Tuesday, 2021-03-02

*** tosky has quit IRC		00:17
*** k_mouza has joined #openstack-glance		00:21
*** k_mouza has quit IRC		00:25
*** jv_ has quit IRC		01:07
*** zzzeek has quit IRC		01:49
*** zzzeek has joined #openstack-glance		01:51
*** rcernin has quit IRC		02:34
*** rcernin has joined #openstack-glance		02:47
abhishekk	lbragstad, ack, thank you	04:03
*** zzzeek has quit IRC		04:32
*** zzzeek has joined #openstack-glance		04:33
*** udesale has joined #openstack-glance		05:08
*** whoami-rajat_ has joined #openstack-glance		05:25
*** m75abrams has joined #openstack-glance		05:25
*** lbragstad_ has joined #openstack-glance		06:03
*** lbragstad has quit IRC		06:06
*** zzzeek has quit IRC		06:10
*** zzzeek has joined #openstack-glance		06:11
*** k_mouza has joined #openstack-glance		06:21
*** k_mouza has quit IRC		06:25
*** gyee has quit IRC		06:47
*** whoami-rajat_ is now known as whoami-rajat		06:54
*** ralonsoh has joined #openstack-glance		06:55
*** rcernin has quit IRC		06:57
*** m75abrams has quit IRC		07:02
*** jawad_axd has joined #openstack-glance		07:25
*** lpetrut has joined #openstack-glance		07:27
openstackgerrit	Abhishek Kekane proposed openstack/python-glanceclient master: Get tasks associated with image https://review.opendev.org/c/openstack/python-glanceclient/+/776403	08:08
*** tosky has joined #openstack-glance		08:35
*** udesale_ has joined #openstack-glance		10:15
*** udesale has quit IRC		10:19
*** m75abrams has joined #openstack-glance		10:51
*** k_mouza has joined #openstack-glance		10:56
*** dirtwash has quit IRC		11:18
*** udesale_ has quit IRC		11:40
*** udesale has joined #openstack-glance		11:43
*** hoonetorg has quit IRC		11:49
*** Luzi has joined #openstack-glance		11:57
*** hoonetorg has joined #openstack-glance		12:03
*** zzzeek has quit IRC		12:20
*** zzzeek has joined #openstack-glance		12:23
openstackgerrit	Felix Huettner proposed openstack/glance master: Fix missing backend deletion of disabled images https://review.opendev.org/c/openstack/glance/+/772872	12:54
*** jv_ has joined #openstack-glance		13:05
openstackgerrit	Lance Bragstad proposed openstack/glance master: Fail to start if authorization and policy is misconfigured https://review.opendev.org/c/openstack/glance/+/776588	13:30
openstackgerrit	Lance Bragstad proposed openstack/glance master: Implement project personas for image actions https://review.opendev.org/c/openstack/glance/+/764754	13:30
openstackgerrit	Lance Bragstad proposed openstack/glance master: Update default policies for task API https://review.opendev.org/c/openstack/glance/+/763208	13:30
openstackgerrit	Lance Bragstad proposed openstack/glance master: Add glance functional protection tests to check and gate https://review.opendev.org/c/openstack/glance/+/778079	13:30
abhishekk	jokke, rosmaita, smcginnis, dansmith, lbragstad_, https://etherpad.opendev.org/p/glance-wallaby-m3-status	13:39
abhishekk	Etherpad with list of patches to get merged before M3	13:40
rosmaita	ack	13:40
*** lbragstad_ is now known as lbragstad		13:41
lbragstad	thanks abhishekk	13:43
abhishekk	no problem, please check if I missed any of the rbac patches to list there	13:43
lbragstad	nope - i think it's just the four	13:44
lbragstad	er - six rather	13:44
lbragstad	four to glance proper - two to gtp	13:44
abhishekk	cool, thank you	14:12
openstackgerrit	Felix Huettner proposed openstack/glance master: Fix missing backend deletion of disabled images https://review.opendev.org/c/openstack/glance/+/772872	14:23
*** jawad_axd has quit IRC		14:31
*** jawad_axd has joined #openstack-glance		14:32
*** Luzi has quit IRC		14:36
openstackgerrit	Dan Smith proposed openstack/glance master: Add administrator docs for distributed-import https://review.opendev.org/c/openstack/glance/+/778072	14:45
openstackgerrit	Lance Bragstad proposed openstack/glance master: Update default policies for task API https://review.opendev.org/c/openstack/glance/+/763208	14:49
openstackgerrit	Lance Bragstad proposed openstack/glance master: Add glance functional protection tests to check and gate https://review.opendev.org/c/openstack/glance/+/778079	14:49
openstackgerrit	Lance Bragstad proposed openstack/glance master: Fail to start if authorization and policy is misconfigured https://review.opendev.org/c/openstack/glance/+/776588	14:54
openstackgerrit	Lance Bragstad proposed openstack/glance master: Implement project personas for image actions https://review.opendev.org/c/openstack/glance/+/764754	14:54
openstackgerrit	Lance Bragstad proposed openstack/glance master: Update default policies for task API https://review.opendev.org/c/openstack/glance/+/763208	14:54
