)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"64438a80f421ecd711623c5a20e248e386626fb9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"6babf191_4f30259b","updated":"2022-12-20 20:10:06.000000000","message":"few comments to make project reader work you need to fix current \u0027owner\u0027 rule also.","commit_id":"ee72d994b7703d78030136e2268dfc03a93e0bd6"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"18ca287a3c5f42467ceab0c71132e8f46a993e83","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"ba46c2d8_a9dd01b5","updated":"2022-12-23 04:27:59.000000000","message":"Thanks Ghanshyam san for review. ","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"479510de05b09154f273363f28e9d85c360a8b6f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"38f4dfae_0ba69f8b","updated":"2022-12-24 02:22:49.000000000","message":"Thanks for updates, few more comments mostly to explain the things more for easy to understand/review.","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":34712,"name":"Yuta Kazato","display_name":"Yuta Kazato","email":"yuta.kazato.nw@hco.ntt.co.jp","username":"kazatoy-ntt"},"change_message_id":"d9251caaec4294095a28ce19b22d710522d5073c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"213f02b6_6f0dd495","updated":"2022-12-28 05:14:04.000000000","message":"Thank you for your patch. 
Please kindly check my comments.","commit_id":"57851aeeb00da8c293890d521f6d8096284c58dc"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"dd06ba6ef8718a99b405a809de99903e71300afe","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"d1cf24ac_75c971f7","updated":"2022-12-28 04:47:09.000000000","message":"Thanks Ghanshyam san for the review comments.","commit_id":"57851aeeb00da8c293890d521f6d8096284c58dc"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"ff70f7e84a0ae991df4d05f9d031032792abd9ab","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"01ebd137_68132964","updated":"2022-12-28 05:32:03.000000000","message":"Thank you Yuta Kazato san for quick review, please find my inline replies.","commit_id":"a883ada16e5817e0b76e852358e766f29300442b"},{"author":{"_account_id":34712,"name":"Yuta Kazato","display_name":"Yuta Kazato","email":"yuta.kazato.nw@hco.ntt.co.jp","username":"kazatoy-ntt"},"change_message_id":"226baf4e86566bc753f47ca3ead1780abb507eaf","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"ebdd23e3_1cee1d2b","updated":"2022-12-28 05:56:26.000000000","message":"Thank you for your quick replies. 
Please kindly check my just one request.","commit_id":"a883ada16e5817e0b76e852358e766f29300442b"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"88e7d21cf0745f7be9cde1b029424e4f70a5b366","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"b4422814_aeb3779b","updated":"2022-12-28 05:44:22.000000000","message":"Thanks manpreet, this looks good to me.","commit_id":"a883ada16e5817e0b76e852358e766f29300442b"},{"author":{"_account_id":34712,"name":"Yuta Kazato","display_name":"Yuta Kazato","email":"yuta.kazato.nw@hco.ntt.co.jp","username":"kazatoy-ntt"},"change_message_id":"96c2dc0c952fd680eb50c62bca7b27fad3222a33","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"d40600d4_24371fb0","updated":"2022-12-28 06:10:23.000000000","message":"Thank you for your great work, manpreet-san. LGTM!","commit_id":"a46ebac66330632ea637f115b14b3e2d8072e7b0"},{"author":{"_account_id":25701,"name":"Yasufumi Ogawa","email":"yasufum.o@gmail.com","username":"yasufum"},"change_message_id":"f9a21f32f88efc526424aa4d241435740c881e25","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"dcba08dd_3f6dfe07","updated":"2022-12-28 06:42:30.000000000","message":"Thanks all for the comments.","commit_id":"a46ebac66330632ea637f115b14b3e2d8072e7b0"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"36a10e1f33c4a7e0f6a17ee8c753f49b55548b04","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":10,"id":"d17f4111_7bdece5f","updated":"2022-12-28 06:12:05.000000000","message":"this version too lgtm ","commit_id":"a46ebac66330632ea637f115b14b3e2d8072e7b0"}],"specs/2023.1/srbac-implement-project-personas.rst":[{"author":{"_account_id":8556,"name":"Ghanshyam 
Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"479510de05b09154f273363f28e9d85c360a8b6f","unresolved":true,"context_lines":[{"line_number":26,"context_line":"This is to introduce the member and reader roles to operate things"},{"line_number":27,"context_line":"within their project. By default, any other project role like foo"},{"line_number":28,"context_line":"will not be allowed to do anything in the project."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"Legacy admin will be unchanged and continue to work the same way as it"},{"line_number":31,"context_line":"does today."},{"line_number":32,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"cd51324d_a097c638","line":29,"range":{"start_line":29,"start_character":0,"end_line":29,"end_character":0},"updated":"2022-12-24 02:22:49.000000000","message":"It would be good to describe the current \u0027owner\u0027 rule problem here. Currently any role (say foo) behaves as owner of project resources instead of only \u0027Member\u0027 and \u0027admin\u0027","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"dd06ba6ef8718a99b405a809de99903e71300afe","unresolved":false,"context_lines":[{"line_number":26,"context_line":"This is to introduce the member and reader roles to operate things"},{"line_number":27,"context_line":"within their project. 
