Friday, 2021-03-05

openstackgerrit	Dan Smith proposed openstack/glance master: WIP: Pass a target to task policy enforce https://review.opendev.org/c/openstack/glance/+/778799	00:08
dansmith	lbragstad: total guess for when you get back ^	00:08
*** tosky has quit IRC		00:11
dansmith	seems to work for me locally	00:12
*** yoctozepto has quit IRC		00:13
*** yoctozepto has joined #openstack-glance		00:13
dansmith	oh yeah, I think that's the ticket :)	00:39
*** ajitha has joined #openstack-glance		00:51
*** felixhuettner[m] has quit IRC		01:49
*** k_mouza has joined #openstack-glance		02:21
*** k_mouza has quit IRC		02:26
*** felixhuettner[m] has joined #openstack-glance		02:31
lbragstad	dansmith dang - i suppose... everything was essentially "" before... so having the target be {} didn't matter	02:42
lbragstad	but now that the check is reasonable and more opinionated, the target needs to be, too	02:43
lbragstad	just 3 failures it looks like https://zuul.opendev.org/t/openstack/build/875a97024c6a4075b35e7e93fb2aa3ac	02:45
*** irclogbot_0 has quit IRC		02:52
*** irclogbot_2 has joined #openstack-glance		02:55
*** gyee has quit IRC		03:08
dansmith	lbragstad: yeah, about the target	03:37
dansmith	lbragstad: so I guess that policy rule also probably is not usable now anyway	03:37
dansmith	meaning you can't really write sane rules? or maybe you could if it's just a role check or somethin	03:38
dansmith	lbragstad: but yeah, still several class of problem to resolve in the tests, but muuuuuch closer	03:38
*** k_mouza has joined #openstack-glance		03:59
*** k_mouza has quit IRC		04:04
*** ratailor has joined #openstack-glance		04:37
*** ratailor_ has joined #openstack-glance		04:59
*** ratailor__ has joined #openstack-glance		05:02
*** ratailor has quit IRC		05:03
*** ratailor_ has quit IRC		05:06
*** eandersson has left #openstack-glance		05:42
*** udesale has joined #openstack-glance		05:55
*** rcernin has quit IRC		06:00
openstackgerrit	Abhishek Kekane proposed openstack/glance master: WIP: download_image policy check https://review.opendev.org/c/openstack/glance/+/778845	06:33
*** ralonsoh has joined #openstack-glance		07:03
*** zzzeek has quit IRC		07:52
*** zzzeek has joined #openstack-glance		07:53
*** lpetrut has joined #openstack-glance		08:00
*** zzzeek has quit IRC		08:08
*** zzzeek has joined #openstack-glance		08:09
*** zzzeek has quit IRC		08:40
*** zzzeek has joined #openstack-glance		08:41
*** zzzeek has quit IRC		08:42
*** zzzeek has joined #openstack-glance		08:43
*** tosky has joined #openstack-glance		09:23
*** k_mouza has joined #openstack-glance		09:42
*** Underknowledge has quit IRC		09:48
*** Underknowledge1 has joined #openstack-glance		09:49
*** Underknowledge1 is now known as Underknowledge		09:49
*** udesale has quit IRC		10:59
*** udesale has joined #openstack-glance		10:59
*** k_mouza has quit IRC		11:10
*** jv_ has quit IRC		11:15
*** k_mouza has joined #openstack-glance		11:22
*** k_mouza has quit IRC		12:16
*** tkajinam has quit IRC		12:35
*** tkajinam has joined #openstack-glance		12:35
*** ratailor__ has quit IRC		12:36
*** belmoreira has joined #openstack-glance		12:40
lbragstad	dansmith yeah - i'll roll that patch into the main one for tasks here in a bit	12:41
lbragstad	good call	12:41
*** k_mouza has joined #openstack-glance		12:52
*** k_mouza has quit IRC		12:52
*** k_mouza has joined #openstack-glance		12:53
*** whoami-rajat has joined #openstack-glance		12:58
lbragstad	so - now i'm wondering...	13:22
lbragstad	afaict - we have policies in the policy file that, when changed to be inconsistent with other policies in glance (copy_image/set_image_location/get_image_location) or other policies in OpenStack, it'll cause issues like this	13:25
lbragstad	the external task APIs remains admin-only and is protected by the task_api_access policy	13:27
lbragstad	(and it's deprecated)	13:27
lbragstad	i'm just digging through old branched	13:30
lbragstad	branches*	13:30
lbragstad	stable/ocata for example wires the policy for add_task up to the controller	13:31
lbragstad	but yeah, still several class of problem to res	13:31
lbragstad	bad paste from above*	13:31
lbragstad	https://github.com/openstack/glance/blob/stable/ocata/glance/api/v2/tasks.py#L77	13:31
lbragstad	https://github.com/openstack/glance/blob/stable/ocata/glance/api/policy.py#L340-L342	13:31
lbragstad	https://github.com/openstack/glance/blob/stable/ocata/glance/api/policy.py#L344-L346	13:32
lbragstad	i don't think that flow is possible anymore now that the API is deprecated and moved to admin-only	13:32
lbragstad	should we consider removing the add_task, get_tasks, get_task, and modify_task policies?	13:33
openstackgerrit	Lance Bragstad proposed openstack/glance master: Update default policies for task API https://review.opendev.org/c/openstack/glance/+/763208	13:38
openstackgerrit	Lance Bragstad proposed openstack/glance master: Make secure RBAC protection job voting https://review.opendev.org/c/openstack/glance/+/778258	13:38
openstackgerrit	Lance Bragstad proposed openstack/glance master: DNM: Check some jobs with new policy defaults https://review.opendev.org/c/openstack/glance/+/778736	13:38
abhishekk	lbragstad, at this time of cycle it is not good idea to remove those policies, may be in next cycle we can consider it	13:59
abhishekk	smcginnis, if you are around and have little time, could you please have a look at below patches?	14:01
abhishekk	https://review.opendev.org/c/openstack/glance/+/775860	14:01