openstackgerrit	Lance Bragstad proposed openstack/glance master: Add glance functional protection tests to check and gate https://review.opendev.org/c/openstack/glance/+/778079	14:54
*** jawad_axd has quit IRC		15:15
*** jawad_axd has joined #openstack-glance		15:16
*** jawad_axd has quit IRC		15:24
*** lpetrut has quit IRC		15:34
*** openstackgerrit has quit IRC		15:35
dansmith	lbragstad: question for you here: https://review.opendev.org/c/openstack/glance/+/764754/19/glance/api/v2/image_data.py	15:36
* abhishekk going for dinner break		16:03
dansmith	smcginnis: maybe we could get you to +W this utility patch? It's been up for a long time, I think it's uncontroversial, and getting it merged will help reduce the load of what we're asking rosmaita to look at during cruch time here: https://review.opendev.org/c/openstack/glance/+/770682	16:23
smcginnis	dansmith: Sure will take a look after this meeting.	16:24
dansmith	smcginnis: thanks	16:24
dansmith	lbragstad: I think the tempest plugin stuff probably covers my concern about not testing the actual protections, and will further convince myself of that after I'm done with my current call	16:24
lbragstad	dansmith cool - no worries	16:25
lbragstad	fwiw - i am working on a response to your comment	16:25
dansmith	lbragstad: I think we could have done that verification in functional tests without having to make it a tempest plugin.. glance's functional tests are very out of body and start a full api worker and use http against it	16:25
* lbragstad nods		16:28
lbragstad	dansmith ok - i think i see what you mean with the upload_image policy	16:55
*** m75abrams has quit IRC		17:01
*** udesale has quit IRC		17:04
dansmith	lbragstad: is there some reason we can't run your base tests against glance as it is, and also against it after your changes to make sure we've got all the same holes and plugs?	17:10
dansmith	ProjectMemberTests is basically just regular surface coverage that should work the same before and after, right?	17:10
lbragstad	base tests?	17:10
lbragstad	oh - yeah	17:10
lbragstad	ProjectMember is pretty much just testing end user API access	17:11
lbragstad	ProjectReader won't work unless the new defaults are enabled	17:11
dansmith	so can we drop the Depends-On in that patch and throw another DNM on top with depends-on so we can see the before/after?	17:11
dansmith	oh okay	17:11
lbragstad	without the new defaults project-readers could do things like creating a private image	17:12
dansmith	those could be skipped on the base patch and un-skipped in the upper one maybe with the depends-on?	17:12
dansmith	I know we're down to the wire here and I certainly don't want to get in the way, but this kind of stuff makes me super nervous, especially as a last-minute shoo-in, so I tend to be fairly cautuous	17:12
dansmith	*cautious	17:12
lbragstad	yep - that makes sense	17:13
dansmith	abhishekk: are you similarly wary of this, or are you all good?	17:13
dansmith	if we're revisiting why we broke something or opened a hole, I'd like to be able to point to the procedure we followed as "had tests before, confirmed tests after, but we missed a condition"	17:14
dansmith	instead of "had almost no tests before and added them after making the change" :)	17:14
abhishekk	I guess it will be good verify before we go in	17:14
abhishekk	*good to verify	17:14
lbragstad	i'm in the middle of the keystone team meeting, but i can try and wip something up after	17:15
abhishekk	Also in addition to these RBAC patches, we need a patch to Bump image API version to flag experimental rbac support	17:17
dansmith	abhishekk: do we? what changes about the api because of this?	17:18
abhishekk	dansmith, I think its a practice in glance to add experimental api version if we introduce any feature as experimental	17:19
dansmith	abhishekk: sure, for something the client can use or leverage,	17:19
dansmith	but in this case, it's just about "can the operator enable persona things in the backend config"	17:19
dansmith	not anything a user or client will do differently, right?	17:20
abhishekk	right	17:20
dansmith	like, it's not that the client needs to know if /image/tasks is there or not	17:20
dansmith	and, AFAIK, we could _technically_ backport this to older APIs, which would make the version bump not make sense	17:20
abhishekk	Hmm, we can take that off the list	17:21
dansmith	I mean, again, I'm not speaking definitively, and if glance just uses that version number to signal things to the client, then okay, but IMHO we don't need one for something like this	17:22
