15:00:46 <gouthamr> #startmeeting manila 15:00:46 <openstack> Meeting started Thu Feb 4 15:00:46 2021 UTC and is due to finish in 60 minutes. The chair is gouthamr. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:48 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:00:50 <openstack> The meeting name has been set to 'manila' 15:00:52 <dviroel> o/ 15:00:53 <carloss> o/ 15:00:57 <maaritamm> o/ 15:00:58 <carthaca> hi 15:01:01 <andrebeltrami> hi 15:01:04 <vhari> o/ 15:01:12 <gouthamr> courtesy ping: ganso vkmc lseki carloss tbarron felipe_rodrigues esantos 15:01:13 <felipe_rodrigues> o/ 15:01:20 <tbarron> yo! 15:01:26 <gouthamr> beat you by a second, felipe_rodrigues 15:01:27 <tbarron> io 15:01:43 <chuan137> hi 15:01:56 <gouthamr> hello everyone! thanks for joining in! 15:02:14 <ecsantos> o/ 15:02:25 <gouthamr> hey there chuan137! don't believe we have met, but thanks for the os-profiler reviews! 15:02:42 <gouthamr> here's the agenda for today: https://wiki.openstack.org/wiki/Manila/Meetings#Next_meeting 15:02:51 <chuan137> thanks, am colleague of carthaca 15:02:52 <gouthamr> lets get started 15:03:02 <gouthamr> chuan137: nice, welcome! 15:03:07 <gouthamr> #topic Announcements 15:03:29 <gouthamr> as you're aware, today's the new driver submission deadline 15:04:17 <vkmc> o/ 15:04:27 <disap> o/ 15:04:40 <gouthamr> we have one driver that's met the deadline a few weeks ago, and is going through reviews 15:04:46 <gouthamr> #link https://review.opendev.org/768590 15:05:06 <gouthamr> thanks for reviewing dviroel carloss 15:05:32 <dviroel> yep, just added a comment about its CI 15:05:38 <gouthamr> looks good there, we may need to push the other two that were targeted for this release to Xena 15:05:55 <dviroel> It is reporting Succeeded, but its failing in some tests 15:06:13 <dviroel> nothing that can be fixed in the following weeks, i think 15:06:22 <dviroel> s/can/can't 15:06:36 <gouthamr> nice, that's a relief 15:06:42 <gouthamr> good catch, dviroel 15:07:04 <gouthamr> next week is our feature proposal freeze 15:07:15 <gouthamr> #link: https://releases.openstack.org/wallaby/schedule.html (Wallaby release schedule) 15:07:30 <gouthamr> per the schedule: "All new Manila features must be proposed and substantially completed, with unit, functional and integration tests by the end of the week." 15:08:13 <gouthamr> i know a number of things are in flight, so as we've said here before, reviewer attention at this point would be our biggest strength :) 15:08:47 <dviroel> we still have a feature to propose 15:09:23 <dviroel> isn't a 14k lines change this time 15:09:26 <dviroel> :) 15:09:33 <carloss> hehe 15:09:34 <gouthamr> that's always good to hear 15:10:20 <gouthamr> that's all for announcements today, a slew of end-of-release activity should begin soon 15:11:07 <gouthamr> oh wait, i had another - if you're relying on upstream releases for stable branches, we have a few that went out last week: 15:11:19 <gouthamr> #link http://lists.openstack.org/pipermail/release-announce/2021-February/010565.html (manila 9.1.5 (train)) 15:11:35 <gouthamr> #link http://lists.openstack.org/pipermail/release-announce/2021-February/010567.html (manila 10.0.2 (ussuri)) 15:11:46 <gouthamr> #link http://lists.openstack.org/pipermail/release-announce/2021-February/010566.html (manila 11.0.1 (victoria)) 15:13:00 <dviroel> 👏 15:13:28 <gouthamr> i think we should expect a refresh with more bugfixes that are in the pipeline around m-3 (4 weeks from now) 15:13:42 <gouthamr> any other announcements for today? 