{"/PATCHSET_LEVEL":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"cc0d3e06afea9011735d218e6d8553fab637fad4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"6bb71d03_b46822ce","updated":"2025-08-28 20:38:19.000000000","message":"ignoring the unit test failure this looks more or less correct to me with regards to constructing the new client but obviously this is quite far from complete.","commit_id":"400c45ba29f309adf74d963630bd77ab4dafe7aa"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d02cf98bf7133c9ae693bd105c84923ec0913e55","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"554c8bee_c92a7e6e","updated":"2025-08-28 04:11:44.000000000","message":"testing it in https://review.opendev.org/c/openstack/cinder/+/958719","commit_id":"400c45ba29f309adf74d963630bd77ab4dafe7aa"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"1524da5e2bed8094f024cfe77dff05d15b5ac577","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"365cfe5b_e12d3e85","updated":"2025-08-29 19:51:19.000000000","message":"The test patch is failing with the following trace\n\nCinder logs\n\nRequest returned failure status 404.\n\nFailed to register image volume location cinder://3b744801-a4ae-4bb6-91aa-d4d74f72e5d3.: cinder.exception.ImageNotFound: Image a245cbb6-0d4e-4e73-b51c-fd08d1b79b90 could not be found.\n\nGlance logs\n\nForbidding request, image a245cbb6-0d4e-4e73-b51c-fd08d1b79b90 not visible {{(pid\u003d88292) _image_get /opt/stack/glance/glance/db/sqlalchemy/api.py:311}}\n\nLooks like with this change, we are unable to access the image.\n\nCinder: 
https://a55f767299fb33315200-0934359c4776b2a989e29d4e220a815a.ssl.cf5.rackcdn.com/openstack/adb408caf0514d3686da4463c39963fc/controller/logs/screen-c-vol.txt\nGlance: https://a55f767299fb33315200-0934359c4776b2a989e29d4e220a815a.ssl.cf5.rackcdn.com/openstack/adb408caf0514d3686da4463c39963fc/controller/logs/screen-g-api.txt","commit_id":"15609361ca9dcc51c3134b7ce7d5cc569123faca"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b199efbe1e8d5ef5e0bbbdc424787a90fc68cc23","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"625528c4_40ddfbc4","in_reply_to":"365cfe5b_e12d3e85","updated":"2025-08-29 23:25:01.000000000","message":"I see, so a user with only the service role cannot get the image, it needs to be admin right also. This is the same as the Nova case where Nova needs \u0027service\u0027 role to check policy and admin role for background operation.\n\nI will fix it.","commit_id":"15609361ca9dcc51c3134b7ce7d5cc569123faca"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ffbfebc88365aa0349fbb2386bcb83d09423f008","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"f7c3e8eb_f9c9813c","in_reply_to":"625528c4_40ddfbc4","updated":"2025-09-02 18:24:23.000000000","message":"I think the logs were from job cinder-for-glance-optimized (non-voting) which was passing even with the error you mentioned. That seems not good.\n\nI checked the job log after fix and could not find any error now. 
please check if all good?\n\nc-vol:\n\nhttps://zuul.opendev.org/t/openstack/build/b981ec8c9f9a4a55b8399e47d7464fad/log/controller/logs/screen-c-vol.txt?severity\u003d0\n\nglance-api: \nhttps://zuul.opendev.org/t/openstack/build/b981ec8c9f9a4a55b8399e47d7464fad/log/controller/logs/screen-g-api.txt","commit_id":"15609361ca9dcc51c3134b7ce7d5cc569123faca"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f2f20d86ca1384d168df6ae7e3d357f28a66bac2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"027f7747_e9b1b3eb","in_reply_to":"f7c3e8eb_f9c9813c","updated":"2025-09-03 12:18:29.000000000","message":"Yes, that\u0027s the job and the desired path is taken for the new location APIs to be executed.","commit_id":"15609361ca9dcc51c3134b7ce7d5cc569123faca"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"238f5e67f398edf59735aa6458109c15d8ec49ad","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"02298c67_a2338228","updated":"2025-09-04 10:27:13.000000000","message":"Thanks for bearing with me through the review process, my main goal was to get clarity on the standardized approach to implement it and know the consequences on deployment tooling for the same.\nThis looks really good now and the \u0027add_image_location\u0027 call is working as expected[1].\nOne last thing i wanted to verify was that it works correctly with the \u0027get_image_locations\u0027 API as well which I\u0027m implementing/testing here[2] and have added a depends-on the glance patch[3]. 
Once that shows positive results, we are good to merge this.\n\n[1] Sep 03 21:45:50.497294 np9e0856399f4f4 cinder-volume[86387]: DEBUG cinder.volume.manager [None req-45865a37-28da-418a-a66c-d34e24e477a6 tempest-VolumesActionsTest-564909843 None] Registered image volume location to glance image-id: 1851e2a3-d0d5-4cc3-8333-99852aad8d91. {{(pid\u003d86387) copy_volume_to_image /opt/stack/cinder/cinder/volume/manager.py:1773}}\n[2] https://review.opendev.org/c/openstack/cinder/+/957589\n[3] https://review.opendev.org/c/openstack/glance/+/958715","commit_id":"6590f743e7e61746940f58184362fc67d5426725"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"5292f4810eefca9c9d2e936f785a1e92cbff5d24","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"a4e62f51_86786ce9","updated":"2025-09-01 14:54:53.000000000","message":"The change works as expected now[1] but I still have doubts.\n\nThe issue which we faced in the last attempt was that the \u0027glance\u0027 user was not able to access the image because it only had \u0027service\u0027 role. Now to fix that we are creating a new user \u0027glance-cinder\u0027 that has both \u0027admin\u0027 and \u0027service\u0027 role.\n\n1. Since we need to create/supply a privileged user for service-to-service interaction, how is it better than our legacy way of interaction when the APIs were admin only? My understanding was that the whole \u0027service\u0027 role effort was a way to get rid of these admin configurations.\n2. Don\u0027t we have an option to have a lesser privileged role like \u0027member\u0027 added to \u0027glance\u0027 user for it to have access to the image? 
