Wednesday, 2017-09-06

*** harlowja has joined #openstack-glance [00:03]
*** harlowja has quit IRC [00:09]
*** harlowja has joined #openstack-glance [00:14]
*** lin_yang has joined #openstack-glance [00:40]
*** zhurong has joined #openstack-glance [00:53]
*** harlowja has quit IRC [00:57]
*** harlowja has joined #openstack-glance [01:01]
*** nicolasbock has quit IRC [01:06]
*** nicolasbock has joined #openstack-glance [01:21]
*** markvoelker has joined #openstack-glance [01:43]
*** markvoelker has quit IRC [02:18]
*** zhurong has quit IRC [02:58]
*** markvoelker has joined #openstack-glance [03:15]
*** nicolasbock has quit IRC [03:20]
*** links has joined #openstack-glance [03:28]
<wxy> rosmaita: Can I add the new PTG topic now? Is it closed already? [03:44]
*** udesale has joined #openstack-glance [03:46]
*** markvoelker has quit IRC [03:48]
*** adisky__ has quit IRC [03:55]
*** gyee has quit IRC [04:00]
*** zhurong has joined #openstack-glance [04:09]
*** gcb has quit IRC [04:19]
*** trungnv has quit IRC [04:19]
*** gcb has joined #openstack-glance [04:21]
<rosmaita> wxy: not too late, go ahead and add to the etherpad [04:25]
<rosmaita> https://etherpad.openstack.org/p/glance-queens-ptg-planning [04:26]
*** rosmaita has quit IRC [04:27]
*** aavraham has joined #openstack-glance [04:29]
*** trungnv has joined #openstack-glance [04:37]
*** trungnv has quit IRC [04:37]
*** markvoelker has joined #openstack-glance [04:45]
*** tshefi has quit IRC [05:16]
*** markvoelker has quit IRC [05:18]
*** pcaruana has joined #openstack-glance [05:27]
*** ratailor has joined #openstack-glance [05:41]
*** mosulica has joined #openstack-glance [05:52]
*** udesale__ has joined #openstack-glance [05:53]
*** groen692 has joined #openstack-glance [05:55]
*** udesale has quit IRC [05:56]
*** pdeore has joined #openstack-glance [06:00]
*** mosulica has quit IRC [06:06]
*** e0ne has joined #openstack-glance [06:28]
*** udesale__ has quit IRC [06:28]
*** links has quit IRC [06:29]
*** ratailor has quit IRC [06:29]
*** pdeore has quit IRC [06:29]
*** adisky__ has joined #openstack-glance [06:38]
*** udesale has joined #openstack-glance [06:55]
*** pdeore has joined #openstack-glance [06:55]
*** links has joined #openstack-glance [06:55]
*** ratailor has joined #openstack-glance [06:55]
*** rcernin has joined #openstack-glance [06:57]
*** e0ne has quit IRC [06:57]
*** udesale__ has joined #openstack-glance [06:57]
*** udesale__ has quit IRC [06:58]
*** udesale__ has joined #openstack-glance [06:59]
*** udesale has quit IRC [07:00]
*** mosulica has joined #openstack-glance [07:06]
*** udesale__ has quit IRC [07:09]
*** udesale__ has joined #openstack-glance [07:10]
*** udesale__ has quit IRC [07:15]
*** udesale has joined #openstack-glance [07:15]
*** markvoelker has joined #openstack-glance [07:15]
*** mosulica has quit IRC [07:20]
*** tesseract has joined #openstack-glance [07:30]
<openstackgerrit> yanghuichan proposed openstack/glance_store master: Fix wrong links  in glance_store  https://review.openstack.org/501134 [07:41]
*** markvoelker has quit IRC [07:49]
*** hoonetorg has quit IRC [07:58]
*** udesale has quit IRC [07:58]
*** udesale has joined #openstack-glance [07:59]
*** abhishekk has joined #openstack-glance [08:08]
*** hoonetorg has joined #openstack-glance [08:15]
*** gcb has quit IRC [08:23]
*** tshefi has joined #openstack-glance [08:46]
*** markvoelker has joined #openstack-glance [08:46]
*** pdeore has quit IRC [08:54]
*** e0ne has joined #openstack-glance [09:03]
*** dalgaaf has quit IRC [09:07]
*** dalgaaf has joined #openstack-glance [09:10]
*** bmwiedemann2 has joined #openstack-glance [09:14]
<bmwiedemann2> Hi, is there anything I can do to get my 1-line bugfix reviewed? https://review.openstack.org/499592 [09:14]
