Wednesday, 2022-04-27

opendevreviewMerged openstack/horizon stable/train: Fix for "Resize instance" button  https://review.opendev.org/c/openstack/horizon/+/83853308:46
opendevreviewMerged openstack/horizon stable/train: Change to a proper policy for Resume operation  https://review.opendev.org/c/openstack/horizon/+/83678211:23
vishalmanchanda#startmeeting horizon15:00
opendevmeetMeeting started Wed Apr 27 15:00:35 2022 UTC and is due to finish in 60 minutes.  The chair is vishalmanchanda. Information about MeetBot at http://wiki.debian.org/MeetBot.15:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:00
opendevmeetThe meeting name has been set to 'horizon'15:00
tobias-urdino/15:00
vishalmanchandaHello everyone15:01
tmazuro/15:01
rdopierahey15:01
vishalmanchandaok let's start the meeting15:02
vishalmanchandaagenda of meeting can be found here https://etherpad.opendev.org/p/horizon-release-priorities#L3715:02
vishalmanchandaI have no announcement for this week, if anyone want to make any announcement, please go ahead.15:03
vishalmanchandalooks like nothing to announce, moving to next topic15:04
vishalmanchanda#topic Release priorities15:04
vishalmanchandaI am waiting for reviews on deprecation and nodejs template patch.15:05
vishalmanchandahttps://review.opendev.org/c/openstack/horizon/+/83833315:05
vishalmanchandahttps://review.opendev.org/c/openstack/horizon/+/83192915:06
amotokivishalmanchanda: regarding nodejs job template patch, do we want to keep nodejs14 template along with nodejs16 template?15:07
vishalmanchandaamotoki: no.15:07
vishalmanchandaamotoki: I will drop it once, we add nodejs template in horizon plugins.15:07
amotokivishalmanchanda: I see both nodejs14 and 16 jobs defined for horizon. It leads to two extra jobs.15:07
vishalmanchandaamotoki: yes, will remove nodejs14 job once https://review.opendev.org/c/openstack/horizon/+/831929/3/.zuul.d/nodejs-jobs.yaml#81 merged and horizon plugins use that template.15:09
amotokivishalmanchanda: what I mean is L.5 in https://review.opendev.org/c/openstack/horizon/+/831929/3/.zuul.d/project.yaml15:10
amotokivishalmanchanda: it is not related to horizon plugins.15:10
vishalmanchandaamotoki: ok I will remove that in next P.S.15:11
vishalmanchandaSmall update on Xstatic packages, I started investigating XStatic-jQuery(3.5.1.1) issue with horizon.15:13
amotokivishalmanchanda: how about jquery-migrate? IIUC jquery-migrate helps us prepare the upgrade from jquery 1/2 to jquery 3.15:15
amotokivishalmanchanda: of course you can tackle jquery 3 directly but perhaps suggestions from jquery-migrate would be helpful.15:16
vishalmanchandaamotoki: ok, in that case I will look at  jquery-migrate issue first then move to jquery issues.15:17
rdopieraiirc I already upgraded jquery-migrate15:17
vishalmanchandardopiera: but some warning need to fixed, if I remember correctly.15:17
rdopieraeventually15:18
amotokirdopiera: yes, we published jquery-migrate a while ago, but horizon integration job started to fail, so we block the latest version15:18
vishalmanchandayes15:18
vishalmanchandaok nothing more update from my side for release priories topic.15:19
amotokiperhaps we need to check if there is no warning from the current version of jquery-migrate.15:19
amotokiit might cause the job failure with the latest xstatic-jquery-migrate.15:19
vishalmanchandacurrent version you mean we should check with jquery-migrate= 3.4.0 ?15:22
amotokivishalmanchanda: I mean xstatic-jquery-migrate 1.2.1.215:23
amotokivishalmanchanda: I said not jquery-migrate but "xstatic-"jquery-migrate 15:24
vishalmanchandaamotoki: ok.15:24
amotokivishalmanchanda: I am afraid we haven't prepared well for jquery-migrate>=315:24
vishalmanchandaamotoki: ok let's investigate and see.15:27
amotokivishalmanchanda: thanks15:27
vishalmanchandanp.15:27
vishalmanchandaDoes want to share any other updates on release priorities topic?15:28
rdopieranothing from me, still stuck on that scss patch15:28
tmazurI've started to work on angularjs update15:28
tmazurBut still stuck in the very beginning15:29
vishalmanchandardopiera: tmazur ok.15:29
vishalmanchandamoving to next topic.15:30
vishalmanchanda#topic Bug deputy report15:30
vishalmanchandaWe have one new bug reported this week.15:30
vishalmanchanda#link https://bugs.launchpad.net/horizon/+bug/197061915:31
vishalmanchandaIt is related to microversion, please take a look.15:31
vishalmanchandaI will also take a look soon and add my thoughts in the bug summary.15:33
amotokiIn my understanding, we intentionally use a specific API version to avoid breakage. New features do not come automatically (with the latest version)15:34
amotokiOn the other hand, it might be a good time to revisit this policy. For example, we can bump the lowest version periodically, but it is a different topic.15:35
vishalmanchandaack.15:37
rdopieraI think any version bumping should happen explicitly and be followed by testing15:37
amotokirdopiera: +115:37
rdopieraI'm not even sure if the policy of using the latest microversion when microversion is specified is good15:37
vishalmanchandayeah last time I bump some microversion it leads to resize instance feature stops working.15:38
vishalmanchandamoving to the next topic15:39