abhishekk	https://review.opendev.org/c/openstack/python-glanceclient/+/776403	14:02
abhishekk	https://review.opendev.org/c/openstack/glance/+/777012	14:02
abhishekk	https://review.opendev.org/c/openstack/glance/+/778493	14:02
lbragstad	abhishekk ok - i updated the most recent tasks policy patch to only include a role check... since i'm not sure building a valid target is possible	14:21
lbragstad	but, i could be wrong there, too	14:21
abhishekk	so for valid target at the moment we just need project_id right?	14:22
dansmith	lbragstad: modify_task should have a task dict as the target, but we don't have one immediately where we need it I think, maybe that's what you meant	14:24
abhishekk	task_dict like similar what we passing as ImageTarget?	14:25
dansmith	yeah, I mean that's the right thing to do, but I'm not sure it really matters,	14:27
dansmith	because having this policy check here just allows operators to break import in weird ways they wouldn't understand	14:27
dansmith	if there's no way for import to work without these "inner" policies being configured the same as import, then they're pretty pointless	14:28
dansmith	but I agree I'd be nervous about removing them at this point in the cycle	14:28
abhishekk	So how about we not touching task policies at all?	14:29
abhishekk	or just the one which we are ideally depends like add_tasks?	14:29
dansmith	will it work with just that one? the task stuff uses the context to modify the tasks during the process, I didn't test	14:31
dansmith	we could just leave them blank (like they are today) or just do what I did in my WIP patch, and then remove them in X	14:31
abhishekk	Former option sounds good to me	14:32
dansmith	also,	14:32
dansmith	does your image/tasks api need get_tasks permission?	14:32
abhishekk	no	14:32
dansmith	it bypasses these layers? I can't remember	14:32
abhishekk	It bypasses these layers	14:33
dansmith	smart guy :)	14:33
abhishekk	I thought there was no point if we want this open for all	14:34
dansmith	yup	14:35
abhishekk	Looks like we have plenty of work to do in next cycle	14:35
lbragstad	ok - so we're thinking about just leaving those policies open because 1.) they're only internal policies 2.) we can't really build a valid target for it anyway	14:37
lbragstad	and we'll deprecate them for removal next cycle?	14:37
abhishekk	and task API's are already marked as deprecated	14:38
dansmith	lbragstad: and you can't really make them more restrictive than the high-level operations that use them or things break	14:38
lbragstad	yeah - exactly	14:38
dansmith	lbragstad: we're considering whether to do that, or just do what I did in my WIP	14:38
dansmith	either works for me.. it'd debt either way, one feels more consistent with what we're doing now (passing a target) and the other feels more like "we're ignoring this because we're going to remove it anyway"	14:39
dansmith	s/it'd/it's/	14:39
lbragstad	yeah...	14:39
abhishekk	dansmith, with your WIP patch as well I saw couple of 403 for add_task	14:39
lbragstad	would anyone be opposed to deprecating them this cycle as is?	14:41
abhishekk	I doubt, I remember either rosmaita or jokke saying even task APIs are deprecated we need to keep it forever	14:43
openstackgerrit	Felix Huettner proposed openstack/glance master: Fix users being able to delete disabled images https://review.opendev.org/c/openstack/glance/+/778951	14:44
dansmith	abhishekk: yep, I commented that I'd look at those this morning	14:44
abhishekk	ack	14:44
dansmith	lbragstad: so what's your suggestion? leave them as they are today but mark them as deprecated in W?	14:45
dansmith	basically drop that patch?	14:46
openstackgerrit	Ghanshyam proposed openstack/glance master: Move setting of enforce_scope to devstack side https://review.opendev.org/c/openstack/glance/+/778952	14:48
lbragstad	dansmith yeah - just mark them as deprecated	14:48
lbragstad	they would still work as is, but it would be a stronger signal to operators?	14:48
lbragstad	with a warning that says modifying these policies can result in weird issues with other services and call out the copy-image thing we're hitting	14:49
* lbragstad shrugs		14:49
lbragstad	i have the least experience of anyone here :)	14:50
openstackgerrit	Ghanshyam proposed openstack/glance-tempest-plugin master: Consume enforce_scope config from Tempest https://review.opendev.org/c/openstack/glance-tempest-plugin/+/778954	14:51
gmann	lbragstad: ^^ consuming the enforce_scope setting from tempest/devstack side	14:53
gmann	this and its depends-on patches	14:53
dansmith	lbragstad: yeah, maybe it's just because it's friday but I don't have a strong opinion.. I defer to abhishekk :)	14:53
lbragstad	gmann excellent - thank you	14:53
gmann	lbragstad: I will start adding devstack setting for other services too so that you can consume those in yoru tests	14:54
abhishekk	I am just thinking that we can mark these policies as deprecated now, and work towards either improving them with context to rbac in next cycle or else remove them as per deprecation policy in following cycle which will be Y or Z	14:55
gmann	just for context, in nova we still added the new policy for deprecated API also (as they might be used) for consistency of token and policy enforcement. and policy can go away along with APIs.	14:57
gmann	even policy were already deprecated with API sometime in old releases.	14:58
abhishekk	for glance I think we have only marked API as deprecated and restrict its use for Admin only (at least that was the case earlier)	14:59
