14:00:04 <mrjoshi> #startmeeting glance
14:00:04 <opendevmeet> Meeting started Thu Feb  1 14:00:04 2024 UTC and is due to finish in 60 minutes.  The chair is mrjoshi. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:04 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:04 <opendevmeet> The meeting name has been set to 'glance'
14:00:04 <mrjoshi> #topic roll call
14:00:04 <mrjoshi> #link https://etherpad.openstack.org/p/glance-team-meeting-agenda
14:00:09 <mrjoshi> o/
14:01:07 <abhishekk> o/
14:01:49 <rosmaita> o/
14:02:11 <mrjoshi> PTL is not around today
14:02:46 <croelandt> o/
14:03:09 <mrjoshi> shall we start?
14:03:42 <croelandt> let's go!
14:03:59 <mrjoshi> #topic release/periodic jobs updates
14:04:11 <mrjoshi> M3 4 weeks from now
14:04:39 <mrjoshi> Periodic jobs are all green
14:05:34 <mrjoshi> moving ahead
14:05:42 <mrjoshi> #topic Ceph capabilities settings for RBD glance_store driver
14:06:47 <abhishekk> rosmaita, ^^
14:07:02 <rosmaita> hi
14:07:23 <abhishekk> I think since we have rbd trash support now we don't need read only permission for volume pool
14:07:26 <rosmaita> just want to point out that email/bug for anyone who wants to answer
14:08:28 <rosmaita> i'm not so sure about that, but i don't know a lot about ceph
14:09:27 <abhishekk> ack, thank you, Same goes with me, I have some supportive knowledge only
14:09:42 <abhishekk> I will check and respond accordingly
14:10:41 <mrjoshi> shall we move ahead?
14:11:02 <abhishekk> yep
14:11:04 <rosmaita> nothing more from me
14:11:23 <mrjoshi> cool, moving ahead
14:11:25 <mrjoshi> #topic What is the purpose of 'metadata_encryption_key' config option
14:11:33 <mrjoshi> abhishekk, ^^
14:11:34 <abhishekk> that is me
14:11:44 <abhishekk> I found it while testing location API work
14:12:21 <abhishekk> I am wondering what is the use case behind this since it is just used while image upload and show case
14:12:33 <abhishekk> location is not encrypted when location add api is used
14:12:49 <abhishekk> So either we should enhance it or remove it
14:13:02 <abhishekk> I will add this topic in upcoming PTG for more discussion
14:13:20 <abhishekk> rosmaita, thank you for some inputs about it
14:13:30 <rosmaita> np
14:13:39 <rosmaita> it doesn't seem to be a useful capability
14:13:45 <croelandt> The scrubber seems to be using it to decrypt the location
14:13:51 <croelandt> but we're removing that so :)
14:14:12 <rosmaita> well, i think the idea was there were some ancient backends where you had username/password in the location
14:14:26 <rosmaita> and people didn't want that stuff sitting around in the database
14:14:44 <rosmaita> but then they were perfectly ok with exposing it on image-show
14:14:54 <croelandt> I see calls to crypt.urlsafe_encrypt, so are we not encrypting the location metadata in some circumstances?
14:14:59 <rosmaita> which seems kind of ... sub-optimal
14:15:07 <croelandt> oooh
14:15:27 <rosmaita> yeah, i think by default we do not do it
14:15:42 <abhishekk> and also threat-modeling is hovering over us, it is not advisable to store the key in config file
14:16:22 <rosmaita> i agree
14:16:28 <abhishekk> So either we remove it or we should enhance it to help us to overcome sec issue
14:16:32 <rosmaita> i think the thing to do is just remove the capability
14:16:56 <rosmaita> because to overcome the sec issue, we'd have to hand out the key to specific users who RBAC said are ok
14:17:15 <rosmaita> i think it would be better to just use RBAC on the locations api directly
14:17:17 <abhishekk> we can use barbican to store the key
14:18:01 <rosmaita> that's true
14:18:17 <abhishekk> for removing it, we need to follow deprecation life cycle
14:18:19 <rosmaita> so i guess the question is whether there's any point keeping the data encrypted in the DB
14:18:51 <abhishekk> we already store some encrypted data for image signature verification
14:19:00 <abhishekk> if i am not wrong
14:19:29 <abhishekk> I guess it's easier to remove it :D
14:19:41 <abhishekk> less code to maintain
14:20:22 <abhishekk> there is also 'digest_algorithm' option which is not used anywhere in glance
14:21:48 <abhishekk> I think I am done, let's decide about it in PTG
14:21:54 <abhishekk> mrjoshi, we can move ahead
14:22:03 <mrjoshi> ok
14:22:08 <mrjoshi> #topic Important Reviews
14:22:29 <mrjoshi> Centralized cache DB - #link https://review.opendev.org/q/topic:%22centralized-cache-db%22
14:22:42 <abhishekk> please review it
14:23:01 <rosmaita> :D
14:23:08 <abhishekk> documentation part is pending, but end to end code is ready
14:23:24 <mrjoshi> Remove incorrect validation for glance-download import method - #link https://review.opendev.org/c/openstack/python-glanceclient/+/907290 - (Required Backport till Antelope )
14:23:25 <mrjoshi> S3: Do not log access Key - #link https://review.opendev.org/q/I8dc564bed33d6fc71965f4f573ae9109b410b1d4 - (Required Backport till Zed/Yoga )
14:23:25 <mrjoshi> #link https://review.opendev.org/c/openstack/glance_store/+/906484
14:23:27 <abhishekk> from code to tempest to grenade it is there
14:23:43 <rosmaita> nice work
14:24:50 <abhishekk> thank you ;)
14:25:12 <croelandt> ^ There are two patches for that access key security issue in the S3 driver
14:25:15 <abhishekk> I am learning from dansmith :D
14:26:20 <abhishekk> croelandt, I think you can approve them
14:27:25 <mrjoshi> shall we move to open discussion?
14:27:28 <abhishekk> yes
14:27:45 <mrjoshi> moving ahead
14:27:50 <croelandt> abhishekk: yes, apparently we also want to backport them to Z & Y
14:27:59 <abhishekk> rosmaita, thank you for mail, let's wait for a couple of weeks
14:28:11 <rosmaita> yes, let's see what happens
14:28:11 <abhishekk> croelandt, we can once these merge
14:28:20 <mrjoshi> #topic Open Discussion
14:28:27 <abhishekk> I need to drop for another meeting
14:28:32 <abhishekk> Thank you!!
14:28:50 <rosmaita> abhishekk: i thought you wanted to talk about launchpad maintenance?
14:28:53 <mrjoshi> launchpad maintenance - https://launchpad.net/glance, https://launchpad.net/glance-store, https://launchpad.net/python-glanceclient
14:28:59 <abhishekk> we can revisit this next week
14:29:08 <rosmaita> works for me!
14:29:11 <abhishekk> thanks
14:29:24 <rosmaita> mrjoshi: thanks for running the meeting
14:29:51 <mrjoshi> shall we wrap up then?
14:30:02 <mrjoshi> rosmaita, thanks!
14:30:11 <rosmaita> i don't have anything more
14:30:23 <mrjoshi> croelandt, ^^
14:31:18 <croelandt> Nothing :)
14:31:22 <mrjoshi> cool, let's wrap up then
14:31:23 <croelandt> thanks for taking care of this meeting
14:31:34 <mrjoshi> no problem :)
14:31:47 <mrjoshi> Thanks everyone for Joining!!!
14:32:12 <mrjoshi> #endmeeting