<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.openstack.org/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Andersonvom</id>
		<title>OpenStack - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.openstack.org/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Andersonvom"/>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/wiki/Special:Contributions/Andersonvom"/>
		<updated>2026-07-09T01:18:09Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.28.2</generator>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Meetings/HeatAgenda&amp;diff=37878</id>
		<title>Meetings/HeatAgenda</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Meetings/HeatAgenda&amp;diff=37878"/>
				<updated>2013-12-10T19:48:10Z</updated>
		
		<summary type="html">&lt;p&gt;Andersonvom: /* Agenda */ Add date to current agenda&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
= Weekly Heat (Orchestration) meeting =&lt;br /&gt;
The [https://launchpad.net/heat heat] Orchestration project team holds a meeting in &amp;lt;code&amp;gt;&amp;lt;nowiki&amp;gt;#openstack-meeting&amp;lt;/nowiki&amp;gt;&amp;lt;/code&amp;gt;:&lt;br /&gt;
* Wednesdays at [http://www.timeanddate.com/worldclock/fixedtime.html?hour=20&amp;amp;min=0&amp;amp;sec=0 2000 UTC]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Everyone is welcome.&lt;br /&gt;
&lt;br /&gt;
The blueprints that are used as a basis for [https://launchpad.net/heat the heat project] can be found at https://blueprints.launchpad.net/heat&lt;br /&gt;
&lt;br /&gt;
=== Agenda (2013-12-11) ===&lt;br /&gt;
* Review last meeting's actions&lt;br /&gt;
* Adding items to the agenda&lt;br /&gt;
* Unassigned icehouse-2 blueprints&lt;br /&gt;
* Repurposing of the stack/resource status columns - related to [https://blueprints.launchpad.net/heat/+spec/stack-convergence stack convergence]&lt;br /&gt;
* Open discussion&lt;br /&gt;
&lt;br /&gt;
== Previous meetings ==&lt;br /&gt;
* [http://eavesdrop.openstack.org/meetings/heat/2013/ 2013 Heat meeting archive]&lt;br /&gt;
* [http://eavesdrop.openstack.org/meetings/heat/2012/ 2012 Heat meeting archive]&lt;br /&gt;
&lt;br /&gt;
== Meeting organizers ==&lt;br /&gt;
* Publish the agenda 24h in advance&lt;br /&gt;
* Mail the agenda to the list and invite participants&lt;br /&gt;
* Ask each person responsible for an action from the previous meeting to prepare a line of the form, for each action item:   . #info nickname description of the action link to the diff / mailing list thread etc. describing the implementation of the action&lt;br /&gt;
* Use http://meetbot.debian.net/Manual.html to get an automatic summary&lt;br /&gt;
* Mail the automatic summary as a reply to the invitation&lt;/div&gt;</summary>
		<author><name>Andersonvom</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Glance&amp;diff=34921</id>
		<title>Glance</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Glance&amp;diff=34921"/>
				<updated>2013-11-06T20:06:08Z</updated>
		
		<summary type="html">&lt;p&gt;Andersonvom: /* Documentation */ Fix typo&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
= [[OpenStack]] Image service (&amp;quot;Glance&amp;quot;) =&lt;br /&gt;
&lt;br /&gt;
{| border=&amp;quot;1&amp;quot; cellpadding=&amp;quot;2&amp;quot; cellspacing=&amp;quot;0&amp;quot;&lt;br /&gt;
|  Source code &lt;br /&gt;
| https://github.com/openstack/glance  &lt;br /&gt;
|-&lt;br /&gt;
|  Bug tracker   &lt;br /&gt;
| https://bugs.launchpad.net/glance/+bugs&lt;br /&gt;
|-&lt;br /&gt;
|  Blueprints    &lt;br /&gt;
| https://blueprints.launchpad.net/glance&lt;br /&gt;
|-&lt;br /&gt;
|  Developer doc &lt;br /&gt;
| http://docs.openstack.org/developer/glance/&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== Related projects ==&lt;br /&gt;
* Python Glance client&lt;br /&gt;
* Image API documentation&lt;br /&gt;
&lt;br /&gt;
== Documentation ==&lt;br /&gt;
* [http://docs.openstack.org/api/openstack-image-service/2.0/content/openstack-image-service-api-v2-reference.html Image API (v2) specification]&lt;br /&gt;
* [http://docs.openstack.org/api/openstack-image-service/1.0/content/ Image API (v1) specification]&lt;br /&gt;
* [http://docs.openstack.org/trunk/openstack-compute/admin/content/ Administration Guide]&lt;br /&gt;
&lt;br /&gt;
== Other resources ==&lt;br /&gt;
* [[InstallInstructions/Glance|Install Instructions]]&lt;br /&gt;
* [[GlanceFeatureMatrix|Feature Support Matrix]]&lt;/div&gt;</summary>
		<author><name>Andersonvom</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Keystone/Trusts&amp;diff=34681</id>
		<title>Keystone/Trusts</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Keystone/Trusts&amp;diff=34681"/>
				<updated>2013-11-01T14:36:45Z</updated>
		
		<summary type="html">&lt;p&gt;Andersonvom: /* To enumerated the trusts */ Fix headers of HTTP calls&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Trusts =&lt;br /&gt;
== Use Cases ==&lt;br /&gt;
# HEAT and failover.  It needs to move a virtual machine from one host to another.&lt;br /&gt;
# Content production.    Something generates a large file and needs to store it in swift.&lt;br /&gt;
&lt;br /&gt;
In both cases, the users authorizes it at setup time to perform this  action any time in the future, long after the token is expired.&lt;br /&gt;
&lt;br /&gt;
== Rules ==&lt;br /&gt;
&amp;quot;Keystone is the Delegation Service that handles all the delegations for users. It is trusted to ensure that&lt;br /&gt;
&lt;br /&gt;
* a delegator cannot delegate an attribute he has not already been assigned&lt;br /&gt;
* a delegator cannot delegate once the delegation depth has been consumed&lt;br /&gt;
* a delegator cannot delegate outside the validity period of his own delegation.&lt;br /&gt;
&lt;br /&gt;
In other words, a delegator can only delegate less than (or equal to) what he already has, and not more than it.&lt;br /&gt;
&lt;br /&gt;
== Current Status of Delegation ==&lt;br /&gt;
Right now, a user delegates in a short term fashion using tokens. Once a token has been granted to a user, he hands that off to another (service) user in order to prove his identity and authorization to perform some set of actions.  In addition, since tokens are not scoped to a specific endpoint, they are currently passed on from one endpoint to another.  This is not a secure approach.  If any endpoint along the way is compromised, all the tokens in that endpoint are usable against any other service that accepts tokens. So  we limit the scope of tokens to only that single endpoint, and we remove the attack.  As a result, we also remove the ability of the remote service user  to request additional operations from additional remote services on behalf of the original user.  This is a problem that the trusts are designed to serve.&lt;br /&gt;
&lt;br /&gt;
== Rules ==&lt;br /&gt;
* A trust is a promise to allow delegation at some point in the future.  The actual delegation is performed in the token.  The trust is used to get the token.&lt;br /&gt;
* The data for the delegation itself is simply the uuid user_ids for the trustor and trustee, along with the privileges that are being delegated.&lt;br /&gt;
* The delegated privileges are a combination of a tenant id and a number  of roles that must be a subset of the roles assigned to the trustor.&lt;br /&gt;
** If all privileges are  missing, then nothing is being delegated (ie. there is not a way of  saying &amp;quot;delegate everything&amp;quot;).&lt;br /&gt;
* A final parameter, delegation depth, says  whether the delegation is recursive or not, and if recursive specifies  the length of the delegation chain.&lt;br /&gt;
** A value of 0 (or missing) means that  the delegate cannot delegate these permissions further.&lt;br /&gt;
** A value of 1  means that the delegate can delegate the permissions to any set of  delegates but the latter cannot delegate further.&lt;br /&gt;
** A value of 2 means the  delegation chain can be extended by a further length of 2 (ie. delegator  to delegate to subdelegate to subsubdelegate).&lt;br /&gt;
** A value of 'inf'  means  that the delegation is infinitely recursive.&lt;br /&gt;
* There is also a list of  endpoints associated with the delegation.&lt;br /&gt;
** This further restricts the delegation to the specified endpoints only.&lt;br /&gt;
** If the endpoints are missing, then the delegation is useless.&lt;br /&gt;
** A special value of 'all_endpoints' allows the trust to be used by  all endpoints associated with the delegated tenant.&lt;br /&gt;
* There is an optional value for duration, which  comprises the start time and end time for the trust.&lt;br /&gt;
