| opendevreview | Cyril Roelandt proposed openstack/glance master: Drop redundant check of sqlite3 module availability https://review.opendev.org/c/openstack/glance/+/952361 | 01:57 |
|---|---|---|
| opendevreview | Abhishek Kekane proposed openstack/glance_store master: Refactor unit tests for filesystem driver https://review.opendev.org/c/openstack/glance_store/+/954566 | 08:01 |
| opendevreview | Abhishek Kekane proposed openstack/glance_store master: Refactor unit tests for s3 driver https://review.opendev.org/c/openstack/glance_store/+/954588 | 10:13 |
| croelandt | #startmeeting glance | 14:01 |
| opendevmeet | Meeting started Thu Jul 10 14:01:35 2025 UTC and is due to finish in 60 minutes. The chair is croelandt. Information about MeetBot at http://wiki.debian.org/MeetBot. | 14:01 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 14:01 |
| opendevmeet | The meeting name has been set to 'glance' | 14:01 |
| croelandt | #topic roll call | 14:01 |
| croelandt | o/ | 14:01 |
| mhen | o/ | 14:01 |
| rajiv | hi | 14:02 |
| Luzi | o/ | 14:03 |
| croelandt | abhishekk: around? :) | 14:03 |
| abhishekk | o/ | 14:03 |
| croelandt | I think dansmith is out today | 14:03 |
| croelandt | #topic Release/periodic job updates | 14:03 |
| croelandt | So we have support for Centos 10 now | 14:03 |
| croelandt | #link https://review.opendev.org/c/openstack/devstack/+/937251 | 14:04 |
| croelandt | ^ this patch needs to be updated and reviewed | 14:04 |
| croelandt | I have just talked to the author, and they are not working on this anymore, so I'll take over the patch | 14:04 |
| croelandt | I wonder if we could not just use PYTHON3_VERSION like they do at https://github.com/openstack/devstack/blob/master/.zuul.yaml#L733 | 14:04 |
| croelandt | #link https://github.com/openstack/devstack/blob/master/.zuul.yaml#L733 | 14:04 |
| croelandt | which would have been simpler :) But I guess soon we'll want to migrate to CentOS 10 anyway | 14:04 |
| croelandt | #topic Encryption | 14:05 |
| croelandt | so the main thing for this week is image encryption | 14:05 |
| croelandt | mhen: we've reviewed your patch and it looks pretty good | 14:06 |
| mhen | thanks for reviewing! | 14:06 |
| croelandt | I think my main concern is that dansmith had some things to discuss, I'll make sure to remind him on Monday when he is back | 14:06 |
| mhen | understood | 14:06 |
| croelandt | oh and there was my point about the tests still using cinder_encryption_* | 14:06 |
| croelandt | not sure if that is intentional | 14:06 |
| mhen | I answered this some minutes ago | 14:06 |
| mhen | it is intentional, I think we want to make sure those attributes still work for some potential edge cases during the deprecation timeframe | 14:07 |
| croelandt | ok | 14:07 |
| croelandt | I wonder if we could refactor some tests though | 14:08 |
| croelandt | def test_something(self, key): for instance | 14:08 |
| croelandt | but maybe that is going to overcomplicate things | 14:08 |
| mhen | as the patchset is currently done, all test methods concerning the old names are suffixed wiht "_deprecated" | 14:09 |
| mhen | they are easy to spot (and remove, in the future) | 14:09 |
| croelandt | oh ok | 14:10 |
| croelandt | let's not change anything then :) | 14:10 |
| croelandt | Anything to add on this topic? | 14:11 |
| mhen | not from my side | 14:12 |
| croelandt | #topic Open Discussion | 14:12 |
| croelandt | abhishekk: anything else? | 14:12 |
| rajiv | hi, i wanted to follow up on https://review.opendev.org/c/openstack/glance-specs/+/953435 | 14:12 |
| abhishekk | Nope, I have nothing this week | 14:12 |
| rajiv | looks like glance is project scoped service and not domain scoped token | 14:13 |
| croelandt | ok | 14:13 |
| rajiv | hence the get_image doesnt have a domain_id | 14:13 |
| rajiv | any suggestions on how to proced ? | 14:14 |
| abhishekk | I don't think we are ready to move at domain scope, that will be huge chnage | 14:14 |
| croelandt | have other projects done that? | 14:14 |
| rajiv | i had no luck with https://github.com/sapcc/glance/commit/ed9817df7ba9fb6d9bbd4b51adfcb4c3bcc28fe5 | 14:14 |