By default, any other project role like foo"},{"line_number":28,"context_line":"will not be allowed to do anything in the project."},{"line_number":29,"context_line":""},{"line_number":30,"context_line":"Legacy admin will be unchanged and continue to work the same way as it"},{"line_number":31,"context_line":"does today."},{"line_number":32,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fcdacd9_1e582b8e","line":29,"range":{"start_line":29,"start_character":0,"end_line":29,"end_character":0},"in_reply_to":"cd51324d_a097c638","updated":"2022-12-28 04:47:09.000000000","message":"Ack","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"479510de05b09154f273363f28e9d85c360a8b6f","unresolved":true,"context_lines":[{"line_number":30,"context_line":"Legacy admin will be unchanged and continue to work the same way as it"},{"line_number":31,"context_line":"does today."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"In Tacker, we need to implement both project-member and project-reader"},{"line_number":34,"context_line":"personas to restrict access to project-owned resources."},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":5,"id":"a41ace13_bd256625","line":33,"range":{"start_line":33,"start_character":22,"end_line":33,"end_character":70},"updated":"2022-12-24 02:22:49.000000000","message":"I will rephrase this to:\n\n..fix the existing \u0027owner\u0027 (project-member role) and implement the project-reader...","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":32102,"name":"Manpreet 
Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"dd06ba6ef8718a99b405a809de99903e71300afe","unresolved":false,"context_lines":[{"line_number":30,"context_line":"Legacy admin will be unchanged and continue to work the same way as it"},{"line_number":31,"context_line":"does today."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"In Tacker, we need to implement both project-member and project-reader"},{"line_number":34,"context_line":"personas to restrict access to project-owned resources."},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":5,"id":"af5edcdf_9b45c8b9","line":33,"range":{"start_line":33,"start_character":22,"end_line":33,"end_character":70},"in_reply_to":"a41ace13_bd256625","updated":"2022-12-28 04:47:09.000000000","message":"Ack","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"479510de05b09154f273363f28e9d85c360a8b6f","unresolved":true,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Proposed change"},{"line_number":37,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"Implement support of project-reader"},{"line_number":40,"context_line":"-----------------------------------"},{"line_number":41,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"09bbdf70_97992c78","line":38,"range":{"start_line":38,"start_character":0,"end_line":38,"end_character":0},"updated":"2022-12-24 02:22:49.000000000","message":"You can mention keystone implied role things also so that it will be easy to understand that the reader role means admin and member will get access 
automatically which means we do not change the existing way but give more access to the reader role also. Something like below:\n\nKeystone already supports implied roles which means assignment of one role implies the assignment of another. New defaults roles reader, member also has been added in bootstrap. If the bootstrap process is re-run, and a reader, member, or admin role already exists, a role implication chain will be created: admin implies member implies reader.\n\nIt means if we make something like role:reader in policy rule means role:admin and role:member can still access that policy.","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"dd06ba6ef8718a99b405a809de99903e71300afe","unresolved":false,"context_lines":[{"line_number":35,"context_line":""},{"line_number":36,"context_line":"Proposed change"},{"line_number":37,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"Implement support of project-reader"},{"line_number":40,"context_line":"-----------------------------------"},{"line_number":41,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"07da800b_a2406e04","line":38,"range":{"start_line":38,"start_character":0,"end_line":38,"end_character":0},"in_reply_to":"09bbdf70_97992c78","updated":"2022-12-28 04:47:09.000000000","message":"Ack","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"479510de05b09154f273363f28e9d85c360a8b6f","unresolved":true,"context_lines":[{"line_number":66,"context_line":""},{"line_number":67,"context_line":"  policy.RuleDefault("},{"line_number":68,"context_line":"      
\"project_reader_or_admin\","},{"line_number":69,"context_line":"      \"rule:project_reader or rule:context_is_admin\","},{"line_number":70,"context_line":"      \"Default rule for Project reader or admin APIs.\","},{"line_number":71,"context_line":"      deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY)"},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"d46ede5d_69b99087","line":69,"range":{"start_line":69,"start_character":30,"end_line":69,"end_character":51},"updated":"2022-12-24 02:22:49.000000000","message":"you can mention it directly role:admin","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"dd06ba6ef8718a99b405a809de99903e71300afe","unresolved":false,"context_lines":[{"line_number":66,"context_line":""},{"line_number":67,"context_line":"  policy.RuleDefault("},{"line_number":68,"context_line":"      \"project_reader_or_admin\","},{"line_number":69,"context_line":"      \"rule:project_reader or rule:context_is_admin\","},{"line_number":70,"context_line":"      \"Default rule for Project reader or admin APIs.\","},{"line_number":71,"context_line":"      deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY)"},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"08bab452_60acf76d","line":69,"range":{"start_line":69,"start_character":30,"end_line":69,"end_character":51},"in_reply_to":"d46ede5d_69b99087","updated":"2022-12-28 04:47:09.000000000","message":"I have used the existing rule, https://opendev.org/openstack/tacker/src/branch/master/tacker/policies/base.py#L26","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"479510de05b09154f273363f28e9d85c360a8b6f","unresolved":true,"context_lines":[{"line_number":76,"context_line":"project-reader persona in the policy check string:"},{"line_number":77,"context_line":"For example, the policy check string for query to show an individual VNF"},{"line_number":78,"context_line":"instance will be change as follow."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":".. code-block::"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"  policy.DocumentedRuleDefault("},{"line_number":83,"context_line":"      name\u003dVNFLCM % \u0027show\u0027,"},{"line_number":84,"context_line":"      check_str\u003dbase.RULE_ADMIN_OR_OWNER,"},{"line_number":85,"context_line":"      description\u003d\"Query an Individual VNF instance.\","},{"line_number":86,"context_line":"      operations\u003d["},{"line_number":87,"context_line":"          {"},{"line_number":88,"context_line":"              \u0027method\u0027: \u0027GET\u0027,"},{"line_number":89,"context_line":"              \u0027path\u0027: \u0027/vnflcm/v1/vnf_instances/{vnfInstanceId}\u0027"},{"line_number":90,"context_line":"          }"},{"line_number":91,"context_line":"      ]"},{"line_number":92,"context_line":"  )"},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"  policy.DocumentedRuleDefault("},{"line_number":95,"context_line":"      name\u003dVNFLCM % \u0027show\u0027,"},{"line_number":96,"context_line":"      check_str\u003dbase.RULE_PROJECT_READER_OR_ADMIN"},{"line_number":97,"context_line":"      description\u003d\"Query an Individual VNF instance.\","},{"line_number":98,"context_line":"      operations\u003d["},{"line_number":99,"context_line":"          {"},{"line_number":100,"context_line":"              \u0027method\u0027: \u0027GET\u0027,"},{"line_number":101,"context_line":"              \u0027path\u0027: 
\u0027/vnflcm/v1/vnf_instances/{vnfInstanceId}\u0027"},{"line_number":102,"context_line":"          }"},{"line_number":103,"context_line":"      ]"},{"line_number":104,"context_line":"  )"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"Implement support of project-member"},{"line_number":107,"context_line":"-----------------------------------"},{"line_number":108,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"49fe1fa2_00de90fd","line":105,"range":{"start_line":79,"start_character":0,"end_line":105,"end_character":0},"updated":"2022-12-24 02:22:49.000000000","message":"to make it clear about what is changed, you can mention something like:\n\n\nExisting Rule (RULE_ADMIN_OR_OWNER) which allow admin, or any role in project to get VNF instance:\n\n.. code-block::\n\n  policy.DocumentedRuleDefault(\n      name\u003dVNFLCM % \u0027show\u0027,\n      check_str\u003dbase.RULE_ADMIN_OR_OWNER,\n      description\u003d\"Query an Individual VNF instance.\",\n      operations\u003d[\n          {\n              \u0027method\u0027: \u0027GET\u0027,\n              \u0027path\u0027: \u0027/vnflcm/v1/vnf_instances/{vnfInstanceId}\u0027\n          }\n      ]\n  )\n\nNew Rule (RULE_PROJECT_READER_OR_ADMIN) which allow admin, project_member, project_reader to get VNF instance:\n\n.. 
