Wednesday, 2021-08-04

opendevreview	Rajat Dhasmana proposed openstack/glance master: DNM: check grenade gate fix https://review.opendev.org/c/openstack/glance/+/803325	06:19
opendevreview	Merged openstack/glance master: Refactor gateway get_repo auth layer https://review.opendev.org/c/openstack/glance/+/789913	07:10
*** mabrams is now known as Guest3279		08:58
*** mabrams1 is now known as mabrams		08:58
opendevreview	Josephine Seifert proposed openstack/glance-specs master: Spec-Lite to implement Image Encryption with delayed Secret Consumers https://review.opendev.org/c/openstack/glance-specs/+/792134	09:56
opendevreview	Dan Smith proposed openstack/glance master: Make image update check policy at API layer https://review.opendev.org/c/openstack/glance/+/789915	13:54
opendevreview	Dan Smith proposed openstack/glance master: Check get_image(s) in the API https://review.opendev.org/c/openstack/glance/+/796067	13:54
opendevreview	Dan Smith proposed openstack/glance master: Add a member field to Image when appropriate https://review.opendev.org/c/openstack/glance/+/796066	13:54
opendevreview	Dan Smith proposed openstack/glance master: Check delete_image policy in the API https://review.opendev.org/c/openstack/glance/+/798073	13:54
dansmith	abhishekk: what about those requirements changes do you think impacts our use of enabled_backends?	14:00
dansmith	since networkx is bumped in that patch and that is also in the trace, I imagine it has something to do with it,	14:01
dansmith	but I don't know why it would have worked before and not now, and the only change needed is our enabled_backends	14:01
abhishekk	dansmith, same thing	14:01
abhishekk	I was not able to understand so I added you there	14:02
abhishekk	is this something like earlier mock was working for load_plugin and now its not ?	14:03
dansmith	I don't know, but apparently taskflow uses something in networkx and that seems like it must have changed	14:03
dansmith	maybe we were never able to load_plugin, but taskflow didn't choke on a task step of None?	14:03
abhishekk	I think so	14:04
abhishekk	may be I should try it locally	14:06
dansmith	I've repro'd it locally	14:07
dansmith	I really don't understand some of the multistore config stuff.. config options that are totally not present sometimes but are others	14:07
dansmith	it's very confusing	14:07
dansmith	like why setting enabled_backends gives me this: oslo_config.cfg.NoSuchOptError: no such option os_glance_staging_store in group [DEFAULT]	14:07
abhishekk	:D	14:08
abhishekk	when you set config option, while store loading in glance-store it adds reserved stores to those options	14:09
abhishekk	may be related to that	14:09
dansmith	but tests above mine don't seem to do anything different, but they work	14:10
abhishekk	looking	14:11
abhishekk	between delete image patch of yours unit and functional is failing	14:12
dansmith	yup	14:13
opendevreview	Dan Smith proposed openstack/glance master: Fix failing copy_image flow init https://review.opendev.org/c/openstack/glance/+/803484	14:17
abhishekk	\o/	14:18
abhishekk	may be we should add this patch as depends on to the requirements patch	14:21
dansmith	it has to be the other way around I think	14:21
dansmith	well, we can for testing I guess, but they won't be able to merge until this lands, so we'd have to depends-on and then remove	14:22
abhishekk	hmm	14:22
dansmith	prometheanfire: the above is a potential fix for the glance fail on your requirements bump, do you want to depends-on it and try again?	14:34
opendevreview	Dan Smith proposed openstack/glance master: Check delete_image policy in the API https://review.opendev.org/c/openstack/glance/+/798073	14:34
dansmith	abhishekk: I dunno why this wasn't failing before, because it was mocking the auth layer, which is gone ^	14:34
prometheanfire	dansmith: sure	14:34
prometheanfire	thanks for looking at it	14:34
dansmith	prometheanfire: tbc, it's this: https://review.opendev.org/c/openstack/glance/+/803484	14:35