*** openstackgerrit has quit IRC [09:18]
*** markvoelker has quit IRC [09:19]
*** adisky__ has quit IRC [09:32]
*** amrith has quit IRC [10:02]
*** nicolasbock has joined #openstack-glance [10:02]
*** nicolasbock has quit IRC [10:07]
*** amrith has joined #openstack-glance [10:12]
*** amrith is now known as Guest57559 [10:12]
*** Guest57559 is now known as amrith [10:12]
*** markvoelker has joined #openstack-glance [10:17]
*** nicolasbock has joined #openstack-glance [10:36]
*** gaurangt has quit IRC [10:48]
*** markvoelker has quit IRC [10:49]
*** udesale has quit IRC [10:50]
*** gaurangt has joined #openstack-glance [10:52]
*** zhurong has quit IRC [10:54]
*** nicolasbock has quit IRC [11:07]
*** nicolasbock has joined #openstack-glance [11:09]
*** ratailor has quit IRC [11:20]
*** links has quit IRC [11:20]
*** rosmaita has joined #openstack-glance [11:26]
*** ratailor has joined #openstack-glance [11:31]
*** links has joined #openstack-glance [11:32]
*** nicolasbock has quit IRC [11:40]
*** markvoelker has joined #openstack-glance [11:46]
*** smatzek has joined #openstack-glance [11:47]
*** smatzek has quit IRC [11:49]
*** smatzek has joined #openstack-glance [11:49]
*** kristaps_ has quit IRC [11:49]
*** nicolasbock has joined #openstack-glance [11:52]
*** gcb has joined #openstack-glance [12:05]
*** tshefi has quit IRC [12:06]
*** udesale has joined #openstack-glance [12:07]
*** kavitha has quit IRC [12:13]
*** markvoelker has quit IRC [12:20]
*** ratailor has quit IRC [12:20]
*** markvoelker has joined #openstack-glance [12:28]
*** udesale has quit IRC [12:56]
*** adisky__ has joined #openstack-glance [13:07]
*** takedakn has joined #openstack-glance [13:10]
*** lucasxu has joined #openstack-glance [13:10]
*** aavraham has left #openstack-glance [13:12]
*** smatzek has quit IRC [13:16]
<jokke_> rosmaita: around? [13:20]
<rosmaita> yep [13:28]
<rosmaita> jokke_: good morning/afternoon [13:28]
*** catintheroof has joined #openstack-glance [13:29]
*** thegreenhundred has joined #openstack-glance [13:30]
<jokke_> hey [13:43]
<jokke_> quick question ... do we really need to set the tasks work dir to use the IIR? (reviewing the admin doc change) [13:44]
<rosmaita> good question [13:50]
<rosmaita> maybe not [13:50]
<rosmaita> but, it doesn't hurt to have it set [13:51]
<rosmaita> i'm not sure whether the current code checks up front when the task is created that the work_dir is writable or not [13:52]
*** bmwiedemann2 has left #openstack-glance [13:52]
<jokke_> yeah, that's kind of what I'm worried about. If it's necessary to get the task running, we need to open a bug for that [13:54]
<rosmaita> gimme a sec, i have an ocata devstack with IIR working somewhere that i can fire up and see [13:55]
*** d0ugal has quit IRC [13:55]
<jokke_> that would be gr8 [13:55]
<rosmaita> thanks for your ML reply about https://bugs.launchpad.net/glance/+bug/1714416 [13:56]
<openstack> Launchpad bug 1714416 in neutron "Incorrect response returned for invalid Accept header" [Undecided,New] [13:56]
<rosmaita> i marked it "invalid" for Glance [13:56]
<jokke_> goodie [13:58]
<rosmaita> ok, you're right, work_dir is not required [14:02]
<rosmaita> jokke_ ^^ [14:03]
<jokke_> phew [14:04]
<jokke_> I was worried [14:04]
<jokke_> because it would have been horrible if we demanded to configure 2 paths just to enable simple image upload [14:04]
* jokke_ did not fuck this up :P [14:05]
<rosmaita> :) [14:05]
<rosmaita> i was so focused on getting the tasks to run that i didn't notice the extra config! [14:05]