*** lpetrut has quit IRC		15:03
lbragstad	ok - i can update that patch again - i just rebased things to see if a role-only check string would help	15:07
abhishekk	ack	15:07
lbragstad	i have to run to an appt, but feel free to tinker with things in the mean time if y'all want to try anything, i'll catch up on the differences when i get back	15:08
abhishekk	ack	15:13
dansmith	so, if we just leave them as-is and deprecate,	15:33
dansmith	does that mean that a scoped token will be unusable for any path that runs across those rules?	15:33
dansmith	or are those unlikely to really be usable for anything in W anyway?	15:34
abhishekk	not sure	15:34
*** udesale has quit IRC		15:43
openstackgerrit	Ghanshyam proposed openstack/glance-tempest-plugin master: Consume enforce_scope config from Tempest https://review.opendev.org/c/openstack/glance-tempest-plugin/+/778954	15:49
dansmith	lbragstad: okay so we're still failing the download_image policy check for some things.. I see you've got a specific rule for that, but it's hard for me to tell what is actually failing about that check	15:56
*** jv_ has joined #openstack-glance		15:57
abhishekk	dansmith, even after changing it to admin_or_project_member it keeps failing	16:06
abhishekk	https://review.opendev.org/c/openstack/glance/+/778845	16:06
dansmith	abhishekk: okay that failed like everything though.. are you sure something else didn't break?	16:07
dansmith	the weird thing is that it only fails on a couple of situations, like server rescue	16:08
dansmith	and that rescue image is created in the test itself	16:08
abhishekk	no, didn't checked thorough	16:09
dansmith	https://52be629c92393d57c88f-4c748ecb2936007225f2a0c5ad22f670.ssl.cf1.rackcdn.com/778799/1/check/tempest-integrated-storage-import/8c3b7eb/testr_results.html	16:09
dansmith	we failed a couple of base image tests with that same download_image thing	16:09
dansmith	which seems weird	16:09
dansmith	oh, interesting	16:10
dansmith	hang on let me confirm something	16:12
abhishekk	ok	16:12
dansmith	okay nevermind, I thought it seemed like the tests might be calling deactivate on the cirros image or something,	16:18
dansmith	but I see the deactivate test tries to download the image, which is what looked like it was the other test at the same time trying to get the image we just deactivated, but it's not	16:18
dansmith	although.. that's the thing that's failing in the deactivate test.. the show_image	16:19
dansmith	oh,	16:20
dansmith	that one is failing because we don't reactivate the image apparently	16:20
dansmith	https://github.com/openstack/tempest/blob/4de12b1113a2b9a1b1991dba87572706302cd414/tempest/api/image/v2/test_images.py#L337-L339	16:21
dansmith	failing with download_image there	16:21
dansmith	so we can show the image after reactivation as expected, but we can't download it	16:21
dansmith	although we didn't try downloading it before deactivation, so ... maybe it isn't related to the deactivation, I dunno	16:22
dansmith	ahh, these are the only two tests that try to download the image	16:23
dansmith	I guess I'm pretty slow	16:24
abhishekk	yes	16:24
dansmith	but I guess that means that the cirros public image is fine, and nova can use that for almost everything,	16:24
dansmith	but rescue downloads and re-creates the image, and it's these images that we create in tempest that are not downloadable because of this policy?	16:24
abhishekk	what is the visibility of that image?	16:25
dansmith	https://github.com/openstack/tempest/blob/4de12b1113a2b9a1b1991dba87572706302cd414/tempest/api/image/v2/test_images.py#L230	16:25
dansmith	private	16:25
dansmith	in that case at least	16:26
abhishekk	that could be a problem?	16:26
dansmith	that _should_ be okay right? private means "private to me"	16:27
dansmith	abhishekk: maybe member_id isn't in the target?	16:29
dansmith	oh, there's also no allowance for visibility==private?	16:30
abhishekk	yeah that was I thought	16:30
dansmith	abhishekk: that's probably it	16:30
abhishekk	but it is failing for admin_or_project_member as well	16:30
dansmith	although	16:31
dansmith	those are OR'd in and we should have passed project_id==$us	16:31
abhishekk	hmm	16:32
* lbragstad catches up		16:37
lbragstad	still having issues with the download_image policy?	16:39
dansmith	yup, that's what we're trying to figure out	16:39
lbragstad	so the image that gets created from the server is technically considered private, yeah?	16:49
dansmith	"from the server" ?	16:49
lbragstad	i worded that wrong - i'm looking at one of the failed tests https://github.com/openstack/tempest/blob/bf66abce089a2e2169b9945a18d1e6508dfcdb44/tempest/api/compute/servers/test_server_rescue.py#L165	16:50
lbragstad	that creates a server and then updates the image	16:51
dansmith	oh sorry, you're right it does actually create a snapshot and use that as the rescue image	16:51
dansmith	I thought it was copying the cirros image to make that, but clearly didn't read	16:51
dansmith	however,	16:51
dansmith	the other base image test doesn't use a server as the intermediate, so it's a little more straightforward	16:51
dansmith	https://github.com/openstack/tempest/blob/4de12b1113a2b9a1b1991dba87572706302cd414/tempest/api/image/v2/test_images.py#L211	16:51
lbragstad	ok - looking at that quick	16:52
lbragstad	https://52be629c92393d57c88f-4c748ecb2936007225f2a0c5ad22f670.ssl.cf1.rackcdn.com/778799/1/check/tempest-integrated-storage-import/8c3b7eb/testr_results.html didn't come from https://review.opendev.org/c/openstack/glance/+/778799/1 i don't think?	16:57
