opendevreview | Pranali Deore proposed openstack/glance-tempest-plugin master: Implement API protection testing for metadef objects https://review.opendev.org/c/openstack/glance-tempest-plugin/+/802793 | 05:27 |
---|---|---|
opendevreview | Pranali Deore proposed openstack/glance-tempest-plugin master: Implement API protection testing for metadef resource types https://review.opendev.org/c/openstack/glance-tempest-plugin/+/802792 | 05:27 |
opendevreview | Abhishek Kekane proposed openstack/glance-tempest-plugin master: [DNM] Refactored - Add protection testing for metadef namespaces https://review.opendev.org/c/openstack/glance-tempest-plugin/+/806849 | 07:00 |
*** yoctozepto1 is now known as yoctozepto | 07:49 | |
opendevreview | Mridula Joshi proposed openstack/glance master: Add doc support for delete-from-store API https://review.opendev.org/c/openstack/glance/+/806180 | 10:30 |
opendevreview | Pranali Deore proposed openstack/glance-tempest-plugin master: Add protection testing for metadef namespaces https://review.opendev.org/c/openstack/glance-tempest-plugin/+/800902 | 13:09 |
opendevreview | Pranali Deore proposed openstack/glance-tempest-plugin master: Implement API protection testing for metadef objects https://review.opendev.org/c/openstack/glance-tempest-plugin/+/802793 | 13:09 |
opendevreview | Pranali Deore proposed openstack/glance-tempest-plugin master: Implement API protection testing for metadef resource types https://review.opendev.org/c/openstack/glance-tempest-plugin/+/802792 | 13:09 |
opendevreview | Pranali Deore proposed openstack/glance-tempest-plugin master: Implement API protection testing for metadef properties https://review.opendev.org/c/openstack/glance-tempest-plugin/+/802794 | 13:09 |
opendevreview | Pranali Deore proposed openstack/glance-tempest-plugin master: Implement API protection testing for metadef tags https://review.opendev.org/c/openstack/glance-tempest-plugin/+/802795 | 13:09 |
abhishekk | @all cores, I am giving nod for python-glanceclient Xena release, | 14:57 |
abhishekk | #link https://review.opendev.org/c/openstack/releases/+/806586 | 14:57 |
abhishekk | I will not be around tonight due to some medical urgency, signing out for the day, reachable via e-mail | 15:03 |
*** erbot_ is now known as erbot__ | 15:09 | |
*** erbot__ is now known as erbot___ | 15:09 | |
*** erbot___ is now known as erbot____ | 15:09 | |
*** erbot____ is now known as erbot_____ | 15:09 | |
*** erbot_____ is now known as erbot______ | 15:09 | |
opendevreview | Merged openstack/glance master: Check policies for Image Cache in API https://review.opendev.org/c/openstack/glance/+/805797 | 16:20 |
dansmith | lbragstad: is there any reason not to make all these metadef persona things system scope only? | 16:47 |
lbragstad | seems reasonable to me | 16:47 |
lbragstad | since they seem admin-only | 16:47 |
dansmith | we've been saying admin-only for the change interfaces, and I'm not sure we need a project affiliation for those to create namespaces for project | 16:47 |
dansmith | and we only enforce the scope if some flag is set, right? | 16:47 |
lbragstad | depending on how the check string is written | 16:48 |
lbragstad | if the check str is role:admin and system_scope:all then scope will ultimately be enforced or checked regardless of the enforce_scope option | 16:49 |
dansmith | oh I thought the scope was not a check string thing | 16:49 |
dansmith | I thought it was based on scope_types | 16:49 |
lbragstad | yes - it can be | 16:49 |
lbragstad | if you do role:admin | 16:49 |
lbragstad | and scope_types = ['system', 'project'] | 16:50 |
lbragstad | then project-admin and system-admin can access that API | 16:50 |
lbragstad | if enforce_scope = False | 16:50 |
dansmith | ...right, what I meant was.. remove project from that list | 16:51 |
lbragstad | oh - yeah | 16:51 |
dansmith | scope_types=system only | 16:51 |
lbragstad | i think that would allow project-admin to access it until enforce_scope=True | 16:51 |
dansmith | then if enforce_scope is on, it's only system admins. .right | 16:52 |
lbragstad | yes | 16:52 |
dansmith | what does role:admin mean if enforce_scope=True and scope_types=system? | 16:52 |
dansmith | I was thinking maybe this would let us massively simplify our rules and our tests | 16:52 |
lbragstad | scope_types = ['system'] means that the context object must be system-scoped | 16:53 |
lbragstad | or derived from a system-scoped token | 16:53 |
dansmith | right | 16:53 |
dansmith | but do all system scope people have role:admin ? | 16:53 |
lbragstad | no | 16:53 |
dansmith | I guess not, but probably in practice they would right? | 16:53 |
lbragstad | initially, yes | 16:54 |
lbragstad | $ openstack role add --user dansmith --system all admin | 16:54 |
dansmith | later you could have scope=system,role:metadefadminguy | 16:54 |
lbragstad | would mean you could do metadef things | 16:54 |
dansmith | I guess we're still doing rule:metadef_admin and most of the test complexity is around the user view stuff so I guess just restricting to system scope doesn't do much for us | 16:55 |
dansmith | but seems like having project scope in scope_types is probably not really what we want | 16:56 |
lbragstad | yeah - i think we'd need to make sure glance can handle a system scoped token | 16:59 |
lbragstad | and then see if we can move metadef_admin -> system-admin | 16:59 |
opendevreview | Merged openstack/glance master: Add release note about policy-refactor https://review.opendev.org/c/openstack/glance/+/806017 | 17:05 |
dansmith | ack | 17:07 |
pdeore | dansmith, test_reload is still failing on rbac metadef namespaces patch and passing on all dependent patches.. | 19:34 |
pdeore | any idea why this is so? rush in gate ? | 19:35 |
dansmith | pdeore: okay I hadn't noticed.. surely it's not related though right? | 19:35 |
pdeore | yeah | 19:36 |
dansmith | yeah, not sure.. could be load related although surprisingly the gate doesn't seem super busy at the moment | 19:37 |
dansmith | and obviously I wouldn't expect your patch to be related, although it does seem to reload some policy on restart, but I would think all the above patches would be hit as well | 19:38 |
dansmith | I'll run it locally a bunch and see if I can poke it to fail; | 19:41 |
pdeore | dansmith, yeah the above patches would have hit too, not getting what exactly is happening.. | 19:44 |
dansmith | I think it's luck.. what do you do in india for good luck? :) | 19:44 |
pdeore | dansmith, :D don't know .. because my luck is not good always :P | 19:46 |
dansmith | hah | 19:46 |