*** abhishekk has quit IRC [14:07]
*** mfedosin has quit IRC [14:08]
<jokke_> No worries. I'm glad it works ... just put a comment on the doc change. Otherwise looks good [14:09]
*** mfedosin has joined #openstack-glance [14:09]
<rosmaita> i may have spoken too soon ... i just got the old import task to succeed with the default work_dir (which doesn't exist) [14:09]
<jokke_> I'm pretty sure the IIR code path does not use work_dir anywhere [14:11]
<jokke_> I was more worried that we actually fail the task by checking if the dir is not set [14:11]
<rosmaita> 2017-09-06 10:10:52.930 DEBUG glance.common.config [-] task.work_dir                  = None [14:13]
<rosmaita> this must be another of those "sample" values that looks like a default value [14:13]
<rosmaita> but actually isn't [14:13]
*** d0ugal has joined #openstack-glance [14:16]
*** takedakn has quit IRC [14:17]
<rosmaita> ok, old import fails with workdir = /workdir, but IIR succeeds [14:17]
<jokke_> yeah, would expect the old to fail if there's no work_dir [14:18]
*** smatzek has joined #openstack-glance [14:19]
*** links has quit IRC [14:31]
*** openstackgerrit has joined #openstack-glance [14:34]
<openstackgerrit> Merged openstack/glance_store master: Updated from global requirements  https://review.openstack.org/500278 [14:34]
*** efried_zzz is now known as efried [15:01]
*** aavraham has joined #openstack-glance [15:05]
*** amorin has joined #openstack-glance [15:27]
<amorin> hello everybody [15:28]
*** amrith has quit IRC [15:28]
*** amrith has joined #openstack-glance [15:28]
*** amrith is now known as Guest55601 [15:28]
<amorin> quick question for glance masters: is glance swift store able to manage swiftclient threads? [15:29]
<amorin> I see nothing in code related to that [15:29]
*** aavraham has quit IRC [15:37]
*** aavraham has joined #openstack-glance [15:39]
*** gyee has joined #openstack-glance [15:55]
*** groen692 has quit IRC [15:56]
*** lucasxu has quit IRC [16:00]
*** rosmaita has quit IRC [16:12]
*** aavraham has quit IRC [16:40]
*** lucasxu has joined #openstack-glance [16:47]
*** e0ne has quit IRC [17:01]
*** rcernin has quit IRC [17:02]
*** harlowja has quit IRC [17:07]
*** harlowja has joined #openstack-glance [17:07]
*** rosmaita has joined #openstack-glance [17:24]
<openstackgerrit> Lance Bragstad proposed openstack/glance master: Move base policies into code  https://review.openstack.org/501360 [17:27]
*** lbragstad has joined #openstack-glance [17:27]
*** adisky__ has quit IRC [17:32]
*** Guest55601 is now known as amrith [17:52]
*** nicolasbock has quit IRC [17:53]
*** harlowja has quit IRC [18:02]
*** tesseract has quit IRC [18:31]
*** catinthe_ has joined #openstack-glance [19:04]
*** catintheroof has quit IRC [19:06]
*** catintheroof has joined #openstack-glance [19:06]
*** e0ne has joined #openstack-glance [19:08]
*** catinthe_ has quit IRC [19:10]
*** rosmaita has quit IRC [19:12]
*** rosmaita has joined #openstack-glance [19:14]
<openstackgerrit> Brian Rosmaita proposed openstack/glance master: Add image import docs to admin guide  https://review.openstack.org/498138 [19:23]
*** pcaruana has quit IRC [19:34]
*** lbragstad has quit IRC [19:43]
*** kuzko has quit IRC [19:48]
*** kuzko has joined #openstack-glance [19:50]
*** smatzek has quit IRC [20:29]
*** e0ne has quit IRC [20:38]
*** lucasxu has quit IRC [20:42]
*** kuzko has quit IRC [21:01]
*** kuzko has joined #openstack-glance [21:04]
*** lbragstad has joined #openstack-glance [21:20]
<lbragstad> hi all - i'm wondering if any glance folks have a minute to walk me through some of the policy stuff in glance? [21:20]
<lbragstad> i see glance has two oslo_policy.policy.Enforcer objects in tree [21:29]
