14:01:16 #startmeeting glance
14:01:17 Meeting started Thu Nov 5 14:01:16 2020 UTC and is due to finish in 60 minutes. The chair is abhishekk. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:18 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:01:20 The meeting name has been set to 'glance'
14:01:22 #topic roll call
14:01:27 #link https://etherpad.openstack.org/p/glance-team-meeting-agenda
14:01:29 o/
14:01:37 * smcginnis is sort of here but distracted with other things
14:01:43 ack
14:01:58 waiting for others to join
14:01:58 o/
14:02:24 lets wait couple of minutes more
14:02:37 o/
14:03:12 cool, lets start
14:03:33 #topic Updates
14:04:06 PTG concluded and we have discussed various topics and priorities for Wallaby during last week
14:04:31 you can find summary and recordings of the session in the PTG etherpad
14:04:48 #link https://etherpad.opendev.org/p/glance-wallaby-ptg
14:05:17 Same etherpad contains milestone wise priorities for Wallaby cycle
14:05:36 I will propose them to glance-specs repo by this week
14:05:50 moving ahead
14:06:02 #topic release/periodic jobs update
14:06:19 Wallaby milestone 1 4 weeks away
14:06:49 I will start adding priorities of milestone 1 in weekly meeting discussion from next time
14:07:07 Periodic jobs - 3/4 py38 functional jobs were failing
14:07:23 test_copy_public_image_as_non_admin_permitted test is failing with 403 error
14:07:40 sorry 409, Reason is import lock is not busted in time and call returns 409 in this case
14:08:11 I will put some time to understand this and will take help from dansmith as well
14:08:34 any questions?
14:08:59 cool, moving ahead
14:09:07 #topic Glance Tempest plugin
14:09:31 As discussed in PTG, I had discussion with gmann about this yesterday
14:09:55 he has added his suggestion in etherpad, https://etherpad.opendev.org/p/glance-tempest-wallaby-plan
14:10:26 According to him, the plugin should contain only API related tests and not cross project/service tests
14:10:58 For API related testing we already have functional tests, so adding plugin doesn't make sense to me
14:11:01 hmmm ... all our plugin contains is cross project tests for cinder!
14:11:15 ohh, really?
14:11:20 i mean, that's the whole point, to have some scenario tests
14:11:37 gmann, told me otherwise
14:11:44 yeah, we maintain tests in the barbican devstack plugin to handle image encryption tests
14:11:57 and the cinder-tempest-plugin has other stuff
14:12:37 ack, My idea behind adding plugin was to test barbican and multiple stores at one place
14:13:09 I will still discuss this with him and internal team who is going to contribute towards it before taking any decision
14:13:32 rosmaita, I might need inputs from you as well
14:13:33 https://opendev.org/openstack/barbican-tempest-plugin/src/branch/master/barbican_tempest_plugin/tests/scenario
14:13:54 that's got image signature validation tests and also cinder volume encryption
14:14:24 cool, will have look and check whether it covers our use case
14:14:28 also, talk to tosky
14:14:43 he will know the correct vocabulary to use to discuss this with gmann
14:14:49 ack
14:14:58 yeah he was around yesterday as well
14:15:00 we may just be describing what we want to do incorrectly
14:15:11 +1
14:15:47 thank you rosmaita
14:15:50 moving ahead
14:16:06 #topic Consistent and Secure default policies
14:16:24 I guess gmann has added it to the agenda
14:16:42 #link https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team
14:17:21 This is new community goal which is divided to complete in two cycles
14:18:21 This cycle we need to deprecate default policies in code and next cycle need to implement RBAC
14:19:02 rosmaita, could you please share more insight around this as you had this topic for PTG discussion
14:19:16 yeah, it's not deprecate the default policies in code
14:19:30 the issue is that to see the default policies, you need to generate a file
14:19:41 you can generate (currently) in either JSON or YAML
14:19:48 yaml has comments
14:19:58 right
14:20:04 the problem is that the default policy file is still json
14:20:28 and in order to deprecate policies (or something, i didn't quite follow) the comments need to show up
14:20:39 so the community goal is to make YAML the default
14:20:53 so that when all the policies are changed to use the groovy new scoping stuff
14:21:09 the correct sample will be generated
14:21:12 something like that
14:21:18 I guess we glance do have default yaml (need to confirm)
14:21:23 oslo.policy is going to remove the ability to generate json
14:21:53 ack
14:21:54 well, everyone defaulted to generating a yaml sample
14:22:16 i had to put up patches to cinder (back in stein i think) to look for the yaml instead of json
14:22:26 i thought that was what we were supposed to do
14:22:42 Ok, I guess popup team will help us if needed
14:22:45 right
14:23:08 i don't think i did it for glance because at that point we weren't using policy in code yet
14:23:08 cool, will sync with them and get it cleared as well
14:23:25 yes, we have done it Ussuri
14:23:32 but IIUC the RBAC part expects the policies being 1:1 mapping with the API calls
14:23:34 * in Ussuri
14:23:39 which of we're far from
14:23:53 yeah, that's still an issue
14:24:03 this is not going to be a clean transition for anyone, i don't think
14:24:24 but they already did nova ...
