| opendevreview | Pranali Deore proposed openstack/glance master: WIP Implement secure rbac for metadef namespaces https://review.opendev.org/c/openstack/glance/+/798700 | 05:36 |
|---|---|---|
| abhishekk | dansmith, around? | 14:18 |
| dansmith | abhishekk: yeah | 14:29 |
| abhishekk | dansmith, I added this question in commit message also, how we are going to flip authorization flag ? | 14:32 |
| dansmith | well, | 14:32 |
| dansmith | I was thinking we'd do it like I currently do, which is underneath a stack of code that has been converted | 14:32 |
| abhishekk | I am thinking of writing separate litespec for this change | 14:33 |
| dansmith | okay | 14:33 |
| dansmith | I'm not sure why your patch to flip all the tests to defaults doesn't fail a bunch of tests | 14:33 |
| dansmith | because I would expect a lot of the tests I had to fix for the new defaults to potentially be broken with the old ones | 14:34 |
| abhishekk | hmm, I think I have fixed around 32 tests which were failing | 14:35 |
| abhishekk | for example, publicize_image is admin only action and in yaml file it was open for all | 14:36 |
| dansmith | yeah, I saw you fixed some, but I expected more | 14:36 |
| dansmith | maybe more default to admin or something | 14:36 |
| dansmith | I guess a lot of the fails were around member/reader changes so maybe that's why I was thinking there would be more | 14:36 |
| abhishekk | hmm, I haven't made any changes related to reader role | 14:37 |
| abhishekk | and all our tests still refers to legacy policies and not rbac | 14:37 |
| dansmith | right I mean _my_ patches were doing the member->reader thing | 14:38 |
| abhishekk | hmm and my patch is not on top of your patches | 14:38 |
| dansmith | right, I'm not saying something is wrong, I'm saying I think that's why I was expecting more fail than you had to fix | 14:39 |
| abhishekk | yeah, me too | 14:39 |
| dansmith | okay :) | 14:39 |
| dansmith | so what is the plan to be testing the new defaults? we kinda need a new glance-functional job that runs with the default flipped to rbac or something | 14:39 |
| abhishekk | earlier I was thinking of removing .yaml from repo which resulted in failing around 70% tests | 14:39 |
| abhishekk | so I took this shortcut | 14:40 |
| dansmith | like the rbac tempest job | 14:40 |
| abhishekk | I think that will be much better | 14:40 |
| dansmith | okay, so non-voting, and iterate until both functional jobs pass? | 14:40 |
| abhishekk | correct | 14:40 |
| dansmith | okay, let me play with that on top of this patch of yours | 14:41 |
| abhishekk | great | 14:41 |
| abhishekk | I will ping you if I have any questions while writing lite spec | 14:42 |
| abhishekk | I will do it mostly tomorrow after meeting though | 14:42 |
| dansmith | okay | 14:42 |
| abhishekk | cool, thank you | 14:43 |
| dansmith | okay, 50% of test_images fails in that mode | 15:04 |
| abhishekk | :D | 15:06 |
| dansmith | gmann: can I set an envar in a zuul job def, or do I need to create a new tox env with setenv? | 15:08 |
| gmann | dansmith: abhishekk yeah that is what I am also planning in Temepst side. during migrating the tempest tests to new rbac add a n-v job with new rbac enable on service side | 15:23 |
| dansmith | gmann: cool | 15:23 |
| gmann | dansmith: we can add that in job definition only. I have few patches up for those but need to merge those, let me check | 15:23 |
| abhishekk | ack | 15:23 |
| gmann | dansmith: abhishekk this is what i started https://review.opendev.org/c/openstack/devstack/+/778945 | 15:24 |
| gmann | other services https://review.opendev.org/q/topic:%2522secure-rbac%2522+(status:open+OR+status:merged)+project:openstack/devstack+owner:gmann%2540ghanshyammann.com | 15:24 |
| dansmith | gmann: okay but I'm asking about functional, where I just need to set an envar in a jobdef | 15:25 |
| gmann | I need to debug on keystone patch first and then we can merge the service side things | 15:25 |
