| opendevreview | Cyril Roelandt proposed openstack/glance stable/ussuri: Add housekeeping module and staging cleaner https://review.opendev.org/c/openstack/glance/+/785552 | 00:16 |
|---|---|---|
| opendevreview | Rajat Dhasmana proposed openstack/glance_store master: Glance cinder nfs: Block creating qcow2 volumes https://review.opendev.org/c/openstack/glance_store/+/796577 | 06:46 |
| opendevreview | Rajat Dhasmana proposed openstack/glance_store master: WIP: Add multiattach handling https://review.opendev.org/c/openstack/glance_store/+/786410 | 06:47 |
| opendevreview | Abhishek Kekane proposed openstack/glance master: Refactor gateway auth layer for task APIs https://review.opendev.org/c/openstack/glance/+/802243 | 09:12 |
| opendevreview | Abhishek Kekane proposed openstack/glance master: Deprecate tasks_api_access policy https://review.opendev.org/c/openstack/glance/+/802244 | 09:12 |
| opendevreview | Abhishek Kekane proposed openstack/glance master: Move Tasks policy checks in the API https://review.opendev.org/c/openstack/glance/+/802245 | 09:12 |
| opendevreview | Pranali Deore proposed openstack/glance master: Implement project personas for metadef resource-types https://review.opendev.org/c/openstack/glance/+/799671 | 10:16 |
| opendevreview | Pranali Deore proposed openstack/glance master: Implement project personas for metadef objects https://review.opendev.org/c/openstack/glance/+/802054 | 10:16 |
| opendevreview | Pranali Deore proposed openstack/glance master: Implement project personas for metadef properties https://review.opendev.org/c/openstack/glance/+/802055 | 10:16 |
| opendevreview | Pranali Deore proposed openstack/glance master: Implement project personas for metadef tags https://review.opendev.org/c/openstack/glance/+/802056 | 10:16 |
| opendevreview | Pranali Deore proposed openstack/glance-tempest-plugin master: Implement API protection testing for metadef namespaces https://review.opendev.org/c/openstack/glance-tempest-plugin/+/800902 | 10:34 |
| diablo_rojo | As you might have seen on the ML, there was discussion about collecting operator pain points for each project to focus on as a community goal. If you know what the top one or two issues are for glance operators are, please add them to this etherpad!https://etherpad.opendev.org/p/pain-point-elimination | 13:07 |
| croelandt | https://github.com/openstack/glance/blob/master/glance/common/wsgi_app.py#L96 my Python foo is probably failing me here | 13:19 |
| croelandt | but how is "glance" resolved? | 13:19 |
| croelandt | If I comment out "import glance.async" it cannot be resolved any more | 13:20 |
| croelandt | is this "clean"? | 13:20 |
| opendevreview | Abhishek Kekane proposed openstack/glance stable/ussuri: Add housekeeping module and staging cleaner https://review.opendev.org/c/openstack/glance/+/785552 | 13:53 |
| opendevreview | Cyril Roelandt proposed openstack/glance stable/ussuri: Add housekeeping module and staging cleaner https://review.opendev.org/c/openstack/glance/+/785552 | 13:54 |
| abhishekk | dansmith, kindly have a look if this is appropriate approach Deprecate tasks_api_access policy https://review.opendev.org/c/openstack/glance/+/802244 | 14:03 |
| dansmith | abhishekk: you're planning to add fine-grained task policies in place of the blanket tasks_api_access? | 14:05 |
| dansmith | or, | 14:05 |
| dansmith | make the ones like modify_task actually enforced at the api so we don't need the blanket api-specific thing... | 14:06 |
| abhishekk | We don't have any API to update the task | 14:07 |
| abhishekk | so modify_task is useless I guess | 14:07 |
| abhishekk | I am hoping to have task specific policies to be actually enforced at API level | 14:08 |
| dansmith | okay I was just picking the one above | 14:08 |
| dansmith | I don't really know how you would use add_task either | 14:08 |
| dansmith | I'm mostly just asking what you plan to keep | 14:08 |