<lbragstad> one in property_utils and one in glance/api/policy.py [21:29]
<rosmaita> lbragstad: hi [21:29]
<rosmaita> the policies are used for two different purposes [21:29]
<lbragstad> rosmaita: o/ [21:29]
<rosmaita> (1) the normal use [21:30]
<rosmaita> (2) for "property protections" [21:30]
<lbragstad> rosmaita: is normal use just considered API protection? [21:30]
<rosmaita> #2 allows an operator to set CRUD on image metadata [21:30]
<rosmaita> lbragstad: well, sort of ... the glance policies don't track the API directly [21:30]
<rosmaita> they police access to glance internal objects in at least some cases [21:31]
<rosmaita> like locations [21:31]
<rosmaita> and tasks [21:31]
<lbragstad> ahh - so that's where the usage in property_utils comes into play i assume [21:31]
<rosmaita> right, so the property_utils is kind of a convenience thing [21:31]
<rosmaita> you can define who can do CRUD referencing policy rules [21:32]
<rosmaita> (for image properties, i.e., image metadata) [21:32]
<lbragstad> so you protect properties or attributes of resources with policy [21:33]
<lbragstad> and that toolkit lives in property_utils.pu [21:33]
<lbragstad> py* [21:33]
<rosmaita> right, and to keep it complicated, whether or not you use policies for property protections is a config option [21:34]
<lbragstad> aha [21:35]
<lbragstad> so deployers can customize how/if they want to protect certain resources [21:35]
<lbragstad> or attributes of resources [21:35]
<rosmaita> yes [21:36]
<lbragstad> wow - interesting [21:36]
<lbragstad> that's good to know [21:36]
<lbragstad> i was struggling to put the pieces together, that helps [21:36]
<lbragstad> so that's the second case [21:36]
<rosmaita> the property protections don't have to use the same policy.json file as the "regular" policies [21:36]
<lbragstad> right - because it's a separate config? [21:37]
<rosmaita> right [21:37]
<lbragstad> ok [21:37]
<lbragstad> well - that might be a good thing [21:37]
<rosmaita> yes, i am thinking so [21:37]
<lbragstad> what's the default behavior there? [21:37]
<rosmaita> probably best to keep them completely separate [21:37]
<lbragstad> if i deploy glance and i don't specify a property policy file [21:37]
<lbragstad> what happens? [21:38]
<rosmaita> default behavior is no property protections [21:38]
<lbragstad> ok - so default ALLOW all behavior [21:38]
<rosmaita> right, owner can CRUD all properties [21:38]
<lbragstad> how do you track the owner? [21:39]
<lbragstad> someone in the project? [21:39]
<lbragstad> or the actual person who created the thing? [21:39]
<rosmaita> well, that's another config option [21:39]
<lbragstad> :) [21:39]
<rosmaita> default is owner_is_tenant=True [21:39]
<rosmaita> AFAIOK, no one admits to using owner_is_tenant=False [21:39]
<rosmaita> and no one remembers why it's even an option [21:39]
<rosmaita> *AFAIK [21:40]
<lbragstad> and glance has logic somewhere in the api to protect resources based on that? [21:40]
<rosmaita> yes, it's independent of policy (in most cases) [21:40]
<lbragstad> because it has to somehow determine who the owner of the resource is and so on... [21:41]
<rosmaita> exactly [21:41]
<lbragstad> ok - cool [21:41]
<lbragstad> good to know [21:41]
<rosmaita> btw, thanks for putting up the patches to get this started [21:42]
<lbragstad> otherwise - APIs in glance are protected by calling .enforce on the Enforcer in glance.api.policy it looks like [21:42]
<lbragstad> rosmaita: yeah - anytime [21:42]
<rosmaita> pretty much, though sometimes the enforcement happens pretty far down in the stack [21:43]
<rosmaita> like for image locations [21:43]
<rosmaita> the getters and setters are wrapped in policy checks [21:43]