dansmith	ack	17:22
abhishekk	yes	17:22
dansmith	abhishekk: very close on image tasks :)	17:27
abhishekk	:D, client remaining	17:27
*** lpetrut has joined #openstack-glance		17:28
dansmith	oh yeah	17:28
dansmith	abhishekk: question on the client exception.. if you agree either needs changing, let me know and I can do it for you so you can go to sleep :)	17:36
abhishekk	looking	17:37
lbragstad	dansmith ok - i have an idea	17:40
lbragstad	let me know if this seems reasonable to address your testing concerns	17:40
lbragstad	what if i squash https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568/20 and https://review.opendev.org/c/openstack/glance-tempest-plugin/+/775742/4 into one patch (/me cringes)	17:41
lbragstad	and then i can add two different test jobs - one for legacy-rbac and one for secure-rbac	17:41
lbragstad	the legacy-rbac job can use a regex to only execute ProjectAdminTests and ProjectMemberTests	17:42
lbragstad	but - it will be voting	17:42
lbragstad	the secure-rbac protection jobs will run everything	17:42
lbragstad	and it will be non-voting	17:42
dansmith	why do we need to squash?	17:42
lbragstad	i guess we don't - i can tack the jobs on in a third patch	17:43
dansmith	that addresses the config differences right?	17:43
abhishekk	dansmith, replied to your comment	17:43
lbragstad	yeah - https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568/20/.zuul.yaml#13 would be false	17:44
dansmith	lbragstad: I was more focused on trying to get a run (like even just a single one) asserting the tests pass before we go changing all the policy things	17:44
lbragstad	for the legacy job	17:44
abhishekk	if you have time then kindly do the change otherwise I can take it tomorrow	17:44
dansmith	abhishekk: ack thanks	17:45
dansmith	lbragstad: yeah I was just hoping to make sure that the set of things we can assert about what is/isn't authorized is the same before and after the actual glance changes, since we're doing things like flipping the order of some of the policy checks and what not	17:46
lbragstad	right	17:46
lbragstad	i was thinking we could address that with two different jobs	17:46
lbragstad	one would be the legacy job and it would be voting, the other would be the secure-rbac job and it would be non-voting	17:46
dansmith	well, that just doesn't mean as much to me because it's all still running after the changes to glance are made	17:46
dansmith	you'd be assuming you haven't regressed anything in the legacy config, but you've still made a bunch of changes	17:47
lbragstad	well - i was going to say we would merge the gtp patches first	17:47
lbragstad	then add the same jobs to the glance gates	17:47
lbragstad	so - all my changes would be gated on a legacy rbac setup and test run	17:47
dansmith	oh, well, that's all I was asking for.. is to remove the depends-on so we could see the tests running before the glance things merge and then again after	17:47
lbragstad	yeah - that makes sense	17:49
dansmith	and fwiw,	17:49
dansmith	I wasn't even saying we needed to land them ahead of time, it would just be nice to see _a_ run before the changes are applied	17:49
dansmith	but looking at your tests, I'm concerned that'll be invasive surgery	17:49
dansmith	but if you think it's doable in short order that'd sure give me a lot more of the good feels	17:50
abhishekk	does depends-on tag restrict tempest-plugin test first?	17:50
lbragstad	ok - let me try something quick	17:51
lbragstad	dansmith what invasive surgery are you seeing?	17:51
jokke	IMO the version bump would be good as the API doe change, you need totally different set of tokens to interact with the API if the new rbac is eabled. And dansmith, yes it's purely there to signal the client that there's been changes in the API	17:52
dansmith	abhishekk: depends-on with required_projects will make sure glance is applied in front of the tests it's about to run yeah	17:52
dansmith	jokke: okay, but it doesn't actually mean that right? unless you know the configuration that the operator has selected, you don't know which tokens you need correct?	17:53
* abhishekk time's up, will be back tomorrow		17:54
abhishekk	we can use https://etherpad.opendev.org/p/glance-wallaby-m3-status to exchange status	17:55
jokke	dansmith: so having version bump for the experimental RBAC would signal to the user that they could use scoped tokens, the version being below that telling "don't bother, it will not work"	17:55
dansmith	jokke: yeah, I understand your point.. it tells them it's possible, but it doesn't tell them if they can or should	17:56
