15:01:00 #startmeeting manila 15:01:01 Meeting started Thu Apr 12 15:01:00 2018 UTC and is due to finish in 60 minutes. The chair is tbarron. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:01:02 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:01:05 hello o/ 15:01:05 The meeting name has been set to 'manila' 15:01:14 hi 15:01:14 .o/ 15:01:15 hello 15:01:16 hey hey \o 15:01:17 manila courtesy ping: gouthamr zhongjun xyang markstur vponomaryov cknight toabctl bswartz ganso 15:01:19 hi 15:01:22 bswartz: :) 15:01:36 Hi all 15:01:47 #topic announcements 15:02:02 hi 15:02:13 toabctl: hi 15:02:36 Sunday is the deadline for Forum submissions, so pls. update 15:02:50 #link https://etherpad.openstack.org/p/YVR-manila-brainstorming 15:03:12 Unless there are updates to that etherpad I'll go with what's there. 15:03:34 Spec freeze is 19 April, one week from today. 15:03:49 We'll talk about specs in more detail in a moment. 15:03:55 Any other announcements? 15:04:34 o/ 15:04:52 gouthamr: hi 15:04:59 * tbarron passes gouthamr a cup of coffee 15:05:11 o/ 15:05:17 thank you tbarron :P 15:05:36 * tbarron passes vkmc aspirin (for manila-ui) 15:05:49 oh so much needed 15:05:52 \o/ 15:06:22 #agenda https://wiki.openstack.org/wiki/Manila/Meetings#Next_meeting 15:06:35 #topic spec reviews 15:06:46 #link https://etherpad.openstack.org/p/manila-rocky-specs 15:07:02 https://review.openstack.org/#/c/553662/ 15:07:09 This one has some momentum 15:07:41 If anyone has concerns about backwards compatability for APIs returning the wrong codes speak fast 15:07:53 I already reviewed this -- for some reason I didn't press the +2 button 15:08:00 not fast, I mean raise your concerns or forever hold your peace :) 15:08:06 bswartz: cool 15:08:39 We'll skip the next one (access rule) since it has its own topic. 15:08:59 #link https://review.openstack.org/#/c/546301 15:09:19 dustins: can you work with the author to resolve your -1 ? 15:09:30 I agree with dustins that the diff is hard to read 15:09:39 dustins: I think you don't object to the actual correction, right? 15:10:04 tbarron: Indeed 15:10:07 gouthamr: dustins: so please reach out and get that procedural issue resolved 15:10:17 And yes, I can do so, thanks for the reminder 15:10:24 dustins: thanks much 15:10:35 Anyone have material objections to this one? 15:10:44 It's pretty minimal. 15:11:02 #link https://review.openstack.org/#/c/551106/ 15:11:13 metadata for access rule resource 15:11:22 haven't reviewed past zhongjun's latest changes.. 15:11:24 looks like it has review attention 15:11:47 but important point to note here is the list API is going to change 15:11:53 gouthamr: ack, so please keep the review going 15:12:07 yes, I fixed bunch of comments 15:12:16 gouthamr: do you have any fundamental objections at this point, or just fixups? 15:12:24 zhongjun_: please correct me if that's incorrect, you do plan on adding a new API to list access rules and that API will allow filtering on metadata? 15:13:10 gouthamr: yes 15:13:12 i.e, the existing API will be unchanged, and will continue to work as is, you won't be able to use it to filter by metadata 15:13:46 gouthamr: the existing list API already use POST action 15:14:44 zhongjun_: yes.. i guess we should add these points to the spec 15:15:13 tbarron: I thought it just fixups, gouthamr: right? 15:15:26 zhongjun_: yes, mostly 15:15:59 gouthamr: zhongjun_ is this one close enough that the remaining changes can be made by next week at this time? 15:16:03 tbarron: please see the bit about the API change, that's the only controversial part 15:16:27 the current API is POST /shares/{share-id}/action to get a list of access rules 15:17:34 a new API which will support filtering by access rule metadata will be GET /share-access?share_id={share-id}&key=value&key2=value2 15:17:37 tbarron: It's about how to design API for list access rule 15:18:17 gouthamr: zhongjun_ right, we're stuck with the old POST but does it make sense to use a GET for the new api to, umm, get ? 