Wednesday, 2021-03-03

*** whoami-rajat has quit IRC		00:15
*** johanssone has quit IRC		00:16
*** tosky has quit IRC		00:17
*** johanssone has joined #openstack-glance		00:19
*** felixhuettner[m] has quit IRC		00:19
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Implement API protection testing for images https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568	00:24
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Add tests for image membership, deactivation, and reactivation https://review.opendev.org/c/openstack/glance-tempest-plugin/+/775742	00:24
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: WIP: Lay down system persona test plumbing https://review.opendev.org/c/openstack/glance-tempest-plugin/+/778343	00:24
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Implement API protection testing for images https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568	00:26
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Add tests for image membership, deactivation, and reactivation https://review.opendev.org/c/openstack/glance-tempest-plugin/+/775742	00:26
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: WIP: Lay down system persona test plumbing https://review.opendev.org/c/openstack/glance-tempest-plugin/+/778343	00:26
*** felixhuettner[m] has joined #openstack-glance		00:28
dansmith	lbragstad: just thought of something else..	00:29
dansmith	er, wait, nevermind	00:29
* dansmith needs to dinner		00:30
lbragstad	ack	00:30
openstackgerrit	Lance Bragstad proposed openstack/glance master: Implement project personas for image actions https://review.opendev.org/c/openstack/glance/+/764754	00:31
openstackgerrit	Lance Bragstad proposed openstack/glance master: Update default policies for task API https://review.opendev.org/c/openstack/glance/+/763208	00:31
openstackgerrit	Lance Bragstad proposed openstack/glance master: Make secure RBAC protection job voting https://review.opendev.org/c/openstack/glance/+/778258	00:31
lbragstad	ok - that should take care of things? assuming the gtp tests still work and i didn't fat-finger something	00:32
dansmith	lbragstad: yeah, on your copy-image comment,	00:35
dansmith	it's fine to default to admin, but I can override to include regular members with what you have there right?	00:35
dansmith	the comment is more "if we want the default to be different" or something right?	00:35
dansmith	okay I think the comment is about you using a simplistic check_str default,	00:38
dansmith	unlike the ADMIN_OR_PROJECT_MEMBER on most of the other rules	00:38
dansmith	also commented on the set_image_location thing	00:40
dansmith	will dig into that tomorrow.. didn't notice it before	00:40
*** Underknowledge has quit IRC		01:08
*** Underknowledge has joined #openstack-glance		01:08
*** gyee has quit IRC		01:17
openstackgerrit	Dan Smith proposed openstack/glance master: Add housekeeping module and staging cleaner https://review.opendev.org/c/openstack/glance/+/777012	01:36
*** Underknowledge2 has joined #openstack-glance		01:51
*** Underknowledge has quit IRC		01:54
*** Underknowledge2 is now known as Underknowledge		01:54
*** rcernin has quit IRC		02:00
lbragstad	yeah - you can override copy_image to be "" if you want and your nova job should still work	02:14
lbragstad	with enforce_scope = True	02:14
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: WIP: Lay down system persona test plumbing https://review.opendev.org/c/openstack/glance-tempest-plugin/+/778343	02:29
*** rcernin has joined #openstack-glance		02:29
*** rcernin has quit IRC		02:29
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: WIP: Lay down system persona test plumbing https://review.opendev.org/c/openstack/glance-tempest-plugin/+/778343	02:29
*** felixhuettner[m] has quit IRC		02:29
*** rcernin has joined #openstack-glance		02:30
*** felixhuettner[m] has joined #openstack-glance		02:33
*** Underknowledge has quit IRC		02:38
*** rcernin has quit IRC		02:44
*** rcernin has joined #openstack-glance		03:16
openstackgerrit	Lance Bragstad proposed openstack/glance master: Implement project personas for image actions https://review.opendev.org/c/openstack/glance/+/764754	03:18
openstackgerrit	Lance Bragstad proposed openstack/glance master: Update default policies for task API https://review.opendev.org/c/openstack/glance/+/763208	03:18
openstackgerrit	Lance Bragstad proposed openstack/glance master: Make secure RBAC protection job voting https://review.opendev.org/c/openstack/glance/+/778258	03:18
