#openstack-meeting-4 log

14:00:08 <nikhil> #startmeeting glance
14:00:09 <openstack> Meeting started Thu Jun 23 14:00:08 2016 UTC and is due to finish in 60 minutes.  The chair is nikhil. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:11 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:13 <openstack> The meeting name has been set to 'glance'
14:00:15 <nikhil> #topic agenda
14:00:20 <nikhil> #link https://etherpad.openstack.org/p/glance-team-meeting-agenda
14:00:49 <mfedosin> o/
14:00:57 <sigmavirus24> o/
14:00:58 <tsymanczyk> \o
14:01:13 <rosmaita> o/
14:01:23 <abhishek> o/
14:01:24 <nikhil> let's get started
14:01:33 <bunting> o/
14:01:35 <nikhil> #topic Updates
14:01:39 <vkmc> o/
14:01:41 <nikhil> #info Glare updates
14:01:46 <nikhil> mfedosin: ^
14:01:58 <dshakhray> o/
14:02:20 <mfedosin> hey :) pls, review the spec!
14:02:45 <mfedosin> #link https://review.openstack.org/#/c/283136/
14:03:02 <mfedosin> jokke_ added good comments
14:03:08 <kairat> o/
14:03:22 <mfedosin> I almost agree with him
14:03:43 <mfedosin> about the code - code is on review as well
14:04:17 <mfedosin> #link https://review.openstack.org/#/c/330459/3
14:04:30 <mfedosin> it's the top commit
14:04:46 <mfedosin> now I'm working on sqlalchemy db api for glare v1
14:05:13 <mfedosin> kairat added microversions support and did a small refactoring of our engine
14:05:43 <mfedosin> dshakhray is implementing json schema generation
14:06:53 <mfedosin> btw Darja defended her degree work today!
14:07:02 <rosmaita> go Darja!
14:07:09 <tsymanczyk> woo!
14:07:16 <mfedosin> and got excellent mark
14:07:36 <jokke_> :)
14:08:01 <mfedosin> The work was about the distinction layer in Glance
14:08:05 <mfedosin> #link https://review.openstack.org/#/c/331000/
14:08:13 <mfedosin> so, congratulations
14:08:24 <nikhil> congrats!
14:08:27 <mfedosin> sorry for offtop :)
14:08:41 <sigmavirus24> Would give dshakhray a round of applause but IRC isn't conducive to that
14:08:43 <mfedosin> so, we're waiting for reviews from community
14:08:52 <vkmc> \o/
14:09:28 <nikhil> o/\
14:10:01 <nikhil> should we move on to next?
14:10:27 <mfedosin> I think yes
14:10:30 <nikhil> #info Nova v1, v2 ( mfedosin )
14:10:34 <mfedosin> nothing
14:10:54 <kairat> can we remove this item?
14:11:13 <nikhil> do we know if Nova is happy with v2 testing?
14:11:13 <mfedosin> yes
14:11:29 <mfedosin> I know, we found a small issue there
14:11:34 <mfedosin> but it was fixed
14:11:50 <nikhil> kairat: I think we can bring this up once in a few weeks but not needed for all meetings anymore.
14:11:52 <mfedosin> nova could create kernel_id as empty string
14:12:07 <mfedosin> but v2 schema rejects it
14:12:17 <kairat> nikhil, agree
14:12:20 <mfedosin> so now we convert '' to None
14:12:30 <mfedosin> but I want to add another item here
14:12:59 <mfedosin> as you may know Murano, Horizon and Heat haven't supported v2 yet
14:13:15 <rosmaita> :(
14:13:23 <mfedosin> I work with all these team to help them adopt v2 in Newton
14:13:37 <mfedosin> so I may tell you about the progress
14:14:08 <nikhil> good idea
14:14:18 <nikhil> I've added it for next meeting.
14:14:27 <mfedosin> in short everyone wants copy-from
14:15:04 <mfedosin> Horizon team started to implement their own copy-from
14:15:15 <mfedosin> the same story for Murano
14:15:47 <mfedosin> if you give me 30 seconds I'll find this code for Horizon
14:16:08 <nikhil> while I empathize those teams calling it copy-from, it's not technically copy-from as far as glance is considered because that sort of implementation doesn't support the use cases of copy-from, particularly of large clouds.
14:17:39 <nikhil> should we move on for now?
14:17:49 <mfedosin> unfortunately I couldn't find this commit
14:17:57 <mfedosin> but I will next week
14:18:03 <nikhil> ok, thanks.
14:18:05 <mfedosin> okay, move on
14:18:35 <nikhil> #info Nikhil is travelling/limited online next week. rosmaita has graciously accepted to conduct the next thur's weekly meeting.
