_lines":[{"line_number":38,"context_line":""},{"line_number":39,"context_line":"Additionally, the Cinder volume migration in Watcher created a new Keystone"},{"line_number":40,"context_line":"user with project admin for the instance owners\u0027 project and then used that"},{"line_number":41,"context_line":"user to perform APi requests on behalf of the project. This code has been"},{"line_number":42,"context_line":"removed."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"Finally, due to limited error handling and no validation that the objects"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"739f7328_416b66c8","line":41,"range":{"start_line":41,"start_character":16,"end_line":41,"end_character":20},"updated":"2025-08-19 03:51:51.000000000","message":"```suggestion\nuser to perform API requests on behalf of the project. This code has been\n```","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"c9b804bc846f709e715ecf45a0b2238e811d7439","unresolved":false,"context_lines":[{"line_number":38,"context_line":""},{"line_number":39,"context_line":"Additionally, the Cinder volume migration in Watcher created a new Keystone"},{"line_number":40,"context_line":"user with project admin for the instance owners\u0027 project and then used that"},{"line_number":41,"context_line":"user to perform APi requests on behalf of the project. This code has been"},{"line_number":42,"context_line":"removed."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"Finally, due to limited error handling and no validation that the objects"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"9e8719d3_390f65d1","line":41,"range":{"start_line":41,"start_character":16,"end_line":41,"end_character":20},"in_reply_to":"739f7328_416b66c8","updated":"2025-08-19 20:42:03.000000000","message":"Done","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"776cf5ff6c22a5003d4164ad5d5298b7090cc10a","unresolved":true,"context_lines":[{"line_number":48,"context_line":"Resolution"},{"line_number":49,"context_line":"~~~~~~~~~~"},{"line_number":50,"context_line":"Nova will now reject any request to swap a volume that has an empty migration"},{"line_number":51,"context_line":"status, effectively restricting the usage of this api to Cinder. This brings"},{"line_number":52,"context_line":"the api validation in line with the documentation."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Watchers internal implementation of swap volume has been deleted and updated"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"d1e4f0c3_e9dcde13","line":51,"range":{"start_line":51,"start_character":50,"end_line":51,"end_character":54},"updated":"2025-08-19 03:51:51.000000000","message":"```suggestion\nstatus, effectively restricting the usage of this API to Cinder. This brings\n```","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"c9b804bc846f709e715ecf45a0b2238e811d7439","unresolved":false,"context_lines":[{"line_number":48,"context_line":"Resolution"},{"line_number":49,"context_line":"~~~~~~~~~~"},{"line_number":50,"context_line":"Nova will now reject any request to swap a volume that has an empty migration"},{"line_number":51,"context_line":"status, effectively restricting the usage of this api to Cinder. This brings"},{"line_number":52,"context_line":"the api validation in line with the documentation."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Watchers internal implementation of swap volume has been deleted and updated"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"9b9a96d8_c28e3b2e","line":51,"range":{"start_line":51,"start_character":50,"end_line":51,"end_character":54},"in_reply_to":"d1e4f0c3_e9dcde13","updated":"2025-08-19 20:42:03.000000000","message":"Done","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"776cf5ff6c22a5003d4164ad5d5298b7090cc10a","unresolved":true,"context_lines":[{"line_number":49,"context_line":"~~~~~~~~~~"},{"line_number":50,"context_line":"Nova will now reject any request to swap a volume that has an empty migration"},{"line_number":51,"context_line":"status, effectively restricting the usage of this api to Cinder. This brings"},{"line_number":52,"context_line":"the api validation in line with the documentation."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Watchers internal implementation of swap volume has been deleted and updated"},{"line_number":55,"context_line":"to use Cinder\u0027s native volume migration as a replacement. Watcher no longer"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"a0671358_9a5d6ebb","line":52,"range":{"start_line":52,"start_character":4,"end_line":52,"end_character":8},"updated":"2025-08-19 03:51:51.000000000","message":"```suggestion\nthe API validation in line with the documentation.\n```","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"c9b804bc846f709e715ecf45a0b2238e811d7439","unresolved":false,"context_lines":[{"line_number":49,"context_line":"~~~~~~~~~~"},{"line_number":50,"context_line":"Nova will now reject any request to swap a volume that has an empty migration"},{"line_number":51,"context_line":"status, effectively restricting the usage of this api to Cinder. This brings"},{"line_number":52,"context_line":"the api validation in line with the documentation."