code-block::\n\n  policy.DocumentedRuleDefault(\n      name\u003dVNFLCM % \u0027show\u0027,\n      check_str\u003dbase.RULE_PROJECT_READER_OR_ADMIN\n      description\u003d\"Query an Individual VNF instance.\",\n      operations\u003d[\n          {\n              \u0027method\u0027: \u0027GET\u0027,\n              \u0027path\u0027: \u0027/vnflcm/v1/vnf_instances/{vnfInstanceId}\u0027\n          }\n      ]\n  )","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"dd06ba6ef8718a99b405a809de99903e71300afe","unresolved":false,"context_lines":[{"line_number":76,"context_line":"project-reader persona in the policy check string:"},{"line_number":77,"context_line":"For example, the policy check string for query to show an individual VNF"},{"line_number":78,"context_line":"instance will be change as follow."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":".. 
code-block::"},{"line_number":81,"context_line":""},{"line_number":82,"context_line":"  policy.DocumentedRuleDefault("},{"line_number":83,"context_line":"      name\u003dVNFLCM % \u0027show\u0027,"},{"line_number":84,"context_line":"      check_str\u003dbase.RULE_ADMIN_OR_OWNER,"},{"line_number":85,"context_line":"      description\u003d\"Query an Individual VNF instance.\","},{"line_number":86,"context_line":"      operations\u003d["},{"line_number":87,"context_line":"          {"},{"line_number":88,"context_line":"              \u0027method\u0027: \u0027GET\u0027,"},{"line_number":89,"context_line":"              \u0027path\u0027: \u0027/vnflcm/v1/vnf_instances/{vnfInstanceId}\u0027"},{"line_number":90,"context_line":"          }"},{"line_number":91,"context_line":"      ]"},{"line_number":92,"context_line":"  )"},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"  policy.DocumentedRuleDefault("},{"line_number":95,"context_line":"      name\u003dVNFLCM % \u0027show\u0027,"},{"line_number":96,"context_line":"      check_str\u003dbase.RULE_PROJECT_READER_OR_ADMIN"},{"line_number":97,"context_line":"      description\u003d\"Query an Individual VNF instance.\","},{"line_number":98,"context_line":"      operations\u003d["},{"line_number":99,"context_line":"          {"},{"line_number":100,"context_line":"              \u0027method\u0027: \u0027GET\u0027,"},{"line_number":101,"context_line":"              \u0027path\u0027: \u0027/vnflcm/v1/vnf_instances/{vnfInstanceId}\u0027"},{"line_number":102,"context_line":"          }"},{"line_number":103,"context_line":"      ]"},{"line_number":104,"context_line":"  )"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"Implement support of 
project-member"},{"line_number":107,"context_line":"-----------------------------------"},{"line_number":108,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"4962106d_7e232d35","line":105,"range":{"start_line":79,"start_character":0,"end_line":105,"end_character":0},"in_reply_to":"49fe1fa2_00de90fd","updated":"2022-12-28 04:47:09.000000000","message":"Ack","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"479510de05b09154f273363f28e9d85c360a8b6f","unresolved":true,"context_lines":[{"line_number":103,"context_line":"      ]"},{"line_number":104,"context_line":"  )"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"Implement support of project-member"},{"line_number":107,"context_line":"-----------------------------------"},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"The project-member is denoted by someone with a member role on"}],"source_content_type":"text/x-rst","patch_set":5,"id":"aec7fc3a_0feaa337","line":106,"range":{"start_line":106,"start_character":0,"end_line":106,"end_character":35},"updated":"2022-12-24 02:22:49.000000000","message":"this you can call \"Fix the \u0027owner\u0027 rule\".","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"dd06ba6ef8718a99b405a809de99903e71300afe","unresolved":false,"context_lines":[{"line_number":103,"context_line":"      ]"},{"line_number":104,"context_line":"  )"},{"line_number":105,"context_line":""},{"line_number":106,"context_line":"Implement support of project-member"},{"line_number":107,"context_line":"-----------------------------------"},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"The project-member is 
denoted by someone with a member role on"}],"source_content_type":"text/x-rst","patch_set":5,"id":"10e94ea6_8ee476ba","line":106,"range":{"start_line":106,"start_character":0,"end_line":106,"end_character":35},"in_reply_to":"aec7fc3a_0feaa337","updated":"2022-12-28 04:47:09.000000000","message":"Ack","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"479510de05b09154f273363f28e9d85c360a8b6f","unresolved":true,"context_lines":[{"line_number":106,"context_line":"Implement support of project-member"},{"line_number":107,"context_line":"-----------------------------------"},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"The project-member is denoted by someone with a member role on"},{"line_number":110,"context_line":"a project. It is intended to be used by end users who consume"},{"line_number":111,"context_line":"resources within a project. It inherits all the permissions of a"},{"line_number":112,"context_line":"project-reader."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Add a new policy in the tacker policy file."},{"line_number":115,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"1e8d9ac4_ef05ca2a","line":112,"range":{"start_line":109,"start_character":0,"end_line":112,"end_character":15},"updated":"2022-12-24 02:22:49.000000000","message":"I think you should exlain what is issue in existing \u0027owner\u0027. you can mention that current \u0027owner\u0027 rules check only \u0027project_id\u0027 but does not check the role:member\n\n- https://github.com/openstack/tacker/blob/b34b40944b31a490f6997fd4b797ba052152c5cb/tacker/policies/base.py#L31\n\nSo any role say role:foo in that project behave as member role. 
