#openstack-meeting log

14:00:14 <abhishekk> #startmeeting glance
14:00:15 <openstack> Meeting started Thu Nov 19 14:00:14 2020 UTC and is due to finish in 60 minutes.  The chair is abhishekk. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:15 <abhishekk> #topic roll call
14:00:16 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:18 <openstack> The meeting name has been set to 'glance'
14:00:20 <jokke> o/
14:00:24 <abhishekk> #link https://etherpad.openstack.org/p/glance-team-meeting-agenda
14:00:27 <abhishekk> o/
14:00:33 <abhishekk> Short agenda today
14:01:01 <abhishekk> Might be finished within 15-20 minutes
14:01:35 <abhishekk> waiting couple of minutes for others to join
14:02:59 <abhishekk> Looks like just us :D
14:03:01 <abhishekk> lets start
14:03:07 <jokke> :)
14:03:14 <abhishekk> #topic release/periodic jobs update
14:03:20 <abhishekk> Wallaby milestone 1 - 2 weeks away
14:04:01 <abhishekk> I am going to tag glance-store release next week on Monday to unblcok cinder multistore functional tests
14:04:09 <abhishekk> Periodic jobs 1 failure this week
14:04:21 <abhishekk> Will go through logs after the meeting
14:04:41 <jokke> kk, was jus gonna ask if something we need to be worried about or just glitch
14:04:44 <rosmaita> o/
14:04:50 <jokke> Hi Brian
14:04:56 <abhishekk> o/
14:05:01 <rosmaita> sorry i'm late
14:05:03 <abhishekk> no need to worry at the moment
14:05:10 <abhishekk> no problem rosmaita :D
14:05:23 <abhishekk> #topic Milestone 1 priorities
14:05:32 <abhishekk> Reform cluster awareness specs
14:05:48 <abhishekk> Reform cache-api specs (very less priority)
14:06:00 <abhishekk> Lite spec for task API for general user (mostly just like task show API)
14:06:24 <abhishekk> I will try to put this lite spec by Monday, at the moment working on PoC
14:07:02 <abhishekk> Other than this, kindly go through glance-specs patches, I have asked couple of contributors to file lite specs for their work
14:07:13 <jokke> I will have the cluster awareness spacs up either today or tomorrow, likely today
14:07:20 <abhishekk> cool
14:07:36 <abhishekk> Moving ahead
14:07:44 <abhishekk> #topic RBAC
14:07:58 <rosmaita> everybody's favorite topic!
14:08:04 <abhishekk> :P
14:08:19 <abhishekk> I have attended Open hour meeting this week and cleared some of my doubts
14:08:28 <abhishekk> No need to have policies close to API layer
14:08:48 <abhishekk> At the moment they said there is no need to refactor our policy layer much
14:09:02 <abhishekk> WIP patch - https://review.opendev.org/763208
14:09:32 <abhishekk> I will discuss this patch with lbragstad for the inputs and direction
14:10:10 <abhishekk> Upstream goal wise we are on track and just need to submit one reno saying we are using policy.yaml than policy.json
14:10:40 <abhishekk> This we will address while releasing milestone 1 for glance
14:10:51 <jokke> yeah
14:11:09 <Steap> Is the upstream goal for W to implement the 4 "basic" persona?
14:11:26 <rosmaita> i think there are 5?
14:11:41 <abhishekk> Upstream goal for W is to use policy.yaml instead of policy.json
14:11:46 <rosmaita> 3 project scope, 2 system scope
14:11:50 <lbragstad> o/
14:12:16 <abhishekk> o/
14:12:31 <abhishekk> lbragstad, I have added you as a reviewer to WIP patch
14:12:51 <abhishekk> kindly have a look and let me know your suggestions
14:13:05 <lbragstad> will do - thank you for starting that process abhishekk
14:13:10 <Steap> rosmaita: damn, on Tuesday it was 4, now it's 5
14:13:29 <rosmaita> Steap: it's almost as bad as covid
14:13:32 <lbragstad> the 5th is kind of a noop
14:13:48 <rosmaita> lbragstad: what do you mean?