*** dasp has quit IRC		03:34
*** dasp has joined #openstack-glance		03:45
*** k_mouza has joined #openstack-glance		04:00
*** k_mouza has quit IRC		04:05
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Increase oslo.policy logging for protection tests https://review.opendev.org/c/openstack/glance-tempest-plugin/+/778356	04:14
*** zzzeek has quit IRC		04:17
*** zzzeek has joined #openstack-glance		04:17
*** zzzeek has quit IRC		04:22
*** zzzeek has joined #openstack-glance		04:23
*** udesale has joined #openstack-glance		04:35
*** ratailor has joined #openstack-glance		04:54
*** whoami-rajat has joined #openstack-glance		04:58
*** ratailor_ has joined #openstack-glance		05:26
*** ratailor has quit IRC		05:29
*** ratailor__ has joined #openstack-glance		05:34
*** m75abrams has joined #openstack-glance		05:35
*** ratailor_ has quit IRC		05:37
*** ajitha has joined #openstack-glance		05:48
*** zzzeek has quit IRC		06:06
*** zzzeek has joined #openstack-glance		06:41
*** ralonsoh has joined #openstack-glance		07:37
*** rcernin has quit IRC		07:44
*** tosky has joined #openstack-glance		08:34
*** jdillaman has quit IRC		08:44
*** jdillaman has joined #openstack-glance		08:45
*** Underknowledge has joined #openstack-glance		09:11
openstackgerrit	Merged openstack/python-glanceclient master: Add Python3 wallaby unit tests https://review.opendev.org/c/openstack/python-glanceclient/+/750701	09:37
*** lpetrut has joined #openstack-glance		10:22
*** k_mouza has joined #openstack-glance		10:36
*** bhagyashris is now known as bhagyashris\|rove		11:30
*** bhagyashris\|rove is now known as bhagyashri\|rover		11:30
*** udesale_ has joined #openstack-glance		11:57
*** udesale has quit IRC		12:00
*** legochen_ has joined #openstack-glance		12:42
*** legochen_ is now known as legochen		12:43
*** ratailor__ has quit IRC		13:19
*** dirtwash has joined #openstack-glance		13:40
dirtwash	so I just setup a fresh ceph nautilus cluster with a fresh victoria openstanck and again snapshost fail, this is related to https://bugs.launchpad.net/glance/+bug/1916482	13:42
openstack	Launchpad bug 1916482 in Glance "rbd.IncompleteWriteError: RBD incomplete write (Wrote only 8388608 out of 8394566 bytes) since Victoria Upgrade, ceph v nautilus" [Undecided,New]	13:42
dirtwash	seems defo incompatiblity issue with Victoria glance release and ceph v14/nautilus	13:42
jokke	dirtwash: thanks, will try to look into the details today	13:50
*** jv_ has quit IRC		13:55
*** jv_ has joined #openstack-glance		14:00
dirtwash	kinda important because most big ceph users dont run latset stable (octoupus) because of early issues, all major clusters I know are still Nautilus, mine included	14:07
*** takamatsu has joined #openstack-glance		14:17
*** jdillaman has quit IRC		14:18
*** jdillaman has joined #openstack-glance		14:18
*** jv_ has quit IRC		14:33
*** jv_ has joined #openstack-glance		14:34
openstackgerrit	Dan Smith proposed openstack/glance master: Add administrator docs for distributed-import https://review.opendev.org/c/openstack/glance/+/778072	14:38
openstackgerrit	Dan Smith proposed openstack/glance master: Enable second glance worker for import testing https://review.opendev.org/c/openstack/glance/+/770629	14:38
*** jv_ has quit IRC		14:59
*** jdillaman has quit IRC		15:00
*** jv_ has joined #openstack-glance		15:07
*** lpetrut has quit IRC		15:09
*** happyhemant has joined #openstack-glance		15:13
dansmith	abhishekk: this is majorly cut down to just the important stuff and looks good to me: https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568	15:19
dansmith	do you think we're ready to go ahead and get that merged to help keep the number of pending patches down?	15:19
jokke	dansmith: you around?	15:33
dansmith	yup	15:33
tosky	there is a small cleanup (almost typo fix) you can merge before anything else: https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773562	15:34
jokke	dansmith: about the cleanup. Did you test that without moving the create pool out of the if clause? If I'm reading the code flow correctly in multi worker environment that pool gets actually never utilized and it would exists when called if it was still within the condition	15:35
dansmith	tosky: got it :)	15:35
dansmith	jokke: yeah, I moved it because of the way we start functional workers I think... move it back and run those and I think you'll see a NameError when we go to use self.pool	15:36
dansmith	jokke: if I'm mistaken, then I can move it back (although having instance variables sometimes missing is confusing anyway)	15:36
dansmith	I also really really don't think it's something we need to worry much about in terms of the overhead it may bring	15:37