Creating a new user and adding \u0027admin\u0027 privileges to it seems like an extra deployment effort that needs to be propagated to deployment tooling projects otherwise these new APIs won\u0027t work.\n\nI\u0027m in favor of the \u0027service\u0027 role changes but the implementation doesn\u0027t look as clean as i expected to be.\n\nAdding @smooney@redhat.com to learn his thoughts as well ^\n\n[1] Aug 30 00:02:04.590047 np555aa0aa0e054 cinder-volume[86384]: DEBUG cinder.volume.manager [None req-8eb0fa96-25a5-42d9-a834-716d12c54aa9 tempest-VolumesActionsTest-317561138 None] Registered image volume location to glance image-id: 4b62fa16-50a0-4e3f-a7b6-6cc0a2e26538. {{(pid\u003d86384) copy_volume_to_image /opt/stack/cinder/cinder/volume/manager.py:1773}}","commit_id":"6590f743e7e61746940f58184362fc67d5426725"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"371296a328b5c6832c95a45889e8097b4acf8ac4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"09b2327d_08f3cfa8","in_reply_to":"01aa23d3_637771f8","updated":"2025-09-03 16:58:47.000000000","message":"so swap volume is a bad example\n\nthat should only require the service role and nothing more.\n\nthe fact that admin is required today is because support for the service role in nova and cinder is incomplete and more work is required to actually make this work end to end.\n\nbut again that is not because of the policy layer, it's because we have db checks and other places where we need to fix this outside of the policy layer. 
that is not something we will fix this cycle but should be fixed in the future.\nas you note we need to modify cinder\u0027s policy to allow nova to call back the completion api with only the service role too but provided the nova user has the service role on the user specified in the cinder section that should just work once the cinder change is done.\n\nuntil that is done and we can remove the admin role from nova, cinder etc. users the implementation of the service role across openstack is not complete.\n\nthis is just a transitional pain point while we get all service apis and internal implementations updated.\n\nto smooth that we expect service users like nova or cinder to have both admin and service for the transition period.","commit_id":"6590f743e7e61746940f58184362fc67d5426725"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"faf11b56cc9fbfae70b4897bb0a381b3788457ec","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"e78285ae_af09bc3d","in_reply_to":"02298c67_a2338228","updated":"2025-09-04 17:06:31.000000000","message":"thanks for review and discussion, it is always productive and great to have such deep consideration of things like you did in this review.\n\nCool, thanks for testing get_image_location in 957589 with glance change which makes sure glance APIs rules change are backward compatible.","commit_id":"6590f743e7e61746940f58184362fc67d5426725"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"7e7e8e84bea7ad82c0d00774100a228f4f882596","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"27bcb10d_2cde28f7","in_reply_to":"09b2327d_08f3cfa8","updated":"2025-09-03 18:53:42.000000000","message":"\u003e Anyways, my question is why you think this glance fix is a \u0027big deployment impact for 
deployment tools\u0027 and the existing \u0027nova service user in cinder requires admin[*]\u0027 role is not impact to them?\n\nSo nova and cinder have interacted using the admin role since a long time, that was the only mechanism in place to exchange the API calls in a safe way (not allow non-admins to access these APIs).\nThe cinder\u003c-\u003eglance interaction in a service\u003c-\u003eservice way is a new one for which i can see we are asking for two things:\n1. A new [glance] section in cinder.conf\n2. A new glance-cinder user that has admin+service role\n\nIf you look at the original design of new location API spec, it used ADMIN only policies which was not acceptable by the glance team[1].\nI understand the new design enforces \u0027service\u0027 role for policy check and \u0027admin\u0027 because the legacy way of restrictions (that we want to remove in future), but i feel it\u0027s similar to a case where an admin assigning \u0027service\u0027 role to itself and calling the location ADD/GET APIs.\nI think that\u0027s why i wanted some sort of documentation with all the clear semantics of how we are about to implement these changes.\nLet me discuss this with the wider team and see what they think about this.\n\n[1] https://review.opendev.org/c/openstack/glance-specs/+/840882/comments/3777f506_093c0f7a","commit_id":"6590f743e7e61746940f58184362fc67d5426725"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"27bd495d8ec88ce532a9bb2832c1adf266116b56","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"df985916_3939fa3e","in_reply_to":"09b2327d_08f3cfa8","updated":"2025-09-03 18:37:08.000000000","message":"True, I am not denying that we cannot make those APIs workable for service but as you mentioned, it is not just policy but DB checks removal, which is a lot of work. 
You need to have two sets of DB APIs (one for getting all projects and one for projects) and call those from API/\u0027any other places it needs based on what the user is calling or so. That is not a small amount of work. And in some APIs, it can be even more than just policy+DB. I tried for volume swap and server external event in below change (a few cycles back) and it did not work for changing the visible things for admin. At some stage, I had to use the admin context for many background tasks and then gave up on that.\n\n- https://review.opendev.org/c/openstack/nova/+/864594/4 \n\nAnyways, I am not denying all those improvements but my point is we should not hold the service API RBAC goal which is kind of first step to restrict those API to be accessed from external user which is what this and glance change doing. Any further improvement is welcome but should not be blocker for RBAC goal. If we are blocking it then glance service API default stay incorrect which is my main goal here to fix.\n\nNOTE: I am going to PTO next week for a month so I leave call on you both if you want to proceed with this series which fix the glance service API default or wait for the glance APIs implementation to be refactored first (I do not think I will be able to do that considering my limited knowledge on glance use cases and who all should be able to get images (can service role do?)).","commit_id":"6590f743e7e61746940f58184362fc67d5426725"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"05270dfc83c715bbdd2ab2d546707cd5845d2d45","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"ae17b538_76093bf7","in_reply_to":"0a7104ca_82ca0494","updated":"2025-09-03 21:24:53.000000000","message":"I did not change the existing \u0027glance\u0027 user as it was used in other place and saw that glance-swift service user [1] which also require other role 
are defined as a separate user. That is the reason I created the new user but if you want I can update the existing user also to assign admin role.\n\n[1] https://review.opendev.org/c/openstack/devstack/+/958718/2/lib/glance#517","commit_id":"6590f743e7e61746940f58184362fc67d5426725"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"452474248837f228b78a7f99588cf298fce4f4d9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"32ebae68_8c5bec43","in_reply_to":"27bcb10d_2cde28f7","updated":"2025-09-03 19:09:18.000000000","message":"\u003e \u003e..., but I feel it\u0027s similar to a case where an admin assigns \u0027service\u0027 role to itself and calls the location ADD/GET APIs.\n\n\nThis can happen in any case, if you make APIs to work for service role only then also admin can assign themself the \u0027service\u0027 role and do everything we are restricting service APIs to. \n\nThe operator needs to make sure that \u0027service\u0027 role is not assigned or assignable in their deployment. otherwise nothing prevents admin to behave as service and keep using the service-only APIs.\n\nThanks for the plan of discussing in team. Main point to discuss is:\n\n- To work cinder-glance communication for add_image_location, we need to refactor or open (policy + DB change) glance API GET /images for service role also (currently it is admin only). 