14:18:50 * rosmaita blushes
14:19:14 <nikhil> #topic better policy control on default policies and security issues (rosmaita , bunting )
14:19:36 <nikhil> #link https://review.openstack.org/#/c/309346/
14:19:49 <nikhil> #link https://review.openstack.org/#/c/330443/
14:20:04 <rosmaita> the basic problem is that bunting proposed adding some policies so that someone other than the glance admin ...
14:20:10 <rosmaita> a security team, say ...
14:20:17 <rosmaita> could download a deactivated image
14:20:21 <rosmaita> but the problem is
14:20:37 <rosmaita> if we add the policy download_deactivated_image
14:20:50 <rosmaita> the old policy files have default:"" in them
14:21:06 <rosmaita> so, unless the operator knows to specifically override the new policy
14:21:12 <rosmaita> everyone can do it
14:21:20 <rosmaita> which of course is bad
14:21:25 <bunting> This was on the mailing lint as well: http://lists.openstack.org/pipermail/openstack-operators/2016-June/010791.html
14:21:33 <bunting> Removing the need for a default role
14:21:54 <rosmaita> so we are wondering what's the best way to change this
14:22:17 <rosmaita> also, should the default role be "!" or "admin" or something
14:22:25 <rosmaita> because "" seems way too permissive
14:22:55 <jokke_> rosmaita: I don't see that in our current policy.json
14:23:31 <rosmaita> hmmm ... would've sworn it was in there
14:23:44 <jokke_> oh it's coming via "default": ""
14:23:50 <rosmaita> right
14:24:05 <tsymanczyk> fwiw the first thing i did when rewriting the keystone policy (locally) was default:"!"
14:24:15 <rosmaita> yes, so any policies not specifically mentioned in the file will do whatever default says
14:24:19 <nikhil> rosmaita: default just for deactivated images or every change like this?
14:24:29 <jokke_> so personally I think we need to overwrite that default on the rules we expect to defaulting to admin in the code and document that well
14:24:51 <rosmaita> tsymanczyk: ++ jokke_: ++
14:24:59 <rosmaita> my worry is how about upgrades?
14:25:18 <rosmaita> an old policy file based on our default will have default:"" in it
14:25:35 <rosmaita> is a strongly-worded release note sufficient?
14:25:36 <jokke_> rosmaita: that's why I'm saying in code, not in the example json
14:25:49 <bunting> What I think is that we go with !, and then move to using the new way of doing things in that mailing list reply
14:26:07 <bunting> Which is "It works by having every rule that a project
14:26:08 <bunting> uses register a default policy for that rule"
14:26:12 <jokke_> if we go with default "!" that blows all our tempest tests
14:26:48 <rosmaita> jokke_: good point
14:27:15 <nikhil> yes, default rule for all policy changes is breaking change
14:27:18 <sigmavirus24> (which probably also breaks defcore)
14:27:26 <jokke_> sigmavirus24: absolutely
14:27:28 <rosmaita> arrrgh
14:27:30 <hemanthm> jokke_: if we override the default in code, is that going to create confusion? (maybe it doesn't matter in the upgrade case here)
14:27:34 <nikhil> if we want to scrutinize changes, we can introduce a stringent role
14:27:44 <hemanthm> because it's sorta implicit
14:27:45 <rosmaita> hemanthm: ++
14:28:01 <jokke_> hemanthm: absolutely is, that's why we need to document it well and think really really carefully where it's appropriate
14:28:05 <sigmavirus24> rosmaita: I'm wondering if operators really never update their policy.json
14:28:27 <nikhil> I don't quite get what overriding means here. we may make the policy control redundant?
14:28:48 <jokke_> but if we want to move some of our hardcoded admin actions to policy, that's the _only_ way to go without exposing during upgrades
14:29:12 <rosmaita> nikhil: i think the idea (for Ocata) is that we have a hardcoded per-policy default that can be overridden
14:29:16 <jokke_> and/or breaking everybody in the action
14:29:22 <rosmaita> by the operator setting a specific policy
14:29:37 <bunting> rosmaita: ++
14:29:39 <rosmaita> but since the default is per-policy, we don;'t have to have the same default for all actions
14:29:51 <nikhil> I like that
14:30:31 <nikhil> it fits with the reasoning of obscuring secuirty issues with feature-wise policy support
14:30:59 <rosmaita> ok, so for now, what do we do? i guess leave default:"" for tempest?
14:31:06 <rosmaita> and strongly worded release note?
14:31:21 <nikhil> rosmaita: my question only was if we were going to override in source code or some way in the policy file?
14:31:56 <hemanthm> rosmaita: +1
14:32:01 <bunting> Why don't we move it upto admin at least?