jokke	dansmith: sure I'll give it a try. I thought each of the workers actually set their pool as self.pool as part of their spawn process. So the self.pool should be pointing to the last worker and then all the pools are in the async pool list	15:37
jokke	dansmith: true, just thinking we might be actually creating extra pool that gets never used unless workers == 0	15:38
dansmith	I understand, I just don't think that's a huge deal.. if it pre-allocated a thousand threads then maybe, but .. :)	15:39
jokke	yeah thankfully afaik the eventlet pools are not preallocating anything but the thread tracker. I think that's why we default like 1000 threads on them	15:39
dansmith	yeah	15:41
abhishekk	dansmith, So this https://review.opendev.org/c/openstack/glance-tempest-plugin/+/773568 is the patch which will verify that legacy rbac is working correctly and secure-rbac will fail until we adopt to new changes	15:55
dansmith	abhishekk: yep	15:56
abhishekk	cool	15:56
abhishekk	will have a look soon enough	15:57
openstackgerrit	Dan Smith proposed openstack/glance master: Add housekeeping module and staging cleaner https://review.opendev.org/c/openstack/glance/+/777012	16:02
openstackgerrit	Dan Smith proposed openstack/glance master: Add a check on startup for staging directory https://review.opendev.org/c/openstack/glance/+/778493	16:02
*** takamatsu has quit IRC		16:11
*** smcginnis has quit IRC		16:25
*** smcginnis has joined #openstack-glance		16:34
*** m75abrams has quit IRC		16:48
*** udesale_ has quit IRC		16:52
*** jv_ has quit IRC		17:01
*** ralonsoh has quit IRC		17:01
*** hoonetorg has quit IRC		17:01
*** stand has quit IRC		17:01
*** lifeless_ has quit IRC		17:01
dansmith	lbragstad: I'm really struggling with these: https://review.opendev.org/c/openstack/glance-tempest-plugin/+/775742	17:01
dansmith	I started by offering to comment them for you as I went through figuring them out, but ... I was stopped at like the second one	17:01
*** openstackgerrit has quit IRC		17:02
lbragstad	dansmith ack - i'll take a look here soon	17:03
dansmith	ack, sorry, I'm not very smart	17:04
*** ralonsoh has joined #openstack-glance		17:05
*** stand has joined #openstack-glance		17:05
lbragstad	i can understand the confusion - it's a lot to keep straight when you start dealing with multiple projects and clients	17:05
dansmith	yeah, it's more than I have fingers and toes :)	17:06
*** jv_ has joined #openstack-glance		17:07
*** hoonetorg has joined #openstack-glance		17:07
*** lifeless_ has joined #openstack-glance		17:07
abhishekk	rosmaita, when you get time, please have a look at https://review.opendev.org/c/openstack/glance/+/775860 and https://review.opendev.org/c/openstack/python-glanceclient/+/776403	17:23
rosmaita	abhishekk: ack	17:23
abhishekk	both are good to go and will reduce our M3 review list	17:23
abhishekk	thank you	17:23
dansmith	abhishekk: in order to test the cleanup of the conversion files in the functional test, I need to have them in the database	17:46
dansmith	abhishekk: is it okay to just use the existing uuids.stale as the base, and create several more files for it like .raw and .uc and make sure those get hit?	17:47
dansmith	I can create another image for those too, but it'll just make that test longer	17:47
abhishekk	I think it will be ok to use uuids.stale as base	17:47
dansmith	er, not uuids. stale, but the image I create/stage above	17:47
dansmith	okay, I think it's close enough too, just wanted to make sure	17:48
abhishekk	ack	17:48
dansmith	actually, nevermind all that I'm being stupid	17:49
dansmith	not a great day for me today :)	17:50
abhishekk	:D	17:50
dansmith	abhishekk: ^	18:00
dansmith	er, where is the bot? :)	18:00
abhishekk	I think bot is also not having good day :D	18:01
dansmith	haha	18:01
abhishekk	I got email update though, thank you	18:01
dansmith	cool	18:01
abhishekk	dansmith, could you please verify glance-store hash	18:08
abhishekk	https://review.opendev.org/c/openstack/releases/+/777970	18:09
abhishekk	I think it has +2 from zuul, but not merged yet	18:09
dansmith	abhishekk: done	18:11
abhishekk	thank you	18:11
dansmith	maybe those are manual merges? it completed the gate	18:13
abhishekk	I think it will revisit gate once +w hits	18:15
abhishekk	smcginnis, ^^	18:15
dansmith	ah, I see he dropped it, gotcha	18:16
abhishekk	me signing out for the day, will revisit rbac patches tomorrow	18:17
dansmith	o/	18:17
abhishekk	o/~	18:17
jokke	night	18:18
*** ralonsoh has quit IRC		18:23
jokke	lbragstad: quick follow up about the community/public etc. all that.	18:28