&lt;br /&gt;
== APIs ==&lt;br /&gt;
=== To create a trust ===&lt;br /&gt;
POST /trusts&lt;br /&gt;
&lt;br /&gt;
When POSTing to trusts,  the trustor supplies&lt;br /&gt;
&lt;br /&gt;
* trustee: a user ID&lt;br /&gt;
* tenantId:&lt;br /&gt;
* roles&lt;br /&gt;
* endpoints&lt;br /&gt;
* trust start time (optional, defaults to submission time)&lt;br /&gt;
* trust end time (optional, defaults to never)&lt;br /&gt;
* delegation depth (optional)&lt;br /&gt;
&lt;br /&gt;
The trustor ID is implied from the creating users ID.&lt;br /&gt;
&lt;br /&gt;
=== To enumerated the trusts ===&lt;br /&gt;
GET /trusts/&lt;br /&gt;
&lt;br /&gt;
This will return a document with two lists:&lt;br /&gt;
* The first is the list of trusts for which the user is the trustor&lt;br /&gt;
* The second is a list of trusts for which the user is the trustee&lt;br /&gt;
&lt;br /&gt;
=== To enumerate the list of trustees for trusts that the user has created: ===&lt;br /&gt;
GET /user/&amp;lt;id&amp;gt;/trustees&lt;br /&gt;
&lt;br /&gt;
* Which will return a list of trustee user ids, each of which is associated with a list of URLS for the associated trusts.&lt;br /&gt;
* This will view active trusts. disabled trusts will require an additional paramater (disabled)&lt;br /&gt;
* Only the trustor will be able to access this URL.  Any other user will get a 403 (Forbidden).&lt;br /&gt;
&lt;br /&gt;
=== To enumerate the set of trustors that have nominated the user as the trustee: ===&lt;br /&gt;
GET /user/&amp;lt;id&amp;gt;/trustors&lt;br /&gt;
&lt;br /&gt;
* Which will return a list of trustor user ids, each of which is associated with a list of URLS for the associated trusts.&lt;br /&gt;
* This will view active trusts. disabled trusts will require an additional paramater (disabled)&lt;br /&gt;
* Only the trustor will be able to access this URL.  Any other user will get a 403 (Forbidden)&lt;br /&gt;
&lt;br /&gt;
=== To view a trust ===&lt;br /&gt;
* GET /trusts/{trustID}&lt;br /&gt;
* This will view active trusts. disabled trusts will require an additional paramater (disabled)&lt;br /&gt;
* Only the trustor or trustee will be able to access this URL.  Any other user will get a 403 (Forbidden).&lt;br /&gt;
&lt;br /&gt;
=== To deactivate a trust ===&lt;br /&gt;
* DELETE /trusts/{trustID}&lt;br /&gt;
* This sets the trust status to disabled.&lt;br /&gt;
* Only the trustor will be able to access this URL.  Any other user will get a 403 (Forbidden).&lt;br /&gt;
&lt;br /&gt;
=== TrustID ===&lt;br /&gt;
The trust id is a blob, and for the first implementation, will be a UUID.  It should be  useless to anyone but the trustor and the trustee.  No other user should be  able to view it.  The user should be able to enumerate her  preauthentications, in order to view, modify, and delete them. /users/preauthentications&lt;br /&gt;
&lt;br /&gt;
== Implementation ==&lt;br /&gt;
Implemented in two phases.&lt;br /&gt;
&lt;br /&gt;
== Token Format Changes ==&lt;br /&gt;
Each token created from a Trust will have two additional fields.&lt;br /&gt;
&lt;br /&gt;
* '''trustee''' field with the userID of the trustee&lt;br /&gt;
* '''trust''' field with the trust ID.&lt;br /&gt;
&lt;br /&gt;
When performing recursive delegation, there needs to be a record of the delegation chain, not least so that  the trustor can understand how the new trustee has been added to the  token.   Thus,  each token will have a '''trusts '''field. This will be a list with the name of each trustee in the chain, ordered from the original trustee to the trustee that requested the token.&lt;br /&gt;
&lt;br /&gt;
Phase 1&lt;br /&gt;
&lt;br /&gt;
# Trusts get implemented today &amp;quot;hard wired&amp;quot; with the attributes that are currently exposed in a token:  (trustor) user, tenant, roles, endpoints.&lt;br /&gt;
# Tokens that get generated from the trusts will look just like normal tokens.  They will have an additional field &amp;quot;trustee&amp;quot;.  This will allow the current consumers of tokens to continue to use a trust token just like they do now.&lt;br /&gt;
&lt;br /&gt;
Phase 2.&lt;br /&gt;
&lt;br /&gt;
# Modify the token architecture to allow arbitrary sets of attributes.&lt;br /&gt;
# Modify the trust architecture to specify arbitrary sets of attributes to be used in a token.&lt;/div&gt;</summary>
		<author><name>Andersonvom</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Keystone/Trusts&amp;diff=34680</id>
		<title>Keystone/Trusts</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Keystone/Trusts&amp;diff=34680"/>
				<updated>2013-11-01T14:25:14Z</updated>
		
		<summary type="html">&lt;p&gt;Andersonvom: /* To enumerated the trusts */ Fix lists and HTTP calls&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Trusts =&lt;br /&gt;
== Use Cases ==&lt;br /&gt;
# HEAT and failover.  It needs to move a virtual machine from one host to another.&lt;br /&gt;
# Content production.    Something generates a large file and needs to store it in swift.&lt;br /&gt;
&lt;br /&gt;
In both cases, the users authorizes it at setup time to perform this  action any time in the future, long after the token is expired.&lt;br /&gt;
&lt;br /&gt;
== Rules ==&lt;br /&gt;
&amp;quot;Keystone is the Delegation Service that handles all the delegations for users. It is trusted to ensure that&lt;br /&gt;
&lt;br /&gt;
* a delegator cannot delegate an attribute he has not already been assigned&lt;br /&gt;
* a delegator cannot delegate once the delegation depth has been consumed&lt;br /&gt;
* a delegator cannot delegate outside the validity period of his own delegation.&lt;br /&gt;
&lt;br /&gt;
In other words, a delegator can only delegate less than (or equal to) what he already has, and not more than it.&lt;br /&gt;
&lt;br /&gt;
== Current Status of Delegation ==&lt;br /&gt;
Right now, a user delegates in a short term fashion using tokens. Once a token has been granted to a user, he hands that off to another (service) user in order to prove his identity and authorization to perform some set of actions.  In addition, since tokens are not scoped to a specific endpoint, they are currently passed on from one endpoint to another.  This is not a secure approach.  If any endpoint along the way is compromised, all the tokens in that endpoint are usable against any other service that accepts tokens. So  we limit the scope of tokens to only that single endpoint, and we remove the attack.  As a result, we also remove the ability of the remote service user  to request additional operations from additional remote services on behalf of the original user.  This is a problem that the trusts are designed to serve.&lt;br /&gt;
&lt;br /&gt;
== Rules ==&lt;br /&gt;
* A trust is a promise to allow delegation at some point in the future.  The actual delegation is performed in the token.  The trust is used to get the token.&lt;br /&gt;
* The data for the delegation itself is simply the uuid user_ids for the trustor and trustee, along with the privileges that are being delegated.&lt;br /&gt;
* The delegated privileges are a combination of a tenant id and a number  of roles that must be a subset of the roles assigned to the trustor.&lt;br /&gt;
** If all privileges are  missing, then nothing is being delegated (ie. there is not a way of  saying &amp;quot;delegate everything&amp;quot;).&lt;br /&gt;
* A final parameter, delegation depth, says  whether the delegation is recursive or not, and if recursive specifies  the length of the delegation chain.&lt;br /&gt;
** A value of 0 (or missing) means that  the delegate cannot delegate these permissions further.&lt;br /&gt;
** A value of 1  means that the delegate can delegate the permissions to any set of  delegates but the latter cannot delegate further.&lt;br /&gt;
** A value of 2 means the  delegation chain can be extended by a further length of 2 (ie. delegator  to delegate to subdelegate to subsubdelegate).&lt;br /&gt;
** A value of 'inf'  means  that the delegation is infinitely recursive.&lt;br /&gt;
* There is also a list of  endpoints associated with the delegation.&lt;br /&gt;
** This further restricts the delegation to the specified endpoints only.&lt;br /&gt;
** If the endpoints are missing, then the delegation is useless.&lt;br /&gt;
** A special value of 'all_endpoints' allows the trust to be used by  all endpoints associated with the delegated tenant.&lt;br /&gt;
* There is an optional value for duration, which  comprises the start time and end time for the trust.&lt;br /&gt;
&lt;br /&gt;
== APIs ==&lt;br /&gt;