15:18:25 so with the microversion bump the POST /shares/{share-id}/action will start rejecting calls for that access-list action and only the new one will work, right? 15:19:34 IIRC correctly share list API is a GET, so why shouldn't this be? 15:19:48 zhongjun_: do you disagree? 15:19:54 yeah, all of the list APIs are GETs 15:19:56 s/'correctly'/'' 15:20:57 tbarron: I am not disagree, but it is a little big change 15:21:16 so I think we should put it on the meeting 15:21:37 zhongjun_: This is the meeting :) 15:21:42 :) +1 15:22:54 If there isn't any to against it, then we could go on 15:23:37 zhongjun_: are you saying that you are willing to revise the new spec such that the new API will be a GET rather than a POST ? 15:23:54 s/the new spec/the spec/ 15:25:10 yes 15:25:15 zhongjun_: thanks 15:25:18 ganso: yes, we'll be setting a maximum microversion on the old API 15:25:27 #topic New Drivers 15:25:43 #link https://etherpad.openstack.org/p/manila-rocky-drivers 15:26:02 We have two new driver submissions, both of which are passing CI now. 15:26:12 So it's time to sign up for reviews. 15:26:25 cool 15:27:07 are passing the gate checks but not their own third-party CI 15:27:14 gouthamr: you must love reviewing drivers 15:27:30 bswartz: i must love reviewing 15:27:45 gouthamr: yeah, put a -1 in there and say that 15:27:51 they've asked for reviews 15:28:07 I'll encourage people who have recently added drivers 15:28:10 hint hint 15:28:13 to review 15:28:22 who're you hinting to? ;) 15:28:29 amito: oh, not you :) 15:28:45 oh, good then :P 15:29:05 You'll be able to help and also be able to note where common problems could be solved by common code :) 15:29:14 And stuff like that. 15:29:34 Let's get these reviews going early enough so that there are no surprises. 15:29:44 Anything else on this topic? 15:30:15 #topic priority for access rules spec 15:30:25 #link https://review.openstack.org/#/c/552935 15:30:48 zhongjun_: this one is yours, right? 15:30:56 yes 15:31:12 Do we require a limitation for value of the access rule priority (1~100) 15:32:20 I forget the reasoning you and bswartz gave for having a limited range 15:32:25 I remember we discussed in PTG, we agreed that the value of priority is "1-100", bswartz: right? if my member is right 15:32:37 It wasn't that there aren't enough integers 15:32:40 We never need more priorities than there are bits in a netmask for ip-based rules 15:33:02 100 is a good round number that fits into human brains 15:33:14 gouthamr: does that address your concern? 15:33:30 gouthamr's question is if we have more access rules, more than 100, is it work? 15:33:34 For user-based rules, you'd never need more priorities than there are groups that contain the same user 15:34:02 There's no problem with using the same priority for multiple rules, as long as the rules don't overlap 15:34:04 the range is not for different access rules, just for overlapping ones 15:34:05 tbarron: no 15:34:21 there's no such limitation on adding access rules, so why bother adding a limit? 15:35:00 Putting a limit on the priority number is a subtle indication to users about how the feature should be used 15:35:08 In reality there is no need to limit it 15:35:19 But I think 1-100 will result in better usuability 15:35:39 ganso: agreed that this feature is for overlapping rules, but having an API check around something that isn't really limited is kinda weird 15:35:50 bswartz: maybe we should add a hint in the UI? 15:36:13 Limits make users happier 15:36:34 * gouthamr thinks of ONTAP's limits... smiles 15:36:34 gouthamr: which hint? the order in which the rules are shown? 15:36:38 If we leave it unbound people will wonder about negative numbers higher than 4.2 billion 15:36:58 If we leave it unbound people will wonder about negative numbers and numbers higher than 4.2 billion 15:37:18 if 100 isn't big enough we can make it bigger 15:37:20 And they might wonder a couple of times too 15:37:24 When people see there's a small range, they get the message that they don't need that many different priorities 15:37:25 :) 15:37:39 bswartz: a valid value is any positive integer 15:37:55 Incuding numbers higher than 64 bits? 15:38:09 That might break mariadb 15:38:14 or make it could be configed ? 