| rajiv | my intent is to restrict public images to a particular domain, last option is to filter via project_id (which is like 300+ projects) | 14:15 |
| abhishekk | Certainly we can discuss this next PTG | 14:15 |
| rajiv | --tags, --hidden isnt an option | 14:15 |
| rajiv | okay, isnt there any other option ? | 14:16 |
| croelandt | rajiv: have other projects done that? | 14:16 |
| rajiv | code enhancements wouldnt work since domain_id isnt there in get_image, the transformer uses owner info as project_id | 14:17 |
| rajiv | croelandt: i looked around but found none | 14:17 |
| rajiv | there are few custom projects which use oslo | 14:17 |
| rajiv | how can i use https://github.com/openstack/oslo.context/blob/master/oslo_context/context.py#L165 ? | 14:18 |
| croelandt | "As OpenStack evolves toward better domain-scoped operations and identity management" <- what is your source for this? | 14:18 |
| mhen | Keystone recently added the "manager" persona for domains: https://docs.openstack.org/keystone/latest/user/domain-manager-usage.html | 14:18 |
| rosmaita | rajiv: so is your goal that a user U in domain D does a image-list, they should only see images that are owned by entities that are also in domain D? | 14:18 |
| rajiv | rosmaita: user U cannot list public images in a particular domain but works in other domains | 14:19 |
| rajiv | shouldnt* | 14:20 |
| rajiv | but can list private or shared images | 14:20 |
| rajiv | in other words, implement public image visibility to users in a particular domain | 14:20 |
| abhishekk | rajiv, private image of domain d should be listed by user in domain U? | 14:21 |
| rajiv | abhishekk: yes, only restrict public image view | 14:21 |
| rosmaita | so at least part of the problem is that this is completely different from the glance image ownership model | 14:22 |
| rosmaita | images are owned by projects, but images are not "in" a domain | 14:22 |
| abhishekk | yes, I would say opposite as well | 14:22 |
| rajiv | i couldnt find a way to fetch domain id info into glance | 14:23 |
| rajiv | if there was a way, i could map project id to domain id to solve this request | 14:24 |
| rosmaita | glance doesn't have any domain info, that is kept in keystone, because domains are a way of grouping users | 14:25 |
| rajiv | or are there suggestions to fetch domain info into glance ? | 14:25 |
| rajiv | true, i am also open on how to implement restrictions for public images. | 14:25 |
| rajiv | any comments on the approach of this commit ? or it makes no sense since domain is not supported at all ? | 14:27 |
| rajiv | https://github.com/openstack/oslo.context/blob/master/oslo_context/context.py#L165 | 14:27 |
| rosmaita | well, you could just not have any public images, and instead have a special user per domain that owns the "public" images for that domain, and that special user would share the images with all the projects in that domain | 14:27 |
| rajiv | rosmaita: could you please elaborate ? | 14:28 |
| rosmaita | i will try :D | 14:28 |
| rajiv | :) | 14:29 |
| rosmaita | ok, so let's say there is user A in domain AA, and user B in domain BB | 14:29 |
| rosmaita | we don't want A to see public images for BB | 14:29 |
| rosmaita | so, we don't make any glance images public | 14:29 |
| rosmaita | instead, we create a special user in keystone, UA in domain AA | 14:30 |
| rajiv | all users AA shouldnt view public images, but can view private, shared, etc. Its not cross domains | 14:30 |
| rosmaita | then UA uploads all the images to glance that should be "public" in AA | 14:30 |
| rosmaita | then UA shares these images with user A | 14:30 |
| rosmaita | now, user A can see the AA images | 14:31 |
| rosmaita | but user B cannot | 14:31 |
| rosmaita | and you do the same thing for domain BB | 14:31 |
| rosmaita | the problem is that you have to manage the image sharing, but that could be automated, i think | 14:31 |
| rosmaita | (automated by the operator, not by glance) | 14:31 |
| rajiv | thanks, to clarify Domains AA, BB, CC | 14:32 |
| rajiv | users in Domain AA cannot view public images | 14:32 |
