Thursday, 2022-03-17

*** hemna7 is now known as hemna11:51
*** pdeore_ is now known as pdeore13:43
pdeore#startmeeting glance14:00
opendevmeetMeeting started Thu Mar 17 14:00:15 2022 UTC and is due to finish in 60 minutes.  The chair is pdeore. Information about MeetBot at
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.14:00
opendevmeetThe meeting name has been set to 'glance'14:00
pdeore#topic roll call14:00
pdeorelets wait few minutes for everyone to join14:01
abhishekkjokke_, will not be joining today (holiday in Ireland)14:02
pdeoreyeah, so shall we start?14:02
abhishekknow we can start14:02
pdeoreok, let's start14:02
pdeoreWe have short agenda today as well, with some review reminder again 14:02
pdeore#topic Updates14:03
pdeoreZed PTG planning etherpad is up14:03
pdeoreKindly add your name in the list of attendees and the topics you would like to bring up, if you haven't added yet14:03
abhishekkWe have some interested topics in this PTG14:03
abhishekkPlease go through the planning etherpad and check whether if I missed anything14:04
pdeoreyeah, I would recommend to add yourself as a driver if you are interested in driving any particular session14:05
pdeoremoving to the next topic14:05
pdeore#topic release/periodic jobs14:05
pdeoreglance-tempest-plugin is releasing this week, unfortunately we couldn't make few rbac metadef tests in this cycle14:05
pdeoreCan we still make it in Yoga? by updating the details on
abhishekkI think we can backport those, so no need to worry14:06
abhishekkJust get those reviewed first :D14:07
rosmaitais glance_tempest_plugin branched?14:07
pdeoreyeah, dansmith we need your attention specially for those patches :)14:07
dansmithpdeore: link?14:07
pdeorerosmaita, no 14:07
pdeoreI've removed the lock and updated the namespaces names as per your suggestion14:08
dansmithokay yeah, sorry for letting these get away from me14:08
pdeoreso, that's all, moving to Open discussion14:09
abhishekknah, in that case we can wait for the release I guess14:09
abhishekkpdeore, you can comment on the release patch, saying we need some patches to get in14:09
pdeoreabhishekk, ok I will , do I need to -1 that patch with the comment?14:10
abhishekkand once all the patches merged,you can post a new revision as well14:11
abhishekkI will let you know how to do that14:11
pdeoremoving to Open Discussion  14:11
pdeore#topic Open discussion14:12
abhishekkNothing from me14:12
pdeoreI just had the review reminder for the glance-tempest-plugin patches, which we already discussed :)14:13
abhishekkJust to update, Zed spec is now open, so your pending specs can be resubmitted against Zed repository14:13
pdeoreack 14:13
abhishekkTomorrow is Holiday in India, so we will not be around as well14:13
abhishekkand glad to see dansmith back in the meetings :D14:14
dansmithhalf our government voted to make it permanent in 2023 last week,14:14
dansmithso hopefully this madness will stop eventually :)14:14
abhishekk::D, it should 14:15
dansmithso we're done?14:16
abhishekkalistarle, we are about to wrap up14:16
alistarleOh sorry, I came a little late :/14:16
abhishekkno worries14:16
abhishekkdo you have anything to update?14:17
pdeoreoops I forgot the periodic job update :?14:17
alistarleActually for our spec about glance-download, we are in a good shape, we develop averything you ask14:17
pdeore everything is green, no failure other than retry limit for couple of jobs :)14:17
abhishekkCool, you can submit the spec for review and also add it in PTG etherpad for discussion14:17
alistarleBut we just encounter an issue, is it fine to store potentially a keystone token in the task input, so in the DB and in the task api ?14:18
dansmithit's not a good idea, both for security reasons, but also if the token expires before you get to use it, things will break14:19
dansmithnova has a long history of things that run too long and break at the end because our token runs out of time14:19
abhishekkAlso mention your favorable date/time  for the discussion14:19
alistarleWe actually hesitate to "hack" the import API to remove the token from the input to ensure it is not recoverable from the task-api, or let it like that14:19
abhishekkalistarle, just give a brief idea to dansmith about your PoC14:20
abhishekkso that he will be on same page as well14:20
alistarle(for comparaison, mistral don't really care about that and keep the keystone token in the workflow execution, recoverable from the apiā€¦)14:20
abhishekkack, I guess masakari also does it (or was doing it initially)14:21
alistarledansmith sure, Idea is to add a new "glance-download" import method, like the web-download, but to ask a glance to download the image from another glance, really cool for federation or multi-region stuff14:21
dansmithalistarle: ack, and you pass a token to the import via args?14:22
alistarlein case of a federated keystone, no issue, we rely on the request context to get the token to contact the remote glance, but jokke_ ask us to allow the user to come with an other token from an other keystone, in case it is not federated, and that's where the issue come, how to store that securely14:22
dansmithyeah, that's simple, but it'll be fragile in practice, IMHO.. if the download gets delayed (queued) and happens after the token timeout14:23
dansmithnot to mention the security concern, which is non-trivial, IMHO14:24
alistarletoken are by default 24h, so I think there shouldn't be more issue than nova snapshot or stuff like that14:25
pdeorejust received message from abhishek, he got disconnected due to power failure at his place14:25
dansmithI dunno about that, I think we hit token timeout in CI jobs14:25
dansmithanyway, the thing is,14:26
dansmiththat token gives the downloading glance *way* too much power14:27
dansmithso protecting that token becomes extremely concerning14:27
*** tosky_ is now known as tosky14:27
dansmithit's like logging into your computer for someone and then leaving the room and hoping they will only check their gmail and not *your* gmail, or change your password, or install some malware :)14:27
alistarletrue, but note that in all case this is not an admin token, just a regular user one, it can also be a read-only one if user want14:28