and to make the new persona project_reader actually behave as a reader (role:reader in that project can access only GET APIs) we need to fix this owner rule as well.","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"dd06ba6ef8718a99b405a809de99903e71300afe","unresolved":false,"context_lines":[{"line_number":106,"context_line":"Implement support of project-member"},{"line_number":107,"context_line":"-----------------------------------"},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"The project-member is denoted by someone with a member role on"},{"line_number":110,"context_line":"a project. It is intended to be used by end users who consume"},{"line_number":111,"context_line":"resources within a project. It inherits all the permissions of a"},{"line_number":112,"context_line":"project-reader."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Add a new policy in the tacker policy file."},{"line_number":115,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"13f1ce05_a2d59390","line":112,"range":{"start_line":109,"start_character":0,"end_line":112,"end_character":15},"in_reply_to":"1e8d9ac4_ef05ca2a","updated":"2022-12-28 04:47:09.000000000","message":"Ack","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"479510de05b09154f273363f28e9d85c360a8b6f","unresolved":true,"context_lines":[{"line_number":112,"context_line":"project-reader."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Add a new policy in the tacker policy file."},{"line_number":115,"context_line":""},{"line_number":116,"context_line":".. 
code-block::"},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"  RULE_PROJECT_MEMBER \u003d \u0027rule:project_member\u0027"},{"line_number":119,"context_line":"  RULE_PROJECT_MEMBER_OR_ADMIN \u003d \u0027rule:project_member_or_admin\u0027"},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"  policy.RuleDefault("},{"line_number":122,"context_line":"      \"project_member\","},{"line_number":123,"context_line":"      \"role:member and project_id:%(project_id)s\","},{"line_number":124,"context_line":"      \"Default rule for Project level non admin APIs.\""},{"line_number":125,"context_line":"      deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY)"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"  policy.RuleDefault("},{"line_number":128,"context_line":"      \"project_member_or_admin\","},{"line_number":129,"context_line":"      \"rule:project_member_api or rule:context_is_admin\","},{"line_number":130,"context_line":"      \"Default rule for Project Member or admin APIs.\","},{"line_number":131,"context_line":"      deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY)"},{"line_number":132,"context_line":""},{"line_number":133,"context_line":".. note:: Using it in policy rule (with admin + member access) to intact"},{"line_number":134,"context_line":"          legacy admin behavior, to give access of non-admin APIs to admin"}],"source_content_type":"text/x-rst","patch_set":5,"id":"6d97c930_2995fd08","line":131,"range":{"start_line":115,"start_character":0,"end_line":131,"end_character":55},"updated":"2022-12-24 02:22:49.000000000","message":"ditto, you can mention these change same way I commented for reader role. something like:\n\nExisting admin_or_owner rule which gives access to any role(say foo) in project to behave as owner of project.\n\n.. 
code-block::\n\n    policy.RuleDefault(\n        \"admin_or_owner\",\n        \"is_admin:True or project_id:%(project_id)s\",\n        \"Default rule for most non-Admin APIs.\"),\n\nNew admin_or_owner rule which gives access to admin or member role in that project to behave as owner of project.\n\n.. code-block::\n\n  policy.RuleDefault(\n      \"project_member\",\n      \"role:member and project_id:%(project_id)s\",\n      \"Default rule for Project level non admin APIs.\"\n      deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY)\n\n  policy.RuleDefault(\n      \"project_member_or_admin\",\n      \"rule:project_member_api or role:admin\",\n      \"Default rule for Project Member or admin APIs.\",\n      deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY)","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"dd06ba6ef8718a99b405a809de99903e71300afe","unresolved":false,"context_lines":[{"line_number":112,"context_line":"project-reader."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Add a new policy in the tacker policy file."},{"line_number":115,"context_line":""},{"line_number":116,"context_line":".. 
code-block::"},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"  RULE_PROJECT_MEMBER \u003d \u0027rule:project_member\u0027"},{"line_number":119,"context_line":"  RULE_PROJECT_MEMBER_OR_ADMIN \u003d \u0027rule:project_member_or_admin\u0027"},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"  policy.RuleDefault("},{"line_number":122,"context_line":"      \"project_member\","},{"line_number":123,"context_line":"      \"role:member and project_id:%(project_id)s\","},{"line_number":124,"context_line":"      \"Default rule for Project level non admin APIs.\""},{"line_number":125,"context_line":"      deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY)"},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"  policy.RuleDefault("},{"line_number":128,"context_line":"      \"project_member_or_admin\","},{"line_number":129,"context_line":"      \"rule:project_member_api or rule:context_is_admin\","},{"line_number":130,"context_line":"      \"Default rule for Project Member or admin APIs.\","},{"line_number":131,"context_line":"      deprecated_rule\u003dDEPRECATED_ADMIN_OR_OWNER_POLICY)"},{"line_number":132,"context_line":""},{"line_number":133,"context_line":".. 