=== To create a trust ===&lt;br /&gt;
POST /trusts&lt;br /&gt;
&lt;br /&gt;
When POSTing to trusts,  the trustor supplies&lt;br /&gt;
&lt;br /&gt;
* trustee: a user ID&lt;br /&gt;
* tenantId:&lt;br /&gt;
* roles&lt;br /&gt;
* endpoints&lt;br /&gt;
* trust start time (optional, defaults to submission time)&lt;br /&gt;
* trust end time (optional, defaults to never)&lt;br /&gt;
* delegation depth (optional)&lt;br /&gt;
&lt;br /&gt;
The trustor ID is implied from the creating users ID.&lt;br /&gt;
&lt;br /&gt;
=== To enumerated the trusts ===&lt;br /&gt;
GET /trusts/&lt;br /&gt;
&lt;br /&gt;
This will return a document with two lists:&lt;br /&gt;
* The first is the list of trusts for which the user is the trustor&lt;br /&gt;
* The second is a list of trusts for which the user is the trustee&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
To enumerate the list of trustees for trusts that the user has created:&lt;br /&gt;
&lt;br /&gt;
GET /user/&amp;lt;id&amp;gt;/trustees&lt;br /&gt;
&lt;br /&gt;
* Which will return a list of trustee user ids, each of which is associated with a list of URLS for the associated trusts.&lt;br /&gt;
* This will view active trusts. disabled trusts will require an additional paramater (disabled)&lt;br /&gt;
* Only the trustor will be able to access this URL.  Any other user will get a 403 (Forbidden).&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
To enumerate the set of trustors that have nominated the user as the trustee:&lt;br /&gt;
&lt;br /&gt;
GET /user/&amp;lt;id&amp;gt;/trustors&lt;br /&gt;
&lt;br /&gt;
* Which will return a list of trustor user ids, each of which is associated with a list of URLS for the associated trusts.&lt;br /&gt;
* This will view active trusts. disabled trusts will require an additional paramater (disabled)&lt;br /&gt;
* Only the trustor will be able to access this URL.  Any other user will get a 403 (Forbidden)&lt;br /&gt;
&lt;br /&gt;
=== To view a trust ===&lt;br /&gt;
* GET /trusts/{trustID}&lt;br /&gt;
* This will view active trusts. disabled trusts will require an additional paramater (disabled)&lt;br /&gt;
* Only the trustor or trustee will be able to access this URL.  Any other user will get a 403 (Forbidden).&lt;br /&gt;
&lt;br /&gt;
=== To deactivate a trust ===&lt;br /&gt;
* DELETE /trusts/{trustID}&lt;br /&gt;
* This sets the trust status to disabled.&lt;br /&gt;
* Only the trustor will be able to access this URL.  Any other user will get a 403 (Forbidden).&lt;br /&gt;
&lt;br /&gt;
=== TrustID ===&lt;br /&gt;
The trust id is a blob, and for the first implementation, will be a UUID.  It should be  useless to anyone but the trustor and the trustee.  No other user should be  able to view it.  The user should be able to enumerate her  preauthentications, in order to view, modify, and delete them. /users/preauthentications&lt;br /&gt;
&lt;br /&gt;
== Implementation ==&lt;br /&gt;
Implemented in two phases.&lt;br /&gt;
&lt;br /&gt;
== Token Format Changes ==&lt;br /&gt;
Each token created from a Trust will have two additional fields.&lt;br /&gt;
&lt;br /&gt;
* '''trustee''' field with the userID of the trustee&lt;br /&gt;
* '''trust''' field with the trust ID.&lt;br /&gt;
&lt;br /&gt;
When performing recursive delegation, there needs to be a record of the delegation chain, not least so that  the trustor can understand how the new trustee has been added to the  token.   Thus,  each token will have a '''trusts '''field. This will be a list with the name of each trustee in the chain, ordered from the original trustee to the trustee that requested the token.&lt;br /&gt;
&lt;br /&gt;
Phase 1&lt;br /&gt;
&lt;br /&gt;
# Trusts get implemented today &amp;quot;hard wired&amp;quot; with the attributes that are currently exposed in a token:  (trustor) user, tenant, roles, endpoints.&lt;br /&gt;
# Tokens that get generated from the trusts will look just like normal tokens.  They will have an additional field &amp;quot;trustee&amp;quot;.  This will allow the current consumers of tokens to continue to use a trust token just like they do now.&lt;br /&gt;
&lt;br /&gt;
Phase 2.&lt;br /&gt;
&lt;br /&gt;
# Modify the token architecture to allow arbitrary sets of attributes.&lt;br /&gt;
# Modify the trust architecture to specify arbitrary sets of attributes to be used in a token.&lt;/div&gt;</summary>
		<author><name>Andersonvom</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Keystone/Trusts&amp;diff=34679</id>
		<title>Keystone/Trusts</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Keystone/Trusts&amp;diff=34679"/>
				<updated>2013-11-01T14:20:15Z</updated>
		
		<summary type="html">&lt;p&gt;Andersonvom: /* Rules */ Reword and fix typo&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Trusts =&lt;br /&gt;
== Use Cases ==&lt;br /&gt;
# HEAT and failover.  It needs to move a virtual machine from one host to another.&lt;br /&gt;
# Content production.    Something generates a large file and needs to store it in swift.&lt;br /&gt;
&lt;br /&gt;
In both cases, the users authorizes it at setup time to perform this  action any time in the future, long after the token is expired.&lt;br /&gt;
&lt;br /&gt;
== Rules ==&lt;br /&gt;
&amp;quot;Keystone is the Delegation Service that handles all the delegations for users. It is trusted to ensure that&lt;br /&gt;
&lt;br /&gt;
* a delegator cannot delegate an attribute he has not already been assigned&lt;br /&gt;
* a delegator cannot delegate once the delegation depth has been consumed&lt;br /&gt;
* a delegator cannot delegate outside the validity period of his own delegation.&lt;br /&gt;
&lt;br /&gt;
In other words, a delegator can only delegate less than (or equal to) what he already has, and not more than it.&lt;br /&gt;
&lt;br /&gt;
== Current Status of Delegation ==&lt;br /&gt;
Right now, a user delegates in a short term fashion using tokens. Once a token has been granted to a user, he hands that off to another (service) user in order to prove his identity and authorization to perform some set of actions.  In addition, since tokens are not scoped to a specific endpoint, they are currently passed on from one endpoint to another.  This is not a secure approach.  If any endpoint along the way is compromised, all the tokens in that endpoint are usable against any other service that accepts tokens. So  we limit the scope of tokens to only that single endpoint, and we remove the attack.  As a result, we also remove the ability of the remote service user  to request additional operations from additional remote services on behalf of the original user.  This is a problem that the trusts are designed to serve.&lt;br /&gt;
&lt;br /&gt;
== Rules ==&lt;br /&gt;
* A trust is a promise to allow delegation at some point in the future.  The actual delegation is performed in the token.  The trust is used to get the token.&lt;br /&gt;
* The data for the delegation itself is simply the uuid user_ids for the trustor and trustee, along with the privileges that are being delegated.&lt;br /&gt;
* The delegated privileges are a combination of a tenant id and a number  of roles that must be a subset of the roles assigned to the trustor.&lt;br /&gt;
** If all privileges are  missing, then nothing is being delegated (ie. there is not a way of  saying &amp;quot;delegate everything&amp;quot;).&lt;br /&gt;
* A final parameter, delegation depth, says  whether the delegation is recursive or not, and if recursive specifies  the length of the delegation chain.&lt;br /&gt;
** A value of 0 (or missing) means that  the delegate cannot delegate these permissions further.&lt;br /&gt;
** A value of 1  means that the delegate can delegate the permissions to any set of  delegates but the latter cannot delegate further.&lt;br /&gt;
** A value of 2 means the  delegation chain can be extended by a further length of 2 (ie. delegator  to delegate to subdelegate to subsubdelegate).&lt;br /&gt;
** A value of 'inf'  means  that the delegation is infinitely recursive.&lt;br /&gt;
* There is also a list of  endpoints associated with the delegation.&lt;br /&gt;
** This further restricts the delegation to the specified endpoints only.&lt;br /&gt;
** If the endpoints are missing, then the delegation is useless.&lt;br /&gt;
** A special value of 'all_endpoints' allows the trust to be used by  all endpoints associated with the delegated tenant.&lt;br /&gt;
* There is an optional value for duration, which  comprises the start time and end time for the trust.&lt;br /&gt;
&lt;br /&gt;
== APIs ==&lt;br /&gt;
=== To create a trust ===&lt;br /&gt;