<rosmaita> but i'm pretty sure we will introduce a new policy for locations like we did for 'tasks_api_access' in Pike [21:44]
<lbragstad> is that in glance/api/v2/images.py? [21:44]
<rosmaita> the locations may be in locations.py [21:44]
*** harlowja has joined #openstack-glance [21:45]
<rosmaita> the policy code around locations is crazy, part policy and part config option [21:45]
<rosmaita> intertwined in a not good way [21:46]
<lbragstad> ok - these are all the policy locations i'm seeing so far [21:46]
<lbragstad> http://paste.openstack.org/show/620575/ [21:46]
<lbragstad> which is good - because i think we should be able to get by with making most of our modifications to https://github.com/openstack/glance/blob/master/glance/api/policy.py#L40-L88 [21:47]
<lbragstad> somewhere in there we need to make a change similar to https://review.openstack.org/#/c/435609/31/keystone/common/policy.py [21:49]
<lbragstad> around line 67 [21:49]
<lbragstad> or 35 [21:49]
<lbragstad> where the enforcer object has the ability to populate default values for policies that are not defined in policy.json [21:50]
<lbragstad> (e.g. filling in the gaps) [21:50]
<rosmaita> ok, and you're right, the locations stuff is in glance/api/policy.py [21:50]
<lbragstad> aha - line 160 [21:51]
<lbragstad> i see it [21:51]
<rosmaita> yeah, a lot of stuff happening in that file [21:51]
<lbragstad> so in my patch i should be modifying glance.api.policy [21:54]
<rosmaita> lbragstad we'll be discussing this at the PTG, I just pasted your suggestions into the etherpad [21:54]
<rosmaita> lbragstad yes, i think that's right [21:54]
<lbragstad> rosmaita: awesome - what time are you getting into Denver? [21:54]
<rosmaita> sunday afternoon, i think [21:54]
<lbragstad> ok - perfect [21:54]
<lbragstad> we have two sessions dedicated to helping teams work through the goal [21:55]
<lbragstad> one is monday morning and the other is tuesday afternoon [21:55]
<rosmaita> ok, great, i'll make sure to attend at least one, and encourage the other glancers to do the same [21:55]
<rosmaita> i know at least 2 other glance cores will be there all week [21:56]
*** catintheroof has quit IRC [21:56]
<lbragstad> http://lists.openstack.org/pipermail/openstack-dev/2017-September/121888.html [21:56]
<lbragstad> rosmaita: ^ [21:56]
<lbragstad> that's more information in there if you haven't seen it already [21:56]
<rosmaita> have not seen it yet, so thanks [21:57]
<lbragstad> rosmaita: is this bit exposed to endusers somehow? [22:06]
<lbragstad> https://github.com/openstack/glance/blob/master/glance/api/policy.py#L44-L48 [22:06]
<lbragstad> it looks like it is through config? [22:06]
<lbragstad> oh... i think i see it [22:07]
<lbragstad> if the policy file exists, it's loaded into the enforcer, if it doesn't the enforcer gets a deny-all-like policy [22:08]
<rosmaita> right, not exposed to end users [22:09]
<rosmaita> there's currently no way for end users to discover what the policy settings are [22:10]
<rosmaita> (except by inference) [22:10]
<lbragstad> ok - good deal [22:10]
<lbragstad> is there a reason why default is different in glance/api/policy.py from etc/policy.json? [22:10]
<lbragstad> https://github.com/openstack/glance/blob/master/glance/api/policy.py#L35 [22:10]
<lbragstad> https://github.com/openstack/glance/blob/master/etc/policy.json#L3 [22:11]
<rosmaita> yes, we changed it in the config file in mitaka (i think) and forgot to fix it in policy.py [22:12]
<lbragstad> so - role:admin is the correct notation? [22:12]
<rosmaita> i think default should be "!", but that's just me ... role:admin is what got chosen [22:12]
<rosmaita> but actually, there's no reason to have a default anymore, right? [22:13]