14:32:07 <jokke_> nikhil: so problem with doing that in the policy file is that that demands ops catching that in upgrade and remember to upgrade their policy files
14:32:12 <rosmaita> nikhil: haven't thought this through, but i think we would eliminate "default" as a thing in the policy file
14:32:30 <rosmaita> instead, there would be a hard-coded default (in code, but also documented)
14:32:40 <nikhil> my opinion is that, this is a operator issue for which a hack is not worth
14:32:46 <rosmaita> and if the policy is mentioned in policy.json, we go with that instead
14:33:14 <nikhil> hmm, a good point worth discussion
14:33:18 <nikhil> worth a lite-spec I'd say
14:33:19 <rosmaita> well, we could do what nikhil says
14:33:32 <rosmaita> just tell operators to be careful with their policy files
14:33:32 <jokke_> nikhil: I would love to think that way as well, but client defaulting to API v2 proved that to absolutely not being the case
14:33:43 <nikhil> yeah, I find that upgrade notes would do a really good job at what is expected
14:33:47 <bunting> Looking at the operator mailing list, they are in broad favour of at least using admin
14:33:54 <nikhil> this sort of thing is the best candidate for highlights
14:34:39 <tsymanczyk> domany other projects have a hard coded default that overrides the policy.json default?
14:34:43 <nikhil> sigmavirus24: is this worth a backport?
14:35:05 <nikhil> if yes, we can introduce a new policy rule and use that for deactivated images
14:35:26 <nikhil> (not sure, if we need it for mitaka since the feature will be in newton)
14:35:28 <jokke_> nikhil, sigmavirus24: it's backwards incompatible change we really can't backport
14:35:43 <sigmavirus24> (Was catching up) I agree with jokke_
14:35:59 <rosmaita> i agree with jokke_ and sigmavirus24
14:37:46 <nikhil> I would love a review discussion on this, I can't seem to fit all the pieces together atm.
14:37:50 <sigmavirus24> Also not sure we can just switch this on in Newton without a deprecation/warning cycle
14:38:06 <rosmaita> sigmavirus24: that's what i was wondering
14:38:22 * sigmavirus24 had tried to make the policy.json more explicit over a year ago but never got the time to finish it up
14:38:36 <jokke_> sigmavirus24, rosmaita: if we overwrite the default in code to reflect the current behavior, I think we can do it without deprecation
14:38:42 <sigmavirus24> It was also partially worthless because most of our policy is written in Python near the db layer
14:39:12 <sigmavirus24> (because when we added oslo.policy, we basically just added it as a dependency and did almost nothing else with it :()
14:39:56 <rosmaita> sigmavirus24: great ... so this is looking like a bigger and bigger project
14:40:02 <rosmaita> spec time!
14:40:08 <jokke_> :)
14:40:18 <nikhil> rosmaita: thanks
14:40:41 <nikhil> we can start with a lite-spec and if needed go to a full spec
14:40:55 <nikhil> moving on for now
14:41:03 <sigmavirus24> rosmaita: that's just historical griping
14:41:10 <sigmavirus24> But yeah, it's spec worthy
14:41:18 <tsymanczyk> i'm not disagreeing with the idea, but it's going to be confusing to debug from an op perspective with 3 possible sources of policy, one non-standard
14:41:29 <rosmaita> tsymanczyk: ++
14:41:36 <rosmaita> it needs some more thought
14:41:39 <hemanthm> tsymanczyk: ++
14:42:09 <nikhil> yes, overrides need to be carefully introduced
14:42:20 <nikhil> I will come back to abhishek's request later as we've said in the past that meetings should not be used for asking reviews.
14:42:32 <nikhil> #topic Policy concerning changes to "old" db migration scripts. (rosmaita)
14:42:43 <nikhil> #link https://review.openstack.org/#/c/330009/
14:42:53 <rosmaita> ok, there's a bit of disagreement on this topic
14:43:11 <rosmaita> i had thought in the past we didn't modify database scripts unless there was a bug in them
14:43:33 <rosmaita> primarily so that operators don't get confused
14:43:45 <rosmaita> and think there's a bug when it's just a spelling correction
14:44:03 <nikhil> ok, is that the only issue?
14:44:13 <rosmaita> yes, what is our policy about this?
14:44:44 <rosmaita> it's a simple change and i don't mean to hold it up pointlessly
14:44:53 <nikhil> I'd say operator awareness takes precedence over spell correct. so, let's avoid trivial changes on DB scripts and ask people to fix such things as a part of stronger bugs.
14:45:01 <jokke_> I'm with rosmaita on this. I think we should treat those migration scripts with utmost care and not just poke them for comment spelling mistakes
14:45:25 <tsymanczyk> agreed
14:45:33 <hemanthm> rosmaita: I'm not sure what the policy is but I agree with you
14:45:38 <rosmaita> ok, so everyone break out your spell-checker when you review db scripts
14:45:45 <nikhil> :)
14:45:47 <rosmaita> because you only get one chance to get them right!