abhishekk	dansmith, need to check	14:36
prometheanfire	updated the commit	14:38
dansmith	prometheanfire: I shall remain perched upon the extreme edge of my seating surface	14:38
prometheanfire	don't fall off	14:39
prometheanfire	think there might be a merge conflict with virtualenv, going to preempt a rebase	14:40
opendevreview	Erno Kuvaja proposed openstack/glance master: Cache API endpoints https://review.opendev.org/c/openstack/glance/+/792022	14:50
jokke_	abhishekk: ^^	14:51
abhishekk	jokke_, ack, will have a look soon	14:51
abhishekk	dansmith, there are other tests in that file which are using authorization for mocking as well, e.g. this test_image_import_proxies_error	15:15
dansmith	this is really weird, because I ran all these yesterday locally and I swear they passed, but I repro'd that fail this morning	15:16
dansmith	but yeah makes sense	15:17
abhishekk	yeah, I know because I also ran those locally :/	15:17
dansmith	I need to finish something else and then will circle back to this delete patch.. I haven't really spent much time on it (as you can tell)	15:17
abhishekk	ack	15:17
abhishekk	but others down the line looks solid and good to go	15:18
*** whoami-rajat__ is now known as whoami-rajat		15:37
opendevreview	Abhishek Kekane proposed openstack/glance master: Refactor gateway auth layer for metadef APIs https://review.opendev.org/c/openstack/glance/+/799632	15:39
opendevreview	Abhishek Kekane proposed openstack/glance master: Move metadef namespace policy checks in the API https://review.opendev.org/c/openstack/glance/+/799633	15:39
opendevreview	Abhishek Kekane proposed openstack/glance master: Move metadef object policy checks in the API https://review.opendev.org/c/openstack/glance/+/799634	15:39
opendevreview	Abhishek Kekane proposed openstack/glance master: Move metadef resource type association policy checks in the API https://review.opendev.org/c/openstack/glance/+/799637	15:39
opendevreview	Abhishek Kekane proposed openstack/glance master: Move metadef property policy checks in the API https://review.opendev.org/c/openstack/glance/+/799635	15:39
opendevreview	Abhishek Kekane proposed openstack/glance master: Move metadef tag policy checks in the API https://review.opendev.org/c/openstack/glance/+/799636	15:39
lbragstad	i'm spinning up a new environment atm and i'm going to start looking at the glance changes here soon	15:55
lbragstad	sorry it's taken me a bit to get around to those - but they're at the top of my list for today	15:56
lbragstad	i take it this is where i should start? https://review.opendev.org/q/topic:%22policy-refactor%22+(status:open%20OR%20status:merged)	15:56
lbragstad	https://review.opendev.org/q/topic:%2522policy-refactor%2522+status:open *	15:57
abhishekk	looking	15:58
abhishekk	lbragstad, this sheet will give you all the overview	15:59
abhishekk	https://docs.google.com/spreadsheets/d/1SWBq0CsHw8jofHxmOG8QeZEX6veDE4eU0QHItOu8uQs/edit?pli=1#gid=0	15:59
abhishekk	this includes spec as well	15:59
lbragstad	sweet	15:59
lbragstad	i'll familiarize myself with that and then pester if i have questions	15:59
lbragstad	thanks abhishekk	16:00
abhishekk	lbragstad, sounds good	16:00
abhishekk	happy to have you back :D	16:00
lbragstad	:) i'm glad to see some patches and the refactor happening, that's awesome	16:01
abhishekk	:D	16:03
abhishekk	I will be back shortly from dinner break	16:04
lbragstad	ok - biab	16:04
dansmith	abhishekk: prometheanfire blessed this: https://review.opendev.org/c/openstack/glance/+/803484	16:18
abhishekk	dansmith, ack, will approve as soon as it passes the job	16:23
dansmith	cool	16:23
opendevreview	Abhishek Kekane proposed openstack/glance master: Refactor gateway auth layer for task APIs https://review.opendev.org/c/openstack/glance/+/802243	16:26
opendevreview	Abhishek Kekane proposed openstack/glance master: Deprecate task specific policies https://review.opendev.org/c/openstack/glance/+/802244	16:26