POST /trusts&lt;br /&gt;
&lt;br /&gt;
When POSTing to trusts,  the trustor supplies&lt;br /&gt;
&lt;br /&gt;
* trustee: a user ID&lt;br /&gt;
* tenantId:&lt;br /&gt;
* roles&lt;br /&gt;
* endpoints&lt;br /&gt;
* trust start time (optional, defaults to submission time)&lt;br /&gt;
* trust end time (optional, defaults to never)&lt;br /&gt;
* delegation depth (optional)&lt;br /&gt;
&lt;br /&gt;
The trustor ID is implied from the creating users ID.&lt;br /&gt;
&lt;br /&gt;
=== To enumerated the trusts ===&lt;br /&gt;
* GET /trusts/&lt;br /&gt;
* This will return a document with two lists.&lt;br /&gt;
** The first is the list of trusts for which the user is the trustor&lt;br /&gt;
** The second is a list of trusts for which the user is the trustee&lt;br /&gt;
&lt;br /&gt;
To enumerate the list of trustees for trusts that the user has created:&lt;br /&gt;
&lt;br /&gt;
* GET /user/&amp;lt;id&amp;gt;/trustees&lt;br /&gt;
* Which will return a list of trustee user ids, each of which is associated with a list of URLS for the associated trusts.&lt;br /&gt;
* This will view active trusts. disabled trusts will require an additional paramater (disabled)&lt;br /&gt;
* Only the trustor will be able to access this URL.  Any other user will get a 403 (Forbidden).&lt;br /&gt;
&lt;br /&gt;
To enumerate the set of trustors that have nominated the user as the trustee:&lt;br /&gt;
&lt;br /&gt;
* GET /user/&amp;lt;id&amp;gt;/trustors&lt;br /&gt;
* Which will return a list of trustor user ids, each of which is associated with a list of URLS for the associated trusts.&lt;br /&gt;
* This will view active trusts. disabled trusts will require an additional paramater (disabled)&lt;br /&gt;
* Only the trustor will be able to access this URL.  Any other user will get a 403 (Forbidden)&lt;br /&gt;
&lt;br /&gt;
=== To view a trust ===&lt;br /&gt;
* GET /trusts/{trustID}&lt;br /&gt;
* This will view active trusts. disabled trusts will require an additional paramater (disabled)&lt;br /&gt;
* Only the trustor or trustee will be able to access this URL.  Any other user will get a 403 (Forbidden).&lt;br /&gt;
&lt;br /&gt;
=== To deactivate a trust ===&lt;br /&gt;
* DELETE /trusts/{trustID}&lt;br /&gt;
* This sets the trust status to disabled.&lt;br /&gt;
* Only the trustor will be able to access this URL.  Any other user will get a 403 (Forbidden).&lt;br /&gt;
&lt;br /&gt;
=== TrustID ===&lt;br /&gt;
The trust id is a blob, and for the first implementation, will be a UUID.  It should be  useless to anyone but the trustor and the trustee.  No other user should be  able to view it.  The user should be able to enumerate her  preauthentications, in order to view, modify, and delete them. /users/preauthentications&lt;br /&gt;
&lt;br /&gt;
== Implementation ==&lt;br /&gt;
Implemented in two phases.&lt;br /&gt;
&lt;br /&gt;
== Token Format Changes ==&lt;br /&gt;
Each token created from a Trust will have two additional fields.&lt;br /&gt;
&lt;br /&gt;
* '''trustee''' field with the userID of the trustee&lt;br /&gt;
* '''trust''' field with the trust ID.&lt;br /&gt;
&lt;br /&gt;
When performing recursive delegation, there needs to be a record of the delegation chain, not least so that  the trustor can understand how the new trustee has been added to the  token.   Thus,  each token will have a '''trusts '''field. This will be a list with the name of each trustee in the chain, ordered from the original trustee to the trustee that requested the token.&lt;br /&gt;
&lt;br /&gt;
Phase 1&lt;br /&gt;
&lt;br /&gt;
# Trusts get implemented today &amp;quot;hard wired&amp;quot; with the attributes that are currently exposed in a token:  (trustor) user, tenant, roles, endpoints.&lt;br /&gt;
# Tokens that get generated from the trusts will look just like normal tokens.  They will have an additional field &amp;quot;trustee&amp;quot;.  This will allow the current consumers of tokens to continue to use a trust token just like they do now.&lt;br /&gt;
&lt;br /&gt;
Phase 2.&lt;br /&gt;
&lt;br /&gt;
# Modify the token architecture to allow arbitrary sets of attributes.&lt;br /&gt;
# Modify the trust architecture to specify arbitrary sets of attributes to be used in a token.&lt;/div&gt;</summary>
		<author><name>Andersonvom</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Gerrit_Workflow&amp;diff=34582</id>
		<title>Gerrit Workflow</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Gerrit_Workflow&amp;diff=34582"/>
				<updated>2013-10-31T20:39:33Z</updated>
		
		<summary type="html">&lt;p&gt;Andersonvom: /* Add dependency */ Fix typo&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
= Gerrit Workflow Quick Reference =&lt;br /&gt;
Use this section as a quick reference for commands that you need to run to begin work in a new repository. Read this entire section before you complete the steps in the workflow for the first time. Then, review this section when you start work on a new [[OpenStack]] project.  For a more complete description of the setup, see [[GerritJenkinsGit]].&lt;br /&gt;
&lt;br /&gt;
[[File:Contribution path.png]]&lt;br /&gt;
&lt;br /&gt;
== Account Setup ==&lt;br /&gt;
You'll need a [https://launchpad.net/+login Launchpad account], since this is how the Web interface for the Gerrit Code Review system will identify you. This is also useful for automatically crediting bug fixes to you when you address them with your code commits.&lt;br /&gt;
&lt;br /&gt;
If you haven't already, [https://www.openstack.org/join/ join The OpenStack Foundation] (it's free and required for all code contributors). Among other privileges, this also allows you to vote in elections and run for elected positions within The OpenStack Project. When signing up for Foundation Membership, make sure to give the same E-mail address you'll use for code contributions, since this will need to match your preferred E-mail address in Gerrit.&lt;br /&gt;
&lt;br /&gt;
Visit https://review.openstack.org/ and click the '''Sign In''' link at the top-right corner of the page.  Log in with your Launchpad ID.&lt;br /&gt;
&lt;br /&gt;
Because Gerrit uses Launchpad OpenID single sign-on, you won't need a separate password for Gerrit, and once you log in to one of Launchpad,  Gerrit, or Jenkins, you won't have to enter your password for the others.&lt;br /&gt;
 &lt;br /&gt;
Unless you are an U.S. Government Employee (see below), [https://review.openstack.org/#/settings/agreements agree to the Individual Contributor License Agreement] and provide contact information. Your full name and E-mail address will be public (since they also appear in project commit logs) and the latter needs to match the user.email in your Git configuration. The other contact information (postal address, phone numbers) will be kept confidential and is only used as a fallback record in the unlikely event The OpenStack Foundation needs to reach you directly over code contribution related matters. This contact information can also be easily [https://review.openstack.org/#/settings/contact updated] later if desired, but make sure the primary E-mail address always matches the one you set for your OpenStack Foundation Membership--otherwise Gerrit will give you an error message and refuse to accept your contact information.&lt;br /&gt;
 &lt;br /&gt;
Employees of the the U.S. Government do not sign the Individual CLA. Instead, someone with authority to sign on behalf of your agency should sign the [[GovernmentCLA|U.S. Government Contributor License Agreement]]. Please contact the OpenStack Foundation to initiate this process.&lt;br /&gt;
 &lt;br /&gt;
If you are '''contributing on behalf of a company''' or organization, you still need to sign the ICLA above but someone at your company or organization also needs to sign the [https://review.openstack.org/#/settings/agreements Corporate Contributor License Agreement] providing a list of people authorized to commit code to OpenStack. Check [[HowToUpdateCorporateCLA|How to update the CCLA]] to provide changes to such list. A list of current companies and organizations with an existing [[Contributors/Corporate|Corporate CLA]] is available for your review.&lt;br /&gt;
&lt;br /&gt;
You'll also want to [https://review.openstack.org/#/settings/ssh-keys upload an SSH key] while you're at it, so that you'll be able to [[GerritWorkflow|commit changes for review]] later.&lt;br /&gt;
&lt;br /&gt;
Ensure that you have run these steps to let git know about your email address:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git config --global user.name &amp;quot;Firstname Lastname&amp;quot;&lt;br /&gt;