note:: Using it in policy rule (with admin + member access) to intact"},{"line_number":134,"context_line":"          legacy admin behavior, to give access of non-admin APIs to admin"}],"source_content_type":"text/x-rst","patch_set":5,"id":"f73cc31d_ec1b9020","line":131,"range":{"start_line":115,"start_character":0,"end_line":131,"end_character":55},"in_reply_to":"6d97c930_2995fd08","updated":"2022-12-28 04:47:09.000000000","message":"Ack","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"479510de05b09154f273363f28e9d85c360a8b6f","unresolved":true,"context_lines":[{"line_number":138,"context_line":"For example, the policy check string for query to create an VNF instance"},{"line_number":139,"context_line":"will be change as follow."},{"line_number":140,"context_line":""},{"line_number":141,"context_line":".. code-block::"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"  policy.DocumentedRuleDefault("},{"line_number":144,"context_line":"      name\u003dVNFLCM % \u0027create\u0027,"},{"line_number":145,"context_line":"      check_str\u003dbase.RULE_ADMIN_OR_OWNER,"},{"line_number":146,"context_line":"      description\u003d\"Creates vnf instance.\","},{"line_number":147,"context_line":"      operations\u003d["},{"line_number":148,"context_line":"          {"},{"line_number":149,"context_line":"              \u0027method\u0027: \u0027POST\u0027,"},{"line_number":150,"context_line":"              \u0027path\u0027: \u0027/vnflcm/v1/vnf_instances\u0027"},{"line_number":151,"context_line":"          }"},{"line_number":152,"context_line":"      ]"},{"line_number":153,"context_line":"  )"},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"  policy.DocumentedRuleDefault("},{"line_number":156,"context_line":"      name\u003dVNFLCM % 
\u0027create\u0027,"},{"line_number":157,"context_line":"      check_str\u003dbase.RULE_PROJECT_MEMBER_OR_ADMIN,"},{"line_number":158,"context_line":"      description\u003d\"Creates vnf instance.\","},{"line_number":159,"context_line":"      operations\u003d["},{"line_number":160,"context_line":"          {"},{"line_number":161,"context_line":"              \u0027method\u0027: \u0027POST\u0027,"},{"line_number":162,"context_line":"              \u0027path\u0027: \u0027/vnflcm/v1/vnf_instances\u0027"},{"line_number":163,"context_line":"          }"},{"line_number":164,"context_line":"      ]"},{"line_number":165,"context_line":"  )"},{"line_number":166,"context_line":""},{"line_number":167,"context_line":".. note:: Tacker APIs with a policy define as \"RULE ANY\" will not be change."},{"line_number":168,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"a7ee6877_96d93da8","line":165,"range":{"start_line":141,"start_character":0,"end_line":165,"end_character":3},"updated":"2022-12-24 02:22:49.000000000","message":"ditto, explain it same way as I commented for project_reader section","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"dd06ba6ef8718a99b405a809de99903e71300afe","unresolved":false,"context_lines":[{"line_number":138,"context_line":"For example, the policy check string for query to create an VNF instance"},{"line_number":139,"context_line":"will be change as follow."},{"line_number":140,"context_line":""},{"line_number":141,"context_line":".. 
code-block::"},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"  policy.DocumentedRuleDefault("},{"line_number":144,"context_line":"      name\u003dVNFLCM % \u0027create\u0027,"},{"line_number":145,"context_line":"      check_str\u003dbase.RULE_ADMIN_OR_OWNER,"},{"line_number":146,"context_line":"      description\u003d\"Creates vnf instance.\","},{"line_number":147,"context_line":"      operations\u003d["},{"line_number":148,"context_line":"          {"},{"line_number":149,"context_line":"              \u0027method\u0027: \u0027POST\u0027,"},{"line_number":150,"context_line":"              \u0027path\u0027: \u0027/vnflcm/v1/vnf_instances\u0027"},{"line_number":151,"context_line":"          }"},{"line_number":152,"context_line":"      ]"},{"line_number":153,"context_line":"  )"},{"line_number":154,"context_line":""},{"line_number":155,"context_line":"  policy.DocumentedRuleDefault("},{"line_number":156,"context_line":"      name\u003dVNFLCM % \u0027create\u0027,"},{"line_number":157,"context_line":"      check_str\u003dbase.RULE_PROJECT_MEMBER_OR_ADMIN,"},{"line_number":158,"context_line":"      description\u003d\"Creates vnf instance.\","},{"line_number":159,"context_line":"      operations\u003d["},{"line_number":160,"context_line":"          {"},{"line_number":161,"context_line":"              \u0027method\u0027: \u0027POST\u0027,"},{"line_number":162,"context_line":"              \u0027path\u0027: \u0027/vnflcm/v1/vnf_instances\u0027"},{"line_number":163,"context_line":"          }"},{"line_number":164,"context_line":"      ]"},{"line_number":165,"context_line":"  )"},{"line_number":166,"context_line":""},{"line_number":167,"context_line":".. 