is it ok and safe?\n\nNOTE: It might need other changes than just policy+DB change but at least policy + DB changes very visible one in add_image_location case.","commit_id":"6590f743e7e61746940f58184362fc67d5426725"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"de58f5f001dbf52b14e0c1220785bf61a64b19d0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"0a7104ca_82ca0494","in_reply_to":"32ebae68_8c5bec43","updated":"2025-09-03 19:43:50.000000000","message":"I discussed this with @abishop@redhat.com and looks like this isn\u0027t a major concern for the deployment tools as I thought it would be. (apologies for my paranoia).\nHowever, the consensus of the discussion was that wouldn\u0027t it be better to have the \u0027glance\u0027 user have the \u0027admin\u0027 role instead of creating a new user?\nThe nova user already has it\n\n$ openstack role assignment list --user nova --names\n+---------+--------------+-------+-----------------+--------+--------+-----------+\n| Role    | User         | Group | Project         | Domain | System | Inherited |\n+---------+--------------+-------+-----------------+--------+--------+-----------+\n| admin   | nova@Default |       | service@Default |        |        | False     |\n| service | nova@Default |       | service@Default |        |        | False     |\n+---------+--------------+-------+-----------------+--------+--------+-----------+\n\nWe just need to add the same for glance\n\nopenstack role assignment list --user glance --names\n+---------+----------------+-------+-----------------+--------+--------+-----------+\n| Role    | User           | Group | Project         | Domain | System | Inherited |\n+---------+----------------+-------+-----------------+--------+--------+-----------+\n| service | glance@Default |       | service@Default |        |        | False     |\n| reader  | glance@Default |     
  |                 |        | all    | False     |\n+---------+----------------+-------+-----------------+--------+--------+-----------+","commit_id":"6590f743e7e61746940f58184362fc67d5426725"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"cfc2d06409e1094768f5ab36ca9bcf0ca09f7e15","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"72029345_675c19f2","in_reply_to":"3c106df8_dcf7a03b","updated":"2025-09-03 21:32:18.000000000","message":"running test again with that updated devstack change - https://review.opendev.org/c/openstack/cinder/+/958719/4","commit_id":"6590f743e7e61746940f58184362fc67d5426725"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"83f1d10aa17d3bb21b566883df9685dfd1241ade","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"83a3f46c_c76b44dc","in_reply_to":"4d6de818_e88a279e","updated":"2025-09-02 20:11:58.000000000","message":"yes, service user I mean nova user, cinder user, glance service user etc and not the service token defined in \u0027service_user\u0027 section. I know both are similar term and most of the time those are confused with.\n\nThat is what I mean  that glance service user or cinder service user can perform operation depends on the called service operation and its background tasks. If those needs admin role (which is case now) then glance service user needs to assign the admin role also. If glance change their implementation to not require admin role then glance service user with \u0027service\u0027 role is enough. 
This maybe a very simple example where you can just allow GET image to service role user and it will work But that is not valid for all the service only operation.\n\nFor example: Volume swap API: This nova service only API is called by the cinder and it require nova service user to have admin role also. Because from volume swap call, Nova call back Cinder to mark volume migration complete API[1] which require admin role[2]. So nova swap volume is a good example of what I was explaining in my comment that any service user (*not service token from service_user section*) may require more role assigned along with \u0027service\u0027 role depends on the operation they are calling.\n\n[1] https://github.com/openstack/nova/blob/73724fef9a66c4df3d018e7368067f883b1ed9e2/nova/compute/manager.py#L8415 \n[2] https://github.com/openstack/cinder/blob/3b35adc2c9a82bec865a6df1d8d7122961fcf262/cinder/policies/volume_actions.py#L244","commit_id":"6590f743e7e61746940f58184362fc67d5426725"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d737ee8d8e618929e0f027c02bb9046f91dd320e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"01aa23d3_637771f8","in_reply_to":"5c9369b8_6a23d0eb","updated":"2025-09-03 16:15:19.000000000","message":"Well, it is not API is working incorrectly, they work correctly as per the policy default permission. The fix in this case can be to let service user to get all the images from all projects (similar to admin user). Key thing is if any external user gets service role then they will be able to get images from all project and that is something glance team needs to check if that is ok or that can cause any security issue.\n\nBut again as I explained the volume swap case[*], the \u0027service user with only service role is not enough always\u0027. 
Take the volume swap case I mentioned above where nova service user in cinder had to have admin role for background tasks which should not be open for service role to do.\n- Can we say that API implementation is wrong: NO\n- Can we modify the cinder \u0027volume migration complete API\u0027 to allow for service role: something to discuss as this is API change and again opening critical things to non-admin USER (not just admin role).\n\nAnyways, my question is why you think this glance fix is a \u0027big deployment impact for deployment tools\u0027 and the existing \u0027nova service user in cinder requires admin[*]\u0027 role is not impact to them?\n\nI am not against any further API improvement but my point is:\n- Fix the glance API default policy which is wrong and kind of noop as glance always get \u0027service_role:service\u0027 from cinder service_token.\n- Ask Cinder to use the service user with required roles whatever glance need for their call.\n- In future, APIs implementation can be modified to work for \u0027service-only-role\u0027 which is change in API and need more discussion.\n\n\n[*]\n----------------\nFor example: Volume swap API: This nova service only API is called by the cinder and it require nova service user to have admin role also. Because from volume swap call, Nova call back Cinder to mark volume migration complete API[1] which require admin role[2]. 