dansmith	lbragstad: and while fixing whatever jokke just found, remove your non-voting job from the gate queue :) https://review.opendev.org/c/openstack/glance/+/778079	18:29
* lbragstad nods		18:30
lbragstad	dansmith quick spot check	18:30
dansmith	I can ninja that patch when you fix	18:31
jokke	lbragstad: so yeah I saw your comment now on the add_image policy and how it kind of never hits in that specific case due to the other policy being on the way. Is it just perception thing (as in the string looks bad and like it could allow such) or is it as scary as it looks like and we need to be super careful?	18:31
lbragstad	https://review.opendev.org/c/openstack/glance-tempest-plugin/+/778538 is this the type of clarification you're asking for dansmith?	18:32
lbragstad	jokke well - it could be scary if something changes the order of operations as far as policy is concerned	18:33
dansmith	lbragstad: in general yeah, I'll go look, but... can't we have those comments in the patch where you're adding the tests to make it easier to review?	18:33
lbragstad	or if glance decides to not nest policy enforcement checks	18:33
lbragstad	dansmith yeah - i'm planning on proposing that in the review you had comments on	18:34
jokke	lbragstad: so the policy actually works like I described in my comment and we're pretty much relying something else catching it first to avoid horrible things? :P	18:34
lbragstad	i just threw that up as a wip so you could easily see the different	18:34
lbragstad	difference*	18:34
dansmith	lbragstad: ack cool	18:34
lbragstad	jokke well - yeah.. kind of	18:36
lbragstad	just about every layer of glance wants at least some responsibility for authorization	18:36
jokke	lbragstad: for example my delete question below was very related for that exact reason. AFAIK there is no other policy to safeguard it	18:36
lbragstad	so - if we don't trip on the twig, we'll trip on the branch in the next step	18:37
jokke	lbragstad: I know :(	18:37
lbragstad	but - i understand what you're saying	18:37
lbragstad	i think to address that	18:37
jokke	we have loads of authorization that is 100% not relying the policies to check if action is ok or not.	18:37
jokke	which is sad	18:38
lbragstad	agreed - but.. i think the goal today should be	18:38
lbragstad	write a policy check string that encompasses the ideal use case	18:38
lbragstad	and make sure the behavior doesn't break	18:38
*** lpetrut has joined #openstack-glance		18:38
lbragstad	then we at least know the policy check isn't too restrictive	18:39
lbragstad	and as we sweep the authorization bits out of the database/authorization/controllers and into the policy layer	18:39
lbragstad	the policy check string will naturally take on more authorization responsibility	18:39
lbragstad	and do what it's supposed to do	18:39
lbragstad	for example	18:39
lbragstad	right now "get_image" has something like this for a check string	18:40
lbragstad	"role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s))"	18:40
lbragstad	but the community and public parts of that check string aren't fully tested by the policy integration tests because that enforcement still lives in the database (from what I can understand and test)	18:41
lbragstad	but - at least we have a check string that's relatively realistic and should hopefully act as a safeguard if/when we do start refactoring the database bits	18:42
jokke	lbragstad: also added clarification to https://accountantonline.ie/accountancy-fees/	18:47
jokke	sorry	18:48
jokke	https://review.opendev.org/c/openstack/glance/+/764754/23/glance/policies/image.py#307	18:48
jokke	^^ right link :D	18:48
*** lpetrut has quit IRC		18:49
lbragstad	ok - maybe i'm confused	18:49
lbragstad	i wasn't sure if we were talking about the add_image policy or the reactivate policy	18:49
jokke	lbragstad: ok that makes bit more sense in general. Not less scary looking 'though	18:50
jokke	lbragstad: oh I was going through your responses.	18:50
lbragstad	ok - so end users are allowed to deactivate images, but only administrators can reactivate them?	18:51
lbragstad	s/end users/project-members/	18:51
jokke	the discussion here was mainly the impact of that check string, cause that looks in general scary AF. But lots of those thing you said makes more sense when you take the db restrictions and all that in to account	18:51
jokke	lbragstad: correct. as long as they are part of the owner tenant	18:52
lbragstad	so - if i decide to deactivate all images before i get fired, my manager has to contact the openstack operators to re-enable all of them after i've been escorted out?	18:53
lbragstad	s/all images/all images in my project/	18:53
