14:01:35 <croelandt> #startmeeting glance 14:01:35 <opendevmeet> Meeting started Thu Jul 10 14:01:35 2025 UTC and is due to finish in 60 minutes. The chair is croelandt. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:01:35 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 14:01:35 <opendevmeet> The meeting name has been set to 'glance' 14:01:39 <croelandt> #topic roll call 14:01:40 <croelandt> o/ 14:01:54 <mhen> o/ 14:02:32 <rajiv> hi 14:03:18 <Luzi> o/ 14:03:27 <croelandt> abhishekk: around? :) 14:03:33 <abhishekk> o/ 14:03:34 <croelandt> I think dansmith is out today 14:03:45 <croelandt> #topic Release/periodic job updates 14:03:53 <croelandt> So we have support for Centos 10 now 14:04:03 <croelandt> #link https://review.opendev.org/c/openstack/devstack/+/937251 14:04:08 <croelandt> ^ this patch needs to be updated and reviewed 14:04:20 <croelandt> I have just talked to the author, and they are not working on this anymore, so I'll take over the patch 14:04:36 <croelandt> I wonder if we could not just use PYTHON3_VERSION like they do at https://github.com/openstack/devstack/blob/master/.zuul.yaml#L733 14:04:42 <croelandt> #link https://github.com/openstack/devstack/blob/master/.zuul.yaml#L733 14:04:57 <croelandt> which would have been simpler :) But I guess soon we'll want to migrate to CentOS 10 anyway 14:05:51 <croelandt> #topic Encryption 14:05:59 <croelandt> so the main thing for this week is image encryption 14:06:05 <croelandt> mhen: we've reviewed your patch and it looks pretty good 14:06:14 <mhen> thanks for reviewing! 14:06:20 <croelandt> I think my main concern is that dansmith had some things to discuss, I'll make sure to remind him on Monday when he is back 14:06:32 <mhen> understood 14:06:36 <croelandt> oh and there was my point about the tests still using cinder_encryption_* 14:06:40 <croelandt> not sure if that is intentional 14:06:47 <mhen> I answered this some minutes ago 14:07:33 <mhen> it is intentional, I think we want to make sure those attributes still work for some potential edge cases during the deprecation timeframe 14:07:56 <croelandt> ok 14:08:05 <croelandt> I wonder if we could refactor some tests though 14:08:20 <croelandt> def test_something(self, key): for instance 14:08:27 <croelandt> but maybe that is going to overcomplicate things 14:09:47 <mhen> as the patchset is currently done, all test methods concerning the old names are suffixed wiht "_deprecated" 14:09:56 <mhen> they are easy to spot (and remove, in the future) 14:10:31 <croelandt> oh ok 14:10:36 <croelandt> let's not change anything then :) 14:11:43 <croelandt> Anything to add on this topic? 14:12:10 <mhen> not from my side 14:12:24 <croelandt> #topic Open Discussion 14:12:28 <croelandt> abhishekk: anything else? 14:12:48 <rajiv> hi, i wanted to follow up on https://review.opendev.org/c/openstack/glance-specs/+/953435 14:12:55 <abhishekk> Nope, I have nothing this week 14:13:20 <rajiv> looks like glance is project scoped service and not domain scoped token 14:13:45 <croelandt> ok 14:13:59 <rajiv> hence the get_image doesnt have a domain_id 14:14:12 <rajiv> any suggestions on how to proced ? 14:14:39 <abhishekk> I don't think we are ready to move at domain scope, that will be huge chnage 14:14:49 <croelandt> have other projects done that? 14:14:58 <rajiv> i had no luck with https://github.com/sapcc/glance/commit/ed9817df7ba9fb6d9bbd4b51adfcb4c3bcc28fe5 14:15:38 <rajiv> my intent is to restrict public images to a particular domain, last option is to filter via project_id (which is like 300+ projects) 14:15:39 <abhishekk> Certainly we can discuss this next PTG 14:15:49 <rajiv> --tags, --hidden isnt an option 14:16:19 <rajiv> okay, isnt there any other option ? 14:16:33 <croelandt> rajiv: have other projects done that? 14:17:05 <rajiv> code enhancements wouldnt work since domain_id isnt there in get_image, the transformer uses owner info as project_id 14:17:15 <rajiv> croelandt: i looked around but found none 14:17:32 <rajiv> there are few custom projects which use oslo 14:18:02 <rajiv> how can i use https://github.com/openstack/oslo.context/blob/master/oslo_context/context.py#L165 ? 14:18:02 <croelandt> "As OpenStack evolves toward better domain-scoped operations and identity management" <- what is your source for this? 14:18:43 <mhen> Keystone recently added the "manager" persona for domains: https://docs.openstack.org/keystone/latest/user/domain-manager-usage.html 14:18:53 <rosmaita> rajiv: so is your goal that a user U in domain D does a image-list, they should only see images that are owned by entities that are also in domain D? 14:19:58 <rajiv> rosmaita: user U cannot list public images in a particular domain but works in other domains 14:20:07 <rajiv> shouldnt* 14:20:17 <rajiv> but can list private or shared images 14:20:41 <rajiv> in other words, implement public image visibility to users in a particular domain 14:21:18 <abhishekk> rajiv, private image of domain d should be listed by user in domain U? 14:21:39 <rajiv> abhishekk: yes, only restrict public image view 14:22:08 <rosmaita> so at least part of the problem is that this is completely different from the glance image ownership model 14:22:34 <rosmaita> images are owned by projects, but images are not "in" a domain 14:22:34 <abhishekk> yes, I would say opposite as well 14:23:47 <rajiv> i couldnt find a way to fetch domain id info into glance 14:24:08 <rajiv> if there was a way, i could map project id to domain id to solve this request 14:25:07 <rosmaita> glance doesn't have any domain info, that is kept in keystone, because domains are a way of grouping users 14:25:15 <rajiv> or are there suggestions to fetch domain info into glance ? 