dansmiththis random first google hit I found says it's 1h by default:
dansmithalistarle: I know it's not admin.. how can it be read-only? not sure where that would be honored14:29
alistarlebut I understand yeah, so you prefer to tweak a little bit the task creation code to forcefully remove the token from the task input ? Before it is saved into the db ? 14:29
dansmithwell, I would definitely say writing it to the DB is a bad idea, but I also say it would be a lot better to try to do something where a raw token isn't required14:30
dansmithlike implement an app download sort of thing in glance where you can generate a short-term URL for an image with a randomly-generated app password-based url, and pass *that* to the remote glance14:31
dansmithso that only that one image can be downloaded, no changes made, and no other images14:31
dansmithbecause the token means I could download *all* your images not just the one you want me to14:31
dansmithI assume the import process wants to pull the image metadata in addition to the image data, which is why you couldn't use ^ with web-download as it is14:32
* abhishekk facing power fluctuations14:33
alistarleIndeed, or we can decide this only work when using federated keystone, with glance in multi-region, and in that case no token is required, we only rely on the context on the import request14:33
dansmithalistarle: so think of this example.. let's say your employer has a cloud, and you want to take some not-very-sensitive image out to vexxhost14:33
dansmithin order to do this, you'd need to generate a token for your employer's very secure and sensitive cloud, give it to vexxhost for 1h (or 24h) and they'd be able to see everything in your account for that time.. images, instances, volumes, etc14:34
abhishekkI will say mention all possible ways in the spec and lets decide the primary solution then14:35
dansmithI definitely think it's a cool feature.. I dunno how often this is required, but if it's something we want to implement that's totally cool. But I think it should not violate (nor encourage users to violate) the security of the sending cloud :)14:35
abhishekkalso can't we have a policy similar to copy-image for this ?14:35
dansmithmeaning what? off/admin by default?14:36
dansmiththe problem with that is, the policy is set on the receiving cloud, which is not the one you're violating the security of :)14:37
alistarleFor me it is acceptable to require a federated keystone, it is actually our use-case, and it doesn't violate any security policy, at least for a first version, what do you think about that ?14:37
dansmithso vexxhost can enable that, and the fact that it's enabled and documented encourages users to generate basically passwords and given them to vexxhost to try to do the import :)14:37
dansmithalso, you need more than just the token, you need the glance or keystone endpoint of the sending cloud right?14:37
dansmithif you do the app-share url thing, you can just provide a single url to the remote side, which is enough for them to find the image info and data without much else14:38
alistarledansmith we can also decide to revoke the token after downloading the image in the local store right ? 14:38
dansmithalistarle: we being who, the target cloud? we already don't trust the target cloud in this scenario, but even if it's the user doing it... you're giving someone FULL access for a shorter period of time14:39
dansmithit's the "full access" that is the problem14:39
dansmithit's like saying "I'll leave my house door open while I make a *quick* trip to the store.. should be fine" :)14:40
abhishekkhmm, so its user of the target cloud who is under suspicion here14:40
dansmithnot necessarily under suspicion, just not the same level of trust14:41
dansmithsee my employer cloud -> vexxhost example above14:41
dansmithyou don't distrust vexxhost, you just can't give them your redhat creds :)14:41
alistarleIndeed, so it is easy only when we are talking about multiple region in the same cloud14:42
dansmithalistarle: right federated services have a relationship, so it's cool14:42
alistarleWhich is still a cool use-case to migrate images from regions to other regions14:42
dansmithfor sure14:42
abhishekkalistarle, I would recommend to submit a spec to get better idea about design and then we can discuss the best possible solution14:42
abhishekkdansmith, just curious, how can we verify this in tempest?14:43
dansmiththe federated case?14:43
dansmiththat's similar to g-api-r but we just need a different glance db for that one right?14:44
dansmithsimilar because it's a different endpoint in the catalog14:44
abhishekkyep, that means we need devstack change as well14:44
dansmithso we could add a g-api-remoterrr (name TBD)14:44
abhishekkgot it14:44
alistarleCool, we'll write the spec for that then14:45
abhishekkthank you :D14:45
alistarleis there already some schedule for the PTG ?14:45
dansmithalistarle: the devstack bit will be pretty simple because the g-api-r thing is almost what you need, I can help14:45
abhishekkthis is the planning etherpad at the moment14:45
abhishekkyou can add your topic, suitable date and time for the discussion14:46
abhishekkwe are gathering between 1400 UTC to 1700 UTC14:46
abhishekk4 to 8 April 202214:46
abhishekkOut of which 4 is reserved for TC discussions (so it will be 5 to 8 April)14:46
alistarleOk that's cool, we'll add the spec and the topic here also :) 14:47
alistarleI'm gonna leave to check if I well close my door, I left it open just for this *quick meeting* ;)14:48
abhishekkthank you alistarle 14:49
abhishekkI guess we are done now14:49
dansmithgood talk though :)14:49
alistarleyes, thanks for your advice :)14:50
pdeoreThank you :) do we have anything else to discuss, or we can wrap up?14:50
abhishekknothing from me14:51
pdeoreok, let's wrap up then :)14:52
pdeoreThanks everyone :)14:52
opendevmeetMeeting ended Thu Mar 17 14:52:28 2022 UTC.  Information about MeetBot at . (v 0.1.4)14:52
opendevmeetMinutes (text):
*** dasm is now known as dasm|21:21
*** dasm| is now known as dasm|off21:21

Generated by 2.17.3 by Marius Gedminas - find it at!