* dansmith takes note		18:53
jokke	lbragstad: that's how it was designed ... which would explain why you got fired :P	18:54
dansmith	hah	18:54
jokke	it's still less pain in the bollox than you deleting them which you would have permissions to do as well	18:55
jokke	and would likely got you fired too	18:55
lbragstad	well - i was probably fired for other reasons, but as a disgruntled employee i could hose images for my immediate project members and know it requires a ticket-based workflow somewhere	18:55
dansmith	yeah, it seems odd to me	18:56
lbragstad	just playing devils advocate as someone really looking to stick it to the man before they get booted out the door :)	18:58
jokke	IIRC the motivation for that was somewhere around these lines. Employee X finds weird behaviour on one of their images, deactivates it so no-one boots more instances from it before it's deemed safe. Now Employee Z who actually uploaded that malicious image, would obviously notice that his image got jammed so all he had to do was to either reactivate it or delete and recreate to play little more	18:59
jokke	time for it.	18:59
jokke	Specially if you use osc and rely image names that would be super effective	19:00
lbragstad	ok - so that's assuming X and Z are both users within the same project	19:00
lbragstad	right?	19:00
jokke	so the image literally gets locked before admin gives it a pass as default policy	19:00
jokke	lbragstad: yeah part of same tenant/project/<inject string what they are called today here>	19:01
lbragstad	enemy in the wire kind of thing?	19:01
jokke	most of the time attacks comes from inside	19:01
jokke	also admin could deactivate weirdly behaving image in their cloud instead of just deleting it for investigation	19:02
lbragstad	yeah - i think the admin case makes sense	19:02
jokke	so it's really quarantine operation	19:02
lbragstad	i think it's certainly within their rights to activate and deactivate whatever they want	19:02
lbragstad	i guess i really wanted to understand the reason why project members didn't have the ability to reactivate images and require operator intervention	19:04
dansmith	jokke: is there any user doc material that describes it like that?	19:04
jokke	I think it makes more sense maybe some day if we get these scopes little bit more in place. I could see reactivation being system or project admin etc.	19:04
lbragstad	mmm - exposing reactivate/deactivate to project-admins seems reasonable	19:05
jokke	lbragstad: it was really if anyone including operator did deactivate it, so the malicious user couldn't destroy the evidence and/or drop it back into use	19:05
jokke	dansmith: the original spec for example https://wiki.openstack.org/wiki/Glance-deactivate-image	19:08
jokke	dansmith: FAQ at the very end	19:08
lbragstad	so - from an operator perspective, of which i'm not ;)	19:09
dansmith	this describes the opposite doesn't it?	19:09
dansmith	where a user can reactivate but an admin may only be able to deactivate?	19:09
lbragstad	if i notice someone is uploading malicious images within a paritcular project, i'm likely going to disable their entire project	19:09
dansmith	or have I been flipping this conversation? I thought you were saying a user could deactivate but then needs a ticket to reactivate	19:10
jokke	I think this was the actual spec the implementation was based off https://specs.openstack.org/openstack/glance-specs/specs/kilo/deactivate-image.html	19:10
lbragstad	"If an image is deemed suspicious, an admin should be able to put the image “on hold” preventing instances from being built with it until it has be properly examined and determined to be safe or found dangerous and deleted. All image properties will remain accessible and editable, but the image will not be downloadable by non-admin users."	19:11
lbragstad	i think we have that part covered - yeah?	19:11
jokke	no you're not. That original spec assumed the deactivate/reactivate was treated as single operation and described the problem exposing that flip state to the user	19:12
jokke	why it was later on split like proposed on that same statement to be behind two different policies so they can be controlled individually	19:13
jokke	lbragstad: I think it's one of those things where it's hardcoded to be admin operation only rather than utilixing policies to lock the data down when the image is deactivated	19:14
lbragstad	ok - so we have a few options	19:15
lbragstad	1.) make deactivate/reactivate admin-only	19:15
jokke	it was just the reactivation policy we should have admin by default as I think it has been so far	19:15