15:38:34 bswartz: you could theoretically have >100 rules and assume you can only do so many 15:38:44 s/and/but 15:40:07 gouthamr: Yes but that's around the point that you're doing something wrong even ignoring priorities 15:40:28 bswartz: i agree validation is important, but the limit may seem confusing to the end user 15:40:35 We can support over 100 rules, but there's probably not a good use case for it 15:40:52 I don't feel strongly on this 15:41:01 bswartz: gouthamr why don't you two take this one offline 15:41:01 How do you handle two rules with the same priority? (and how does it show in the ui?) does the spec address that? I don't remember 15:41:15 bswartz: gouthamr specc should indicate the reasoninig for the choice 15:41:26 bswartz: gouthamr and talk about ipv6 explicitly 15:41:30 amito: same priority means the order between them is arbitrary (how it is today for all rules) 15:41:41 why 64 max with 128 bit addresses 15:41:54 bswartz: so that is my real concern 15:41:54 tbarron: agreed, i was asking zhongjun_ for the reason from the PTG because i wasn't around and the spec didn't mention what it was 15:41:58 amito: I added the example in the spec 15:42:01 tbarron: that's easy, it's in the RFC 15:42:05 bswartz: then there should be some precedence based on other attributes (access type / address range / etc.) 15:42:11 I'm not sure that the spec solves the problem it's intended to address 15:42:30 bswartz: I just said put it in the spec :) pointing to rfc is fine 15:42:50 back to the problem, ambiguity in our access rules 15:43:02 what will this one mean? 15:43:15 #link https://tools.ietf.org/html/rfc7421 15:43:34 A 192.168.1.0/24 RO 5 15:43:45 A 192.168.1.10 RW 1 15:43:52 5 is higher 15:44:03 order is irrelevant 15:44:03 1 is higher than 5 15:44:24 I don't care which is higher, but I thought the spec said 5 is higher. 15:44:28 Priorities always sort backwards 15:44:42 tbarron: the spec states the lowest number is higher priority 15:45:01 Read the example such aht the more general rule is higher priority. 15:45:08 ganso: kk 15:45:19 what does that mean? 15:45:20 "The lower number have the higher priority" 15:45:34 gouthamr: right, so let me re-do the example 15:45:44 A 192.168.1.0/24 RO 1 15:45:52 ganso: yes, because we could have multiple overlap access rule than 5 ? 15:45:53 A 192.168.1.10 RW 5 15:46:01 ^ In this example the second rule is effectively ignored 15:46:21 in that example the RW ones is pointless 15:46:40 However, we keep it in the database because if the other rule is deleted (denied) then it suddenly has meaning 15:46:55 bswartz: it doesn't though 15:47:02 bswartz: oh, you mean the subnet rule 15:47:11 gouthamr: the RW one 15:47:39 ganso: if the access for 192.168.1.0/24 is denied, the RW one actually works 15:47:49 gouthamr: yes 15:47:51 I am not sure this is implementable naturally on all backends 15:48:19 a backend that matches most specific over more general for example 15:48:30 tbarron: the ordering that could cause a rule to be ignored does not prevent them from being sent to the backend 15:48:31 All we need to do is implement the sorting in the share manager and document what the ordering of the rules now has meaning 15:49:00 or we could document that more specific over general has meaning 15:49:08 bswartz: +1, that's where i'm caught up with this feature 15:49:11 which would avoid nonsense entries like the one I gave 15:49:12 If the backend can interpret the meaning correctly, then they should all be sent to to the backend -- otherwise the driver may want to perform some preprocessing 15:49:35 and backends that process first match priority would just sort more specific first 15:49:48 That would be unambiguous semantics. 15:49:59 With less chance of user error. 15:50:05 Clear rules. 15:50:28 No need for assigning priorities. 