| rajiv | Domain BB,CC works like default | 14:32 |
| rosmaita | only because there are no public images at all for any domain | 14:32 |
| rajiv | restriction of public image view is only on Domain AA | 14:32 |
| rosmaita | no, we are not restricting public image view at all ... what we are doing is not having *any* public images | 14:33 |
| rajiv | public image view is mandatory in other domains :) | 14:34 |
| rosmaita | not sure what you mean | 14:34 |
| mhen | I think they want an isolated domain that has its own images but cannot see public images (which all other domains do)? | 14:34 |
| rajiv | to clarify Domains AA, BB, CC ; users in Domain AA cannot view public images; | 14:34 |
| rajiv | Domain BB,CC works like default | 14:35 |
| rajiv | mhen: correct | 14:35 |
| abhishekk | means they can view public images | 14:35 |
| rosmaita | well, sounds like you need a dedicated glance or something | 14:36 |
| rajiv | okay, glance per isolated domain ? | 14:38 |
| rosmaita | i guess ... isolated glance in an isolated domain | 14:39 |
| rajiv | oh, thats more complicated than i imagined :( | 14:40 |
| abhishekk | your requirement is also complicated :D | 14:40 |
| rajiv | haha true! | 14:41 |
| rajiv | lastly, there is no way to import domain_id into glance, right ? | 14:41 |
| abhishekk | not sure, need to check | 14:42 |
| rajiv | any clue how owner info is populated ? | 14:44 |
| rosmaita | probably by oslo.context | 14:44 |
| rosmaita | i mean, there's some glance code, but it uses oslo.context | 14:45 |
| rajiv | okay, in this case, domain_id should also be possible ? since oslo.context has domain_id https://github.com/openstack/oslo.context/blob/master/oslo_context/context.py#L165 | 14:45 |
| rajiv | https://opendev.org/openstack/glance/src/branch/stable/2024.2/glance/context.py#L80-L83 ? | 14:46 |
| abhishekk | rajiv: https://github.com/openstack/glance/blob/master/glance/api/middleware/context.py#L125 | 14:47 |
| abhishekk | IF you print req.environ here before line 148, you will see domain information there | 14:48 |
| rajiv | okay sure, i can look into this direction | 14:49 |
| rosmaita | the problem is going to be that images do not have a domain_id | 14:50 |
| rosmaita | and aren't keystone domains fluid, that is, projects can be added and removed to domains? | 14:50 |
| rajiv | yep, i fear the same | 14:51 |
| abhishekk | exactly, I told him, but not sure what he has in mind | 14:51 |
| rosmaita | yeah, my understanding is that keystone domains group users/projects, but not resources | 14:51 |
| rajiv | if i am able to fetch domain_id, then i can introduce another logic to validate the project & domain_id mapping > then maybe in get_image | 14:52 |
| rajiv | restriction via policies is the cleanest way right ? | 14:53 |
| abhishekk | you need lot of tweaks for this to happen | 14:53 |
| rajiv | true | 14:54 |
| rajiv | enhance alembic as well, the list goes on! | 14:55 |
| abhishekk | that's why I said, gather requirements and come back in PTG with detailed information | 14:56 |
| rajiv | roger :) | 14:56 |
| abhishekk | over and out :D | 14:56 |
| rajiv | this is the requirement though :) | 14:56 |
| rajiv | thanks for your time! | 14:56 |
| abhishekk | np! | 14:57 |
| croelandt | right in time \o/ | 14:57 |
| croelandt | #endmeeting | 14:57 |
| opendevmeet | Meeting ended Thu Jul 10 14:57:15 2025 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 14:57 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/glance/2025/glance.2025-07-10-14.01.html | 14:57 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/glance/2025/glance.2025-07-10-14.01.txt | 14:57 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/glance/2025/glance.2025-07-10-14.01.log.html | 14:57 |
| tkajinam | croelandt, just fyi. I've replied to your comment in https://review.opendev.org/c/openstack/glance/+/954191 . | 15:14 |
| opendevreview | Merged openstack/glance master: Drop redundant check of sqlite3 module availability https://review.opendev.org/c/openstack/glance/+/952361 | 15:27 |
Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!