lbragstad	2.) expose deactivate to project-members and keep reactivate admin-only	19:15
lbragstad	3.) expose deactivate and reactivate to project-members	19:16
dansmith	jokke: was that "no you're not" aimed at my wondering about having this backwards?	19:16
dansmith	sounds like the current state is opposite from what that original spec proposed,	19:16
jokke	dansmith: yeah	19:17
dansmith	although not sure if that changed along the way, or just in the implementation	19:17
dansmith	okay	19:17
jokke	dansmith: the original spec did present it backwards because it assumed it being single toggle opertion	19:17
jokke	instead of two different operations	19:17
lbragstad	i guess the case i'd like to avoid is #2	19:18
dansmith	but the original spec described admin having perms to deactivate, and user having activate... so still split now?	19:18
dansmith	*no	19:18
jokke	it is still split and currently the default behaviour should be the option 2 lbragstad described	19:18
lbragstad	that should be the default (#2)?	19:19
dansmith	okay, like lbragstad that seems not very useful to me, but it sounds like that makes it "like it is today" - for better or worse	19:19
jokke	so as part of this work, I'd say lets keep it like that and if there is wish to change it, that should be it's own piece of work	19:19
lbragstad	as in that's how it should work today prior to any of the secure rbac changes?	19:19
jokke	correct ;)	19:20
dansmith	I'd like to know who is actually using this, and how...	19:20
jokke	dansmith: I've stumbled upon pretty creative use cases for the feature	19:20
lbragstad	umm	19:20
lbragstad	https://review.opendev.org/c/openstack/glance-tempest-plugin/+/775742/11/glance_tempest_plugin/tests/rbac/v2/test_images.py@1431	19:20
lbragstad	that ^ test passes with legacy rbac... as in no new project personas	19:20
dansmith	lbragstad: meaning a regular user can reactivate yeah?	19:21
lbragstad	https://1e03df7e49d16b52a381-065293745cdcc6ecb6052ade0199e5ba.ssl.cf2.rackcdn.com/775742/11/check/glance-legacy-rbac-protection-functional/fe5e8a6/testr_results.html	19:21
lbragstad	yes	19:22
dansmith	lbragstad: see why I wanted the tests to land first? :)	19:22
dansmith	lbragstad: we get a 204 there, I wonder if it's just not actually reactivated even though it told us it was?	19:22
jokke	hmm-m that's likely due to something that has slipped when we stopped shipping default policy file, as that was one of the rare default overwrites we did ship from the permissive policy	19:23
jokke	which would be super easy to check if we still had our policy files	19:25
dansmith	jokke: https://github.com/openstack/glance/blob/stable/stein/etc/policy.json#L36	19:26
dansmith	looks unrestricted to me	19:26
dansmith	all the way back to ocata	19:26
dansmith	(unless I'm looking at the wrong thing)	19:28
jokke	yup, looks like I did remember that wrong	19:28
jokke	now I'm wondering how we are shipping that from OoO etc.	19:28
dansmith	so, maybe the default was the intent,	19:28
dansmith	but the shipped policy didn't match	19:28
dansmith	well, no the default was default for both right?	19:29
dansmith	heh, default was "rule:default" I mean	19:29
dansmith	which is "anyone that can see the image" ?	19:29
jokke	yeah our default policy has been pretty permissive about everything for testing	19:30
jokke	like many things that we document should be admin only or restricted, are in repo with empty string so we can test it	19:30
dansmith	the tests override the policy to be unrestricted, AFAIK, so I don't think this file affects them that I know of	19:31
jokke	nowadays yes	19:31
jokke	iirc even tempest used to be like default policies and tempest tests only user functions, if it needed admin credentials it was out of scope ofr tempest	19:32
jokke	but indeed looks like this is yet another of those things that we've been shipping opposite what we expect in the docs :(	19:33
dansmith	well, that's the point of the defaults-in-code work, so ... good? :)	19:33
jokke	well no, now when it's hidden all over the place in code it's even mre difficult to chec vs. when it was one clean file ;)	19:34
dansmith	well, disagree on that, but the point is to not be shipping two copies of things that can (and clearly do) get out of sync	19:35
lbragstad	well - just because it was in the file doesn't mean what was in the file was true with what is in the rest of glance that does authorization stuff	19:35
dansmith	well, that's a whole other thing	19:36
jokke	lbragstad: well the policies being in the code does not change the out of the policies auth either ;D	19:36
lbragstad	i think i understand that bit, but i don't think having a policy file necessarily makes this better	19:37