14:14:07 <abhishekk> lbragstad, no worries, there is lot to do :D
14:14:14 <lbragstad> so - we have system admin, system member, system reader, project member, and project reader
14:14:37 <rosmaita> lbragstad: so system-member is useless, but project admin is ++
14:14:44 <abhishekk> no project admin?
14:15:05 <lbragstad> based on feedback from the groups we've talked to so far, project admin is something we can do later
14:15:22 <lbragstad> rosmaita and yes, system-member is essentially another name for system-reader since member implies reader
14:15:47 <lbragstad> but - it is useful if a deployment wants to offload some administrative functionality from system admin to system member (all they have to do is supply the override)
14:15:59 <rosmaita> well, and test the heck out of it
14:16:12 <lbragstad> ++
14:16:17 <rosmaita> ok, but the key issue is what personas are "required"?
14:16:34 <lbragstad> system admin, system reader, project member, and project reader
14:16:50 <rosmaita> ok, cool
14:17:07 <lbragstad> everything that "project admins" do today should get refactored into system admin
14:17:26 <jokke> rosmaita: abhishekk: didn't we remove the "tenant_is_owner" config option and made it default? And IIUC project == tenant so we we should not have anything different between project member and project admin, the reader is going to bitch and a half to ensure
14:17:57 <rosmaita> jokke: we deprecated it, now sure if it was actually removed
14:18:19 <abhishekk> Need to check whether we have removed it or not
14:18:41 <jokke> ^^ and od we have migration in place for those who did use user as owner :|
14:18:47 <lbragstad> jokke can you elaborate on the concerns for reader?
14:18:54 <rosmaita> no, we were not going to do a migration
14:19:01 <rosmaita> i think we said so in the deprecation notice
14:21:15 <jokke> lbragstad: our policies are all over the place between API and actual db calls. To actually ensure that there is no changes to happen for what ever gets scoped as reader is not just looking the API call type. Specially as we have lazy store converts in a place that would cause even normal listing by reader to be denied
14:21:41 <lbragstad> ok - interesting...
14:21:54 <rosmaita> jokke: just checked, deprecation specified no migration path : https://review.opendev.org/#/c/552642/
14:22:33 <lbragstad> i need to take a harder look at glance - but i'll see if i can scrub up an example
14:22:38 <jokke> rosmaita: hmm-m ok was it just deprecated as signalling "please, don't use" or were we actually planning to remove that?
14:22:45 <rosmaita> well, actually the deprecation release note doesn't say that, but the warning in the log does
14:22:51 <abhishekk> and as usual, its not removed yet :D
14:22:53 <rosmaita> who was the dumbass who wrote that release note
14:23:08 <rosmaita> actually, i blame the reviewers
14:23:17 <jokke> rosmaita: was it me or you?
14:23:22 <rosmaita> it was me
14:23:25 <jokke> :P
14:23:36 <rosmaita> but you +2d it!
14:24:27 <rosmaita> i'm pretty sure we took an operator survey about it, so there was definitely notice that we did not plan a DB migration
14:24:53 <abhishekk> lbragstad, thank you, that will be much helpful
14:25:17 <rosmaita> jokke: we were definitely planning to remove
14:25:24 <jokke> cause if we do not remove that and stop supporting user owned images, the reader will become even more difficult
14:25:25 <rosmaita> i think we should do it now
14:25:29 <lbragstad> abhishekk if i don't followup with you later today - i'll make a note to sync up with glance early next week
14:25:41 <abhishekk> lbragstad, great
14:25:42 <rosmaita> jokke: ++
14:26:04 <rosmaita> abhishekk: i suggest prioritizing removing owner_is_tenant
14:26:06 <abhishekk> some one should put a patch to remove it
14:26:13 <rosmaita> Steap: ^^ how are you set on time?