jokke	dansmith: that's been the glance API versioning always, it's just indication that the service is running version that supports api extensions xyz	17:56
dansmith	ack	17:56
jokke	it's not microversion you could request specific behaviour and we avoid breaking the API as much as possible	17:57
*** openstackgerrit has joined #openstack-glance		17:57
openstackgerrit	Lance Bragstad proposed openstack/glance master: Implement project personas for image actions https://review.opendev.org/c/openstack/glance/+/764754	17:57
openstackgerrit	Dan Smith proposed openstack/python-glanceclient master: Get tasks associated with image https://review.opendev.org/c/openstack/python-glanceclient/+/776403	18:02
openstackgerrit	Merged openstack/glance master: Fail to start if authorization and policy is misconfigured https://review.opendev.org/c/openstack/glance/+/776588	18:05
*** lpetrut has quit IRC		18:07
abhishekk	dansmith, before signing out, added one question on client patch	18:14
abhishekk	signing out now, have a good day ahead to all, o/~	18:14
dansmith	abhishekk: ack, will reply, g'nite	18:17
*** ralonsoh has quit IRC		18:29
*** k_mouza has quit IRC		18:36
*** k_mouza_ has joined #openstack-glance		18:36
*** k_mouza_ has quit IRC		19:04
*** k_mouza has joined #openstack-glance		19:05
*** k_mouza has quit IRC		19:29
openstackgerrit	Merged openstack/glance master: Add get_ksa_client() helper https://review.opendev.org/c/openstack/glance/+/770682	19:42
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Implement API protection testing for images https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568	19:45
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Add tests for image membership, deactivation, and reactivation https://review.opendev.org/c/openstack/glance-tempest-plugin/+/775742	19:45
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Implement API protection testing for images https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568	19:46
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Add tests for image membership, deactivation, and reactivation https://review.opendev.org/c/openstack/glance-tempest-plugin/+/775742	19:46
openstackgerrit	Lance Bragstad proposed openstack/glance master: Add glance functional protection tests to check and gate https://review.opendev.org/c/openstack/glance/+/778079	19:50
lbragstad	dansmith ok - i reversed the order of thos	19:50
lbragstad	those* ^	19:50
openstackgerrit	Dan Smith proposed openstack/glance master: Make functional tests set node_staging_uri https://review.opendev.org/c/openstack/glance/+/777277	19:51
openstackgerrit	Dan Smith proposed openstack/glance master: Add housekeeping module and staging cleaner https://review.opendev.org/c/openstack/glance/+/777012	19:51
dansmith	lbragstad: ack will look in a bit	19:51
openstackgerrit	Dan Smith proposed openstack/glance master: Distributed image import https://review.opendev.org/c/openstack/glance/+/769976	19:53
openstackgerrit	Dan Smith proposed openstack/glance master: Enable second glance worker for import testing https://review.opendev.org/c/openstack/glance/+/770629	19:53
openstackgerrit	Dan Smith proposed openstack/glance master: Add administrator docs for distributed-import https://review.opendev.org/c/openstack/glance/+/778072	19:53
openstackgerrit	Lance Bragstad proposed openstack/glance master: Implement project personas for image actions https://review.opendev.org/c/openstack/glance/+/764754	19:54
openstackgerrit	Lance Bragstad proposed openstack/glance master: Update default policies for task API https://review.opendev.org/c/openstack/glance/+/763208	19:54
openstackgerrit	Lance Bragstad proposed openstack/glance master: Make secure RBAC protection job voting https://review.opendev.org/c/openstack/glance/+/778258	19:54
dansmith	lbragstad: ah, okay so we'll see the results on the job patch first, cool	19:55
lbragstad	yeah - so if i understood your concern correctly, the legacy-rbac job is going to test what you want	19:55
lbragstad	so long as that is green throughout the changes, we should be good	19:56
dansmith	not just that, but in the stack before the changes	19:56
dansmith	yeah	19:56
dansmith	exactly	19:56
lbragstad	right	19:56
lbragstad	do you want to keep that job around after?	19:56
dansmith	well, after the changes, it is probably best to just add that tempest plugin as a requirement for one of the other jobs, so we're running it alongside other stuff	19:57
dansmith	but we can worry about that later, just to drop our gate footprint back down	19:57