lbragstad	theoretically - we would have hit these issues 4 or 8 cycles ago if we wrote the same tests then, no?	19:38
jokke	but at least the new definitions under /glance/policies are much more undestandable than the old policy.json or the intermediate one we're moving away now	19:38
jokke	I really liked the old file based policies. It was so clear and all package managers knew how to deal with/warn if there was changes coming from upstream on upgrade.	19:41
lbragstad	we have deprecation signaling for that now	19:41
lbragstad	the file-based approach didn't really give us a way to handle things gracefully for operators on upgrade	19:42
dansmith	yeah	19:42
dansmith	but regardless, here we are, not much point in discussing that here and now	19:43
jokke	well at least it won't change anytihng	19:43
dansmith	sounds like to be the most compatible, we should keep both operations open to everyone and maybe have a reno to alert operators if they for some reason find that surprising?	19:44
lbragstad	so approach #3?	19:44
dansmith	not really sure it should be surprising to anyone, I guess, given all the defaults were open/open AFAICT	19:44
dansmith	yeah	19:44
lbragstad	ok - so i don't think i need to update that specific policy in question then	19:45
jokke	dansmith: not _all_ :P	19:45
jokke	"publicize_image": "role:admin",	19:45
jokke	"manage_image_cache": "role:admin",	19:45
jokke	"tasks_api_access": "role:admin",	19:45
dansmith	where is that?	19:46
jokke	that's from stable/train policy.json we shipped	19:46
dansmith	changed in stable? but aren't we talking about (re)activate ?	19:47
jokke	all the defaults	19:47
dansmith	https://github.com/openstack/glance/blob/stable/train/etc/policy.json#L36	19:48
dansmith	are you talking about downstream?	19:48
jokke	dansmith: all the defaults not that specific one ...	19:48
jokke	I was pointing out that I managed to find 3 from the whole bloody thing that were not wide open :P	19:49
dansmith	oh,, I see.. I meant s/all/both/ above, in "all the places"	19:49
jokke	'though I'm not sure if that file has all possible policies mapped ... the default was admin, so anyhing not listed should be pointing to admin	19:50
*** whoami-rajat has quit IRC		19:50
jokke	but yeah, I don't think this is the right place to lock the specific one down lbragstad go with #3, sorry for confusion and derailing the convo for past 2 hours or so	19:51
jokke	my comment was based on how it was supposed to be, not how it has been shipping	19:52
lbragstad	ok - but we're good with exposing this at the project-level is what i'm hearing	19:52
jokke	well t least we know it's policy controlled. Not that it gets blocked somewhere else due to being hardcoded	19:54
*** lifeless_ is now known as lifeless		19:56
lbragstad	well - kind of	19:56
lbragstad	https://opendev.org/openstack/glance/src/branch/master/glance/api/authorization.py#L369-L371	19:57
lbragstad	^ i have no idea how or where that gets invoked	19:57
lbragstad	it doesn't appear to be in the code paths i'm testing	19:57
lbragstad	but that's the code equivalent of "!" deny all	19:58
jokke	uuh, that's immutable proxy	19:58
lbragstad	i'm not sure if you have to do something special to hit that?	19:58
jokke	yeah, that's literally read-only image object	19:58
lbragstad	ah	19:58
jokke	I think that might be the mecanism which prevets lots of things happening if you're not the owner	19:59
lbragstad	so - that could be something like "False:%(protected)s" if we were to convert that	19:59
dansmith	it's very effective, and also very frustrating from a testing perspective :)	20:00
dansmith	it's a very brute-force way to make sure you don't accidentally mutate anything in the image, like metadata or the many linked structures you get back with an image	20:01
dansmith	there's magic that happens when you save an image, so it seems to aim to generate an exception when you even touch your "image" object before you get a chance to save() it and maybe have some unintended things get changed	20:02
jokke	dansmith: yeah	20:02
jokke	like you said it's crude but effective	20:02
lbragstad	ok - sounds like the publicize image policy check and how that's invoked before add_image	20:03
dansmith	yeah, I can see places where it would allow a leak, thinking that it was airtight, and also where it would prevent us from allowing certain operations we want to grant, without granting control over the image itself	20:03
jokke	it's also very frustrating combo with the domain model and all possible proxies	20:04