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Watchers internal implementation of swap volume has been deleted and updated"},{"line_number":55,"context_line":"to use Cinder\u0027s native volume migration as a replacement. Watcher no longer"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"36d2ed07_a2cc50a9","line":52,"range":{"start_line":52,"start_character":4,"end_line":52,"end_character":8},"in_reply_to":"a0671358_9a5d6ebb","updated":"2025-08-19 20:42:03.000000000","message":"Done","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"9a84bafc209c30f2e3678d3dc99ae5da34f77757","unresolved":true,"context_lines":[{"line_number":54,"context_line":"Watchers internal implementation of swap volume has been deleted and updated"},{"line_number":55,"context_line":"to use Cinder\u0027s native volume migration as a replacement. Watcher no longer"},{"line_number":56,"context_line":"creates temporary Keystone users in normal operation."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"### Recommended Actions ###"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"* Operators using Watcher\u0027s zone migration strategy should apply the provided"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"16032ec9_5cbd8df3","line":57,"updated":"2025-08-18 22:59:39.000000000","message":"Add a Patches section with a list of all patches available for this.","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b1e35335b26a73185f67e31c00982c4a4578e94b","unresolved":true,"context_lines":[{"line_number":54,"context_line":"Watchers internal implementation of swap volume has been deleted and updated"},{"line_number":55,"context_line":"to use Cinder\u0027s native volume migration as a replacement. Watcher no longer"},{"line_number":56,"context_line":"creates temporary Keystone users in normal operation."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"### Recommended Actions ###"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"* Operators using Watcher\u0027s zone migration strategy should apply the provided"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"25129f08_e6db7af9","line":57,"in_reply_to":"16032ec9_5cbd8df3","updated":"2025-08-19 20:01:16.000000000","message":"that shoudl effectivly be this topic \n\nhttps://review.opendev.org/q/topic:%22bug/2112187%22\n\nwould it make sense to also set the topic of this review to `bug/2112187`\nso that it appears in the topic list.","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"c9b804bc846f709e715ecf45a0b2238e811d7439","unresolved":false,"context_lines":[{"line_number":54,"context_line":"Watchers internal implementation of swap volume has been deleted and updated"},{"line_number":55,"context_line":"to use Cinder\u0027s native volume migration as a replacement. Watcher no longer"},{"line_number":56,"context_line":"creates temporary Keystone users in normal operation."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"### Recommended Actions ###"},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"* Operators using Watcher\u0027s zone migration strategy should apply the provided"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"c570e567_27d15343","line":57,"in_reply_to":"25129f08_e6db7af9","updated":"2025-08-19 20:42:03.000000000","message":"I linked to the individual patches directly to simplify for operators. Ideally we\u0027d have releases cut already, but we can update to indicate fixed releases once they are made.","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b1e35335b26a73185f67e31c00982c4a4578e94b","unresolved":false,"context_lines":[{"line_number":61,"context_line":"  Watcher and Nova patches ASAP."},{"line_number":62,"context_line":"* Operators should refrain from using the swap volume migration action in"},{"line_number":63,"context_line":"  Watcher. The compatability code for swap volume that uses a Cinder-based"},{"line_number":64,"context_line":"  migration may be removed in a future API version."},{"line_number":65,"context_line":"* Operators should audit all users with the system admin role and ensure"},{"line_number":66,"context_line":"  no temporary Watcher-created users remain. "},{"line_number":67,"context_line":"* Operators using custom policy for volume attachment API or live migration"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"c82a917d_b2200684","line":64,"updated":"2025-08-19 20:01:16.000000000","message":"being realsitic we proably wont do that any time soon because we have much more imortant work to do but ya i would pefer if they didn create new audits using it.\n\ni need to discuss with the watcher team exactly how we want to handle deprecations of parameter values going forward as i think this would be the first example of that and there are no docs on this topic so it will need some reflection before we actually consider removing it.\n\nstill in any case this is good advice.","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b1e35335b26a73185f67e31c00982c4a4578e94b","unresolved":true,"context_lines":[{"line_number":62,"context_line":"* Operators should refrain from using the swap volume migration action in"},{"line_number":63,"context_line":"  Watcher. The compatability code for swap volume that uses a Cinder-based"},{"line_number":64,"context_line":"  migration may be removed in a future API version."