| abhishekk | I think we should keep task_api_access and deprecate others | 14:09 |
| dansmith | so it sounds like get_task and get_tasks will stay, enforced at the API layer, modify_task is useless, maybe add_task too(?) and then tasks_api_access can go away | 14:09 |
| dansmith | is that right? | 14:09 |
| croelandt | abhishekk: oops I overwrote your latest patchset on https://review.opendev.org/c/openstack/glance/+/785552/, but we had the same change, so it's okay :) | 14:10 |
| abhishekk | there is command task-create which was used earlier to create tasks before image import is introduced | 14:10 |
| croelandt | oh wait no, my import is out ofo rder | 14:10 |
| croelandt | damn | 14:10 |
| abhishekk | croelandt, sorry, I should have checked with you earlier, thought you are not around | 14:10 |
| dansmith | abhishekk: and you can create a task with meaningful work to do? | 14:11 |
| opendevreview | Cyril Roelandt proposed openstack/glance stable/ussuri: Add housekeeping module and staging cleaner https://review.opendev.org/c/openstack/glance/+/785552 | 14:11 |
| croelandt | abhishekk: np :) | 14:11 |
| abhishekk | dansmith, anyways tasks API are deprecated since long, so we should keep only one policy for them | 14:11 |
| dansmith | abhishekk: okay well, that's what I'm asking.. why deprecate tasks_api_policy and keep the others? | 14:12 |
| abhishekk | yeah, will change it, initially I thought to keep task specific APIs to be in consistent with other APIs | 14:12 |
| abhishekk | but sounds like those will be just duplicates and doing same things | 14:13 |
| abhishekk | will modify the patch and make changes accordingly | 14:13 |
| abhishekk | croelandt, if you are still around then you can have your closer looks on metadef policy refactor patches | 14:14 |
| dansmith | if the tasks api is deprecated anyway, when will it just be removed? or will it stay deprecated forever? | 14:14 |
| abhishekk | It will stay deprecated forever I guess | 14:15 |
| abhishekk | May be one fine day someone will work on that | 14:15 |
| abhishekk | croelandt, https://review.opendev.org/c/openstack/glance/+/801129/ | 14:15 |
| dansmith | abhishekk: okay well, then a single policy item to access any of it seems like the easiest thing yeah | 14:16 |
| abhishekk | dansmith, ack, will do the changes, kindly comment on the patch | 14:16 |
| dansmith | sure | 14:16 |
| abhishekk | next I will be picking image-members | 14:17 |
| dansmith | okay | 14:19 |
| dansmith | abhishekk: on this: https://review.opendev.org/c/openstack/glance/+/796067/18/glance/api/v2/images.py#560 , I'm going to write a test for the marker thing and fix the Forbidden raise to raise NotFound for the future when policy is actually the thing that checks access, okay? | 14:19 |
| abhishekk | yep | 14:20 |
| *** diablo_rojo is now known as Guest2298 | 14:38 | |
| dansmith | abhishekk: shockingly removing that forbidden handler yielded no test fails :/ | 14:54 |
| abhishekk | ohh | 14:54 |
| dansmith | I mean, probably expected because it's dead code, I'm just saying... | 14:55 |
| abhishekk | yeah, that was I was going to say | 14:56 |
| dansmith | someone reading the glance code and thinking that's where we hit forbidden in the image show path would be confused | 14:56 |
| dansmith | because glance enforces these things inconsistently in like eight places | 14:56 |
| dansmith | so you have to guess which one is the right one :/ | 14:56 |
| abhishekk | don't call it inconsistency, its standard :D | 14:57 |
| abhishekk | Even I am getting confused when we suppose to have 403 and 404 based on our policies | 14:58 |
| dansmith | "consistently inconsistent".. got it :) | 14:58 |
| abhishekk | that's the word | 14:58 |
| opendevreview | Abhishek Kekane proposed openstack/glance master: Deprecate task specific policies https://review.opendev.org/c/openstack/glance/+/802244 | 15:19 |
