)]}'
{"deployment/aodh/aodh-base.yaml":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"cfa054ba84a1bf8bbd5a7487bce8300ab4b550a5","unresolved":false,"context_lines":[{"line_number":108,"context_line":"        aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }"},{"line_number":109,"context_line":"        aodh::keystone::authtoken::region_name: {get_param: KeystoneRegion}"},{"line_number":110,"context_line":"        aodh::keystone::authtoken::service_token_roles_required: true"},{"line_number":111,"context_line":"        aodh::keystone::authtoken::service_token_roles: [\u0027service\u0027]"},{"line_number":112,"context_line":"        aodh::auth::auth_password: {get_param: AodhPassword}"},{"line_number":113,"context_line":"        aodh::auth::auth_region: {get_param: KeystoneRegion}"},{"line_number":114,"context_line":"        aodh::auth::auth_tenant_name: \u0027service\u0027"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"bf51134e_11223702","line":111,"range":{"start_line":111,"start_character":58,"end_line":111,"end_character":65},"updated":"2020-07-20 20:49:50.000000000","message":"It looks like the default values for some of these options in various puppet modules allow users with the \u0027service\u0027 role or the \u0027admin\u0027 role to act as service users.\n\nKeystone\u0027s RBAC enforcement has changed over the last year or two and now makes it easier for end users to have administrative rights on projects and domains. 
This could impact this work if the user has \u0027admin\u0027 on a project and attempts to validate an expired token, even though they\u0027re not technically a system administrator.\n\nIt might be worth it to only consider \"service\" roles as valid indicators of service users.","commit_id":"80df093966dfdde7a59cbabd3331615517c0308c"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"4a69f5010b8302099dd05b3db59e2af32b0a6117","unresolved":false,"context_lines":[{"line_number":108,"context_line":"        aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }"},{"line_number":109,"context_line":"        aodh::keystone::authtoken::region_name: {get_param: KeystoneRegion}"},{"line_number":110,"context_line":"        aodh::keystone::authtoken::service_token_roles_required: true"},{"line_number":111,"context_line":"        aodh::keystone::authtoken::service_token_roles: [\u0027service\u0027]"},{"line_number":112,"context_line":"        aodh::auth::auth_password: {get_param: AodhPassword}"},{"line_number":113,"context_line":"        aodh::auth::auth_region: {get_param: KeystoneRegion}"},{"line_number":114,"context_line":"        aodh::auth::auth_tenant_name: \u0027service\u0027"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"bf51134e_8f8f4274","line":111,"range":{"start_line":111,"start_character":58,"end_line":111,"end_character":65},"in_reply_to":"bf51134e_11223702","updated":"2020-07-20 23:06:53.000000000","message":"Currently no puppet modules set service_token_roles by default, so the default value in keystonemiddleware, [\u0027service\u0027], is used even if this line is not added.\n\nHowever, I added it to state explicitly that we use the \u0027service\u0027 role for the service token feature.","commit_id":"80df093966dfdde7a59cbabd3331615517c0308c"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"9611f12910305d1c59351bd967e15016c5c458bf","unresolved":false,"context_lines":[{"line_number":108,"context_line":"        aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }"},{"line_number":109,"context_line":"        aodh::keystone::authtoken::region_name: {get_param: KeystoneRegion}"},{"line_number":110,"context_line":"        aodh::keystone::authtoken::service_token_roles_required: true"},{"line_number":111,"context_line":"        aodh::keystone::authtoken::service_token_roles: [\u0027service\u0027]"},{"line_number":112,"context_line":"        aodh::auth::auth_password: {get_param: AodhPassword}"},{"line_number":113,"context_line":"        aodh::auth::auth_region: {get_param: KeystoneRegion}"},{"line_number":114,"context_line":"        aodh::auth::auth_tenant_name: \u0027service\u0027"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"bf51134e_001db872","line":111,"range":{"start_line":111,"start_character":58,"end_line":111,"end_character":65},"in_reply_to":"bf51134e_8f8f4274","updated":"2020-07-21 14:04:10.000000000","message":"Thanks for clarifying Takashi.","commit_id":"80df093966dfdde7a59cbabd3331615517c0308c"}]}