git config --global user.email &amp;quot;your_email@youremail.com&amp;quot;&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
To check your git configuration:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git config --list&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Git Review Installation ==&lt;br /&gt;
We recommend using the &amp;quot;git-review&amp;quot; tool which is a git subcommand that handles all the details of working with Gerrit, the code review system used in [[OpenStack]] development.  Before you start work, make sure you have git-review installed on your system.&lt;br /&gt;
&lt;br /&gt;
On Ubuntu, MacOSx, or most other Unix-like systems, it is as simple as:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
pip install git-review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On Ubuntu Precise (12.04) and later, git-review is included in the distribution, so install it as any other package:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
apt-get install git-review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On Fedora 16 and later, git-review is included into the distribution, so install it as any other package:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
yum install git-review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On Fedora 15 and earlier you have to install pip (its package name is `python-pip`), then install git-review using pip in a conventional way.&lt;br /&gt;
&lt;br /&gt;
On Red Hat Enterprise Linux, you must first enable the [http://fedoraproject.org/wiki/EPEL EPEL] repository, then install it as any other package:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
yum install git-review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On openSUSE 12.2 and later, git-review is included in the distribution under the name python-git-review, so install it as any other package:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
zypper in python-git-review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
All of git-review's interactions with gerrit are sequences of normal git commands. If you want to know more about what it's doing, just add -v to the options and it will print out all of the commands it's running.&lt;br /&gt;
&lt;br /&gt;
== Project Setup ==&lt;br /&gt;
Clone a project in the usual way, for example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git clone git://git.openstack.org/openstack/nova.git&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
You may want to ask git-review to configure your project to know about Gerrit at this point.  If you don't, it will do so the first time you submit a change for review, but you probably want to do this ahead of time so the Gerrit Change-Id commit hook gets installed.  To do so (again, using Nova as an example):&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
cd nova&lt;br /&gt;
git review -s&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Git-review checks that you can log in to gerrit with your ssh key. It assumes that your gerrit/launchpad user name is the same as the current running user.  If that doesn't work, it asks for your gerrit/launchpad user name. If you don't remember the user name go to the [https://review.openstack.org/#/settings/ settings page on gerrit] to check it out (it's not your email address).&lt;br /&gt;
&lt;br /&gt;
Note that you can verify the SSH host keys for review.openstack.org here: https://review.openstack.org/#/settings/ssh-keys&lt;br /&gt;
&lt;br /&gt;
If you get the error &amp;quot;We don't know where your gerrit is.&amp;quot;, you will need to add a new git remote. The url should be in the error message. Copy that and create the new remote.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git remote add gerrit ssh://&amp;lt;username&amp;gt;@review.openstack.org:29418/openstack/nova.git&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In the project directory, you have a `.git` hidden directory and a `.gitreview` hidden file. You can see them with:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
ls -la&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Normal Workflow ==&lt;br /&gt;
Once your local repository is set up as above, you must use the following workflow.&lt;br /&gt;
&lt;br /&gt;
Make sure you have the latest upstream changes:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git remote update&lt;br /&gt;
git checkout master&lt;br /&gt;
git pull --ff-only origin master&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Create a [http://progit.org/book/ch3-4.html topic branch] to hold your work and switch to it.  If you are working on a blueprint, name your topic branch '''bp/BLUEPRINT''' where BLUEPRINT is the name of a blueprint in launchpad (for example, &amp;quot;bp/authentication&amp;quot;).  The general convention when working on bugs is to name the branch '''bug/BUG-NUMBER''' (for example, &amp;quot;bug/1234567&amp;quot;). Otherwise, give it a meaningful name because it will show up as the topic for your change in Gerrit.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git checkout -b TOPIC-BRANCH&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
To generate documentation artifacts, navigate to the directory where the pom.xml file is located for the project and run the following command:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
mvn clean generate-sources&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
For complete information about generating documentation artifacts, see &amp;quot;Build Output Locally&amp;quot; on the https://wiki.openstack.org/wiki/Documentation/HowTo page.&lt;br /&gt;
&lt;br /&gt;
=== Committing Changes ===&lt;br /&gt;
[[GitCommitMessages|Git commit messages]] should start with a short 50 character or less summary in a single paragraph.  The following paragraph(s) should explain the change in more detail.&lt;br /&gt;
&lt;br /&gt;
If your changes addresses a blueprint or a bug, be sure to mention them in the commit message using the following syntax:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
Implements: blueprint BLUEPRINT&lt;br /&gt;
Closes-Bug: ####### (Partial-Bug or Related-Bug are options)&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
Adds keystone support&lt;br /&gt;
&lt;br /&gt;
...Long multiline description of the change...&lt;br /&gt;
&lt;br /&gt;
Implements: blueprint authentication&lt;br /&gt;
Closes-Bug: #123456&lt;br /&gt;
Change-Id: I4946a16d27f712ae2adf8441ce78e6c0bb0bb657&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Note that in most cases the Change-Id line should be automatically added by a Gerrit commit hook that you will want to install.  See [[Gerrit_Workflow#Project_Setup|Project Setup]] for details on configuring your project for Gerrit.  If you already made the commit and the Change-Id was not added, do the Gerrit setup step and run:&lt;br /&gt;
&amp;lt;pre&amp;gt;git commit --amend&amp;lt;/pre&amp;gt;&lt;br /&gt;
The commit hook will automatically add the Change-Id when you finish amending the commit message, even if you don't actually make any changes.&lt;br /&gt;
&lt;br /&gt;
Make your changes, commit them, and submit them for review:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git commit -a&lt;br /&gt;
git review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''Caution: Do not check in changes on your master branch.  Doing so will cause merge commits when you pull new upstream changes, and merge commits will not be accepted by Gerrit.&lt;br /&gt;
&lt;br /&gt;
Prior to checking in make sure that you run &amp;quot;[http://testrun.org/tox/latest/ tox]&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
=== Review ===&lt;br /&gt;
Once the code is committed, it appears at https://review.openstack.org. Please refer http://wiki.openstack.org/GerritJenkinsGit for more information. If the link corresponding to your code is clicked, it shows the status and other information. Automatic testing occurs and the results are displayed. Reviewers comment in the comment box or in the code itself.&lt;br /&gt;
&lt;br /&gt;
If someone leaves an in-line comment, you can see it from expanded &amp;quot;Patch Set.&amp;quot; &amp;quot;Comments&amp;quot; column shows how many comments are in each file. If you click a file name that has comments, the new page shows a diff page with the reviewer's name and comments. Click &amp;quot;Reply&amp;quot; and write your response. It is saved as a draft if you click &amp;quot;Save.&amp;quot; Now, go back to the page that shows a list of patch sets and click &amp;quot;Review,&amp;quot; and then, click &amp;quot;Publish comments.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