opendevreview	Abhishek Kekane proposed openstack/glance master: Move Tasks policy checks in the API https://review.opendev.org/c/openstack/glance/+/802245	16:26
opendevreview	Dan Smith proposed openstack/glance master: Check delete_image policy in the API https://review.opendev.org/c/openstack/glance/+/798073	17:01
abhishekk	dansmith, if I am correct, then the visibility checks like, publicize_image and communitize_image are part of modify (update) image policy patch	17:15
dansmith	meaning the other ones that patch out auth layer.get?	17:16
abhishekk	no, wait	17:18
dansmith	the others I saw in there were all import,	17:18
dansmith	which is not converted	17:18
dansmith	did I miss some?	17:18
abhishekk	https://review.opendev.org/c/openstack/glance/+/789915/12/glance/api/v2/policy.py	17:19
abhishekk	there is visibility check but I think those are for update only	17:19
abhishekk	we need to perform those while creation as well	17:19
dansmith	okay you're just saying that we need to convert create, publicize, etc, right?	17:21
abhishekk	yes	17:21
dansmith	but update is good as it is, no?	17:21
abhishekk	yeah	17:21
abhishekk	I was just updating the excel sheet, so thought we have it partially covered	17:21
dansmith	okay	17:23
opendevreview	Merged openstack/glance master: Make image update check policy at API layer https://review.opendev.org/c/openstack/glance/+/789915	17:25
abhishekk	\o/ first one got in	17:26
dansmith	hah, pretty quick on the draw marking that one complete on the spreadsheet :)	17:29
abhishekk	lbragstad, when I clone glance-tempest-plugin manually and run tempest it does not work	17:29
abhishekk	:D	17:29
abhishekk	any reason why?	17:29
abhishekk	fails with oslo_config.cfg.NoSuchOptError: no such option enforce_scope in group [image-feature-enabled]	17:29
lbragstad	no idea - sounds like a tempest issue?	17:29
abhishekk	I do have tempest.conf under glance-tempest-plugin/etc directory	17:30
abhishekk	might be	17:30
opendevreview	Merged openstack/glance master: Fix failing copy_image flow init https://review.opendev.org/c/openstack/glance/+/803484	17:39
abhishekk	cool	17:41
*** ricolin_ is now known as ricolin		18:02
ade_lee	rosmaita, hey - I responded to your question in https://review.opendev.org/c/openstack/glance/+/790536 with a question of my own	18:19
rosmaita	ade_lee: i don't remember, will have to look more closely	18:20
ade_lee	rosmaita, ok thanks -- I've been on pto for the last month, so I'm just getting back to things	18:21
rosmaita	ade_lee: left a response for you on https://review.opendev.org/c/openstack/glance/+/790536	18:37
rosmaita	also, when you have time, i left a question on a patch that merged already: https://review.opendev.org/c/openstack/glance_store/+/756157/3/glance_store/_drivers/cinder.py#832	18:38
rosmaita	no rush, though	18:38
opendevreview	Abhishek Kekane proposed openstack/glance master: Refactor gateway auth layer for task APIs https://review.opendev.org/c/openstack/glance/+/802243	18:39
opendevreview	Abhishek Kekane proposed openstack/glance master: Deprecate task specific policies https://review.opendev.org/c/openstack/glance/+/802244	18:39
opendevreview	Abhishek Kekane proposed openstack/glance master: Move Tasks policy checks in the API https://review.opendev.org/c/openstack/glance/+/802245	18:39
abhishekk	Resolved merged conflicts ^^^	18:39
ade_lee	rosmaita, the point of the patch was to run through whatever functional or other tests that glance runs through on a system where fips is enabled and make sure things still pass.	18:40
ade_lee	rosmaita, if that means we need to run a different test job under fips - then thats fine -- please add comments indicating which tests we should run	18:41
ade_lee	rosmaita, I would guess given that we annotated out the md5 references, that things will likely pass - but you never know what else shows up and this makes sure we stay fips compliant	18:43
