)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f2a2c4d79c7233de41115e3df7572d9a27fc8b23","unresolved":true,"context_lines":[{"line_number":13,"context_line":"glance."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"Needed-By: https://review.opendev.org/c/openstack/glance/+/958715"},{"line_number":16,"context_line":"Depends-On: https://review.opendev.org/c/openstack/cinder/+/958716"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"[1] https://review.opendev.org/c/openstack/glance/+/958715"},{"line_number":19,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"7043db5f_425dabe3","line":16,"range":{"start_line":16,"start_character":0,"end_line":16,"end_character":66},"updated":"2025-09-12 08:53:23.000000000","message":"this should not depend on the cinder change, it\u0027s quite the opposite.\nThe [glance] section configured in this patch is what makes the new location APIs work so we should remove this.\nOverall we are just creating the \"glance\" user with \"admin\" + \"service\" role and configuring it in the cinder.conf section which is independent of the glance and cinder changes.","commit_id":"b9246a20cd886adfd6a2857597e232c3c54c9ed5"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"edd08d780ad9a637890ed8fc76d15f858a6b7b86","unresolved":false,"context_lines":[{"line_number":13,"context_line":"glance."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"Needed-By: https://review.opendev.org/c/openstack/glance/+/958715"},{"line_number":16,"context_line":"Depends-On: https://review.opendev.org/c/openstack/cinder/+/958716"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"[1] https://review.opendev.org/c/openstack/glance/+/958715"},{"line_number":19,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"4b0495e8_d2c5f581","line":16,"range":{"start_line":16,"start_character":0,"end_line":16,"end_character":66},"in_reply_to":"7043db5f_425dabe3","updated":"2025-09-12 08:53:57.000000000","message":"Done","commit_id":"b9246a20cd886adfd6a2857597e232c3c54c9ed5"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"48ccdf4c80debddf88a3335443a95b680dc65f43","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"8bb17452_f51916cb","updated":"2025-08-28 20:22:09.000000000","message":"recheck kernel panin in tempet full \n\n[    6.292284] Kernel Offset: 0xc800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n[    6.295244] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode\u003d0x00001000 ]---","commit_id":"0abcf942e6900295746354b0f8b58076823959e3"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d04e3118b3053aac9187d0405880732e660f71a0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"02352915_8f8d55bc","updated":"2025-08-28 04:11:57.000000000","message":"testing it in https://review.opendev.org/c/openstack/cinder/+/958719","commit_id":"0abcf942e6900295746354b0f8b58076823959e3"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"3059aaf72c127e96a38303ea566d1482f6f81cc1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"fe263a29_aad104fe","updated":"2025-09-05 07:51:11.000000000","message":"LGTM","commit_id":"b9246a20cd886adfd6a2857597e232c3c54c9ed5"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"aa45a2e79c773f8873049b1c9ba243fb3d32c237","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"d95f705c_38628210","updated":"2025-09-11 21:59:20.000000000","message":"The cinder dependency has merged.","commit_id":"b9246a20cd886adfd6a2857597e232c3c54c9ed5"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"edd08d780ad9a637890ed8fc76d15f858a6b7b86","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"21156bb0_ed0f6fbb","updated":"2025-09-12 08:53:57.000000000","message":"Updated the commit message to remove cinder dependency","commit_id":"2df0d7ab8230a0cc7ca1c5a90c254717c9ff2dc6"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1918c921f04cf848fb41cb0fd378024fae9afe44","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"171b8e5b_68c51777","updated":"2025-09-15 12:58:15.000000000","message":"https://bugs.launchpad.net/devstack/+bug/2123845\n\nOK bug filed.\n\nlet move this forward for now and address my feedback as part fo the generic bug cleanup","commit_id":"2df0d7ab8230a0cc7ca1c5a90c254717c9ff2dc6"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"d23b387a5047cedba8011039bf401edededd8377","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":5,"id":"a2db8489_2c1dd017","updated":"2025-09-15 12:38:58.000000000","message":"im kind of torn on the one hand devstack is incocetent in enforcign that service do not have acess to other service users credentials.