| opendevreview | Abhishek Kekane proposed openstack/glance master: Move Tasks policy checks in the API https://review.opendev.org/c/openstack/glance/+/802245 | 15:19 |
| dansmith | abhishekk: the rbac test failure on my get_images patch is because this was now missing: https://review.opendev.org/c/openstack/glance/+/796067/1/glance/tests/etc/policy.yaml | 15:48 |
| dansmith | because you removed that and I rebased, | 15:49 |
| dansmith | but it's good because I needed to fix the actual default anyway, | 15:49 |
| dansmith | which I'm doing in the next rev | 15:49 |
| dansmith | just FYI | 15:49 |
| abhishekk | ack | 15:49 |
| abhishekk | the rules which you added in policy.yaml, got it | 15:50 |
| dansmith | right | 15:50 |
| dansmith | I just overrode it for the test to make it pass in that original rev and never went back to fix the actual defaults | 15:50 |
| abhishekk | ack | 15:53 |
| dansmith | ugh, | 16:40 |
| abhishekk | dansmith, I think I need to wait for member APIs as it is depending on images | 16:40 |
| dansmith | that change seems to be breaking tons of stuff for reasons I don't understand | 16:40 |
| dansmith | and I have another call coming up | 16:41 |
| abhishekk | do you want me to have a look ? | 16:41 |
| dansmith | no, I'll keep going on it for a while longer, but will punt to you if I get stuck :) | 16:41 |
| abhishekk | ack, I will be around for next couple of hours | 16:42 |
| opendevreview | Merged openstack/glance master: Add base policy check module https://review.opendev.org/c/openstack/glance/+/801129 | 16:48 |
| abhishekk | image member policies are more confusing :P | 17:53 |
| abhishekk | glance client don't have support for /v2/images/{image-id/members/{member-id} API | 18:19 |
| dansmith | lol | 18:29 |
| dansmith | phew, figured out my problem | 19:08 |
| dansmith | stupid f-strings | 19:08 |
| abhishekk | :D | 19:16 |
| dansmith | but rebased on your api policy base and now more fails | 19:23 |
| dansmith | ohh | 19:28 |
| dansmith | abhishekk: just noticed you removed self._target = ImageTarget(image) from the base | 19:29 |
| dansmith | why was that? | 19:29 |
| abhishekk | dansmith, metadef don't use image at all | 19:29 |
| dansmith | ah okay | 19:29 |
| abhishekk | in order to set target for metadef we need namespace | 19:30 |
| dansmith | yeah | 19:30 |
| opendevreview | Dan Smith proposed openstack/glance master: Remove dead 403->404 code https://review.opendev.org/c/openstack/glance/+/799699 | 19:49 |
| opendevreview | Dan Smith proposed openstack/glance master: Refactor gateway get_repo auth layer https://review.opendev.org/c/openstack/glance/+/789913 | 19:49 |
| opendevreview | Dan Smith proposed openstack/glance master: Add api_patch() to SynchronousAPIBase https://review.opendev.org/c/openstack/glance/+/801119 | 19:49 |
| opendevreview | Dan Smith proposed openstack/glance master: Make image update check policy at API layer https://review.opendev.org/c/openstack/glance/+/789915 | 19:49 |
| opendevreview | Dan Smith proposed openstack/glance master: Check get_image(s) in the API https://review.opendev.org/c/openstack/glance/+/796067 | 19:49 |
| opendevreview | Dan Smith proposed openstack/glance master: POC: Add a member field to Image when appropriate https://review.opendev.org/c/openstack/glance/+/796066 | 19:49 |
| opendevreview | Dan Smith proposed openstack/glance master: POC: Check delete_image policy in the API https://review.opendev.org/c/openstack/glance/+/798073 | 19:49 |
| opendevreview | Dan Smith proposed openstack/glance master: POC: Check deactivate, reactivate policy in the API https://review.opendev.org/c/openstack/glance/+/798266 | 19:49 |
| * abhishekk signing out for the day | 19:50 | |
| abhishekk | dansmith, will look at the patches tomorrow | 19:50 |
| dansmith | ack | 19:50 |
| *** ChanServ changes topic to "OpenStack Glance | This channel is recorded logs at http://eavesdrop.openstack.org/irclogs/%23openstack-glance/" | 22:55 | |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!