14:26:19 <abhishekk> rosmaita, ack
14:26:37 <jokke> or not difficult per se, we just can't do project reader and grand read access to all project members as that would be quite horrific security violation
14:26:54 <rosmaita> no, we don't want to mess with it at all
14:27:01 <rosmaita> let's remove it and not worry
14:27:07 <abhishekk> +1
14:29:17 <jokke> rosmaita: abhishekk: just note on the removal. Specially as there is no migration path we need to make sure we don't accept user as owner after that config option is removed and basically render all images still in that state unusable unles the owner is changed
14:29:44 <Steap> rosmaita: I'm not sure I understand what you're asking
14:30:19 <abhishekk> jokke, ack
14:30:32 <jokke> Steap: I think he means, "Want to take nice lil upstream task on?" very easy and simple, you just gotta remove one config option :P
14:30:50 <rosmaita> Steap: i am asking you to do the work for https://review.opendev.org/#/c/550096/2/specs/rocky/approved/glance/spec-lite-deprecate-owner_is_tenant.rst
14:31:09 <rosmaita> it's probably checked like 500 places in the code, though
14:31:36 <Steap> haha
14:31:37 <rosmaita> (did i say that out loud?)
14:31:42 <Steap> ok I'll take a look at it
14:31:46 <Steap> (have I doomed myself?)
14:32:10 <rosmaita> it shouldn't be too bad code-wise, there will be a lot of tests to remove/refactor, i suspect
14:32:40 <abhishekk> Steap, I will be around
14:33:07 <Steap> $ git grep owner_is_tenant |wc -l
14:33:07 <Steap> 21
14:33:11 <Steap> seems < 500
14:33:22 <jokke> not too bad then
14:33:25 <abhishekk> awesome, all the best :D
14:33:32 <rosmaita> cool, i look forward to seeing your patch tomorrow
14:33:55 <abhishekk> that's it for today
14:34:02 <abhishekk> Moving to open discussion
14:34:08 <Steap> rosmaita: sure thing, boss
14:34:08 <abhishekk> #topic Open discussion
14:34:19 <abhishekk> anything else ??
14:34:29 <jokke> yes
14:34:57 <jokke> #link https://review.opendev.org/#/c/762498/ Stable backport question
14:35:25 <jokke> We'd like to have this downstream in OSP 16 and least work would be if we can backport it to Train
14:35:48 <abhishekk> Yes
14:35:54 <jokke> Question is, how is the new backport rules with all the old stable branches around etc. Can we actually do it?
14:36:32 <abhishekk> IMO we can backport upto two stable branches
14:36:53 <abhishekk> as this was done in victoria we can backport it upto Train
14:37:13 <rosmaita> i think you can backport it as far as you want
14:37:56 <rosmaita> small change, low risk, only affects one glance_store driver
14:38:13 <abhishekk> +1
14:38:15 <rosmaita> plus, Sean already +2d the ussuri backport
14:39:03 <abhishekk> that means you can +2 it :D
14:39:11 <jokke> Cool, I thought it should be fine, but wanted to make sure
14:39:36 <abhishekk> cool
14:39:42 <jokke> and makes Steap's life lot easier if we get it all the way to train :P
14:39:53 <abhishekk> :D
14:40:57 <Steap> jokke: you can also not open a downstream bug :)
14:41:38 <abhishekk> anything else, before closing
14:41:44 <jokke> but that's all from me
14:41:48 <Steap> yeah
14:41:54 <jokke> apart from lets get that done :P
14:42:00 <abhishekk> :P
14:42:15 <abhishekk> Steap, anything else?
14:43:15 <lbragstad> abhishekk do you mind if i update the topic on your patch to secure-rbac?
14:43:24 <abhishekk> lbragstad, no problem
14:43:48 <abhishekk> thank you all
14:43:59 <abhishekk> see you next week, have a nice weekend
14:44:03 <jokke> thanks everyone
14:44:19 <rosmaita> bye!
14:44:25 <abhishekk> #endmeeting