| gmann | dansmith: ohk | 15:25 |
| dansmith | what I started is a job def with new tox env, which does setenv= in tox.ini.. is that the way? | 15:25 |
| gmann | you can create the separate tox env which can help to run locally also. | 15:25 |
| gmann | yeah, like we do for api-ref env in nova | 15:26 |
| gmann | api-sample i think | 15:26 |
| dansmith | ack | 15:26 |
| gmann | https://github.com/openstack/nova/blob/master/tox.ini#L140 | 15:26 |
| dansmith | yeah was just hoping I could use passenv instead of setenv and a new target, but no worries, almost done | 15:28 |
| opendevreview | Dan Smith proposed openstack/glance master: Add a nonvoting functional job with RBAC defaults https://review.opendev.org/c/openstack/glance/+/798922 | 15:40 |
| dansmith | abhishekk: ^ | 15:40 |
| abhishekk | dansmith, ack, will have a look | 15:40 |
| abhishekk | perfect | 15:50 |
| dansmith | abhishekk: so we should probably get that merged so we can iterate on separate tests | 16:03 |
| abhishekk | So I need to modify my test patch 1st | 16:04 |
| dansmith | yup | 16:04 |
| abhishekk | Ack, will do it after dinner break | 16:04 |
| abhishekk | wait, there is just spelling mistake, right? | 16:05 |
| dansmith | there are two, one in the commit message and one in the policy file | 16:06 |
| abhishekk | yeah, will just do it online before going for dinner | 16:06 |
| dansmith | okay | 16:06 |
| abhishekk | could you please create this blueprint in LP, policy-tests-refactoring ? | 16:07 |
| dansmith | abhishekk: I thought that was the name of yours | 16:09 |
| dansmith | because of the topic of your patch underneath | 16:09 |
| dansmith | I don't think we need a bp for it, I just thought this was supposed to line up with your lite spec and topic :) | 16:10 |
| abhishekk | Ack, I guess we link it to policy-refactor BP then | 16:10 |
| dansmith | yeah, was just going to say | 16:10 |
| dansmith | can you fix when you update the patch below? else I will after you do | 16:10 |
| abhishekk | will do it, hopefully it will work from browser editing | 16:11 |
| opendevreview | Abhishek Kekane proposed openstack/glance master: Use default policies in our tests https://review.opendev.org/c/openstack/glance/+/798381 | 16:12 |
| opendevreview | Abhishek Kekane proposed openstack/glance master: Add a nonvoting functional job with RBAC defaults https://review.opendev.org/c/openstack/glance/+/798922 | 16:13 |
| opendevreview | Abhishek Kekane proposed openstack/glance master: Add a nonvoting functional job with RBAC defaults https://review.opendev.org/c/openstack/glance/+/798922 | 16:14 |
| dansmith | will wait for the test run on yours before voting | 16:14 |
| opendevreview | Abhishek Kekane proposed openstack/glance master: Add a nonvoting functional job with RBAC defaults https://review.opendev.org/c/openstack/glance/+/798922 | 16:14 |
| abhishekk | dansmith, ack | 16:14 |
| * abhishekk going for dinner | 16:14 | |
| opendevreview | Dan Smith proposed openstack/glance master: Add a nonvoting functional job with RBAC defaults https://review.opendev.org/c/openstack/glance/+/798922 | 17:47 |
| abhishekk | we need to pursue someone to approve test refactor patch | 17:53 |
| dansmith | how come steap is never in upstream irc? | 17:55 |
| abhishekk | He use to be there, but don't know what happens lately | 17:55 |
| abhishekk | jokke_, rosmaita when you have some time, kindly have a look https://review.opendev.org/c/openstack/glance/+/798381 | 18:27 |
| rosmaita | ack | 18:27 |
| dansmith | rosmaita: and when budgeting time, know that it's just a test refactor which is pretty quick to review | 18:29 |
| dansmith | along with the job def patch above it | 18:29 |
| rosmaita | ok, thanks | 18:29 |
| * abhishekk signing out for the day | 18:46 | |
| opendevreview | Merged openstack/glance master: Enforce keystone limits for image upload https://review.opendev.org/c/openstack/glance/+/788055 | 21:34 |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!