So nova swap volume is a good example of what I was explaining in my comment that any service user (not service token from service_user section) may require more role assigned along with \u0027service\u0027 role depends on the operation they are calling.\n\n[1] https://github.com/openstack/nova/blob/73724fef9a66c4df3d018e7368067f883b1ed9e2/nova/compute/manager.py#L8415\n[2] https://github.com/openstack/cinder/blob/3b35adc2c9a82bec865a6df1d8d7122961fcf262/cinder/policies/volume_actions.py#L244\n----------------------------","commit_id":"6590f743e7e61746940f58184362fc67d5426725"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"238f5e67f398edf59735aa6458109c15d8ec49ad","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"16c8a138_6bf37c46","in_reply_to":"72029345_675c19f2","updated":"2025-09-04 10:27:13.000000000","message":"\u003e I did not change the existing \u0027glance\u0027 user as it was used in other place and saw that glance-swift service user\n\nSo that change was done 11 years ago[1] and i think it might be influenced by the fact that swift is an optional service whereas in our case glance and cinder are not, and anyone who wants to enable the optimizations using location APIs should have the right roles set during the deployment phase.\nI think it makes sense to add the \u0027admin\u0027 role for glance user itself, that makes it consistent with how Cinder interacts with nova using the nova user (service+admin) and shouldn\u0027t be affecting any existing operations relating with the glance user.\n\nhttps://github.com/openstack/devstack/commit/85a85f87f814446dd2364eea1b6d976d50500203","commit_id":"6590f743e7e61746940f58184362fc67d5426725"},{"author":{"_account_id":27615,"name":"Rajat 
Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f2f20d86ca1384d168df6ae7e3d357f28a66bac2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"5c9369b8_6a23d0eb","in_reply_to":"83a3f46c_c76b44dc","updated":"2025-09-03 12:18:29.000000000","message":"Thanks gmann for the explanation.\nWhat Sean said is exactly what i expected the design to be, only using service user (here \"glance\" user with \"service\" role) should be able to make the request succeed including all the policy checks and internal operations performed.\nLooks like this needs more ground work to figure out the APIs that are intended to be for service-to-service interaction and close out gaps that restrict the service user (glance here) to perform all the required operation.\n\nRight now we are trying to make it work by creating a new service user with admin access, which is fine from an upstream devstack perspective, but this tech debt will create a big deployment impact for deployment tools to:\n1. adapt the new changes of creating a new user with service+admin role\n2. Configure the new user for cinder\u003c-\u003eglance interaction\n3. Make a note of reverting the changes when the issue is fixed\n\nI\u0027m still inclined on making the APIs work correctly rather than creating another challenge for deployments to fix in the future.","commit_id":"6590f743e7e61746940f58184362fc67d5426725"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ffbfebc88365aa0349fbb2386bcb83d09423f008","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"c044fd00_67e73243","in_reply_to":"a4e62f51_86786ce9","updated":"2025-09-02 18:24:23.000000000","message":"The main purpose of the \u0027service\u0027 role is to restrict the external user (admin or no-admin) from using those APIs directly. 
Because if they can access it, then it creates issues. There are two things here: 1. \u0027service\u0027 role. 2. \u0027service user\u0027.\n\n\u0027service\u0027 role:\n---------------\n\n The main purpose of \u0027service\u0027 role in RBAC is to ensure that no external users can call the service APIs. This is not supposed to be workable/usable for doing the actual operation alone, and that is where the service user as a complete required capability comes into the picture (explaining below).\n \nservice user:\n-------------\n\n  This is the user which is configured by the operator in services to talk to other services. The operator should make sure it is a special user for internal machine-to-machine talk and not any external user (this should not even be an admin user who manages their cloud resources/deployment).\n  Now the question is what all the roles this service user should have (basically the question you asked when the admin role was also assigned to the glance service user). It depends on service to service and what operations they are making as service-only APIs and their code implementations. Some operations might be doable with the service user having \u0027service\u0027 role only (Nova\u0027s assisted volume snapshot API). For some API (example, Nova\u0027s assisted volume snapshot API) it may work as they do not perform any admin-related (accessing other project resources) tasks. But for other service APIs, the actual operation is to perform the background task with admin rights. Accessing the other project resource is a very common example because services do not allow the service user to access the other project resources. Most of the services have the admin check hard-coded in the DB. Anyways, this is just an example, and service APIs may need an admin for other background tasks also. 
That is why we have service users per services; a service user for a Cinder-to-Nova call can have a different role assigned than a Cinder-to-Glance or Glance-to-Nova call.\n  This service user can have \u0027service\u0027 and \u0027admin\u0027 role, but that is not the same as cloud \u0027admin\u0027 user or vice versa. The cloud admin user (which has an admin role but not a service role) cannot access the service APIs, and that is the main point of SRBAC.\n\n\nIn summary:\n-----------\n- OpenStack services can know if a call is from other services by checking if the user has \u0027service\u0027 role or not.\n- OpenStack services can perform the service\u0027s called operation with the help of the service user, but that user needs all the capabilities/roles that are required for that operation to complete. \n\nI hope I clarified things now.\n\n\u003e 1. Since we need to create/supply a privileged user for service-to-service interaction, how is it better than our legacy way of interaction when the APIs were admin only? My understanding was that the whole \u0027service\u0027 role effort was a way to get rid of these admin configurations.\n\nAs I explained above, there is a difference between both. With this implementation, the admin user in any cloud will not be able to access the service APIs but a special service user, which is configured by the operator, can only access. It is not about the role, it is about the user.\n\n\u003e 2. Don\u0027t we have an option to have a lesser privileged role like \u0027member\u0027 added to \u0027glance\u0027 user for it to have access to the image? Creating a new user and adding \u0027admin\u0027 privileges to it seems like an extra deployment effort that needs to be propagated to deployment tooling projects otherwise these new APIs won\u0027t work.\n\nThis will not work as the \u0027member\u0027 role alone cannot perform the glance operation. 
Cinder needs to get the image which a \u0027member\u0027 role cannot get; instead, project-member can get, and Cinder does not have that project access or a project user having member role. But yes, if glance allows get the image to only \u0027role:member\u0027 (not \u0027role\"member\u0027 and project_id), then yes, the service user can have member role instead of admin. That is what is depends on, service to service and operation and what all roles it requires to complete that operation. \n\n\u003e \n\u003e I\u0027m in favor of the \u0027service\u0027 role changes but the implementation doesn\u0027t look as clean as i expected to be.\n\u003e \n\u003e Adding @smooney@redhat.com to learn his thoughts as well ^\n\u003e \n\u003e [1] Aug 30 00:02:04.590047 np555aa0aa0e054 cinder-volume[86384]: DEBUG cinder.volume.manager [None req-8eb0fa96-25a5-42d9-a834-716d12c54aa9 tempest-VolumesActionsTest-317561138 None] Registered image volume location to glance image-id: 4b62fa16-50a0-4e3f-a7b6-6cc0a2e26538. 