note:: Tacker APIs with a policy define as \"RULE ANY\" will not be change."},{"line_number":168,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"93610acb_015aac51","line":165,"range":{"start_line":141,"start_character":0,"end_line":165,"end_character":3},"in_reply_to":"a7ee6877_96d93da8","updated":"2022-12-28 04:47:09.000000000","message":"Ack","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"479510de05b09154f273363f28e9d85c360a8b6f","unresolved":true,"context_lines":[{"line_number":281,"context_line":"Testing"},{"line_number":282,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":283,"context_line":""},{"line_number":284,"context_line":"Add unit and functional test cases to validate the new rules."},{"line_number":285,"context_line":""},{"line_number":286,"context_line":"Documentation Impact"},{"line_number":287,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"a0dae875_e1781270","line":284,"range":{"start_line":284,"start_character":60,"end_line":284,"end_character":61},"updated":"2022-12-24 02:22:49.000000000","message":"Along with unit and functional test, I will say add a single integration gate job to run with new defaults so that we can verify that it works fine with all cross project APIs (tacker -\u003eheat-\u003enova/neutron etc) interaction.\n\nWhile adding it for nova/neutron/cinder/glance, I found few bugs in some policies so testing integration testing gate job is very helpful .","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"88e7d21cf0745f7be9cde1b029424e4f70a5b366","unresolved":false,"context_lines":[{"line_number":281,"context_line":"Testing"},{"line_number":282,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":283,"context_line":""},{"line_number":284,"context_line":"Add unit and functional test cases to validate the new rules."},{"line_number":285,"context_line":""},{"line_number":286,"context_line":"Documentation Impact"},{"line_number":287,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"f60781f5_fdded740","line":284,"range":{"start_line":284,"start_character":60,"end_line":284,"end_character":61},"in_reply_to":"25d41f59_082655d8","updated":"2022-12-28 05:44:22.000000000","message":"Ack","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"dd06ba6ef8718a99b405a809de99903e71300afe","unresolved":true,"context_lines":[{"line_number":281,"context_line":"Testing"},{"line_number":282,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":283,"context_line":""},{"line_number":284,"context_line":"Add unit and functional test cases to validate the new rules."},{"line_number":285,"context_line":""},{"line_number":286,"context_line":"Documentation Impact"},{"line_number":287,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"25d41f59_082655d8","line":284,"range":{"start_line":284,"start_character":60,"end_line":284,"end_character":61},"in_reply_to":"a0dae875_e1781270","updated":"2022-12-28 04:47:09.000000000","message":"In my understanding, the 
tacker functional test cases behave as integration jobs. For instance, the \"heat\" and other OpenStack services are involved in different VNF operations. Moreover, in tacker, we do not have dedicated integration jobs.","commit_id":"f1fdf6537d8f2d31f72b6bd76dc439593a0c9915"},{"author":{"_account_id":34712,"name":"Yuta Kazato","display_name":"Yuta Kazato","email":"yuta.kazato.nw@hco.ntt.co.jp","username":"kazatoy-ntt"},"change_message_id":"d9251caaec4294095a28ce19b22d710522d5073c","unresolved":true,"context_lines":[{"line_number":164,"context_line":"      ]"},{"line_number":165,"context_line":"  )"},{"line_number":166,"context_line":""},{"line_number":167,"context_line":".. note:: Tacker APIs with a policy define as \"RULE ANY\" will not be change."},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"How to design Functional Testing"},{"line_number":170,"context_line":"--------------------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"1becfcf8_f4bad2a7","line":167,"updated":"2022-12-28 05:14:04.000000000","message":"Refer to Tacker Policies[1], Is this change for NFV Orchestration API v1.0 only?\nI think the NFV Orchestration API v2.0 policy should also be reviewed, what do you think?\n\n[1]https://docs.openstack.org/tacker/latest/configuration/policy.html","commit_id":"dc7f4493a871ab27aec1bc3072a8da6e283ee130"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"ff70f7e84a0ae991df4d05f9d031032792abd9ab","unresolved":false,"context_lines":[{"line_number":164,"context_line":"      ]"},{"line_number":165,"context_line":"  )"},{"line_number":166,"context_line":""},{"line_number":167,"context_line":".. 
note:: Tacker APIs with a policy define as \"RULE ANY\" will not be change."},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"How to design Functional Testing"},{"line_number":170,"context_line":"--------------------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"5e44010e_8fe65e4f","line":167,"in_reply_to":"1becfcf8_f4bad2a7","updated":"2022-12-28 05:32:03.000000000","message":"The NFV Orchestration API v2.0 policies support the \"RULE ANY\" rule; to revise them, we might require a brainstorming session and discussion. The scope of this specification is to modify existing policies and ensure backward compatibility. IMO, in upcoming releases, we can target modification/revision of NFV Orchestration API v2.0.","commit_id":"dc7f4493a871ab27aec1bc3072a8da6e283ee130"},{"author":{"_account_id":34712,"name":"Yuta Kazato","display_name":"Yuta Kazato","email":"yuta.kazato.nw@hco.ntt.co.jp","username":"kazatoy-ntt"},"change_message_id":"226baf4e86566bc753f47ca3ead1780abb507eaf","unresolved":false,"context_lines":[{"line_number":164,"context_line":"      ]"},{"line_number":165,"context_line":"  )"},{"line_number":166,"context_line":""},{"line_number":167,"context_line":".. note:: Tacker APIs with a policy define as \"RULE ANY\" will not be change."},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"How to design Functional Testing"},{"line_number":170,"context_line":"--------------------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"e99a343c_c7006135","line":167,"in_reply_to":"5e44010e_8fe65e4f","updated":"2022-12-28 05:56:26.000000000","message":"Thank you for your opinion. 