14:24:37 so i guess everything is fine
14:24:37 yes
14:24:57 I guess cinder has also one API which uses it, right?
14:25:18 * dansmith sneaks in
14:25:28 abhishekk: "it" == ??
14:25:40 it == RBAC ?
14:25:58 rosmaita: well the issue I see there is that this requires full rewrite of Glance policies, and not only full rewrite but proper deprecation of the old ones too
14:26:08 oh, yeah, we have > 75 policies at this point for the block storage API
14:26:23 jokke: us too, we have policy checks in the db layer
14:26:34 my concern is cross-project data leakage
14:26:52 because the model seems to be configure everything in the policy file
14:27:15 which i guess is ok if you know what you are doing and have good tests
14:27:23 but nobody does
14:27:28 rosmaita: mhm
14:27:33 that's just my opinion, though
14:27:37 I'm not sure what ya'll are talking about
14:27:39 yes
14:27:56 Consistent and Secure default policies
14:27:57 the community goal is purely about converting the default policy file format from json to yaml
14:28:10 we are talking about part 2
14:28:27 right
14:28:44 ah okay
14:28:46 policy rewrite to use scoped tokens, support reader role, etc
14:29:02 ack yeah, okay
14:29:39 heavy work to pull policy layer out of Onion
14:30:24 I can imagine
14:30:31 at least there's one you don't have to de-onionify :)
14:30:31 :D
14:30:35 yeah, theoretically it seemed to be a great idea for separation of concerns
14:30:58 that's why no one likes theorists
14:31:00 nova has moved all its policy out of the db layer at this point, AFAIK,
14:31:16 but the token change will be some work I think
14:31:29 we haven't done it in cinder yet (move policy checks out of DB)
14:31:36 we need much more thorough tests first
14:31:41 I thought nova has already done it (token change)
14:31:46 and that's even before adding the new stuff
14:32:34 abhishekk: I think there's still something outstanding
14:33:03 ok, so the action plan is I will sync with pop-up team and discuss what is needed from glance this cycle and then will start doing it side by side
14:33:07 dansmith, ack
14:33:37 Moving to open discussion unless anything more for this topic
14:34:15 #topic Open discussion
14:34:49 So as per discussed in PTG, I have flagged removal of single store configuration to openstack-discuss ML
14:35:05 #link http://lists.openstack.org/pipermail/openstack-discuss/2020-November/018546.html
14:35:33 Will start working on converting unit and functional tests soon
14:35:59 that's it from me for today
14:36:26 email looks nice and clear
14:36:54 thank you
14:37:14 yeah looked good
14:37:35 it will be nice to get all that stuff cleared out
14:37:41 ++
14:38:49 as discussed during PTG I am also working on combinations of different stores using devstack for CI improvements
14:40:27 lets wrap up early if nothing more to discuss
14:40:53 works for me!
14:41:05 jokke, dansmith ?
14:41:17 I have nothing for now
14:41:24 for sure
14:41:36 cool, thank you all
14:41:44 have a nice weekend
14:42:02 #endmeeting