{{(pid\u003d86384) copy_volume_to_image /opt/stack/cinder/cinder/volume/manager.py:1773}}","commit_id":"6590f743e7e61746940f58184362fc67d5426725"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"100663bd75604fdc8b9d1f5fbab474e96318ae8c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"3c106df8_dcf7a03b","in_reply_to":"ae17b538_76093bf7","updated":"2025-09-03 21:30:33.000000000","message":"I fixed that https://review.opendev.org/c/openstack/devstack/+/958718","commit_id":"6590f743e7e61746940f58184362fc67d5426725"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1c1402b5f1176daa5323d7e19640014b9037e84d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"4d6de818_e88a279e","in_reply_to":"c044fd00_67e73243","updated":"2025-09-02 19:16:07.000000000","message":"so i wont have tiem to respond to this in full this enveing but \n\n\"The main purpose of \u0027service\u0027 role in RBAC is to ensure that no external users can call the service APIs. This is not supposed to be workable/usable for doing the actual operation alone, \" that i woudl disagree with.\n\nthe service user shoudl work like the admin role for most uses except with the caveat that it will never be used by a human.\n\nso long term the only thing that cidner or neutron shoudl need to call the service only apis in nova is the service role.\n\nsame for cinder calling glance. you shoudl not need toe admin roel to be able to view the image even if its belows to a diffent tenant then the cidner users defualt.\n\nthe service roles shoudl be enouch.\n\n@gmaan i think using the pahrse `service user` is not helping.\n\nyou actully mean the nova user or glance user or cidner user above.\n\ni.e. 
the user specified in the username field of a config used by an openstack service to create a token when talking to another service.\n\nyou are explicitly not talking about the [service_user] section or the token generated from that in your `service user:` paragraph above.\n\nthe eventual end goal of the service role is to eventually remove the need for the nova or cinder user to have any role other than service because the only api that a python service will invoke with a token from a config should be service to service api. for the rest a user token should be used.\n\nthere may be some narrow exceptions to that but ideally when all is done the nova user used by the nova service will only have the service role.\n\nit will be a long time before that can happen and that\u0027s not what we are aiming for this cycle.\n\nto get to that point we will need to remove the hardcoded db check for the admin role for cross tenant api calls.\n\nthat should not exist long term and service should be enough but it is required to have both admin and service today because of that technical debt.","commit_id":"6590f743e7e61746940f58184362fc67d5426725"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"5c30b2f6a83f81dda513ac01503f1a2398195c57","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"85b96d51_7a678f44","updated":"2025-09-04 20:59:58.000000000","message":"Added an upgrade section in the releasenote to mention the deployment/upgrade impact with the adoption of the new location APIs","commit_id":"238de53add34204225a2a643b34a133ff625a213"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"39cd76575ed8cc559e86bb2e0cb936ce0d41f8a2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"798124e7_b19e29dc","updated":"2025-09-05 07:49:16.000000000","message":"Thanks a lot 
for working on this! This looks good now.\n1. The existing add_image_location passes in the glance cinder job\n\nSep 04 23:00:01.181045 np8cf99e3158494 cinder-volume[87647]: DEBUG cinder.volume.manager [None req-501e427e-d254-4553-b0bb-bdfe1d789155 tempest-VolumesActionsTest-700031116 None] Registered image volume location to glance image-id: 49fab3f5-7c49-4365-83a4-fe64f6865f18. {{(pid\u003d87647) copy_volume_to_image /opt/stack/cinder/cinder/volume/manager.py:1773}}\n\n2. The get_image_locations is also passing, populating the image location\n\u0027image_location\u0027: (None, [{\u0027url\u0027: \u0027cinder://lvmdriver-1/c5a0320e-cb54-49d2-9ea0-0f7f7983b1fd\u0027\n\n3. The grenade job failed before due to a missing [glance] section causing unauthorized/forbidden errors, which is handled in the GET location API patch itself.\nWe also mention this in the upgrade release note.\n\nLGTM.","commit_id":"211fbf50dd817f636fdfaafcd64946b023f20462"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"0e73c18a3197ff4ef661c96c1a00c48c16d0e984","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"f130dc34_2bb9db72","updated":"2025-09-05 19:28:14.000000000","message":"Thanks for your suggestion on the releasenote, added the feature section for configuring the [glance] group.","commit_id":"211fbf50dd817f636fdfaafcd64946b023f20462"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"ea2c3c07c6166dc3bd25089032438668e2263ec5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"56f256fd_838692f4","updated":"2025-09-05 07:44:55.000000000","message":"recheck POST_FAILURE in nfs jobs devstack-plugin-nfs-tempest-full","commit_id":"211fbf50dd817f636fdfaafcd64946b023f20462"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3bd012218d87f8984047020046c70ac7d327ac36","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"e58b86b5_c0b71096","updated":"2025-09-05 16:52:46.000000000","message":"thanks for adding releasenotes which I should have done but got lost in other testing etc. \n\nlgtm, one comment.","commit_id":"211fbf50dd817f636fdfaafcd64946b023f20462"},{"author":{"_account_id":9236,"name":"Jon Bernard","email":"jobernar@redhat.com","username":"jbernard"},"change_message_id":"a2253cf4ef99420c18887fd047406f8e5cd3f867","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"75e4786d_7e380ded","updated":"2025-09-09 17:54:19.000000000","message":"Code, CI and release note look good to me, thank you all for working on this.","commit_id":"9dfb500d5bb4fb6523731d7053a0424280d11da2"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ccb19f7953f892132242e9de38628ded988450d6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"410c2b88_4cb3433c","updated":"2025-09-05 19:49:42.000000000","message":"lgtm, +1 for releasenotes","commit_id":"9dfb500d5bb4fb6523731d7053a0424280d11da2"}],"cinder/image/glance.py":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"cc0d3e06afea9011735d218e6d8553fab637fad4","unresolved":true,"context_lines":[{"line_number":86,"context_line":"]"},{"line_number":87,"context_line":"CONF \u003d cfg.CONF"},{"line_number":88,"context_line":"CONF.register_opts(image_opts)"},{"line_number":89,"context_line":"CONF.register_opts(glance_core_properties_opts)"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"# Register keystoneauth options to create service user"},{"line_number":92,"context_line":"# to 
talk to glance."}],"source_content_type":"text/x-python","patch_set":1,"id":"253b7cc2_7f574997","line":89,"updated":"2025-08-28 20:38:19.000000000","message":"I assume this is where the other options are registered\nso you might need to duplicate these into the new section then use the deprecated section/name setting to make this \"just work\" with the old or new names","commit_id":"400c45ba29f309adf74d963630bd77ab4dafe7aa"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"784016cffdd597edb62e41f832d95734636e8d13","unresolved":false,"context_lines":[{"line_number":86,"context_line":"]"},{"line_number":87,"context_line":"CONF \u003d cfg.CONF"},{"line_number":88,"context_line":"CONF.register_opts(image_opts)"},{"line_number":89,"context_line":"CONF.register_opts(glance_core_properties_opts)"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"# Register keystoneauth options to create service user"},{"line_number":92,"context_line":"# to talk to glance."}],"source_content_type":"text/x-python","patch_set":1,"id":"655b9913_bb1a8d29","line":89,"in_reply_to":"253b7cc2_7f574997","updated":"2025-08-28 23:22:26.000000000","message":"there is a \u0027glance\u0027 section and all glance config is registered under the default one. 