I understood.\nI agree with you because it spends much time to discuss the revising policies of API v2.0.\nIt is better to discuss in IRC or PTG, thanks.","commit_id":"dc7f4493a871ab27aec1bc3072a8da6e283ee130"},{"author":{"_account_id":34712,"name":"Yuta Kazato","display_name":"Yuta Kazato","email":"yuta.kazato.nw@hco.ntt.co.jp","username":"kazatoy-ntt"},"change_message_id":"d9251caaec4294095a28ce19b22d710522d5073c","unresolved":true,"context_lines":[{"line_number":229,"context_line":"Security impact"},{"line_number":230,"context_line":"---------------"},{"line_number":231,"context_line":""},{"line_number":232,"context_line":"None"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"Notifications impact"},{"line_number":235,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"61d17173_b93ef9b4","line":232,"updated":"2022-12-28 05:14:04.000000000","message":"Is it necessary to describe the security impact of the new roles/personas?\nFor example, the keystone-spec[2] describes the security impact of the new role.\n\n[2] https://review.opendev.org/c/openstack/keystone-specs/+/818616/7/specs/keystone/2023.1/default-service-role.rst#142","commit_id":"dc7f4493a871ab27aec1bc3072a8da6e283ee130"},{"author":{"_account_id":34712,"name":"Yuta Kazato","display_name":"Yuta Kazato","email":"yuta.kazato.nw@hco.ntt.co.jp","username":"kazatoy-ntt"},"change_message_id":"226baf4e86566bc753f47ca3ead1780abb507eaf","unresolved":false,"context_lines":[{"line_number":229,"context_line":"Security impact"},{"line_number":230,"context_line":"---------------"},{"line_number":231,"context_line":""},{"line_number":232,"context_line":"None"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"Notifications impact"},{"line_number":235,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"208bd892_3c8f4bbf","line":232,"in_reply_to":"552a10dc_6a284491","updated":"2022-12-28 
05:56:26.000000000","message":"OK, I understood.","commit_id":"dc7f4493a871ab27aec1bc3072a8da6e283ee130"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"ff70f7e84a0ae991df4d05f9d031032792abd9ab","unresolved":false,"context_lines":[{"line_number":229,"context_line":"Security impact"},{"line_number":230,"context_line":"---------------"},{"line_number":231,"context_line":""},{"line_number":232,"context_line":"None"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"Notifications impact"},{"line_number":235,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"552a10dc_6a284491","line":232,"in_reply_to":"61d17173_b93ef9b4","updated":"2022-12-28 05:32:03.000000000","message":"In my understanding, the Keystone specification describes the security impact regarding the service roles. Whereas in Tacker we are implementing/modifying the project roles without changing legacy admin behavior. IMO these changes do not impact security. What do you think.","commit_id":"dc7f4493a871ab27aec1bc3072a8da6e283ee130"},{"author":{"_account_id":34712,"name":"Yuta Kazato","display_name":"Yuta Kazato","email":"yuta.kazato.nw@hco.ntt.co.jp","username":"kazatoy-ntt"},"change_message_id":"d9251caaec4294095a28ce19b22d710522d5073c","unresolved":true,"context_lines":[{"line_number":291,"context_line":"References"},{"line_number":292,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":293,"context_line":""},{"line_number":294,"context_line":".. [#TC-GOALS] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-2"},{"line_number":295,"context_line":".. 
[#TACKER-POLICY-DOC] https://docs.openstack.org/tacker/latest/configuration/policy.html"}],"source_content_type":"text/x-rst","patch_set":6,"id":"959c7c04_f2f8e188","line":294,"updated":"2022-12-28 05:14:04.000000000","message":"Why do you refer to \"phase-2\"?\nIMO, if you want to show the goal of SRBAC, it is better to refer to the whole page without \"#phase-2\".\nOr, if you want to show the implements of project-reader and project-member, it is \"#phase-1\" or \"#implement-support-for-project-reader-and-project-member-personas\".","commit_id":"dc7f4493a871ab27aec1bc3072a8da6e283ee130"},{"author":{"_account_id":34712,"name":"Yuta Kazato","display_name":"Yuta Kazato","email":"yuta.kazato.nw@hco.ntt.co.jp","username":"kazatoy-ntt"},"change_message_id":"226baf4e86566bc753f47ca3ead1780abb507eaf","unresolved":true,"context_lines":[{"line_number":291,"context_line":"References"},{"line_number":292,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":293,"context_line":""},{"line_number":294,"context_line":".. [#TC-GOALS] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-2"},{"line_number":295,"context_line":".. 
[#TACKER-POLICY-DOC] https://docs.openstack.org/tacker/latest/configuration/policy.html"}],"source_content_type":"text/x-rst","patch_set":6,"id":"c6752a58_f3414c30","line":294,"in_reply_to":"47ca5998_19a73032","updated":"2022-12-28 05:56:26.000000000","message":"Thank you for your replies, so could you change the link of the whole page (deleting \"#phase-2\") or \"#phase-1\"?","commit_id":"dc7f4493a871ab27aec1bc3072a8da6e283ee130"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"ff70f7e84a0ae991df4d05f9d031032792abd9ab","unresolved":false,"context_lines":[{"line_number":291,"context_line":"References"},{"line_number":292,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":293,"context_line":""},{"line_number":294,"context_line":".. [#TC-GOALS] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-2"},{"line_number":295,"context_line":".. [#TACKER-POLICY-DOC] https://docs.openstack.org/tacker/latest/configuration/policy.html"}],"source_content_type":"text/x-rst","patch_set":6,"id":"47ca5998_19a73032","line":294,"in_reply_to":"959c7c04_f2f8e188","updated":"2022-12-28 05:32:03.000000000","message":"Ack, yes we are implementing phase-1 of TC goals.","commit_id":"dc7f4493a871ab27aec1bc3072a8da6e283ee130"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"8296e4bd0200a5b7fbe7ad8f10f0214d0bb88e58","unresolved":false,"context_lines":[{"line_number":291,"context_line":"References"},{"line_number":292,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":293,"context_line":""},{"line_number":294,"context_line":".. [#TC-GOALS] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-2"},{"line_number":295,"context_line":".. 