14:25:47 <rajiv> true, i am also open on how to implement restrictions for public images. 14:27:24 <rajiv> any comments on the approach of this commit ? or it makes no sense since domain is not supported at all ? 14:27:25 <rajiv> https://github.com/openstack/oslo.context/blob/master/oslo_context/context.py#L165 14:27:31 <rosmaita> well, you could just not have any public images, and instead have a special user per domain that owns the "public" images for that domain, and that special user would share the images with all the projects in that domain 14:28:40 <rajiv> rosmaita: could you please elaborate ? 14:28:54 <rosmaita> i will try :D 14:29:02 <rajiv> :) 14:29:22 <rosmaita> ok, so let's say there is user A in domain AA, and user B in domain BB 14:29:33 <rosmaita> we don't want A to see public images for BB 14:29:45 <rosmaita> so, we don't make any glance images public 14:30:12 <rosmaita> instead, we create a special user in keystone, UA in domain AA 14:30:26 <rajiv> all users AA shouldnt view public images, but can view private, shared, etc. Its not cross domains 14:30:42 <rosmaita> then UA uploads all the images to glance that should be "public" in AA 14:30:53 <rosmaita> then UA shares these images with user A 14:31:00 <rosmaita> now, user A can see the AA images 14:31:07 <rosmaita> but user B cannot 14:31:17 <rosmaita> and you do the same thing for domain BB 14:31:42 <rosmaita> the problem is that you have to manage the image sharing, but that could be automated, i think 14:31:55 <rosmaita> (automated by the operator, not by glance) 14:32:14 <rajiv> thanks, to clarify Domains AA, BB, CC 14:32:28 <rajiv> users in Domain AA cannot view public images 14:32:39 <rajiv> Domain BB,CC works like default 14:32:47 <rosmaita> only because there are no public images at all for any domain 14:32:58 <rajiv> restriction of public image view is only on Domain AA 14:33:49 <rosmaita> no, we are not restricting public image view at all ... what we are doing is not having *any* public images 14:34:09 <rajiv> public image view is mandatory in other domains :) 14:34:18 <rosmaita> not sure what you mean 14:34:48 <mhen> I think they want an isolated domain that has its own images but cannot see public images (which all other domains do)? 14:34:50 <rajiv> to clarify Domains AA, BB, CC ; users in Domain AA cannot view public images; 14:35:03 <rajiv> Domain BB,CC works like default 14:35:12 <rajiv> mhen: correct 14:35:14 <abhishekk> means they can view public images 14:36:21 <rosmaita> well, sounds like you need a dedicated glance or something 14:38:28 <rajiv> okay, glance per isolated domain ? 14:39:04 <rosmaita> i guess ... isolated glance in an isolated domain 14:40:15 <rajiv> oh, thats more complicated than i imagined :( 14:40:41 <abhishekk> your requirement is also complicated :D 14:41:28 <rajiv> haha true! 14:41:48 <rajiv> lastly, there is no way to import domain_id into glance, right ? 14:42:44 <abhishekk> not sure, need to check 14:44:16 <rajiv> any clue how owner info is populated ? 14:44:30 <rosmaita> probably by oslo.context 14:45:00 <rosmaita> i mean, there's some glance code, but it uses oslo.context 14:45:23 <rajiv> okay, in this case, domain_id should also be possible ? since oslo.context has domain_id https://github.com/openstack/oslo.context/blob/master/oslo_context/context.py#L165 14:46:33 <rajiv> https://opendev.org/openstack/glance/src/branch/stable/2024.2/glance/context.py#L80-L83 ? 14:47:35 <abhishekk> rajiv: https://github.com/openstack/glance/blob/master/glance/api/middleware/context.py#L125 14:48:18 <abhishekk> IF you print req.environ here before line 148, you will see domain information there 14:49:35 <rajiv> okay sure, i can look into this direction 14:50:04 <rosmaita> the problem is going to be that images do not have a domain_id 14:50:57 <rosmaita> and aren't keystone domains fluid, that is, projects can be added and removed to domains? 14:51:00 <rajiv> yep, i fear the same 14:51:07 <abhishekk> exactly, I told him, but not sure what he has in mind 14:51:43 <rosmaita> yeah, my understanding is that keystone domains group users/projects, but not resources 14:52:42 <rajiv> if i am able to fetch domain_id, then i can introduce another logic to validate the project & domain_id mapping > then maybe in get_image 14:53:00 <rajiv> restriction via policies is the cleanest way right ? 14:53:49 <abhishekk> you need lot of tweaks for this to happen 14:54:08 <rajiv> true 14:55:17 <rajiv> enhance alembic as well, the list goes on! 14:56:03 <abhishekk> that's why I said, gather requirements and come back in PTG with detailed information 14:56:22 <rajiv> roger :) 14:56:47 <abhishekk> over and out :D 14:56:48 <rajiv> this is the requirement though :) 14:56:55 <rajiv> thanks for your time! 14:57:06 <abhishekk> np! 14:57:12 <croelandt> right in time \o/ 14:57:15 <croelandt> #endmeeting