If your code is not ready for review, click &amp;quot;Work in Progress&amp;quot; to indicate that a reviewer does not need to review it for now. Note that the button is invisible until you login the site. &lt;br /&gt;
&lt;br /&gt;
More on what happens next is described on [[GerritJenkinsGit#Reviewing_a_Change]].&lt;br /&gt;
&lt;br /&gt;
=== Drafts ===&lt;br /&gt;
A change can be submitted as a draft if, for example, it's not ready for merging, or even general code review, but you would like to share it selectively to get early comments.  If you upload a change as a draft, by default, no one else can see it.  You must explicitly add each person you would like to share it with as a reviewer.  Reviewers you add can leave comments, but cannot vote at this stage.  You can continue to upload new patchsets to the change as it evolves, and once it is ready for general review, you can click the &amp;quot;Publish&amp;quot; button.  It becomes a normal change in Gerrit that everyone can see, including the earlier reviews from the draft stage.  This is a one way transition; once a draft is published, it can't be made a draft again.&lt;br /&gt;
&lt;br /&gt;
A draft change is uploaded by adding the &amp;quot;-D&amp;quot; option. Simply make changes, commit them, and submit them as a draft:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git commit -a&lt;br /&gt;
git review -D&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''Caution: Earlier versions (prior to 1.16) of git-review may also have the &amp;quot;-D&amp;quot; option, but the git ref that Gerrit uses to indicate a change should be a draft was changed; so if using &amp;quot;-D&amp;quot; results in an error, you may need to upgrade to latest.'''&lt;br /&gt;
&lt;br /&gt;
=== Long-lived Topic Branches ===&lt;br /&gt;
If you are working on a larger project, you may be working on your topic branch for a while.  In that case, you may want to check in your changes frequently during development and you must rebase your change to the current state of the master repository before submitting it for code review.  In these situations you should prepare your change carefully before submitting it.&lt;br /&gt;
&lt;br /&gt;
If the master repository has changed since you started, you should rebase your changes to the current state.  And if you have made many small commits, you should squash them so that they do not show up in the public repository.  Remember: each commit becomes a change in Gerrit, and must be approved separately.  If you are making one &amp;quot;change&amp;quot; to the project, squash your many &amp;quot;checkpoint&amp;quot; commits into one commit for public consumption.  Here's how:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git checkout master&lt;br /&gt;
git pull origin master&lt;br /&gt;
git checkout TOPIC-BRANCH&lt;br /&gt;
git rebase -i master&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Use the editor to squash any commits that should not appear in the public history.  If you want one change to be submitted to Gerrit, you should only have one &amp;quot;pick&amp;quot; line at the end of this process.  After completing this, you can prepare your public commit message(s) in your editor.  You start with the commit message from the commit that you picked, and it should have a Change-Id line in the message.  Be sure to leave that Change-Id line in place when editing.&lt;br /&gt;
&lt;br /&gt;
Once the commit history in your branch looks correct, run '''git review''' to submit your changes to Gerrit.&lt;br /&gt;
&lt;br /&gt;
=== Updating a Change ===&lt;br /&gt;
If the code review process suggests additional changes, make and amend the changes to the the existing commit. Leave the existing Change-Id: footer in the commit message as-is. Gerrit knows that this is an updated patch for an existing change:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git commit -a --amend&lt;br /&gt;
git review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Add dependency ===&lt;br /&gt;
When you want to start new work that is based on the commit under the review, you can add the commit as a dependency.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
#fetch change under review and check out branch based on that change.&lt;br /&gt;
git review -d $PARENT_CHANGE_NUMBER&lt;br /&gt;
git checkout -b $DEV_TOPIC_BRANCH&lt;br /&gt;
# Edit files, add files to git&lt;br /&gt;
git commit &lt;br /&gt;
git review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* '''NOTE:''' git review rebases the existing change (the dependency) and the new commit if there is a conflict against the branch they are being proposed to. Typically this is desired behavior as merging cannot happen until these conflicts are resolved. If you don't want to deal with new patchsets in the existing change immediately you can pass the -R option to git review in the last step above to prevent rebasing. This requires future rebasing to resolve conflicts.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
If the commit your work depends on is updated, and you need to get the latest patch from the depended commit, you can do the following.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
# fetch and checkout the parent change&lt;br /&gt;
git review -d $PARENT_CHANGE_NUMBER&lt;br /&gt;
# Note the branch created by git review. Should be review/$USER/$PARENT_CHANGE_ID or similar.&lt;br /&gt;
# Checkout existing development topic branch for the child commit.&lt;br /&gt;
git checkout $DEV_TOPIC_BRANCH&lt;br /&gt;
# Rebase onto updated parent branch to create a dependency on the latest version of that change.&lt;br /&gt;
git rebase -i review/$USER/$PARENT_CHANGE #This is the branch created by git review that was noted earlier.&lt;br /&gt;
# Do the revisions&lt;br /&gt;
git commit -a --amend&lt;br /&gt;
# submit for review&lt;br /&gt;
git review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The note for the previous example applies here as well. Typically you want the rebase behavior in git review. If you would rather postpone resolving merge conflicts you can use git review -R as the last step above.&lt;/div&gt;</summary>
		<author><name>Andersonvom</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Gerrit_Workflow&amp;diff=34581</id>
		<title>Gerrit Workflow</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Gerrit_Workflow&amp;diff=34581"/>
				<updated>2013-10-31T20:34:32Z</updated>
		
		<summary type="html">&lt;p&gt;Andersonvom: Fix git commit message example&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
= Gerrit Workflow Quick Reference =&lt;br /&gt;
Use this section as a quick reference for commands that you need to run to begin work in a new repository. Read this entire section before you complete the steps in the workflow for the first time. Then, review this section when you start work on a new [[OpenStack]] project.  For a more complete description of the setup, see [[GerritJenkinsGit]].&lt;br /&gt;
&lt;br /&gt;
[[File:Contribution path.png]]&lt;br /&gt;
&lt;br /&gt;
== Account Setup ==&lt;br /&gt;
You'll need a [https://launchpad.net/+login Launchpad account], since this is how the Web interface for the Gerrit Code Review system will identify you. This is also useful for automatically crediting bug fixes to you when you address them with your code commits.&lt;br /&gt;
&lt;br /&gt;
If you haven't already, [https://www.openstack.org/join/ join The OpenStack Foundation] (it's free and required for all code contributors). Among other privileges, this also allows you to vote in elections and run for elected positions within The OpenStack Project. When signing up for Foundation Membership, make sure to give the same E-mail address you'll use for code contributions, since this will need to match your preferred E-mail address in Gerrit.&lt;br /&gt;
&lt;br /&gt;
Visit https://review.openstack.org/ and click the '''Sign In''' link at the top-right corner of the page.  Log in with your Launchpad ID.&lt;br /&gt;
&lt;br /&gt;
Because Gerrit uses Launchpad OpenID single sign-on, you won't need a separate password for Gerrit, and once you log in to one of Launchpad,  Gerrit, or Jenkins, you won't have to enter your password for the others.&lt;br /&gt;
 &lt;br /&gt;