15:14:18 <gouthamr> #topic OpenStackSDK spec review 15:15:17 <gouthamr> this is a short one 15:15:51 <gouthamr> as you're aware, we embarked on adding manila API support in openstacksdk earlier in the cycle 15:16:20 <gouthamr> driven by three senior year students at Boston University 15:16:58 <gouthamr> they've submitted a release-independent specification here: 15:17:05 <gouthamr> #link https://review.opendev.org/c/openstack/manila-specs/+/768516 (Add Manila Support on OpenStack SDK) 15:17:51 <gouthamr> the spec includes a link to the task tracker, and highlights the APIs intended to be addressed, by priority determined by them 15:18:12 <gouthamr> i'd like for more eyes on this 15:19:12 <gouthamr> we're still targeting to get a few things merged in wallaby, albeit the deadline's fast approaching 15:20:14 <gouthamr> #link https://review.opendev.org/q/topic:%22openstacksdk-manila-support%22 15:20:36 <gouthamr> ^ if you're interested in helping with reviews, that's the gerrit topic for patches :) 15:21:42 <gouthamr> that's what i had on the topic 15:22:20 <gouthamr> you can reach out to me/vkmc/maaritamm with questions at the moment, the students have no irc bouncers yet, but we meet with them regularly 15:23:29 <gouthamr> in related news, they've been working with maaritamm to propose bugfixes in manilaclient/OSC and learning a lot 15:24:06 <tbarron> maaritamm++ 15:24:39 <gouthamr> cool, that's all about $topic - thank you for reviews! :) 15:24:45 <gouthamr> #topic Dropping project_id from API URLs 15:24:49 <vkmc> maaritamm++ 15:26:49 <gouthamr> lbragstad was working with testing the secure rbac work in cinder, and he noticed that the service catalog for system users doesn't list the cinder endpoint 15:27:03 <gouthamr> he started a discussion on the mailing list 15:27:10 <gouthamr> #link http://lists.openstack.org/pipermail/openstack-discuss/2021-January/020103.html ([dev][cinder][keystone] Properly consuming system-scope in cinder) 15:27:49 <gouthamr> interestingly, we have the same issue with manila 15:28:31 <gouthamr> and we've discussed the question of removing the project_id in the API URLs in the past 15:29:44 <gouthamr> there's code in the manila api that relies on this project_id - many API routes need it to be present 15:29:49 <gouthamr> although, we never really use it 15:30:42 <gouthamr> we do validate it however 15:31:03 <gouthamr> when a project_id is present, we want to be sure the request is coming from who they say they are 15:31:07 <gouthamr> #link https://opendev.org/openstack/manila/src/commit/39efc2bde81c2a0c747a491d3a778b822ca263b8/manila/api/openstack/wsgi.py#L816-L821 15:31:57 <gouthamr> but the authorization components ignore the project_id in the URL everywhere else in the API code 15:32:32 <gouthamr> and they rely on the request context object that's constructed with the help of keystone and the token used by the caller 15:33:30 <gouthamr> and in case you're running manila in a standalone mode, we set the project_id to "admin" so we can pass the validation above to conform to the URL structure 15:34:45 <gouthamr> for noauth, it doesn't really have to be "admin" - in our testing, we use "fake" and "openstack" - so really any string 15:35:21 <gouthamr> the problem with having the project_id in the URL is that system users that interact with manila will not have one 15:36:36 <gouthamr> system users are meant to operate outside of projects and domains 15:36:59 <tbarron> so we are insisting on project id in the url even though nowadays it is the keystone request context that is used, 15:37:07 <gouthamr> +1 15:37:26 <tbarron> for example, to restrict regular project members acess to resources to the appropriate scope 15:37:54 <tbarron> just checking my understading. 