14:01:16 <abhishekk> #startmeeting glance
14:01:17 <openstack> Meeting started Thu Nov  5 14:01:16 2020 UTC and is due to finish in 60 minutes.  The chair is abhishekk. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:18 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:01:20 <openstack> The meeting name has been set to 'glance'
14:01:22 <abhishekk> #topic roll call
14:01:27 <abhishekk> #link https://etherpad.openstack.org/p/glance-team-meeting-agenda
14:01:29 <abhishekk> o/
14:01:37 * smcginnis is sort of here but distracted with other things
14:01:43 <abhishekk> ack
14:01:58 <abhishekk> waiting for others to join
14:01:58 <jokke> o/
14:02:24 <abhishekk> let's wait a couple of minutes more
14:02:37 <rosmaita> o/
14:03:12 <abhishekk> cool, let's start
14:03:33 <abhishekk> #topic Updates
14:04:06 <abhishekk> PTG concluded and we have discussed various topics and priorities for Wallaby during last week
14:04:31 <abhishekk> you can find summary and recordings of the session in the PTG etherpad
14:04:48 <abhishekk> #link https://etherpad.opendev.org/p/glance-wallaby-ptg
14:05:17 <abhishekk> Same etherpad contains milestone wise priorities for Wallaby cycle
14:05:36 <abhishekk> I will propose them to glance-specs repo by this week
14:05:50 <abhishekk> moving ahead
14:06:02 <abhishekk> #topic release/periodic jobs update
14:06:19 <abhishekk> Wallaby milestone 1 is 4 weeks away
14:06:49 <abhishekk> I will start adding priorities of milestone 1 in weekly meeting discussion from next time
14:07:07 <abhishekk> Periodic jobs - 3/4 py38 functional jobs were failing
14:07:23 <abhishekk> test_copy_public_image_as_non_admin_permitted test is failing with 403 error
14:07:40 <abhishekk> sorry 409, Reason is import lock is not busted in time and call returns 409 in this case
14:08:11 <abhishekk> I will put some time to understand this and will take help from dansmith as well
14:08:34 <abhishekk> any questions?
14:08:59 <abhishekk> cool, moving ahead
14:09:07 <abhishekk> #topic Glance Tempest plugin
14:09:31 <abhishekk> As discussed in PTG, I had discussion with gmann about this yesterday
14:09:55 <abhishekk> he has added his suggestion in etherpad, https://etherpad.opendev.org/p/glance-tempest-wallaby-plan
14:10:26 <abhishekk> According to him, the plugin should contain only API related tests and not cross project/service tests
14:10:58 <abhishekk> For API related testing we already have functional tests, so adding plugin doesn't make sense to me
14:11:01 <rosmaita> hmmm ... all our plugin contains is cross project tests for cinder!
14:11:15 <abhishekk> ohh, really?
14:11:20 <rosmaita> i mean, that's the whole point, to have some scenario tests
14:11:37 <abhishekk> gmann, told me otherwise
14:11:44 <rosmaita> yeah, we maintain tests in the barbican devstack plugin to handle image encryption tests
14:11:57 <rosmaita> and the cinder-tempest-plugin has other stuff
14:12:37 <abhishekk> ack, My idea behind adding plugin was to test barbican and multiple stores at one place
14:13:09 <abhishekk> I will still discuss this with him and internal team who is going to contribute towards it before taking any decision
14:13:32 <abhishekk> rosmaita, I might need inputs from you as well
14:13:33 <rosmaita> https://opendev.org/openstack/barbican-tempest-plugin/src/branch/master/barbican_tempest_plugin/tests/scenario
14:13:54 <rosmaita> that's got image signature validation tests and also cinder volume encryption
14:14:24 <abhishekk> cool, will have look and check whether it covers our use case
14:14:28 <rosmaita> also, talk to tosky
14:14:43 <rosmaita> he will know the correct vocabulary to use to discuss this with gmann
14:14:49 <abhishekk> ack
14:14:58 <abhishekk> yeah he was around yesterday as well
14:15:00 <rosmaita> we may just be describing what we want to do incorrectly
14:15:11 <abhishekk> +1
14:15:47 <abhishekk> thank you rosmaita
14:15:50 <abhishekk> moving ahead
14:16:06 <abhishekk> #topic Consistent and Secure default policies
14:16:24 <abhishekk> I guess gmann has added it to the agenda
14:16:42 <abhishekk> #link https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team
14:17:21 <abhishekk> This is new community goal which is divided to complete in two cycles
14:18:21 <abhishekk> This cycle we need to deprecate default policies in code and next cycle need to implement RBAC
14:19:02 <abhishekk> rosmaita, could you please share more insight around this as you had this topic for PTG discussion
14:19:16 <rosmaita> yeah, it's not deprecate the default policies in code
14:19:30 <rosmaita> the issue is that to see the default policies, you need to generate a file
14:19:41 <rosmaita> you can generate (currently) in either JSON or YAML
14:19:48 <rosmaita> yaml has comments
14:19:58 <abhishekk> right
14:20:04 <rosmaita> the problem is that the default policy file is still json
14:20:28 <rosmaita> and in order to deprecate policies (or something, i didn't quite follow) the comments need to show up
14:20:39 <rosmaita> so the community goal is to make YAML the default
14:20:53 <rosmaita> so that when all the policies are changed to use the groovy new scoping stuff
14:21:09 <rosmaita> the correct sample will be generated
14:21:12 <rosmaita> something like that
14:21:18 <abhishekk> I guess we glance do have default yaml (need to confirm)
14:21:23 <rosmaita> oslo.policy is going to remove the ability to generate json
14:21:53 <abhishekk> ack
14:21:54 <rosmaita> well, everyone defaulted to generating a yaml sample
14:22:16 <rosmaita> i had to put up patches to cinder (back in stein i think) to look for the yaml instead of json
14:22:26 <rosmaita> i thought that was what we were supposed to do
14:22:42 <abhishekk> Ok, I guess popup team will help us if needed
14:22:45 <rosmaita> right
14:23:08 <rosmaita> i don't think i did it for glance because at that point we weren't using policy in code yet
14:23:08 <abhishekk> cool, will sync with them and get it cleared as well
14:23:25 <abhishekk> yes, we have done it Ussuri
14:23:32 <jokke> but IIUC the RBAC part expects the policies being 1:1 mapping with the API calls
14:23:34 <abhishekk> * in Ussuri
14:23:39 <jokke> which we're far from
14:23:53 <rosmaita> yeah, that's still an issue
14:24:03 <rosmaita> this is not going to be a clean transition for anyone, i don't think
14:24:24 <rosmaita> but they already did nova ...