},{"line_number":65,"context_line":"* Operators should audit all users with the system admin role and ensure"},{"line_number":66,"context_line":"  no temporary Watcher-created users remain. "},{"line_number":67,"context_line":"* Operators using custom policy for volume attachment API or live migration"},{"line_number":68,"context_line":"  API should review the state of existing instances which have had volume"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"ca87f684_97bd85f1","line":65,"range":{"start_line":65,"start_character":43,"end_line":65,"end_character":61},"updated":"2025-08-19 20:01:16.000000000","message":"again this shoudl just be ``admin role`` to avoid the confution with scopes.\n\nanyone with the admin role in openstack is a global admin under default policy\nand the share SRBAC goal defintion.","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"c9b804bc846f709e715ecf45a0b2238e811d7439","unresolved":false,"context_lines":[{"line_number":62,"context_line":"* Operators should refrain from using the swap volume migration action in"},{"line_number":63,"context_line":"  Watcher. The compatability code for swap volume that uses a Cinder-based"},{"line_number":64,"context_line":"  migration may be removed in a future API version."},{"line_number":65,"context_line":"* Operators should audit all users with the system admin role and ensure"},{"line_number":66,"context_line":"  no temporary Watcher-created users remain. "},{"line_number":67,"context_line":"* Operators using custom policy for volume attachment API or live migration"},{"line_number":68,"context_line":"  API should review the state of existing instances which have had volume"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"5a4ac16c_c18d8a1c","line":65,"range":{"start_line":65,"start_character":43,"end_line":65,"end_character":61},"in_reply_to":"ca87f684_97bd85f1","updated":"2025-08-19 20:42:03.000000000","message":"Done","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"42405f4635034852b385f5e7e87d1a865d5a3e4e","unresolved":false,"context_lines":[{"line_number":63,"context_line":"  Watcher. The compatability code for swap volume that uses a Cinder-based"},{"line_number":64,"context_line":"  migration may be removed in a future API version."},{"line_number":65,"context_line":"* Operators should audit all users with the system admin role and ensure"},{"line_number":66,"context_line":"  no temporary Watcher-created users remain. "},{"line_number":67,"context_line":"* Operators using custom policy for volume attachment API or live migration"},{"line_number":68,"context_line":"  API should review the state of existing instances which have had volume"},{"line_number":69,"context_line":"  migrations. Any instance in an inconsistent state can be resolved by"}],"source_content_type":"application/octet-stream","patch_set":1,"id":"145b4851_35c0902b","line":66,"updated":"2025-08-19 14:09:28.000000000","message":"Nit: Trailing whitespace here.","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"776cf5ff6c22a5003d4164ad5d5298b7090cc10a","unresolved":true,"context_lines":[{"line_number":64,"context_line":"  migration may be removed in a future API version."},{"line_number":65,"context_line":"* Operators should audit all users with the system admin role and ensure"},{"line_number":66,"context_line":"  no temporary Watcher-created users remain. "},{"line_number":67,"context_line":"* Operators using custom policy for volume attachment API or live migration"},{"line_number":68,"context_line":"  API should review the state of existing instances which have had volume"},{"line_number":69,"context_line":"  migrations. Any instance in an inconsistent state can be resolved by"},{"line_number":70,"context_line":"  hard rebooting the instance using Nova\u0027s API."}],"source_content_type":"application/octet-stream","patch_set":1,"id":"5764c9b2_82dab871","line":67,"range":{"start_line":67,"start_character":36,"end_line":67,"end_character":57},"updated":"2025-08-19 03:51:51.000000000","message":"```suggestion\n* Operators using custom policy for ``/servers/{server_id}/os-volume_attachments/{volume_id}`` API or live migration\n```","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"c9b804bc846f709e715ecf45a0b2238e811d7439","unresolved":false,"context_lines":[{"line_number":64,"context_line":"  migration may be removed in a future API version."},{"line_number":65,"context_line":"* Operators should audit all users with the system admin role and ensure"},{"line_number":66,"context_line":"  no temporary Watcher-created users remain. "},{"line_number":67,"context_line":"* Operators using custom policy for volume attachment API or live migration"},{"line_number":68,"context_line":"  API should review the state of existing instances which have had volume"},{"line_number":69,"context_line":"  migrations. Any instance in an inconsistent state can be resolved by"},{"line_number":70,"context_line":"  hard rebooting the instance using Nova\u0027s API."}],"source_content_type":"application/octet-stream","patch_set":1,"id":"e6fd94c1_cf7ed184","line":67,"range":{"start_line":67,"start_character":36,"end_line":67,"end_character":57},"in_reply_to":"5764c9b2_82dab871","updated":"2025-08-19 20:42:03.000000000","message":"Added the URL and left the text description as well.","commit_id":"faab24be594068eb9cdce40e8fbf61b008af8cc2"}]}