dansmith	lbragstad: it did, look at the url	16:58
dansmith	778799/1/check/	16:58
lbragstad	aha - ok, nevermind	16:59
lbragstad	i was looking at the nova-ceph rbac job	16:59
dansmith	easier to look at the base job(s) now just because there is less going on	17:01
dansmith	I went straight for the most complicated job first, but realized we should get a very basic job run and focus on that, since it doesn't require the complex multistore copy stuff to do anything	17:02
abhishekk	yeah, results of nova-ceph-rbac looks scary	17:03
abhishekk	so from logs its not possible to know which policy check is invoked, right?	17:03
dansmith	yeah, you can	17:04
dansmith	if oslo_policy debug is enabled	17:04
dansmith	the nova-ceph-multistore job has that, which is another reason I went for that first	17:04
dansmith	we could add that debug to the others though	17:04
abhishekk	So could we have one patch wehere only two jobs (remove all other jobs) with debug flag on?	17:04
dansmith	https://github.com/openstack/nova/blob/master/.zuul.yaml#L400	17:04
lbragstad	http://paste.openstack.org/raw/803288/	17:05
dansmith	it sucks how you have to do it though	17:05
lbragstad	that's the oslo.policy debug logging from the nova-ceph-rbac job for this test	17:05
lbragstad	https://github.com/openstack/tempest/blob/4de12b1113a2b9a1b1991dba87572706302cd414/tempest/api/image/v2/test_images.py#L211	17:05
dansmith	the gate queues are filling up quick, good luck getting any results for about 10h at this point :/	17:06
lbragstad	based on that output - i don't see how that's failing the download_image check	17:06
lbragstad	the project_id from the context and the owner from the target match...	17:07
lbragstad	so - we should be short-circuiting the policy check at the first condition of the project-member check string for downloading the image	17:07
abhishekk	target does not have project id	17:08
*** belmoreira has quit IRC		17:10
lbragstad	damn...	17:10
lbragstad	"owner": "494c741f16504a8d96264a65cdd3a2de" is right though	17:10
dansmith	abhishekk: target does not have a project_id where?	17:10
abhishekk	in the above paste	17:10
abhishekk	http://paste.openstack.org/raw/803288	17:11
lbragstad	yep - i see it	17:11
lbragstad	that should be running through this though? https://review.opendev.org/c/openstack/glance/+/764754/27/glance/api/policy.py@269	17:11
dansmith	okay I see but I don't know where in the code that is,	17:11
dansmith	lbragstad: right exactly	17:11
dansmith	I'm saying target _should_ have a project_id based on what I see	17:12
lbragstad	what are these doing? https://github.com/openstack/glance/blob/master/glance/api/middleware/cache.py#L160	17:13
abhishekk	https://review.opendev.org/c/openstack/glance/+/764754/27/glance/api/policy.py@211	17:13
lbragstad	https://github.com/openstack/glance/blob/master/glance/api/middleware/cache.py#L292	17:14
dansmith	lbragstad: huzzah, I bet that's it	17:14
abhishekk	+1	17:14
lbragstad	it download_image is getting invoked from the image controller, 'project_id' should be set, even if it's None	17:15
lbragstad	s/it/if/	17:15
abhishekk	right, this means it is visiting cache for downloading image from the cache	17:16
* abhishekk brb		17:17
openstackgerrit	Lance Bragstad proposed openstack/glance master: Implement project personas for image actions https://review.opendev.org/c/openstack/glance/+/764754	17:19
openstackgerrit	Lance Bragstad proposed openstack/glance master: Update default policies for task API https://review.opendev.org/c/openstack/glance/+/763208	17:19
openstackgerrit	Lance Bragstad proposed openstack/glance master: Make secure RBAC protection job voting https://review.opendev.org/c/openstack/glance/+/778258	17:19
openstackgerrit	Lance Bragstad proposed openstack/glance master: DNM: Check some jobs with new policy defaults https://review.opendev.org/c/openstack/glance/+/778736	17:19
dansmith	lbragstad: surely that is a bug too,	17:19
lbragstad	https://review.opendev.org/c/openstack/glance/+/764754/28/glance/api/middleware/cache.py trying this	17:19
dansmith	because it's not passing the full image as the target,	17:19
dansmith	so you could write a rule that would work against the real one, but fail in the cache one?	17:19
lbragstad	potentially?	17:19
dansmith	I'm not even sure what the image_metadata thing is that it's passing	17:20
lbragstad	https://github.com/openstack/glance/blob/master/glance/api/middleware/cache.py#L116	17:20
lbragstad	it's an image reference - from what i can tell	17:20
lbragstad	but - it also looks contingent on the API version	17:21
lbragstad	so - i'm not sure if that changes the image reference depending on the API version (e.g., you might have a policy that works for v1 but not for v2)	17:21
lbragstad	depending on the image?	17:21
dansmith	oh I see and it does wrap it in a target, okay	17:21
lbragstad	i guess now i'm wondering why this is in middleware?	17:22
dansmith	something something caching	17:22
lbragstad	specifically, if the caching bits are in middleware, do they need to have their own enforcement calls?	17:23
*** k_mouza has quit IRC		17:24
lbragstad	if we get past https://github.com/openstack/glance/blob/master/glance/api/middleware/cache.py#L149 we know the image isn't cached, right?	17:24
dansmith	lbragstad: looks like they have them right?	17:25
lbragstad	at which point wouldn't https://github.com/openstack/glance/blob/master/glance/api/middleware/cache.py#L169 just invoke the normal API (that has policy enforcement in 1.) the controller or 2.) the glance/api/policy.py method)	17:25