ade_lee	I'll take a look at your comment on the merged patch though too.	18:43
rosmaita	ade_lee: i thought you had already added a fips job?	18:44
ade_lee	rosmaita, yup -- openstack-tox-functional-py36-fips -- this patch just runs it on the glance repo	18:45
ade_lee	(makes it run on the glance repo)	18:46
ade_lee	given that it passes - I can set it as voting if you like	18:47
rosmaita	we should probably discuss at the weekly meeting ... i think we'd want to run a fips-mode job that excercised image import	18:47
rosmaita	probably some kind of tempest/devstack based job	18:48
rosmaita	(not that you have to put it together)	18:48
ade_lee	rosmaita, is there one that already does this?	18:48
rosmaita	not sure, probably best to ask dansmith or abhishekk, i think they've been working on the glance-tempest-plugin recently	18:49
ade_lee	rosmaita, when is your weekly meeting?	18:50
abhishekk	ade_lee, its tomorrow at 1400 UTC	18:50
dansmith	the tempest plugin won't get you much in the way of import stuff, if that's what you want, IIRC	18:50
dansmith	just copy our import devstack job and enable the other stuff	18:51
rosmaita	dansmith: i think that might be the job most likely to encounter fips difficulties?	18:51
dansmith	because of import? not sure why that would be, but..sure?	18:52
ade_lee	dansmith, is that job defined in the devstack repo?	18:53
dansmith	no, in glance	18:53
dansmith	ade_lee: https://github.com/openstack/glance/blob/master/.zuul.yaml#L228	18:53
ade_lee	dansmith, rosmaita abhishekk ok - that should be easy enough to fipsify	18:55
ade_lee	I'll do that today and maybe we'll have a result by tomorrow	18:55
rosmaita	cool	18:55
abhishekk	ack	18:55
ade_lee	I won't be able to make the meeting tomorrow, but I'll see if I can get dmendiza to join	18:56
abhishekk	ok	18:57
abhishekk	Kindly add the topic to agenda, https://etherpad.opendev.org/p/glance-team-meeting-agenda	18:57
ade_lee	will do	18:57
abhishekk	thanks	18:58
ade_lee	thanks all!	18:58
abhishekk	lbragstad, https://bugs.launchpad.net/glance-tempest-plugin/+bug/1938939	18:58
abhishekk	may be if you are busy then I will have a look and add you as a reviewe	18:59
lbragstad	abhishekk ack	19:10
abhishekk	dansmith, added one question at https://review.opendev.org/c/openstack/glance/+/799633	19:22
abhishekk	this is my patch :D	19:22
abhishekk	lbragstad, for metadefs we haven't implemented RBAC yet that is the reason we are not testing it in functional testing	19:30
abhishekk	also for other cases we have added new job in glance 'glance-tox-functional-py38-rbac-defaults' which will run all existing functional tests with secure rbac enabled	19:32
lbragstad	abhishekk ok - cool, that sounds good	19:41
lbragstad	i see the glance-secure-rbac-protection-functional job is still running and green	19:42
abhishekk	yep	19:42
lbragstad	but - i imagine we will continue adding tests to that after the functional stuff lands?	19:42
abhishekk	you mean additional tests to support these policy refactoring ?	19:43
abhishekk	lbragstad, I am signing out for the day (its almost 1:30 AM here)	19:46
abhishekk	please add your suggestions on remaining metadef patches	19:46
abhishekk	glad to see that finally we are making progress	19:47
* abhishekk signing out for the day		19:57
lbragstad	abhishekk thanks - catch up with you tomorrow	19:58
abhishekk	yep, good day	19:59
abhishekk	lbragstad, I think I should discuss the object case with you and then leave	20:07
abhishekk	https://review.opendev.org/c/openstack/glance/+/799634/13/glance/tests/unit/v2/test_metadef_resources.py	20:07
abhishekk	I guess I do see your point and try to fix it tomorrow	20:10
abhishekk	yep, will fix it tomorrow	20:24
*** timburke_ is now known as timburke		20:57
opendevreview	Ade Lee proposed openstack/glance master: Add fips check job https://review.opendev.org/c/openstack/glance/+/790536	22:22

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!