14:45:52 <jokke_> ++
14:45:53 <tsymanczyk> misspell doesn't hurt anyone
14:46:09 <jokke_> specially when it's in the comments
14:46:26 <jokke_> would be different story if it was spelling mistake on table or column name :P
14:46:31 <rosmaita> ok, i will put up a patch for the contrib docs or somewhere appropriate mentioning this
14:46:36 <nikhil> rosmaita: you can link ref to this meeting note saying that -2 is worthy and okay with other glancers.
14:46:47 <rosmaita> ok, thanks
14:46:53 <hemanthm> it hurts people's OCD sometimes :P
14:47:04 <nikhil> #topic open discussion
14:47:06 <jokke_> nikhil: perhaps agreed tl;dr for the meeting records
14:47:16 <tsymanczyk> exposure therapy
14:47:24 <rosmaita> tsymanczyk: :)
14:47:40 <nikhil> jokke_: sure, ty for reminding
14:48:55 <nikhil> #agreed spell-corrections on DB scripts are forbidden unless you are fixing them as a part of another stronger bug on the migration script itself. Changing migration scripts confuses ops/admins and their preference will be taking precedence over fixing spell errors.
14:49:10 <jokke_> thnx
14:49:24 <sigmavirus24> nikhil: I would augment that with "if the script has not been part of a release yet, they're fair game"
14:49:37 <nikhil> sigmavirus24: totally
14:49:38 <jokke_> sigmavirus24: +
14:49:48 <sigmavirus24> I don't think we should lock down migrations that operators haven't had the chance to use yet
14:49:56 <rosmaita> sigmavirus24: ++
14:50:05 <nikhil> rosmaita: worth adding to contribe doc you if plan to add (or I can).
14:50:27 <nikhil> (all the gotchas to this project-policy)
14:50:36 <rosmaita> nikhil: i'll do it since i stirred up this problem
14:50:41 <nikhil> thanks!
14:51:47 <jokke_> The talk submission page is open for Barcelona
14:51:53 <nikhil> abhishek: for just once, I will let you propose you review request as it's been sitting for a while (this is case by case exclusion to our simple-review-requests-not-in-meeting rule)
14:52:08 <abhishek> hi, sorry for bringing this up in meeting, I was not aware about this
14:52:15 <jokke_> so people lets start planning and sharing ideas for Glane related topics
14:52:56 <rosmaita> jokke_: how about you & me do a "how to work in a cross-cultural environment; or, there's no word for 'please' in Finnish"
14:53:02 <nikhil> abhishek: please take a look at relatively recently added best practices for meeting in the agenda etherpad (near top)
14:53:09 <jokke_> rosmaita: ++ ;)
14:53:18 <hemanthm> rosmaita: lol, is there a culture track?
14:53:26 <rosmaita> i think we should start one!
14:53:26 <nikhil> BoF
14:53:27 <abhishek> nihil: sure,
14:53:52 <rosmaita> jokke_: i am only partially kidding, i think it's worth a thought
14:54:16 <hemanthm> rosmaita: maybe you can also talk about how -1s shouldn't offend people
14:54:18 <jokke_> rosmaita: just sent you a ping around same feeling :D
14:54:30 <rosmaita> hemanthm: ++
14:54:31 <jokke_> hemanthm: nor -2s
14:54:32 <nikhil> just don't have that tied to glance
14:54:39 <rosmaita> nikhil: ++
14:55:17 <nikhil> Return request-id to caller
14:55:31 <nikhil> https://review.openstack.org/#/c/261288/
14:55:32 <nikhil> https://review.openstack.org/#/c/316052/
14:55:48 <hemanthm> jokke_: totally! But getting people to take -1s on their face value is a big win to start with.
14:55:52 <abhishek> need review on these patches
14:55:53 <abhishek> Both are against the same blueprint suggested by different members.
14:55:53 <abhishek> Please review and let me know your opinions about the same
14:56:03 <abhishek> thank you for considering this time
14:57:03 <jokke_> hemanthm: yeap!
14:57:34 <nikhil> Thanks all for joining!
14:57:37 <jokke_> abhishek: those are the logging stuff I commented earlier?
14:58:00 <abhishek> jokke_: no that is different
14:58:19 <abhishek> this solution is suggested by Stuart to use hooks
14:58:20 <jokke_> ah, k
14:58:32 <jokke_> will tryto have a look
14:58:40 <abhishek> jokke_: thank you
14:59:06 <jokke_> thanks all!
14:59:36 <nikhil> #endmeeting