Tuesday, 2019-01-29

[12:29] <jokke_> jaypipes: iirc admin can change the owner of the image, owner or other normal users can't
[12:30] <jokke_> jaypipes: so if the owner really needs to be changed, that should be the route
[12:30] <abhi89> Hi All.. i have a doubt.. while creating image from api we don't mention any project-id, so looks like image is not associated with a project as such.. in the UI, image created in one project cannot be seen when we login via another project (both project have same compute & storage resources).. but we can deploy a vm in a project where this image doesn't exist using the image-id.. both of them kind of contradict..
[12:30] <jokke_> this is totally iirc 'though ... never had to do it
[12:31] <jokke_> abhi89: did you create the image by any chance with visibility=community?
[12:32] <abhi89> visibility of the image was set to private
[12:38] <abhi89> jokke_: what is the expected behavior in this case?
[12:42] <jokke_> abhi89: Is it same user betwen two different projects?
[12:42] <jokke_> between
[12:45] <jokke_> as that's the only scenario where it should be accessible, I just have no idea why it's not listed
[12:49] <abhi89> jokke_: it's not the same user.. different user in different projects
[13:14] <jokke_> abhi89: and you have keystone auth setup and it's not admin user that can boot it?
[13:15] <abhi89> jokke_: i have tried all this with admin user role for both users in different projects
[13:16] <jokke_> ah yes, admin indeed has access to all images and image records
[13:18] <abhi89> jokke_: but he is the admin to just one project, not both of them.. one admin for one project
[13:19] <abhi89> so technically admin of one project shouldn't be able to access images of another project.. isn't it?
[13:22] <jokke_> what version of openstack you're operating? There was a bug at some point where admin was treated as admin regardless
[13:27] <rosmaita> abhi89: when you say "admin of one project", do you mean "admin of glance vs. admin of cinder", or do you mean "admin of tenant 123456 vs admin of tenant 456789"?
[13:30] <abhi89> ours is a customised IaaS product with openstack as base. here we have just one admin role (say for a project).. user with this admin role is an admin for all (glance, cinder ...)
[13:30] <abhi89> jokke_: we are at queens
[13:32] <jokke_> rosmaita: do you remember when that bug was where project(tenant) admin was treated as global admin? I think it was before queens
[13:34] <rosmaita> not sure that we ever had that bug ... it's been filed, but i think was always misconfiguration ... there's a setting in glance-api.conf that says what role glance will recognize as being an admin, this is in addition to whatever you have defining context_is_admin in the policy file ... maybe that's what's going on
[13:35] <jokke_> rosmaita: ahh that might have been it
[13:36] <jokke_> and might be it now as well, if the config is something like role:"admin" and the project admin role is also called "admin"
[13:36] <rosmaita> also, reading the scrollback, an image with null owner can be used by anyone ... doesn't show up in anyone's image-list, but anyone who knows the image_id can do an image-show on it or use it to boot a VM
[13:36] <rosmaita> abhi89: ^^
[13:37] <rosmaita> i should clarify, that's with visibility==private
[13:37] <jokke_> rosmaita: but it needs to be nulled intentionally, if you just don't specify it it will be owned by the creator
[13:37] <rosmaita> right
[13:40] <abhi89> rosmaita, jokke_: do you by any chance remember that setting in glance-api.conf?
[13:40] <rosmaita> http://git.openstack.org/cgit/openstack/glance/tree/etc/glance-api.conf?h=stable/queens#n28
[13:40] <rosmaita> cleverly named "admin_role" :)
[13:41] <rosmaita> jokke_: i think that pre-dates policy files ... we should probably deprecate that setting
[13:42] <jokke_> yeah don't we have the admin-role thingie in policy.json as well?
[13:44] <abhi89> we have admin role name as "admin" itself..
[13:44] <rosmaita> yes, and last time i looked at our context.py, it processes the policy file, and then last thing it does is see if the user has this role, and if so, makes is_admin true on the context ... so that person will be an admin even if the policy file rules them out, i think
[13:44] <abhi89> "context_is_admin":  "role:admin", -> this is our policy.json setting for admin role
[13:44] <rosmaita> abhi89: yes, so with the default setting, any user you give the role 'admin' to will be recognized by Glance as a *glance admin*
[13:44] <jokke_> yup
[13:45] <jokke_> indeed as service admin, not just project(tenant) admin
[13:46] <abhi89> so if he is a glance admin, he can view images from all projects?
[13:46] <rosmaita> yep
[13:46] <jokke_> yes
[13:46] <abhi89> oh ok
[13:46] <jokke_> and do lot more than just view
[13:46] <rosmaita> yeah, modify, delete, everything
[13:46] <abhi89> ohk
[13:46] <jokke_> like delete, change owner, reactivate deactivated images, overwrite almost any metadata etc.
[13:46] <rosmaita> abhi89: you might want to take a look at this, it's aimed at cinder, but it pretty much applies to glance too: https://review.openstack.org/#/c/624424/
[13:49] <jokke_> ok, need to run. back in few
[13:49] <abhi89> rosmaita: thanks.. will go through the link.. we just want the admin to behave as an admin at the project level, not glance admin..
[13:50] <rosmaita> one difference though is that glance still has a json policy file that sets the defaults ... but the explanation of what context_is_admin is still applies
[13:50] <abhi89> jokke_: sure..thanks
[13:50] <rosmaita> abhi89: well, i think just a regular tenant is a project-level admin
[13:51] <rosmaita> a regular tenant can do all the normal stuff -- create, read, update, delete within their own project (tenant)
[13:51] <rosmaita> so what you need to do is to come up with some new roles if you want to restrict some users to say read-only within a project
[13:51] <rosmaita> and then adjust the policy file
[13:52] <rosmaita> when i say "regular tenant" i mean "a regular user within a tenant (project)"
[13:52] <rosmaita> (i really wish we had better vocabulary for this!)
[13:53] <abhi89> rosmaita: thanks for the info.. will need some time to digest all this & try out few things.. will get back tomorrow on this to share how it went..
[13:54] <rosmaita> good luck!  and it will definitely take a bit of time ... policy config is tricky and it is easy to get results different from what you expect
[13:55] <rosmaita> i proposed a session on this at the Denver summit -- look for it at voting time! :)
[13:56] <abhi89> rosmaita: sure :)
[20:01] <cfriesen> Hi all...just alerting people to the fact that https://review.openstack.org/#/c/633256 is available for review.  Should be straightforward, just adding some new definitions for use in nova.
[20:06] <rosmaita> cfriesen: you might want to hit the rebase button on it and let it run through zuul check again, people tend to ignore stuff until zuul gives +1
[20:06] <cfriesen> can do
[20:06] <rosmaita> cfriesen: and you raised all the right questions on that patch
[20:07] <openstackgerrit> Chris Friesen proposed openstack/glance master: Add flavor options to select emulated virtual tpm  https://review.openstack.org/633256
[23:13] -openstackstatus- NOTICE: http://zuul.openstack.org is not working. https://zuul.openstack.org does work. Please use that while we investigate.