14:24:37 <rosmaita> so i guess everything is fine
14:24:37 <abhishekk> yes
14:24:57 <abhishekk> I guess cinder has also one API which uses it, right?
14:25:18 * dansmith sneaks in
14:25:28 <rosmaita> abhishekk: "it" == ??
14:25:40 <abhishekk> it == RBAC ?
14:25:58 <jokke> rosmaita: well the issue I see there is that this requires full rewrite of Glance policies, and not only full rewrite but proper deprecation of the old ones too
14:26:08 <rosmaita> oh, yeah, we have > 75 policies at this point for the block storage API
14:26:23 <rosmaita> jokke: us too, we have policy checks in the db layer
14:26:34 <rosmaita> my concern is cross-project data leakage
14:26:52 <rosmaita> because the model seems to be configure everything in the policy file
14:27:15 <rosmaita> which i guess is ok if you know what you are doing and have good tests
14:27:23 <rosmaita> but nobody does
14:27:28 <jokke> rosmaita: mhm
14:27:33 <rosmaita> that's just my opinion, though
14:27:37 <dansmith> I'm not sure what y'all are talking about
14:27:39 <abhishekk> yes
14:27:56 <abhishekk> Consistent and Secure default policies
14:27:57 <dansmith> the community goal is purely about converting the default policy file format from json to yaml
14:28:10 <rosmaita> we are talking about part 2
14:28:27 <abhishekk> right
14:28:44 <dansmith> ah okay
14:28:46 <rosmaita> policy rewrite to use scoped tokens, support reader role, etc
14:29:02 <dansmith> ack yeah, okay
14:29:39 <abhishekk> heavy work to pull policy layer out of Onion
14:30:24 <dansmith> I can imagine
14:30:31 <dansmith> at least there's one you don't have to de-onionify :)
14:30:31 <abhishekk> :D
14:30:35 <rosmaita> yeah, theoretically it seemed to be a great idea for separation of concerns
14:30:58 <rosmaita> that's why no one likes theorists
14:31:00 <dansmith> nova has moved all its policy out of the db layer at this point, AFAIK,
14:31:16 <dansmith> but the token change will be some work I think
14:31:29 <rosmaita> we haven't done it in cinder yet (move policy checks out of DB)
14:31:36 <rosmaita> we need much more thorough tests first
14:31:41 <abhishekk> I thought nova has already done it (token change)
14:31:46 <rosmaita> and that's even before adding the new stuff
14:32:34 <dansmith> abhishekk: I think there's still something outstanding
14:33:03 <abhishekk> ok, so the action plan is I will sync with pop-up team and discuss what is needed from glance this cycle and then will start doing it side by side
14:33:07 <abhishekk> dansmith, ack
14:33:37 <abhishekk> Moving to open discussion unless anything more for this topic
14:34:15 <abhishekk> #topic Open discussion
14:34:49 <abhishekk> So as discussed in PTG, I have flagged removal of single store configuration to openstack-discuss ML
14:35:05 <abhishekk> #link http://lists.openstack.org/pipermail/openstack-discuss/2020-November/018546.html
14:35:33 <abhishekk> Will start working on converting unit and functional tests soon
14:35:59 <abhishekk> that's it from me for today
14:36:26 <rosmaita> email looks nice and clear
14:36:54 <abhishekk> thank you
14:37:14 <jokke> yeah looked good
14:37:35 <rosmaita> it will be nice to get all that stuff cleared out
14:37:41 <abhishekk> ++
14:38:49 <abhishekk> as discussed during PTG I am also working on combinations of different stores using devstack for CI improvements
14:40:27 <abhishekk> let's wrap up early if nothing more to discuss
14:40:53 <rosmaita> works for me!
14:41:05 <abhishekk> jokke, dansmith ?
14:41:17 <jokke> I have nothing for now
14:41:24 <dansmith> for sure
14:41:36 <abhishekk> cool, thank you all
14:41:44 <abhishekk> have a nice weekend
14:42:02 <abhishekk> #endmeeting