[#TACKER-POLICY-DOC] https://docs.openstack.org/tacker/latest/configuration/policy.html"}],"source_content_type":"text/x-rst","patch_set":6,"id":"4ffc72e9_7d085d68","line":294,"in_reply_to":"c6752a58_f3414c30","updated":"2022-12-28 06:00:25.000000000","message":"Ack","commit_id":"dc7f4493a871ab27aec1bc3072a8da6e283ee130"}],"specs/2023.1/srbac-implement-project-reader-persona.rst":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"64438a80f421ecd711623c5a20e248e386626fb9","unresolved":true,"context_lines":[{"line_number":5,"context_line":""},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":8,"context_line":"SRBAC: Implement Support Of Project Reader Persona"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":"https://blueprints.launchpad.net/tacker/+spec/implement-reader-role"},{"line_number":11,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"de59cb1a_3f16d636","line":8,"range":{"start_line":8,"start_character":28,"end_line":8,"end_character":50},"updated":"2022-12-20 20:10:06.000000000","message":"I will call it \"Project Persona\" as to have project reader you need to fix the current \u0027Owner\u0027 rule also.\n\nsame with spec file/BP 
name","commit_id":"ee72d994b7703d78030136e2268dfc03a93e0bd6"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"dd06ba6ef8718a99b405a809de99903e71300afe","unresolved":false,"context_lines":[{"line_number":5,"context_line":""},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":8,"context_line":"SRBAC: Implement Support Of Project Reader Persona"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":"https://blueprints.launchpad.net/tacker/+spec/implement-reader-role"},{"line_number":11,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"394b6d69_e9e51e6d","line":8,"range":{"start_line":8,"start_character":28,"end_line":8,"end_character":50},"in_reply_to":"7848801a_a484b775","updated":"2022-12-28 04:47:09.000000000","message":"Done","commit_id":"ee72d994b7703d78030136e2268dfc03a93e0bd6"},{"author":{"_account_id":32102,"name":"Manpreet 
Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"18ca287a3c5f42467ceab0c71132e8f46a993e83","unresolved":true,"context_lines":[{"line_number":5,"context_line":""},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":8,"context_line":"SRBAC: Implement Support Of Project Reader Persona"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":"https://blueprints.launchpad.net/tacker/+spec/implement-reader-role"},{"line_number":11,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"7848801a_a484b775","line":8,"range":{"start_line":8,"start_character":28,"end_line":8,"end_character":50},"in_reply_to":"de59cb1a_3f16d636","updated":"2022-12-23 04:27:59.000000000","message":"Ack, Modified specification title and file name. I have updated the blueprint content as per the requested changes.","commit_id":"ee72d994b7703d78030136e2268dfc03a93e0bd6"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"64438a80f421ecd711623c5a20e248e386626fb9","unresolved":true,"context_lines":[{"line_number":41,"context_line":"within the project. 
Not allowed to make any writable changes to the"},{"line_number":42,"context_line":"project-owned resources."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"The project-reader changes will make sure that by default any other"},{"line_number":45,"context_line":"role for example foo in that project will not be able to do anything."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"project-reader is denoted by someone with the reader role on a project."},{"line_number":48,"context_line":"It is intended to be used by end users for read-only access within a"}],"source_content_type":"text/x-rst","patch_set":4,"id":"a8abafc0_f9d8d056","line":45,"range":{"start_line":44,"start_character":0,"end_line":45,"end_character":69},"updated":"2022-12-20 20:10:06.000000000","message":"To make it happen, you need to change the \u0027owner\u0027 rule also. As per the community-wide goal, we need to implement the project personas which include:\n\n1. project member which will be \"role:member and project_id:%(project_id)s\"\n- So that any other role say foo or reader will not be able to behave as project owner\n\n2. project reader which will be \"role:reader and project_id:%(project_id)s\"\n- So that any other role say foo will not be able to behave as project reader. 
This you already explained/proposed in this spec.\n\n\nFor the 1st one, you need to change the current owner rule[1] in tacker to add the role \u0027member\u0027 along with the project_id match.\n\n[1] https://github.com/openstack/tacker/blob/990e6a73f34bc98cdd03a54f6f726467af3bd8da/tacker/policies/base.py#L31\n\nThese are the references for those in Nova:\nproject_member: https://github.com/openstack/nova/blob/b9a49ffb04cb5ae2d8c439361a3552296df02988/nova/policies/base.py#L93\n\nproject_reader: https://github.com/openstack/nova/blob/b9a49ffb04cb5ae2d8c439361a3552296df02988/nova/policies/base.py#L98\n\nAnd to keep legacy admin behavior the same as it is, you need to add Admin in a logical OR in both rules (so that the legacy admin can continue to access the API along with the member and reader roles):\n\n1. project_member or admin - https://github.com/openstack/nova/blob/b9a49ffb04cb5ae2d8c439361a3552296df02988/nova/policies/base.py#L103\n\n2. project_reader or admin - https://github.com/openstack/nova/blob/b9a49ffb04cb5ae2d8c439361a3552296df02988/nova/policies/base.py#L108\n\nThen you can use these two common base rules for your specific policy.","commit_id":"ee72d994b7703d78030136e2268dfc03a93e0bd6"},{"author":{"_account_id":32102,"name":"Manpreet Kaur","email":"kaurmanpreet2620@gmail.com","username":"manpreet"},"change_message_id":"18ca287a3c5f42467ceab0c71132e8f46a993e83","unresolved":false,"context_lines":[{"line_number":41,"context_line":"within the project. 
Not allowed to make any writable changes to the"},{"line_number":42,"context_line":"project-owned resources."},{"line_number":43,"context_line":""},{"line_number":44,"context_line":"The project-reader changes will make sure that by default any other"},{"line_number":45,"context_line":"role for example foo in that project will not be able to do anything."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"project-reader is denoted by someone with the reader role on a project."},{"line_number":48,"context_line":"It is intended to be used by end users for read-only access within a"}],"source_content_type":"text/x-rst","patch_set":4,"id":"673e2150_ef05d7ac","line":45,"range":{"start_line":44,"start_character":0,"end_line":45,"end_character":69},"in_reply_to":"a8abafc0_f9d8d056","updated":"2022-12-23 04:27:59.000000000","message":"Ack!!\n\nThanks, Ghanshyam san for your insightful review.\nI have incorporated the changes in PatchSet 5, added policy changes for project-member role implementation in tacker","commit_id":"ee72d994b7703d78030136e2268dfc03a93e0bd6"}]}