jokke	where you really never know which object you actually got back. it might look right but only way to be sure is to check the type	20:05
jokke	specially when there is stuff like properties which might be some proxy object depending where you got the image object from, and which layer happened to swap it between proxy object that behaves bit like a list or dict vs actual list or dict	20:06
jokke	which is what I assume was happening on that locations list you had to remove. It should be just list of dicts, but some layers gives you proxy	20:07
jokke	but it's past 8PM. Dinner, movie or something and sleep.	20:12
*** happyhemant has quit IRC		20:13
lbragstad	ok - i'm following up on the whole 204/actual deactivation thing	20:20
lbragstad	the status when a project-member deactivates an image is 'deactivate'	20:21
dansmith	lbragstad: don't leave us hanging bro	20:46
lbragstad	that's it - that's the news	20:46
*** rcernin has joined #openstack-glance		20:46
dansmith	I thought you were going to try reactivate as a user and see if it actually recovers	20:46
lbragstad	oh - yeah, i think we have a test for that	20:48
*** k_mouza has quit IRC		20:49
*** openstackgerrit has joined #openstack-glance		20:49
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Add tests for image membership, deactivation, and reactivation https://review.opendev.org/c/openstack/glance-tempest-plugin/+/775742	20:49
lbragstad	ok - i loaded ^ with a bunch of comments	20:50
lbragstad	to hopefully make the tests a little more clear	20:50
*** gyee has joined #openstack-glance		21:01
*** rcernin has quit IRC		21:17
dansmith	lbragstad: definitely helpful, and seems like your comment density went up as you got further in the file :)	21:17
dansmith	still have some questions, which I just left in there	21:17
dansmith	they're probably more like "glance will let you do whaa?" than actually policy-related, but.. since you're asserting that things are this way, you get to shoulder that burden I guess :)	21:18
dansmith	actually, nevermind, I should have just looked it up myself first	21:27
*** irclogbot_0 has quit IRC		21:33
*** ianw has quit IRC		21:33
*** lyr has quit IRC		21:33
*** freerunner has quit IRC		21:33
*** irclogbot_0 has joined #openstack-glance		21:34
*** ianw has joined #openstack-glance		21:34
*** lyr has joined #openstack-glance		21:34
*** freerunner has joined #openstack-glance		21:34
*** zzzeek has quit IRC		21:44
*** zzzeek has joined #openstack-glance		21:45
*** rcernin has joined #openstack-glance		22:05
*** rcernin has quit IRC		22:11
*** rcernin has joined #openstack-glance		22:11
*** ajitha has quit IRC		22:23
openstackgerrit	Dan Smith proposed openstack/glance master: Add housekeeping module and staging cleaner https://review.opendev.org/c/openstack/glance/+/777012	22:43
openstackgerrit	Dan Smith proposed openstack/glance master: Add a check on startup for staging directory https://review.opendev.org/c/openstack/glance/+/778493	22:43
*** k_mouza has joined #openstack-glance		22:49
*** k_mouza has quit IRC		22:54
*** rcernin has quit IRC		22:56
*** rcernin has joined #openstack-glance		23:01
*** k_mouza has joined #openstack-glance		23:17
openstackgerrit	Dan Smith proposed openstack/glance master: Enable second glance worker for import testing https://review.opendev.org/c/openstack/glance/+/770629	23:18
*** k_mouza has quit IRC		23:22
*** rcernin has quit IRC		23:26
*** k_mouza has joined #openstack-glance		23:27
*** k_mouza has quit IRC		23:31
*** k_mouza has joined #openstack-glance		23:36
openstackgerrit	Lance Bragstad proposed openstack/glance-tempest-plugin master: Add tests for image membership, deactivation, and reactivation https://review.opendev.org/c/openstack/glance-tempest-plugin/+/775742	23:39
lbragstad	dansmith ok - i pulled some of your subtext comments into ps13	23:40
lbragstad	but i wasn't sure if you meant for some of those to be added or not?	23:40
*** zzzeek has quit IRC		23:40
lbragstad	if i misinterpreted that - let me know and i can re-add them	23:40
lbragstad	er - add them*	23:40
*** k_mouza has quit IRC		23:41
*** zzzeek has joined #openstack-glance		23:42
openstackgerrit	Lance Bragstad proposed openstack/glance master: Add glance functional protection tests to check and gate https://review.opendev.org/c/openstack/glance/+/778079	23:42
dansmith	lbragstad: yeah, happy to have them in there	23:46
dansmith	lbragstad: ninja'd the test job patch	23:47
lbragstad	sweet	23:47
openstackgerrit	Merged openstack/glance master: Distributed image import https://review.opendev.org/c/openstack/glance/+/769976	23:59

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!