dansmith	but not for forbidden?	17:26
dansmith	I'm not sure what you're saying	17:26
lbragstad	i'm wondering if this code is redundant https://github.com/openstack/glance/blob/master/glance/api/middleware/cache.py#L160	17:26
dansmith	ah, because that happens before the process_v2_request on?	17:26
dansmith	*one	17:26
lbragstad	yes	17:26
lbragstad	and if the request is GET /v2/image/{image_id}/data	17:27
lbragstad	we're going to enforce download_image policy in the controller anyway, right?	17:27
dansmith	hrm	17:27
dansmith	not if we return this without hitting the controller right?	17:27
lbragstad	if the request is GET /v2/image/{image_id} - why are we calling enforcement for download_image?	17:28
dansmith	but yeah I'm not sure why this wasn't deferring to the controller with the return None	17:28
dansmith	I thought this thing was for caching the image data	17:28
abhishekk	AFAIK if image is cached it will not visit the controller	17:29
dansmith	based on the PATTERNS above	17:29
dansmith	abhishekk: right, that's my assumption	17:29
lbragstad	hmm	17:29
abhishekk	I guess I am the one who added that check in cache 3-4 years before	17:29
lbragstad	so - our get_image policy is ADMIN_OR_PROJECT_READER	17:30
dansmith	abhishekk: which one, L160 or the later one?	17:30
abhishekk	the one pointed out by lbragstad	17:30
lbragstad	which is less restrictive than the policy for download_image	17:30
dansmith	lbragstad: I'm getting lost,	17:30
lbragstad	sorry - i'll let y'all finish	17:31
dansmith	we're clearly hitting this extra check and failing here and not just because of the stricter download policy right?	17:31
dansmith	the looser get_image policy would fail here too without the target['project_id'] addition ?	17:31
abhishekk	probably	17:32
lbragstad	correct	17:32
lbragstad	the targets don't have project_id = image.get('owner')	17:32
dansmith	ack, okay, thought you were saying the stricter policy was the problem	17:32
dansmith	right	17:32
lbragstad	but - now i'm wondering about something else, but related,	17:32
dansmith	I'm also not sure if/why the policies should be different (by default) between get_image and download_image	17:32
lbragstad	^ that's what i'm about to get at	17:32
dansmith	the operator may want to configure them differently, but by default they should be the same I would think	17:33
lbragstad	https://github.com/openstack/glance/blob/master/glance/api/middleware/cache.py#L44-L49 means this cache middleware is invoked for GET /v2/images/{image_id} and GET /v2/images/{image_id}/file	17:33
dansmith	I don't think so	17:33
dansmith	only /data for v2 right?	17:33
dansmith	er, /file	17:34
lbragstad	oh - right	17:34
abhishekk	yeah /file for v2	17:34
lbragstad	https://github.com/openstack/glance/blob/master/glance/api/middleware/cache.py#L45-L46 is only v1	17:34
dansmith	right	17:34
lbragstad	ok - i was worried by default download_image was going to get enforced before get_image	17:34
lbragstad	which download image having a more restrictive default (breaking project-readers getting images)	17:35
dansmith	not here I don't think	17:35
* lbragstad stays in his lane		17:35
lbragstad	ok - good deal	17:35
dansmith	lol	17:35
lbragstad	so - this middleware doesn't seem to have image get methods for v1 - is it always expected to be run with v2?	17:37
lbragstad	i don't see a v1 equivalent for https://github.com/openstack/glance/blob/master/glance/api/middleware/cache.py#L108	17:37
dansmith	I expect v1 and v2 differ in how the user gets the data (i.e. with what url_	17:38
dansmith	but I think this is _purely_ about caching the data and not the details	17:38
abhishekk	may be removed when v1 related code is removed	17:38
lbragstad	ok - so getting back to dansmith's concern	17:41
lbragstad	should download_image and get_image have different policy check strings?	17:41
dansmith	defaults you mean right?	17:41
lbragstad	yes - defaults	17:41
abhishekk	lbragstad, so related to your recent change at line #160, it will fail again at line #292 because line #169 will call that	17:41
abhishekk	may be we can revisit after current discussion	17:42
abhishekk	I think those should be different	17:43
dansmith	different defaults?	17:43
abhishekk	get will have only read access, but download means you can access the data, right?	17:43
dansmith	yeah, I agree they should be different policy names, but I would think the default values for each would be the same, unless the operator wants to change them	17:44
lbragstad	get_image would mean in can view data about the image, download_image would mean i can download an actual copy of the image data	17:44
abhishekk	you can view the image properties	17:45
lbragstad	yeah - as a project-reader, i can get the image properties, but i can't actually download the image (at least that's how the defaults are written now)	17:46
abhishekk	right	17:46
dansmith	what's the use-case there?	17:46
lbragstad	can images contain sensitive information that shouldn't be exposed to project-readers?	17:46
dansmith	but so can details	17:46
dansmith	I guess "downloading the image" seems like "reading" to me	17:47
dansmith	I could put my software license keys in my image details, or my root password, etc	17:47
dansmith	maybe I don't know what project reader really is supposed to be	17:47
abhishekk	right	17:47
lbragstad	with the role implications built into keystone, reader is the role with the least privilege within a scope	17:48
lbragstad	so the person you would trust the least	17:48