lbragstad	and just run the secure-rbac job, you mean?	19:57
dansmith	yes, or configure one of our other-other jobs to run in secure-rbac mode, but.. either way	19:57
lbragstad	ok - sure, that makes sense	19:58
lbragstad	i did drop the legacy-rbac job here https://review.opendev.org/c/openstack/glance/+/778258/1	19:58
lbragstad	but that's the last patch in the series	19:58
dansmith	yeah, fancy problems when we get there :)	19:58
lbragstad	++	19:58
*** Underknowledge has quit IRC		20:26
*** Underknowledge has joined #openstack-glance		20:26
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Implement API protection testing for images https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568	20:50
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Add tests for image membership, deactivation, and reactivation https://review.opendev.org/c/openstack/glance-tempest-plugin/+/775742	20:50
dansmith	smcginnis: another sweet, sweet stats-padding opportunity for you: https://review.opendev.org/c/openstack/glance/+/777277	20:50
*** abhishekk has quit IRC		21:06
*** bhagyashri\|rover has quit IRC		21:06
*** abhishekk has joined #openstack-glance		21:06
*** bhagyashris has joined #openstack-glance		21:07
*** hoonetorg has quit IRC		21:21
*** k_mouza has joined #openstack-glance		21:29
*** k_mouza has quit IRC		21:34
*** hoonetorg has joined #openstack-glance		21:42
*** gyee has joined #openstack-glance		21:43
lbragstad	dansmith so https://review.opendev.org/c/openstack/glance-tempest-plugin/+/775742/7 passed the legacy bits, the first patch failed on a post-failure	21:47
dansmith	cool, I have to recheck something too, this reminds me	21:47
dansmith	lbragstad: looks like they all skipped though	21:48
dansmith	https://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_194/775742/7/check/glance-legacy-rbac-protection-functional/1941180/testr_results.html	21:48
lbragstad	bah - https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568/23/glance_tempest_plugin/tests/rbac/v2/base.py@29	21:50
lbragstad	i ran that locally with a tempest config that has enforce_scope set to true	21:51
dansmith	nice try lbragstad...nice try.	21:51
lbragstad	works for me!	21:51
dansmith	+3: WFM!	21:51
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Implement API protection testing for images https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568	21:56
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Add tests for image membership, deactivation, and reactivation https://review.opendev.org/c/openstack/glance-tempest-plugin/+/775742	21:56
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Implement API protection testing for images https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568	22:11
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Add tests for image membership, deactivation, and reactivation https://review.opendev.org/c/openstack/glance-tempest-plugin/+/775742	22:11
*** rcernin has joined #openstack-glance		22:33
lbragstad	dansmith looks like it's working now https://zuul.openstack.org/stream/e7aa2129c6064f46a6c9b1259c84d1e6?logfile=console.log	22:41
openstackgerrit	Merged openstack/glance master: Make functional tests set node_staging_uri https://review.opendev.org/c/openstack/glance/+/777277	22:41
lbragstad	https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_a59/775742/9/check/glance-legacy-rbac-protection-functional/a5921b9/testr_results.html	22:41
dansmith	lbragstad: you mean now that you turned it on for realz? :)	22:41
lbragstad	i forgot to hit the go-baby-go button	22:42
dansmith	classic mistake	22:42
dansmith	lbragstad: okay so we need a patch in this series that has the Depends-On link right?	22:43
lbragstad	https://review.opendev.org/c/openstack/glance/+/778079/6	22:43
dansmith	oh okay, that works too	22:44
dansmith	lbragstad: okay let me go through the tests we've got enabled right now in detail	22:47
dansmith	lbragstad: I'm already confused by https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568/25/glance_tempest_plugin/tests/rbac/v2/test_images.py on L612ish,	22:47
dansmith	er, wait	22:48
dansmith	yeah,	22:48
dansmith	this is creating an image as a different tenant.. I see your note there, but .. why is that not 404 right now?	22:48
lbragstad	on line 618?	22:48
dansmith	yeah	22:49
lbragstad	because the user executing that test is a project admin	22:49
lbragstad	or - more specifically, they have the 'admin' role	22:49
dansmith	oh, these are the admin tests, I see	22:49