Eventually those can be moved under the glance section but need to follow the deprecation phase.","commit_id":"400c45ba29f309adf74d963630bd77ab4dafe7aa"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"cc0d3e06afea9011735d218e6d8553fab637fad4","unresolved":true,"context_lines":[{"line_number":144,"context_line":"                              }"},{"line_number":145,"context_line":"            _SESSION \u003d ks_session.Session().load_from_options(**config_options)"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"        auth \u003d service_auth.get_auth_plugin(context, auth\u003dg_auth)"},{"line_number":148,"context_line":"        params[\u0027auth\u0027] \u003d auth"},{"line_number":149,"context_line":"        params[\u0027session\u0027] \u003d _SESSION"},{"line_number":150,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"65b887af_3c7f19db","line":147,"updated":"2025-08-28 20:38:19.000000000","message":"+1 this is aligned to what we discussed on irc\n\nif privileged_user is false then g_auth is None and we use the token from the context\n\nif it\u0027s true we will create an auth object from the config option and use that instead as the user_token for service to service calls.","commit_id":"400c45ba29f309adf74d963630bd77ab4dafe7aa"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"784016cffdd597edb62e41f832d95734636e8d13","unresolved":false,"context_lines":[{"line_number":144,"context_line":"                              }"},{"line_number":145,"context_line":"            _SESSION \u003d ks_session.Session().load_from_options(**config_options)"},{"line_number":146,"context_line":""},{"line_number":147,"context_line":"        auth \u003d service_auth.get_auth_plugin(context, auth\u003dg_auth)"},{"line_number":148,"context_line":"    
    params[\u0027auth\u0027] \u003d auth"},{"line_number":149,"context_line":"        params[\u0027session\u0027] \u003d _SESSION"},{"line_number":150,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"24444774_e9880356","line":147,"in_reply_to":"65b887af_3c7f19db","updated":"2025-08-28 23:22:26.000000000","message":"yeah. this loaded user token is passed to glance, which has the service role.","commit_id":"400c45ba29f309adf74d963630bd77ab4dafe7aa"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"cc0d3e06afea9011735d218e6d8553fab637fad4","unresolved":true,"context_lines":[{"line_number":200,"context_line":"                 context: Optional[context.RequestContext] \u003d None,"},{"line_number":201,"context_line":"                 netloc: Optional[str] \u003d None,"},{"line_number":202,"context_line":"                 use_ssl: bool \u003d False,"},{"line_number":203,"context_line":"                 privileged_user\u003dFalse):"},{"line_number":204,"context_line":"        self.client: Optional[glanceclient.Client]"},{"line_number":205,"context_line":"        if netloc is not None:"},{"line_number":206,"context_line":"            assert context is not None"}],"source_content_type":"text/x-python","patch_set":1,"id":"efd627a9_09021304","line":203,"updated":"2025-08-28 20:38:19.000000000","message":"you are defaulting to false, both keeping the old behavior and the most common case where the end user\u0027s token should be used.","commit_id":"400c45ba29f309adf74d963630bd77ab4dafe7aa"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"784016cffdd597edb62e41f832d95734636e8d13","unresolved":false,"context_lines":[{"line_number":200,"context_line":"                 context: Optional[context.RequestContext] \u003d None,"},{"line_number":201,"context_line":"          
       netloc: Optional[str] \u003d None,"},{"line_number":202,"context_line":"                 use_ssl: bool \u003d False,"},{"line_number":203,"context_line":"                 privileged_user\u003dFalse):"},{"line_number":204,"context_line":"        self.client: Optional[glanceclient.Client]"},{"line_number":205,"context_line":"        if netloc is not None:"},{"line_number":206,"context_line":"            assert context is not None"}],"source_content_type":"text/x-python","patch_set":1,"id":"57968799_12c1e559","line":203,"in_reply_to":"efd627a9_09021304","updated":"2025-08-28 23:22:26.000000000","message":"yeah, most of the calls to glance are user facing APIs so keeping it false and passing true only for glance service only APIs","commit_id":"400c45ba29f309adf74d963630bd77ab4dafe7aa"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"cc0d3e06afea9011735d218e6d8553fab637fad4","unresolved":true,"context_lines":[{"line_number":413,"context_line":"                # default to \u0027service\u0027 role so cinder needs to load the auth"},{"line_number":414,"context_line":"                # plugin from the keystoneauth which has the \u0027service\u0027 role."},{"line_number":415,"context_line":"                if method \u003d\u003d \u0027add_image_location\u0027:"},{"line_number":416,"context_line":"                    privileged_user \u003d True"},{"line_number":417,"context_line":"                return client.call(context, method,"},{"line_number":418,"context_line":"                                   image_id, url, metadata,"},{"line_number":419,"context_line":"                                   privileged_user\u003dprivileged_user)"}],"source_content_type":"text/x-python","patch_set":1,"id":"00bd665c_aeaf4eb5","line":416,"updated":"2025-08-28 20:38:19.000000000","message":"and then only elevating to using the cinder user for the image locations 
endpoint","commit_id":"400c45ba29f309adf74d963630bd77ab4dafe7aa"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"784016cffdd597edb62e41f832d95734636e8d13","unresolved":false,"context_lines":[{"line_number":413,"context_line":"                # default to \u0027service\u0027 role so cinder needs to load the auth"},{"line_number":414,"context_line":"                # plugin from the keystoneauth which has the \u0027service\u0027 role."},{"line_number":415,"context_line":"                if method \u003d\u003d \u0027add_image_location\u0027:"},{"line_number":416,"context_line":"                    privileged_user \u003d True"},{"line_number":417,"context_line":"                return client.call(context, method,"},{"line_number":418,"context_line":"                                   image_id, url, metadata,"},{"line_number":419,"context_line":"                                   privileged_user\u003dprivileged_user)"}],"source_content_type":"text/x-python","patch_set":1,"id":"0613a7bf_ef81d364","line":416,"in_reply_to":"00bd665c_aeaf4eb5","updated":"2025-08-28 23:22:26.000000000","message":"yeah, if cinder will call fetch_image_locations also which is another service API from glance then that can also follow the same pattern.","commit_id":"400c45ba29f309adf74d963630bd77ab4dafe7aa"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"1524da5e2bed8094f024cfe77dff05d15b5ac577","unresolved":true,"context_lines":[{"line_number":223,"context_line":"             context: context.RequestContext,"},{"line_number":224,"context_line":"             method: str,"},{"line_number":225,"context_line":"             *args: Any,"},{"line_number":226,"context_line":"             **kwargs: str) -\u003e Any:"},{"line_number":227,"context_line":"        \"\"\"Call a glance client 