dansmith	sure, but I just don't really know why you'd trust someone with your software keys and root password but not the actual image itself	17:49
dansmith	and if that's what project_reader is, it seems poorly named :)	17:49
abhishekk	:D	17:49
lbragstad	the least privilege definition applies to the reader role in general - since it the role at the bottom of the hierarchy	17:49
lbragstad	but in this case - it's applied to the project scope	17:49
dansmith	yeah, I get that, I just don't understand why you	17:50
abhishekk	and that's where property protection comes in the picture, if you put your sensitive information in the image details you can restrict it using property protection	17:50
dansmith	would expose one and not the other	17:50
*** jawad_axd has joined #openstack-glance		17:50
dansmith	abhishekk: ack that makes sense	17:51
abhishekk	and that's the reason why download_image policy is invoked in cache as well	17:51
dansmith	I guess my problem is just with the name. should be called "project_look_but_no_touch" or something :D	17:51
abhishekk	:D	17:51
dansmith	or project_browser	17:52
lbragstad	yeah - i can see that line of thinking	17:53
lbragstad	we attempted to clarify similar concerns in keystone's documentation directly https://docs.openstack.org/keystone/latest/admin/service-api-protection.html#primer	17:53
dansmith	so project_reader is -----x--x, project_member is ------rwx, and project_admin is ---rwxrwx ?	17:53
abhishekk	so whats the suggestion, should we keep same defaults for get and download or keep those different in defaults as well?	17:53
dansmith	that was backwards	17:53
abhishekk	I am more inclined towards later one	17:54
lbragstad	dansmith switch the project_reader with project_member and i think you're right	17:54
dansmith	lbragstad: I reversed the ordering of the bits , and forgot x for group for project_member	17:55
dansmith	anyway	17:55
lbragstad	so - i guess what dansmith is saying, if you name a file 'my_password_is_foo.txt' then put a password (which is foo) in that file, the only thing the current proposal is doing is prevent the project_reader from confirm foo is your password in the file	17:55
dansmith	right, and abhishekk is saying "but we can selectively hide parts of filenames" (property protection)	17:55
dansmith	which makes sense	17:55
dansmith	it just seems weird to offer images to users they can't use	17:56
dansmith	back to my use-case, but it sounds like ya'll are on the same page, which is totally cool with me :)	17:56
dansmith	nova will do a lot of work on your behalf, allocate networks, volumes, etc, only to find out pretty late that ... sad trombone, I can't download the image	17:57
abhishekk	:)	17:58
lbragstad	i originally proposed https://review.opendev.org/c/openstack/glance/+/764754/8/glance/policies/image.py as a project-reader action	17:58
abhishekk	yes	17:59
lbragstad	but i bumped it to project-member and i guess i never really understood the whole story (but this is helping)	17:59
dansmith	project reader isn't really a thing today right?	17:59
lbragstad	correct - not unless you're implementing it via custom policy	18:00
dansmith	it's just a default role option people have after some point?	18:00
lbragstad	yes - once services are on the same page about default policies and implementing reader support, it will be a thing people can do	18:00
dansmith	yeah, so then whatever, it's just an option (poorly named IMHO) but it's not going to break anything if everyone is currently a member	18:00
dansmith	so we need not spend much time on the details	18:00
* lbragstad nods		18:01
abhishekk	agree	18:01
lbragstad	that's fair	18:01
dansmith	abhi says it should default to no download for readers, that's all that matters :)	18:01
abhishekk	:d	18:01
abhishekk	so coming back to policy enforcement in cache	18:02
abhishekk	can we add project id here, https://review.opendev.org/c/openstack/glance/+/764754/28/glance/api/middleware/cache.py@102	18:02
lbragstad	oh - i see what you mean	18:03
dansmith	yeah	18:03
*** irclogbot_2 has quit IRC		18:03
lbragstad	_enforce is only ever dealing with image references in there, it looks like	18:04
abhishekk	yes	18:04
*** irclogbot_3 has joined #openstack-glance		18:04
lbragstad	ok - fixed	18:06
openstackgerrit	Lance Bragstad proposed openstack/glance master: Implement project personas for image actions https://review.opendev.org/c/openstack/glance/+/764754	18:06
openstackgerrit	Lance Bragstad proposed openstack/glance master: Update default policies for task API https://review.opendev.org/c/openstack/glance/+/763208	18:06
openstackgerrit	Lance Bragstad proposed openstack/glance master: Make secure RBAC protection job voting https://review.opendev.org/c/openstack/glance/+/778258	18:06
openstackgerrit	Lance Bragstad proposed openstack/glance master: DNM: Check some jobs with new policy defaults https://review.opendev.org/c/openstack/glance/+/778736	18:06
abhishekk	So now this only leaves us with tasks to worry about	18:06
dansmith	oh I asked about the scope thing	18:07
abhishekk	?	18:07
dansmith	lbragstad: if we just ignore the tasks policies, and don't add the scope= thing, will that cause people not to be able to experiment with scopes?	18:07
dansmith	or should we still add those new scoped rules, but default them to "" like they are today for the "internal" task policies	18:08
lbragstad	if we don't set scope_types on the rule, i don't think it with break anything	18:09
lbragstad	even if someone sets enforce_scope=True	18:09