lbragstad	yeah - i have the FIXMEs there to highlight places where "this will change when we adopt system-scope and actually implement tenancy"	22:49
dansmith	so there's some future when admins will be scoped such that they can see images they don't own, but with in their scope	22:50
dansmith	lbragstad: right, having them and me understanding them are different :)	22:50
lbragstad	yeah, so today most operators are anyone with an 'admin' role	22:51
lbragstad	in the future, that will be a system-admin (someone with the admin role on the system in keystone - or $ openstack role add --user alice --system all admin)	22:52
dansmith	L1022 is what I was looking for I think.. that one user's private image is not visible by another	22:54
dansmith	well, L1025	22:54
lbragstad	yeah - the ProjectMemberTests are pretty much testing what's supported by 99% of end users today	22:54
dansmith	yeah	22:55
lbragstad	and i didn't enable the ProjectReaderTests in the legacy tests because those are going to fail	22:55
dansmith	okay, so, today there's really nothing other than "admin", so the ProjectAdminTests are really testing today what the SystemAdminTests will confirm after the change, right?	23:00
dansmith	like, you'll fix the fixmes in the projectadmin class to assert the right thing, and enable the systemadmin ones which should match (haven't looked) in the "I can do anything" sense	23:01
dansmith	lbragstad: is that right ^ ?	23:04
dansmith	man, bug 968696 is a serious who's who of openstack history.. hilarious.	23:09
openstack	bug 968696 in Glance ""admin"-ness not properly scoped" [High,In progress] https://launchpad.net/bugs/968696	23:09
lbragstad	dansmith yeah - you're right	23:11
lbragstad	the ProjectAdminTests should just be updates to the expected status codes in the future	23:11
dansmith	yeah, it's a little confusing,	23:11
lbragstad	and pretty much copied to the SystemAdminClass	23:11
dansmith	because you'd think that SystemAdmin is what we would enable now, since that's all we have,	23:11
dansmith	and then enable ProjectAdmin once we have that distinction	23:12
dansmith	but I assume there's some reason for why it's a bit upside down?	23:12
lbragstad	yeah - the only think you could have a role on initially was a project	23:12
lbragstad	so - project admins were the way to denote admin-ness	23:12
lbragstad	the only thing*	23:13
*** zzzeek has quit IRC		23:13
dansmith	okay, I think what you're saying is that the words in the patch are correct, but the words in real life have been improperly overloaded, which is why projectadmin is testing what the systemadmin behavior will be	23:14
dansmith	i.e. "project admin" is what we have today, but that was a terrible name, because it actually has permission to do anything across projects, not within projects	23:15
lbragstad	yes - exactly	23:15
lbragstad	and in the legacy rbac implementation - "project admin" is really an operator	23:15
lbragstad	and they have access to everything under the sun in the deployment	23:16
dansmith	okay, and the credentials = [ ... "project_admin"] matter in this case, depending on what the server config is?	23:16
lbragstad	so - that's wired up by tempest dynamic credentials	23:16
dansmith	right.. does that have some knob to tweak to tell it what the server is configured for?	23:16
lbragstad	using "project_admin" will create a new user and project, then make sure that user has the 'admin' role on the project	23:16
*** zzzeek has joined #openstack-glance		23:17
lbragstad	like if glance knows what the difference is between a project-admin and a system-admin?	23:17
dansmith	well, I guess I'm assuming that your secure-rbac job runs the SystemAdminTests with glance configured to enable it, but.. maybe that's a bad assumption?	23:18
lbragstad	we have to set this https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568/25/.zuul.yaml@39	23:19
lbragstad	to run the rbac tests	23:19
dansmith	right, which allows the SystemAdminTests to run?	23:19
lbragstad	but tempest, itself, doesn't monkey patch in a different client for project_admin depending on if the server understands secure RBAC or not	23:20
lbragstad	yes - https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568/25/glance_tempest_plugin/tests/rbac/v2/base.py@28	23:20
lbragstad	and the protection tests inherit that base class	23:20
lbragstad	hah - sweet https://review.opendev.org/c/openstack/glance/+/778079	23:21
dansmith	hrm, I'm a bit confused	23:22
lbragstad	about the tempest credential bits?	23:24
*** k_mouza has joined #openstack-glance		23:30
*** k_mouza has quit IRC		23:34

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!