Unless you are an U.S. Government Employee (see below), [https://review.openstack.org/#/settings/agreements agree to the Individual Contributor License Agreement] and provide contact information. Your full name and E-mail address will be public (since they also appear in project commit logs) and the latter needs to match the user.email in your Git configuration. The other contact information (postal address, phone numbers) will be kept confidential and is only used as a fallback record in the unlikely event The OpenStack Foundation needs to reach you directly over code contribution related matters. This contact information can also be easily [https://review.openstack.org/#/settings/contact updated] later if desired, but make sure the primary E-mail address always matches the one you set for your OpenStack Foundation Membership--otherwise Gerrit will give you an error message and refuse to accept your contact information.&lt;br /&gt;
 &lt;br /&gt;
Employees of the the U.S. Government do not sign the Individual CLA. Instead, someone with authority to sign on behalf of your agency should sign the [[GovernmentCLA|U.S. Government Contributor License Agreement]]. Please contact the OpenStack Foundation to initiate this process.&lt;br /&gt;
 &lt;br /&gt;
If you are '''contributing on behalf of a company''' or organization, you still need to sign the ICLA above but someone at your company or organization also needs to sign the [https://review.openstack.org/#/settings/agreements Corporate Contributor License Agreement] providing a list of people authorized to commit code to OpenStack. Check [[HowToUpdateCorporateCLA|How to update the CCLA]] to provide changes to such list. A list of current companies and organizations with an existing [[Contributors/Corporate|Corporate CLA]] is available for your review.&lt;br /&gt;
&lt;br /&gt;
You'll also want to [https://review.openstack.org/#/settings/ssh-keys upload an SSH key] while you're at it, so that you'll be able to [[GerritWorkflow|commit changes for review]] later.&lt;br /&gt;
&lt;br /&gt;
Ensure that you have run these steps to let git know about your email address:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git config --global user.name &amp;quot;Firstname Lastname&amp;quot;&lt;br /&gt;
git config --global user.email &amp;quot;your_email@youremail.com&amp;quot;&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
To check your git configuration:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git config --list&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Git Review Installation ==&lt;br /&gt;
We recommend using the &amp;quot;git-review&amp;quot; tool which is a git subcommand that handles all the details of working with Gerrit, the code review system used in [[OpenStack]] development.  Before you start work, make sure you have git-review installed on your system.&lt;br /&gt;
&lt;br /&gt;
On Ubuntu, MacOSx, or most other Unix-like systems, it is as simple as:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
pip install git-review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On Ubuntu Precise (12.04) and later, git-review is included in the distribution, so install it as any other package:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
apt-get install git-review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On Fedora 16 and later, git-review is included into the distribution, so install it as any other package:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
yum install git-review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On Fedora 15 and earlier you have to install pip (its package name is `python-pip`), then install git-review using pip in a conventional way.&lt;br /&gt;
&lt;br /&gt;
On Red Hat Enterprise Linux, you must first enable the [http://fedoraproject.org/wiki/EPEL EPEL] repository, then install it as any other package:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
yum install git-review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On openSUSE 12.2 and later, git-review is included in the distribution under the name python-git-review, so install it as any other package:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
zypper in python-git-review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
All of git-review's interactions with gerrit are sequences of normal git commands. If you want to know more about what it's doing, just add -v to the options and it will print out all of the commands it's running.&lt;br /&gt;
&lt;br /&gt;
== Project Setup ==&lt;br /&gt;
Clone a project in the usual way, for example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git clone git://git.openstack.org/openstack/nova.git&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
You may want to ask git-review to configure your project to know about Gerrit at this point.  If you don't, it will do so the first time you submit a change for review, but you probably want to do this ahead of time so the Gerrit Change-Id commit hook gets installed.  To do so (again, using Nova as an example):&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
cd nova&lt;br /&gt;
git review -s&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Git-review checks that you can log in to gerrit with your ssh key. It assumes that your gerrit/launchpad user name is the same as the current running user.  If that doesn't work, it asks for your gerrit/launchpad user name. If you don't remember the user name go to the [https://review.openstack.org/#/settings/ settings page on gerrit] to check it out (it's not your email address).&lt;br /&gt;
&lt;br /&gt;
Note that you can verify the SSH host keys for review.openstack.org here: https://review.openstack.org/#/settings/ssh-keys&lt;br /&gt;
&lt;br /&gt;
If you get the error &amp;quot;We don't know where your gerrit is.&amp;quot;, you will need to add a new git remote. The url should be in the error message. Copy that and create the new remote.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git remote add gerrit ssh://&amp;lt;username&amp;gt;@review.openstack.org:29418/openstack/nova.git&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In the project directory, you have a `.git` hidden directory and a `.gitreview` hidden file. You can see them with:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
ls -la&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Normal Workflow ==&lt;br /&gt;
Once your local repository is set up as above, you must use the following workflow.&lt;br /&gt;
&lt;br /&gt;
Make sure you have the latest upstream changes:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git remote update&lt;br /&gt;
git checkout master&lt;br /&gt;
git pull --ff-only origin master&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Create a [http://progit.org/book/ch3-4.html topic branch] to hold your work and switch to it.  If you are working on a blueprint, name your topic branch '''bp/BLUEPRINT''' where BLUEPRINT is the name of a blueprint in launchpad (for example, &amp;quot;bp/authentication&amp;quot;).  The general convention when working on bugs is to name the branch '''bug/BUG-NUMBER''' (for example, &amp;quot;bug/1234567&amp;quot;). Otherwise, give it a meaningful name because it will show up as the topic for your change in Gerrit.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git checkout -b TOPIC-BRANCH&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
To generate documentation artifacts, navigate to the directory where the pom.xml file is located for the project and run the following command:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
mvn clean generate-sources&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
For complete information about generating documentation artifacts, see &amp;quot;Build Output Locally&amp;quot; on the https://wiki.openstack.org/wiki/Documentation/HowTo page.&lt;br /&gt;
&lt;br /&gt;
=== Committing Changes ===&lt;br /&gt;
[[GitCommitMessages|Git commit messages]] should start with a short 50 character or less summary in a single paragraph.  The following paragraph(s) should explain the change in more detail.&lt;br /&gt;
&lt;br /&gt;
If your changes addresses a blueprint or a bug, be sure to mention them in the commit message using the following syntax:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
Implements: blueprint BLUEPRINT&lt;br /&gt;
Closes-Bug: ####### (Partial-Bug or Related-Bug are options)&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
Adds keystone support&lt;br /&gt;
&lt;br /&gt;
...Long multiline description of the change...&lt;br /&gt;
&lt;br /&gt;