lbragstad	that check is only done in oslo.policy if the rule has scope_types set	18:10
lbragstad	https://opendev.org/openstack/oslo.policy/src/branch/master/oslo_policy/policy.py#L1034	18:10
*** k_mouza has joined #openstack-glance		18:10
dansmith	okay, so does that mean we could just drop the tasks patch and replace it with deprecation notices for those policies? I think that's what abhishekk was leaning towards	18:10
dansmith	s/drop/effectively drop/	18:10
lbragstad	yes - we could - i can propose the deprecations	18:10
abhishekk	yeah	18:11
dansmith	are we out of problems to solve now? :P	18:11
abhishekk	your DNM tempest patch will tell us that now	18:11
* lbragstad doesn't want to jinx anything		18:11
dansmith	abhishekk: yep	18:12
abhishekk	that was a smart move	18:12
dansmith	:)	18:12
abhishekk	Now coming back to other challenges	18:14
*** k_mouza has quit IRC		18:15
abhishekk	As we are having shortage on reviewers due to busy schedule, I am going to ninja approve some low priority patches to reduce the load in the next week	18:15
abhishekk	I will keep eyes on them during weekend where most probably will be less traffic in the zuul	18:16
*** gyee has joined #openstack-glance		18:17
*** irclogbot_3 has quit IRC		18:24
*** irclogbot_3 has joined #openstack-glance		18:28
abhishekk	dansmith, need to follow up with qa guys for this one as well https://review.opendev.org/c/openstack/tempest/+/774303	18:34
dansmith	abhishekk: what about ninja'ing your tasks api bump and client patch? are you thinking we'll get review on those at some point?	18:34
abhishekk	no harm	18:35
dansmith	abhishekk: yep	18:35
abhishekk	you could ninja approve those as well	18:35
dansmith	abhishekk: ack	18:35
*** ralonsoh has quit IRC		18:35
* abhishekk signing now, have a good weekend all o/~		18:42
abhishekk	dansmith, just to remind, please rebase your DNM tempest job on top of lbragstad work once deprecation for tasks patch is up	18:43
dansmith	I thought he did?	18:44
lbragstad	i'm working on the deprecation patch now	18:44
*** jawad_axd has quit IRC		18:44
abhishekk	yep, he did, sorry I overlooked	18:44
dansmith	cool	18:44
* abhishekk leaving		18:44
lbragstad	thanks abhishekk	18:45
*** jawad_axd has joined #openstack-glance		19:05
*** takamatsu has quit IRC		19:13
*** k_mouza has joined #openstack-glance		19:25
*** takamatsu has joined #openstack-glance		19:27
*** k_mouza has quit IRC		19:30
*** jv_ has quit IRC		19:46
*** jv_ has joined #openstack-glance		19:46
*** jawad_axd has quit IRC		19:52
*** jawad_axd has joined #openstack-glance		19:57
openstackgerrit	Lance Bragstad proposed openstack/glance master: DNM: Test is fake method work https://review.opendev.org/c/openstack/glance/+/779042	20:10
lbragstad	dansmith i'm still working through unit test failures on the policy patch - i'm not sure the fakes in the cache middleware unit tests are doing what they should ^	20:10
openstackgerrit	Lance Bragstad proposed openstack/glance master: DNM: Test if fake method works in cache middleware tests https://review.opendev.org/c/openstack/glance/+/779042	20:11
dansmith	I would find that utterly shocking	20:11
dansmith	lbragstad: if you want to push up what you have I can try iterating on unit tests while you go do something more important	20:11
lbragstad	the code that casts the ImageTarget to a dictionary is failing - and i though it was because the ImageStubs are different	20:12
lbragstad	https://github.com/openstack/glance/blob/master/glance/tests/unit/test_policy.py#L58-L88	20:12
lbragstad	https://github.com/openstack/glance/blob/master/glance/tests/unit/test_cache_middleware.py#L32-L42	20:12
lbragstad	so i updated this test to fix the ImageStub https://github.com/openstack/glance/blob/master/glance/tests/unit/test_cache_middleware.py#L407	20:13
lbragstad	and it failed with the same issue	20:13
lbragstad	let me push what i have	20:14
openstackgerrit	Lance Bragstad proposed openstack/glance master: Implement project personas for image actions https://review.opendev.org/c/openstack/glance/+/764754	20:15
openstackgerrit	Lance Bragstad proposed openstack/glance master: Deprecate the external task API policies https://review.opendev.org/c/openstack/glance/+/763208	20:15
openstackgerrit	Lance Bragstad proposed openstack/glance master: Make secure RBAC protection job voting https://review.opendev.org/c/openstack/glance/+/778258	20:15
openstackgerrit	Lance Bragstad proposed openstack/glance master: DNM: Check some jobs with new policy defaults https://review.opendev.org/c/openstack/glance/+/778736	20:15
openstackgerrit	Merged openstack/python-glanceclient master: Get tasks associated with image https://review.opendev.org/c/openstack/python-glanceclient/+/776403	20:15
lbragstad	this https://review.opendev.org/c/openstack/glance/+/764754/30/glance/api/middleware/cache.py is what breaks the tests	20:15
dansmith	pulled it down, will poke	20:16
lbragstad	ack - thank you	20:16
lbragstad	i have to hop into a meeting, but i'll circle back	20:16
dansmith	roger	20:16
dansmith	oh yeah,	20:21
dansmith	this is just because there are some properties we expect have to be there,	20:21
dansmith	but things treat this like it's a dict of optional stuff, which it's not	20:22
lbragstad	this probably isn't here or there, but there are at least two different implementations of ImageStub	20:23
lbragstad	(one implements container_format, the other doesn't)	20:23
lbragstad	and the failure for that test which my change complains about not having the container_format key in the Image	20:23