method."},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"        If we get a connection error,"}],"source_content_type":"text/x-python","patch_set":3,"id":"bd5310a6_a177ab12","side":"PARENT","line":226,"range":{"start_line":226,"start_character":21,"end_line":226,"end_character":26},"updated":"2025-08-29 19:51:19.000000000","message":"We should not remove this as it decreases the mypy coverage, we can replace it with Union[str, bool] or Any","commit_id":"644b6362a6b0debf6395d4bf15f963faf1a42ced"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b199efbe1e8d5ef5e0bbbdc424787a90fc68cc23","unresolved":false,"context_lines":[{"line_number":223,"context_line":"             context: context.RequestContext,"},{"line_number":224,"context_line":"             method: str,"},{"line_number":225,"context_line":"             *args: Any,"},{"line_number":226,"context_line":"             **kwargs: str) -\u003e Any:"},{"line_number":227,"context_line":"        \"\"\"Call a glance client method."},{"line_number":228,"context_line":""},{"line_number":229,"context_line":"        If we get a connection error,"}],"source_content_type":"text/x-python","patch_set":3,"id":"74e4b6d4_f55c5376","side":"PARENT","line":226,"range":{"start_line":226,"start_character":21,"end_line":226,"end_character":26},"in_reply_to":"bd5310a6_a177ab12","updated":"2025-08-29 23:25:01.000000000","message":"Done","commit_id":"644b6362a6b0debf6395d4bf15f963faf1a42ced"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"1524da5e2bed8094f024cfe77dff05d15b5ac577","unresolved":true,"context_lines":[{"line_number":414,"context_line":"                # NOTE(gmaan): Glance add_image_location API policy rule is"},{"line_number":415,"context_line":"                # default to \u0027service\u0027 role 
so cinder needs to load the auth"},{"line_number":416,"context_line":"                # plugin from the keystoneauth which has the \u0027service\u0027 role."},{"line_number":417,"context_line":"                if method \u003d\u003d \u0027add_image_location\u0027:"},{"line_number":418,"context_line":"                    privileged_user \u003d True"},{"line_number":419,"context_line":"                else:"},{"line_number":420,"context_line":"                    privileged_user \u003d False"},{"line_number":421,"context_line":"                return client.call(context, method,"},{"line_number":422,"context_line":"                                   image_id, url, metadata,"},{"line_number":423,"context_line":"                                   privileged_user\u003dprivileged_user)"}],"source_content_type":"text/x-python","patch_set":3,"id":"564e1263_9c8695aa","line":420,"range":{"start_line":417,"start_character":16,"end_line":420,"end_character":43},"updated":"2025-08-29 19:51:19.000000000","message":"nit: we can remove L#411 and change this to,\n\n    privileged_user \u003d False\n    if method \u003d\u003d \u0027add_image_location\u0027:\n        privileged_user \u003d True","commit_id":"15609361ca9dcc51c3134b7ce7d5cc569123faca"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b199efbe1e8d5ef5e0bbbdc424787a90fc68cc23","unresolved":false,"context_lines":[{"line_number":414,"context_line":"                # NOTE(gmaan): Glance add_image_location API policy rule is"},{"line_number":415,"context_line":"                # default to \u0027service\u0027 role so cinder needs to load the auth"},{"line_number":416,"context_line":"                # plugin from the keystoneauth which has the \u0027service\u0027 role."},{"line_number":417,"context_line":"                if method \u003d\u003d \u0027add_image_location\u0027:"},{"line_number":418,"context_line":"    
                privileged_user \u003d True"},{"line_number":419,"context_line":"                else:"},{"line_number":420,"context_line":"                    privileged_user \u003d False"},{"line_number":421,"context_line":"                return client.call(context, method,"},{"line_number":422,"context_line":"                                   image_id, url, metadata,"},{"line_number":423,"context_line":"                                   privileged_user\u003dprivileged_user)"}],"source_content_type":"text/x-python","patch_set":3,"id":"66614117_f7f09d57","line":420,"range":{"start_line":417,"start_character":16,"end_line":420,"end_character":43},"in_reply_to":"564e1263_9c8695aa","updated":"2025-08-29 23:25:01.000000000","message":"Done","commit_id":"15609361ca9dcc51c3134b7ce7d5cc569123faca"}],"cinder/opts.py":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"cc0d3e06afea9011735d218e6d8553fab637fad4","unresolved":true,"context_lines":[{"line_number":456,"context_line":"        (\u0027glance\u0027,"},{"line_number":457,"context_line":"            itertools.chain("},{"line_number":458,"context_line":"                cinder_image_glance.glance_session_opts,"},{"line_number":459,"context_line":"                cinder_image_glance.glance_auth_opts,"},{"line_number":460,"context_line":"            )),"},{"line_number":461,"context_line":"        (\u0027nova\u0027,"},{"line_number":462,"context_line":"            itertools.chain("}],"source_content_type":"text/x-python","patch_set":1,"id":"f2525621_a446b923","line":459,"updated":"2025-08-28 20:38:19.000000000","message":"this renders in https://2298c9fbd235b89d0be2-e873feb845d99f2e0685947947034235.ssl.cf5.rackcdn.com/openstack/19229743e815406a99dc6c6108db805d/docs/_static/cinder.conf.sample\n\nhowever it does not render out the region_name or other values like username \n\n```\n[glance]\n\n#\n# From cinder\n#\n\n# PEM encoded Certificate 
Authority to use when verifying HTTPs connections.\n# (string value)\n#cafile \u003d \u003cNone\u003e\n\n# PEM encoded client certificate cert file (string value)\n#certfile \u003d \u003cNone\u003e\n\n# PEM encoded client certificate key file (string value)\n#keyfile \u003d \u003cNone\u003e\n\n# Verify HTTPS connections. (boolean value)\n#insecure \u003d false\n\n# Timeout value for http requests (integer value)\n#timeout \u003d \u003cNone\u003e\n\n# Collect per-API call timing information. (boolean value)\n#collect_timing \u003d false\n\n# Log requests to multiple loggers. (boolean value)\n#split_loggers \u003d false\n\n# Authentication type to load (string value)\n# Deprecated group/name - [glance]/auth_plugin\n#auth_type \u003d \u003cNone\u003e\n\n# Config Section from which to load plugin specific options (string value)\n#auth_section \u003d \u003cNone\u003e\n\n\n```\n\ncinder also has some existing config options for glance in the default section I believe\n\n```\n# A list of the URLs of glance API servers available to cinder\n# ([http[s]://][hostname|ip]:port). If protocol is not specified it defaults to\n# http. (list value)\n#glance_api_servers \u003d \u003cNone\u003e\n\n# Number retries when downloading an image from glance (integer value)\n# Minimum value: 0\n#glance_num_retries \u003d 3\n\n# Allow to perform insecure SSL (https) requests to glance (https will be used\n# but cert validation will not be performed). (boolean value)\n#glance_api_insecure \u003d false\n\n# Enables or disables negotiation of SSL layer compression. In some cases\n# disabling compression can improve data throughput, such as when high network\n# bandwidth is available and you use compressed image formats like qcow2.\n# (boolean value)\n#glance_api_ssl_compression \u003d false\n\n# Location of ca certificates file to use for glance client requests. 