Implements: blueprint authentication&lt;br /&gt;
Closes-Bug: #123456&lt;br /&gt;
Change-Id: I4946a16d27f712ae2adf8441ce78e6c0bb0bb657&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Note that in most cases the Change-Id line should be automatically added by a Gerrit commit hook that you will want to install.  See [[Gerrit_Workflow#Project_Setup|Project Setup]] for details on configuring your project for Gerrit.  If you already made the commit and the Change-Id was not added, do the Gerrit setup step and run:&lt;br /&gt;
&amp;lt;pre&amp;gt;git commit --amend&amp;lt;/pre&amp;gt;&lt;br /&gt;
The commit hook will automatically add the Change-Id when you finish amending the commit message, even if you don't actually make any changes.&lt;br /&gt;
&lt;br /&gt;
Make your changes, commit them, and submit them for review:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git commit -a&lt;br /&gt;
git review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''Caution: Do not check in changes on your master branch.  Doing so will cause merge commits when you pull new upstream changes, and merge commits will not be accepted by Gerrit.&lt;br /&gt;
&lt;br /&gt;
Prior to checking in make sure that you run &amp;quot;[http://testrun.org/tox/latest/ tox]&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
=== Review ===&lt;br /&gt;
Once the code is committed, it appears at https://review.openstack.org. Please refer http://wiki.openstack.org/GerritJenkinsGit for more information. If the link corresponding to your code is clicked, it shows the status and other information. Automatic testing occurs and the results are displayed. Reviewers comment in the comment box or in the code itself.&lt;br /&gt;
&lt;br /&gt;
If someone leaves an in-line comment, you can see it from expanded &amp;quot;Patch Set.&amp;quot; &amp;quot;Comments&amp;quot; column shows how many comments are in each file. If you click a file name that has comments, the new page shows a diff page with the reviewer's name and comments. Click &amp;quot;Reply&amp;quot; and write your response. It is saved as a draft if you click &amp;quot;Save.&amp;quot; Now, go back to the page that shows a list of patch sets and click &amp;quot;Review,&amp;quot; and then, click &amp;quot;Publish comments.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
If your code is not ready for review, click &amp;quot;Work in Progress&amp;quot; to indicate that a reviewer does not need to review it for now. Note that the button is invisible until you login the site. &lt;br /&gt;
&lt;br /&gt;
More on what happens next is described on [[GerritJenkinsGit#Reviewing_a_Change]].&lt;br /&gt;
&lt;br /&gt;
=== Drafts ===&lt;br /&gt;
A change can be submitted as a draft if, for example, it's not ready for merging, or even general code review, but you would like to share it selectively to get early comments.  If you upload a change as a draft, by default, no one else can see it.  You must explicitly add each person you would like to share it with as a reviewer.  Reviewers you add can leave comments, but cannot vote at this stage.  You can continue to upload new patchsets to the change as it evolves, and once it is ready for general review, you can click the &amp;quot;Publish&amp;quot; button.  It becomes a normal change in Gerrit that everyone can see, including the earlier reviews from the draft stage.  This is a one way transition; once a draft is published, it can't be made a draft again.&lt;br /&gt;
&lt;br /&gt;
A draft change is uploaded by adding the &amp;quot;-D&amp;quot; option. Simply make changes, commit them, and submit them as a draft:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git commit -a&lt;br /&gt;
git review -D&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''Caution: Earlier versions (prior to 1.16) of git-review may also have the &amp;quot;-D&amp;quot; option, but the git ref that Gerrit uses to indicate a change should be a draft was changed; so if using &amp;quot;-D&amp;quot; results in an error, you may need to upgrade to latest.'''&lt;br /&gt;
&lt;br /&gt;
=== Long-lived Topic Branches ===&lt;br /&gt;
If you are working on a larger project, you may be working on your topic branch for a while.  In that case, you may want to check in your changes frequently during development and you must rebase your change to the current state of the master repository before submitting it for code review.  In these situations you should prepare your change carefully before submitting it.&lt;br /&gt;
&lt;br /&gt;
If the master repository has changed since you started, you should rebase your changes to the current state.  And if you have made many small commits, you should squash them so that they do not show up in the public repository.  Remember: each commit becomes a change in Gerrit, and must be approved separately.  If you are making one &amp;quot;change&amp;quot; to the project, squash your many &amp;quot;checkpoint&amp;quot; commits into one commit for public consumption.  Here's how:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git checkout master&lt;br /&gt;
git pull origin master&lt;br /&gt;
git checkout TOPIC-BRANCH&lt;br /&gt;
git rebase -i master&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Use the editor to squash any commits that should not appear in the public history.  If you want one change to be submitted to Gerrit, you should only have one &amp;quot;pick&amp;quot; line at the end of this process.  After completing this, you can prepare your public commit message(s) in your editor.  You start with the commit message from the commit that you picked, and it should have a Change-Id line in the message.  Be sure to leave that Change-Id line in place when editing.&lt;br /&gt;
&lt;br /&gt;
Once the commit history in your branch looks correct, run '''git review''' to submit your changes to Gerrit.&lt;br /&gt;
&lt;br /&gt;
=== Updating a Change ===&lt;br /&gt;
If the code review process suggests additional changes, make and amend the changes to the the existing commit. Leave the existing Change-Id: footer in the commit message as-is. Gerrit knows that this is an updated patch for an existing change:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
git commit -a --amend&lt;br /&gt;
git review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Add dependency ===&lt;br /&gt;
When you want to start new work that is based on the commit under the review, you can add the commit as a dependency.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
#fetch change under review and check out branch based on that change.&lt;br /&gt;
git review -d $PARENT_CHANGE_NUMBER&lt;br /&gt;
git checkout -b $DEV_TOPIC_BRANCH&lt;br /&gt;
# Edit files, add files to git&lt;br /&gt;
git commit &lt;br /&gt;
git review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* NOTE* git review rebases the existing change (the dependency) and the new commit if there is a conflict against the branch they are being proposed to. Typically this is desired behavior as merging cannot happen until these conflicts are resolved. If you don't want to deal with new patchsets in the existing change immediately you can pass the -R option to git review in the last step above to prevent rebasing. This requires future rebasing to resolve conflicts.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
If the commit your work depends on is updated, and you need to get the latest patch from the depended commit, you can do the following.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;&lt;br /&gt;
# fetch and checkout the parent change&lt;br /&gt;
git review -d $PARENT_CHANGE_NUMBER&lt;br /&gt;
# Note the branch created by git review. Should be review/$USER/$PARENT_CHANGE_ID or similar.&lt;br /&gt;
# Checkout existing development topic branch for the child commit.&lt;br /&gt;
git checkout $DEV_TOPIC_BRANCH&lt;br /&gt;
# Rebase onto updated parent branch to create a dependency on the latest version of that change.&lt;br /&gt;
git rebase -i review/$USER/$PARENT_CHANGE #This is the branch created by git review that was noted earlier.&lt;br /&gt;
# Do the revisions&lt;br /&gt;
git commit -a --amend&lt;br /&gt;
# submit for review&lt;br /&gt;
git review&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The note for the previous example applies here as well. Typically you want the rebase behavior in git review. If you would rather postpone resolving merge conflicts you can use git review -R as the last step above.&lt;/div&gt;</summary>
		<author><name>Andersonvom</name></author>	</entry>

	</feed>