<lbragstad> rosmaita: using a character like ! or @ makes the policy unusable, like deny-all [22:13]
<lbragstad> well - we're still going to have a default in glance [22:13]
<rosmaita> i thought '@' == "" == everyone [22:13]
<lbragstad> it's more a question of which one do we choose [22:13]
<lbragstad> rosmaita: oh - i wasn't aware of that [22:14]
<lbragstad> that might vary across implementation i guess? [22:14]
<lbragstad> (yet another oddity in policy across openstack) [22:14]
<rosmaita> i think it's defined that way in oslo.policy (the @ == everyone, i mean) [22:14]
<lbragstad> oh - ok [22:14]
<lbragstad> cool [22:14]
<lbragstad> so do we want glance to have @ or role:admin as the default? [22:15]
<lbragstad> if a policy file isn't found in a deployment, then the default is going to @ [22:15]
<lbragstad> which is open to everyone [22:15]
<lbragstad> if we change it to role:admin and someone upgrades without checking the policy file, then we've changed the default policy underneath them [22:16]
<lbragstad> from allow-all to deny-all [22:16]
<lbragstad> *if* they don't update their policy file [22:16]
<lbragstad> and explicitly set default: @ there instead [22:16]
<lbragstad> (which would override the default in code) [22:16]
* rosmaita is thinking [22:18]
<rosmaita> i wonder whether we should have default at all [22:18]
<lbragstad> the inverse of that argument is true as well [22:18]
<rosmaita> because isn't it a setting in oslo.policy config what the rule used for 'default' is? [22:19]
<rosmaita> i think in the early days, if a target was missing, it was allow-all [22:19]
<rosmaita> and that got changed to check for 'default' first before allow all [22:19]
<lbragstad> well - if glance doesn't find a policy file it passes a default dictionary to oslo.policy https://github.com/openstack/glance/blob/master/glance/api/policy.py#L47 [22:19]
<rosmaita> but now, if a target is missing, and no default, then i'm pretty sure it's deny all [22:20]
<lbragstad> that case should technically not happen - ideally [22:20]
<lbragstad> every api should have a default policy provided to protect it [22:20]
<lbragstad> that way operators who upgrade and miss the new policy definition don't notice weird behavior [22:20]
<rosmaita> so my reason to prefer default: "!" instead of default: "role:admin [22:21]
<rosmaita> " [22:21]
<rosmaita> is so that if an operator is testing, using an admin account, a new policy target will be blocked for the admin [22:21]
<rosmaita> and the operator will know to do something, ie., think about what the policy should be [22:21]
<lbragstad> so - you're opting for deny-all out of the box [22:21]
<rosmaita> yeah, but that [22:22]
<rosmaita> s just me [22:22]
<rosmaita> (sorry, new keyboard) [22:22]
<rosmaita> (and old fingers) [22:22]
<lbragstad> well - it serves as a more secure model by default [22:22]
<lbragstad> always deny all and then explicitly open things up as needed after [22:22]
<rosmaita> yeah, if it's ok with you, use "!" and the glance community can fight it out on the patch [22:22]
<lbragstad> or so i'm told [22:23]
<lbragstad> perfect [22:23]
<rosmaita> thanks! [22:23]
<rosmaita> lbragstad: btw, that business about '@' is here: http://git.openstack.org/cgit/openstack/oslo.policy/tree/oslo_policy/policy.py#n97 [22:24]
<lbragstad> ahh! [22:24]
<lbragstad> thanks [22:24]
<rosmaita> i am on dinner duty, gotta run ... have a good evening! [22:24]
<lbragstad> rosmaita: thanks for the information! [22:24]
<openstackgerrit> Lance Bragstad proposed openstack/glance master: Move base policies into code  https://review.openstack.org/501360 [22:49]
*** thegreenhundred has quit IRC [22:55]