(string\n# value)\n#glance_ca_certificates_file \u003d \u003cNone\u003e\n\n# Location of certificate file to use for glance client requests. (string\n# value)\n#glance_certfile \u003d \u003cNone\u003e\n\n# Location of certificate key file to use for glance client requests. (string\n# value)\n#glance_keyfile \u003d \u003cNone\u003e\n\n# http/https timeout value for glance operations. If no value (None) is\n# supplied here, the glanceclient default value is used. (integer value)\n#glance_request_timeout \u003d \u003cNone\u003e\n```\nthose should all be moved eventually.","commit_id":"400c45ba29f309adf74d963630bd77ab4dafe7aa"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"784016cffdd597edb62e41f832d95734636e8d13","unresolved":false,"context_lines":[{"line_number":456,"context_line":"        (\u0027glance\u0027,"},{"line_number":457,"context_line":"            itertools.chain("},{"line_number":458,"context_line":"                cinder_image_glance.glance_session_opts,"},{"line_number":459,"context_line":"                cinder_image_glance.glance_auth_opts,"},{"line_number":460,"context_line":"            )),"},{"line_number":461,"context_line":"        (\u0027nova\u0027,"},{"line_number":462,"context_line":"            itertools.chain("}],"source_content_type":"text/x-python","patch_set":1,"id":"a8b462cb_612dc633","line":459,"in_reply_to":"f2525621_a446b923","updated":"2025-08-28 23:22:26.000000000","message":"yeah, those should be moved here but I did not touch them as those need to be deprecated from the default section and then moved to the \u0027glance\u0027 section","commit_id":"400c45ba29f309adf74d963630bd77ab4dafe7aa"}],"releasenotes/notes/add-glance-service-section-3e73daee0e995442.yaml":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam 
Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3bd012218d87f8984047020046c70ac7d327ac36","unresolved":true,"context_lines":[{"line_number":8,"context_line":"    two additional changes during the deployment:"},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"    1. Assign the ``admin`` and ``service`` role to the ``glance`` user"},{"line_number":11,"context_line":"    2. Configure a ``[glance]`` section in cinder configuration file"},{"line_number":12,"context_line":"       with the credentials for ``glance`` user and ``service`` project."},{"line_number":13,"context_line":"       Refer to the ``[nova]`` or ``[service_user]`` section for reference."},{"line_number":14,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":6,"id":"90e76f00_bac8b97e","line":13,"range":{"start_line":11,"start_character":0,"end_line":13,"end_character":75},"updated":"2025-09-05 16:52:46.000000000","message":"++, I think we should add this new config section in normal feature section also so that any new user (non-upgrade) can also get to know about this.","commit_id":"211fbf50dd817f636fdfaafcd64946b023f20462"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"0e73c18a3197ff4ef661c96c1a00c48c16d0e984","unresolved":false,"context_lines":[{"line_number":8,"context_line":"    two additional changes during the deployment:"},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"    1. Assign the ``admin`` and ``service`` role to the ``glance`` user"},{"line_number":11,"context_line":"    2. 
Configure a ``[glance]`` section in cinder configuration file"},{"line_number":12,"context_line":"       with the credentials for ``glance`` user and ``service`` project."},{"line_number":13,"context_line":"       Refer to the ``[nova]`` or ``[service_user]`` section for reference."},{"line_number":14,"context_line":""}],"source_content_type":"text/x-yaml","patch_set":6,"id":"8eb18b60_0a0e1500","line":13,"range":{"start_line":11,"start_character":0,"end_line":13,"end_character":75},"in_reply_to":"90e76f00_bac8b97e","updated":"2025-09-05 19:28:14.000000000","message":"Done","commit_id":"211fbf50dd817f636fdfaafcd64946b023f20462"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1342d08c87921df00964f5c368766eb546b457c7","unresolved":true,"context_lines":[{"line_number":9,"context_line":""},{"line_number":10,"context_line":"    1. Assign the ``admin`` and ``service`` role to the ``glance`` user"},{"line_number":11,"context_line":"    2. 
Configure a ``[glance]`` section in cinder configuration file"},{"line_number":12,"context_line":"       with the credentials of ``glance`` user and ``service`` project."},{"line_number":13,"context_line":"       Refer to the ``[nova]`` or ``[service_user]`` section for reference."},{"line_number":14,"context_line":"features:"},{"line_number":15,"context_line":"  - |"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"f10c14bf_929ba64e","line":12,"range":{"start_line":12,"start_character":51,"end_line":12,"end_character":71},"updated":"2025-09-08 11:51:06.000000000","message":"nit: this last bit is technically not required for this change.\nit\u0027s a very common practice especially if you want to use cinder as a glance backend for thin provisioning of lvm or other BFV guests as you can have the volume stored in the service project instead.\n\nbeing in the service project in general is not required for service users because of the SRBAC goal so putting the glance user in the glance project is also acceptable.\n\nin any case there is no need to respin just for this but the reason for using a shared service project is because of other optimisations that it can enable so it\u0027s not incorrect advice, it\u0027s just not required.\n\nfor example if you are using glance backed by swift there is no reason I\u0027m aware of to have cinder and glance both be part of a single service project.","commit_id":"9dfb500d5bb4fb6523731d7053a0424280d11da2"}]}