15:38:21 <gouthamr> yes - we have the scope and project information from the request context and we rely solely on that 15:39:06 <gouthamr> to ensure RBAC on resources (APIs and database objects) 15:40:29 <gouthamr> so, we could drop this project_id requirement from the URLs and not lose any important validation 15:40:53 <tbarron> +1 15:41:18 <gouthamr> other projects that required project_id in the API URLs have removed it 15:41:47 <gouthamr> notably, nova 15:41:56 <gouthamr> #link https://docs.openstack.org/nova/latest/reference/api-microversion-history.html#id16 15:42:50 <gouthamr> #link https://opendev.org/openstack/nova/commit/1f16a763e793098b26f37110db35828024e44025 15:43:20 <gouthamr> the idea is to advertise API routes with and without project_id 15:44:18 <gouthamr> since we cannot just drop the requirement altogether, this could break clients 15:44:39 <gouthamr> and for making such major breaking changes, we'd need a new major version of the API 15:45:31 <gouthamr> the reason i don't think that's warranted is because we can easily provide this compatibility, following nova's path and using our microversions framework 15:45:54 <gouthamr> we signal to end users by increasing the API microversion 15:46:31 <gouthamr> and let them know that if their cloud supports that microversion, it would mean that they don't need to use their project_id in the URLs 15:47:06 <gouthamr> if they choose to, however, it wouldn't be a big deal, since it'll still be accepted by the service 15:47:15 <gouthamr> and everything works as it is today 15:47:39 <gouthamr> including the validation that your the project_id derived from the caller's token matches the project_id that they provide in the URL 15:48:20 <gouthamr> any thoughts/objections to this? 15:49:06 <tbarron> well you already know I like this approach, but for the record. 15:49:25 <dviroel> gouthamr: thanks for the clarification and for working on this 15:49:52 <gouthamr> #link https://review.opendev.org/q/topic:%22bp%252Fremove-project-id-from-urls%22 15:50:15 <gouthamr> ^ these are the changes 15:50:36 <tbarron> alternative approaches like hacking the client to fake a project in the url when it's not supplied by the user would just be a stop gap and 15:50:51 <tbarron> leave holes for anyone not usint the right client 15:51:02 <tbarron> using 15:51:25 <gouthamr> +1 - that's true, and even with that case, keystone would not be able to give us the project_id with the token 15:51:48 <gouthamr> so we'll have to modify the API code to allow system scope users to bypass the project_id validation 15:53:03 <gouthamr> since we're not breaking anyone and dropping the project_id is desirable in the long run 15:53:25 <gouthamr> i advocate for doing that instead 15:54:14 <gouthamr> it'd be a pita if _every_ client/sdk/application had to fake a project ID 15:54:49 <gouthamr> that sort of change breaks existing clients if they want to interact as system scope users 15:55:40 <gouthamr> sorry we've spent a long time on this discussion 15:56:00 <gouthamr> we can't get to the rest of our agenda today - which are regular items 15:56:50 <gouthamr> with the few mins left, any further thoughts on $topic? 15:57:40 <tbarron> Thanks for the expanation, gouthamr, should make review a lot easier. 15:58:12 <gouthamr> you're welcome - i'm happy to answer questions, thank you for reviewing! 15:58:18 <gouthamr> #topic Open Discussion 15:58:40 <gouthamr> last couple of minutes to kick start anything on record and take it to #openstack-manila :) 15:59:04 <gouthamr> sorry about the loss of bug triage time, vhari 15:59:30 <vhari> gouthamr, how about this new bug #link https://bugs.launchpad.net/manila/+bug/1914453 15:59:31 <openstack> Launchpad bug 1914453 in OpenStack Shared File Systems Service (Manila) "CephFS Native driver gets blacklisted during startup with Ceph Octopus " [Undecided,New] 16:00:06 <gouthamr> ouch, we are testing with octopus 16:00:32 <vhari> np, but maybe a good topic for openstack-manila :) 16:00:41 <gouthamr> ack, thank you vhari 16:00:49 <vhari> gouthamr, yw 16:00:51 <gouthamr> we'll continue the triage in #openstack-manila 16:01:02 <gouthamr> thanks everyone for joining, see you here next week 16:01:08 <gouthamr> #endmeeting