amotokiperhaps it is better to narrow the range of possible API versions. it would help us understand what will happen15:39
amotokigo ahead15:40
vishalmanchandaamotoki: +1, on narrowing the rage of api version.15:41
vishalmanchanda#topic On-Demand Agenda15:41
vishalmanchandahttps://review.opendev.org/q/topic:horizon-keystoneauth-original_ip15:41
vishalmanchandatobias-urdin: that's you, please go ahead.15:42
tobias-urdinI can give some context15:42
tobias-urdinso I'm working from a security/compliance angle15:42
tobias-urdinwe wan't to make sure every request to Keystone is identifiable on who made the request, and thankfully keystoneauth1 has support for this by just setting original_ip parameter when creating a Session object15:42
tobias-urdinthat will send the RFC 7239 "Forwarder" header (keystoneauth1 will set it) when talking to Keystone15:43
tobias-urdinthis makes it possible to log every single client IP making a request, even for proxied auth requests, like from Horizon15:43
tobias-urdinso I have two patches up now, one is simply changing an existing place we already set original_ip to use get_client_ip so it honors secure auth headers from config, like X-Forwarded-For if that is used when Horizon is behind a load balancer15:44
tobias-urdinthe other simply updates all Session objects to pass original_ip with the IP of the client from the request (again by using get_client_ip)15:44
tobias-urdinIIRC there are 1-2 places more that should be updates, but we are currently running those two patches in production by the request of a customer15:45
tobias-urdinso please give feedback on what you think and I'll look through for more places to update, the second patch https://review.opendev.org/c/openstack/horizon/+/839161 has more details and example in commit msg15:45
amotokiI have questions15:46
tobias-urdinTLDR; Horizon should pass real client IP to original_ip parameter for keystoneauth1.Session15:46
tobias-urdinamotoki: sure15:47
amotokiin case of horiizon, tokens are issued by horizon. This means a request comes from a client directly from keystone log. Is it what we want?15:47
amotokiactually horizon issues a token and a user does not.15:48
amotokiI would like to say "After this patch it looks like a request comes from ...." 15:49
amotokianother question is whether we would like to do the similar thing for API requests to other services like nova.15:49
tobias-urdinToken is issued by Horizon yes, in the sense that is proxies the credentials from let's say the login form, but there is no way to trace the login back to the client who performed it.15:50
tobias-urdinexcept for correlationing dates and possible request IDs in log files15:51
tobias-urdinwhat we are doing is reading that header:15:51
tobias-urdinForwarded: for=100.64.10.1;by=openstack_auth keystoneauth1/4.4.0 python-requests/2.25.1 CPython/3.6.815:51
amotokitobias-urdin: I see. sounds reasonable.15:51
tobias-urdinand logging the authentication (for compliance purposes here) request as being made by 100.64.10.115:51
tobias-urdinthe request itself is still being seen as coming from the Horizon application itself ofcourse, this makes it possible for us to log both and is already present in keystoneauth1 which was very nice15:52
tobias-urdinit's pretty lightweight IMO since it's essentially just another HTTP header that Horizon (through it's usage of keystoneauth1) just sends to Keystone15:54
tobias-urdinbut yeah, let me know what you think on the patches and I'll proceed from there, just wanted to bring it up :)15:54
amotokitobias-urdin: thanks. it is interesting15:55
vishalmanchandatobias-urdin: thanks for bringing it here.15:55
tobias-urdinno worries, thanks for your time and sorry for the wall of text :)15:56
vishalmanchandareviewers please take a look at patches and add your thoughts.15:56
vishalmanchandaDoes anyone wants to discuss any other topic?15:57
vishalmanchandaamotoki: in case you missed, I am waiting for your reply on patch https://review.opendev.org/c/openstack/horizon/+/83093615:58
amotokivishalmanchanda: thanks for reminding it. I did not notice it. thanks15:59
vishalmanchandaIf nothing more to discuss, let's end this meeting.15:59
vishalmanchandaThanks everyone for joining and your contributions!16:00
opendevreviewTobias Urdin proposed openstack/horizon master: Pass client IP to keystoneauth1 session  https://review.opendev.org/c/openstack/horizon/+/83916116:00
vishalmanchandaSee you next week.16:00
vishalmanchanda#endmeeting16:00
opendevmeetMeeting ended Wed Apr 27 16:00:29 2022 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)16:00
opendevmeetMinutes:        https://meetings.opendev.org/meetings/horizon/2022/horizon.2022-04-27-15.00.html16:00
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/horizon/2022/horizon.2022-04-27-15.00.txt16:00
opendevmeetLog:            https://meetings.opendev.org/meetings/horizon/2022/horizon.2022-04-27-15.00.log.html16:00
amotokio/16:01
tobias-urdinthanks!16:03
opendevreviewAkihiro Motoki proposed openstack/horizon master: Add UT coverage for attach_interface by port  https://review.opendev.org/c/openstack/horizon/+/83093623:20

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!