lbragstad	i think	20:24
dansmith	lbragstad: I'm sure there are more than tat	20:28
dansmith	lbragstad: I have a patch still in WIP from last summer to fix one of them that isn't this	20:28
dansmith	Ran 1 test in 0.158s	20:28
dansmith	OK	20:28
lbragstad	this is the failure i get	20:29
lbragstad	http://paste.openstack.org/raw/803291/	20:29
dansmith	I pasted that to show I fixed on	20:30
dansmith	*one	20:30
openstackgerrit	Dan Smith proposed openstack/glance master: Deprecate the external task API policies https://review.opendev.org/c/openstack/glance/+/763208	20:34
openstackgerrit	Dan Smith proposed openstack/glance master: Make secure RBAC protection job voting https://review.opendev.org/c/openstack/glance/+/778258	20:34
openstackgerrit	Dan Smith proposed openstack/glance master: DNM: Check some jobs with new policy defaults https://review.opendev.org/c/openstack/glance/+/778736	20:34
dansmith	lbragstad: ^ how's that?	20:34
dansmith	oh crap	20:36
lbragstad	that passes for you locally?	20:36
dansmith	I pushed those into the wrong patch	20:36
dansmith	yeah that whole test_cache_middleware module works for me with that	20:37
lbragstad	hrm	20:37
lbragstad	ok - weird	20:37
lbragstad	i tried reusing an image stub i assumed to work	20:38
lbragstad	https://review.opendev.org/c/openstack/glance/+/764754/30/glance/tests/unit/test_cache_middleware.py	20:38
lbragstad	the ImageStub in test_policy has the container_format attribute	20:38
openstackgerrit	Dan Smith proposed openstack/glance master: Implement project personas for image actions https://review.opendev.org/c/openstack/glance/+/764754	20:40
openstackgerrit	Dan Smith proposed openstack/glance master: Deprecate the external task API policies https://review.opendev.org/c/openstack/glance/+/763208	20:40
openstackgerrit	Dan Smith proposed openstack/glance master: Make secure RBAC protection job voting https://review.opendev.org/c/openstack/glance/+/778258	20:40
openstackgerrit	Dan Smith proposed openstack/glance master: DNM: Check some jobs with new policy defaults https://review.opendev.org/c/openstack/glance/+/778736	20:40
dansmith	okay that should be right	20:40
dansmith	lbragstad: were you looking at this? https://review.opendev.org/c/openstack/glance/+/764754/30..31/glance/tests/unit/test_cache_middleware.py	20:41
lbragstad	i started copying attributes into ImageStub like you did here https://review.opendev.org/c/openstack/glance/+/764754/31/glance/tests/unit/test_cache_middleware.py#46 - then i noticed we have an ImageStub in glance.tests.unit.test_policy, so I tried reusing it and things still didn't seem to work	20:45
lbragstad	so that's what made me question if the fake was doing what it was supposed to	20:45
lbragstad	but - maybe i overlooked something if they pass for you	20:45
dansmith	you'd have to have all of them	20:46
dansmith	but I apparently didn't fully pull those changes back a patch, just a sec	20:46
*** jv_ has quit IRC		20:46
lbragstad	ah	20:48
dansmith	ah no I also missed a couple cases, hang on	20:49
dansmith	yeah I think we'll be okay with rbac	20:50
dansmith	guh	20:50
dansmith	Ran 19 tests in 0.464s	20:50
dansmith	OK	20:50
openstackgerrit	Dan Smith proposed openstack/glance master: Implement project personas for image actions https://review.opendev.org/c/openstack/glance/+/764754	20:52
openstackgerrit	Dan Smith proposed openstack/glance master: Deprecate the external task API policies https://review.opendev.org/c/openstack/glance/+/763208	20:52
openstackgerrit	Dan Smith proposed openstack/glance master: Make secure RBAC protection job voting https://review.opendev.org/c/openstack/glance/+/778258	20:52
openstackgerrit	Dan Smith proposed openstack/glance master: DNM: Check some jobs with new policy defaults https://review.opendev.org/c/openstack/glance/+/778736	20:52
dansmith	also fixed a pep8 error in there	20:52
dansmith	but yeah, that passes all the tests in that module for me now	20:52
*** jawad_axd has quit IRC		20:55
*** hoonetorg has quit IRC		20:57
*** jv_ has joined #openstack-glance		21:01
*** hoonetorg has joined #openstack-glance		21:01
*** k_mouza has joined #openstack-glance		21:10
*** k_mouza has quit IRC		21:15
*** jawad_axd has joined #openstack-glance		21:17
*** ajitha has quit IRC		21:18
*** jawad_axd has quit IRC		21:31
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Reuse project credentials from tempest for tenancy checks https://review.opendev.org/c/openstack/glance-tempest-plugin/+/779059	22:32
lbragstad	dansmith abhishekk that might help make things more readable and consistent eventually - i know keeping all the users and projects in some of those tests is tough	22:33
lbragstad	but - something we can choose to pursue next release if so	22:34
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Reuse project credentials from tempest for tenancy checks https://review.opendev.org/c/openstack/glance-tempest-plugin/+/779059	22:38
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Reuse project credentials from tempest for tenancy checks https://review.opendev.org/c/openstack/glance-tempest-plugin/+/779059	23:04
dansmith	ah yeah that's good	23:06
dansmith	man, 9 things in gate for glance for five hours, none have even been allocated nodes	23:13
lbragstad	=/ i was looking at that about an hour ago	23:13
lbragstad	i haven't bothered to check since	23:13
*** k_mouza has joined #openstack-glance		23:52
*** k_mouza has quit IRC		23:57

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!