15:51:02 The priorities are about the API not the driver 15:51:20 API has clear rules with more specific wins. 15:51:28 Right now if I have 2 overlapping rules defined, and they're in the wrong order, I have no choice but to delete them and add them back in the right order 15:51:41 Adding priorities allows me to reorder them without deleting anything 15:51:52 It allows a lot of confusion 15:52:06 And therefore support cases. 15:52:26 The current situation leads to incorrect behavior and tough-to-solve problems 15:52:27 Proving to customers that they shot themselves in the foot and deserve to hurt. 15:52:32 I'm not sure which is worse 15:52:36 tbarron: o_O 15:52:48 I'm not for the current situation, to be clear. 15:52:55 tbarron: oh 15:52:59 I think this spec poses the problem well. 15:53:09 Currenlty we have ambiguity. 15:53:23 tbarron: so we should document it correctly 15:53:29 I'm just not sure at this point that user assigned priorities are the best solution. 15:53:55 "more specific wins" is a familiar semantic from routing 15:53:56 tbarron: implementation-wise it doesn't seem there much to improve on usability 15:53:59 we should document it in the spec or a special doc? 15:54:12 Didn't someone point out that a real cloud provider today implements this with priority numbers? 15:54:31 (One that's not using openstack) 15:54:49 bswartz: mebbe, AWS? 15:54:59 AWS doesn't have access rule priority last i checked 15:55:32 Let's take some time to think about this one a bit more even if it means extending the spec deadline for it. 15:55:39 bswartz: aliyun implement this with priority numbers today 15:55:40 see https://docs.aws.amazon.com/efs/latest/ug/gs-step-two-create-efs-resources.html 15:55:44 I'm convinced that there's a real problem. 15:55:59 But let's get a solution that we'll be happy with down the road. 15:56:16 I think priorities are pretty straightforward 15:56:23 #topic New Bugs 15:56:26 zhongjun_: do you have a link to their documentation 15:56:30 Think of how a UI could be built for this feature 15:56:42 It would just be a listbox with ^ and v buttons 15:57:01 #link https://etherpad.openstack.org/p/manila-bug-triage-pad 15:57:12 dustins: you're up 15:57:16 gouthamr: I am finding 15:57:21 bswartz: we'll talk some more .... 15:57:44 I think you skipped the second bullet, but we're out of time in 3 min anyway 15:57:52 amito: oh sorry 15:58:11 It's ok, maybe we should move this off-meeting 15:58:18 zhongjun_: found it 15:58:21 #link https://www.alibabacloud.com/help/doc-detail/27534.htm?spm=a3c0i.o27533en.b99.23.77643ad5TzJF1D 15:58:24 amito: ok 15:58:25 Do we have conclution 15:58:26 1-100 :D 15:58:31 zhongjun_: no 15:58:35 amito: Feel free to continue, my bugs will take more time than is remaining 15:58:40 zhongjun_: but we'll give more time if we need to 15:58:46 zhongjun_: for the spec 15:58:46 "When the same authorization object matches multiple rules, the rule with the highest priority overwrites the remaining rules." 15:58:59 tbarron: thanks 15:59:05 gouthamr: +1 15:59:17 oops, i'm messing up the meeting log, sorry tbarron 15:59:26 gouthamr: that's ok 15:59:35 We can always #undo the topic change 15:59:46 #undo 15:59:46 Removing item from minutes: #link https://www.alibabacloud.com/help/doc-detail/27534.htm?spm=a3c0i.o27533en.b99.23.77643ad5TzJF1D 15:59:58 Doh that undid the #link 16:00:03 I might've missed if you discussed it above since I was afk for awhile now, but how do we handle overlapping allow-deny rules? gouthamr and bswartz stated that priority is irrelevant for deny rules, but I don't think that's the case. 16:00:05 lol 16:00:07 hahaa 16:00:07 #undo 16:00:12 Removing item from minutes: #link https://etherpad.openstack.org/p/manila-bug-triage-pad 16:00:20 #undo 16:00:21 Removing item from minutes: #topic New Bugs 16:00:31 rollback :P 16:00:41 time check 16:00:42 #link https://www.alibabacloud.com/help/doc-detail/27534.htm?spm=a3c0i.o27533en.b99.23.77643ad5TzJF1D 16:00:53 Thanks everyone!! 16:01:02 amito: #openstack-manila? 16:01:07 gouthamr: kk 16:01:12 let's continue in #openstack-manila 16:01:15 #endmeeting