\n\nnova properly uses the nova user to talk to other service where as other service use the nova user to talk to it which is not correct.\n\n\nthis patch is propagating the existing incorrect pattern by assigning the admin role to the glance user which does not require it for glance to function and then using the glance user to talk to glance which is an anti pattern.\n\ni would prefer if the service and admin roles were assigned to the cinder user and the cinder user was used to talk to glance. however i also dont think this patch need to correct the existing incorrect usage fo cinder using the nova user to talk to nova however it could also trivally do that.\n\nonce the cinder user has both the service and admin role there is no need for the cidner.conf to have the nova user any more.","commit_id":"2df0d7ab8230a0cc7ca1c5a90c254717c9ff2dc6"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"c3120be34f6d554efe160c82ce95d3dbe7b92152","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":5,"id":"09104e44_502b0b04","in_reply_to":"a2db8489_2c1dd017","updated":"2025-09-15 12:50:06.000000000","message":"gmann is on pto for a while so im going to file a bug to correct the use of service users in genreal in devstack then we can adress this across the board as part of that and you can continue with the antipattgen in this patch.\n\nonce i have filed the bug ill swap from a -1 to +2w and we can adress teh technial debt sepreately","commit_id":"2df0d7ab8230a0cc7ca1c5a90c254717c9ff2dc6"}],"lib/cinder":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"d23b387a5047cedba8011039bf401edededd8377","unresolved":true,"context_lines":[{"line_number":420,"context_line":"    fi"},{"line_number":421,"context_line":""},{"line_number":422,"context_line":"    # Set glance credentials (used for location APIs)"},{"line_number":423,"context_line":"    configure_keystone_authtoken_middleware $CINDER_CONF glance glance"},{"line_number":424,"context_line":""},{"line_number":425,"context_line":"    # Set nova credentials (used for os-assisted-snapshots)"},{"line_number":426,"context_line":"    configure_keystone_authtoken_middleware $CINDER_CONF nova nova"}],"source_content_type":"application/x-shellscript","patch_set":5,"id":"c766fdc2_bb9acb8f","line":423,"updated":"2025-09-15 12:38:58.000000000","message":"this however is incorerct.\n\nyou shoudl not be using the glance user to talk to glance in the cinder config.\n\nyou shoudl be using the cidner user to talk to galnce in the cinder.conf\n\n\n```suggestion\n    configure_keystone_authtoken_middleware $CINDER_CONF glance cinder\n```\n\nthe same is true for the nova section.\n\nits incorrect for cinder to use the nova user to talk to nova.\n\nthat is not representative fo how this shoudl ever be deployed in production.","commit_id":"2df0d7ab8230a0cc7ca1c5a90c254717c9ff2dc6"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"d23b387a5047cedba8011039bf401edededd8377","unresolved":true,"context_lines":[{"line_number":467,"context_line":"            extra_role\u003d$(get_or_create_role \"creator\")"},{"line_number":468,"context_line":"        fi"},{"line_number":469,"context_line":""},{"line_number":470,"context_line":"        create_service_user \"cinder\" $extra_role"},{"line_number":471,"context_line":""},{"line_number":472,"context_line":"        local cinder_api_url"},{"line_number":473,"context_line":"        cinder_api_url\u003d\"$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST/volume\""}],"source_content_type":"application/x-shellscript","patch_set":5,"id":"40a9d2fe_161f107d","line":470,"updated":"2025-09-15 12:38:58.000000000","message":"you should be adding admin here","commit_id":"2df0d7ab8230a0cc7ca1c5a90c254717c9ff2dc6"}],"lib/glance":[{"author":{"_account_id":10459,"name":"Luigi Toscano","email":"ltoscano@redhat.com","username":"ltoscano"},"change_message_id":"ad66ca7b86c4ac64f3a95a23423ab64f31c98f08","unresolved":true,"context_lines":[{"line_number":503,"context_line":"function create_glance_accounts {"},{"line_number":504,"context_line":"    if is_service_enabled g-api; then"},{"line_number":505,"context_line":""},{"line_number":506,"context_line":"        # When cinder talk to glance service APIs user needs service"},{"line_number":507,"context_line":"        # role for RBAC checks and admin role for cinder to access images."},{"line_number":508,"context_line":"        create_service_user \"glance\" \"admin\""},{"line_number":509,"context_line":""}],"source_content_type":"application/x-shellscript","patch_set":5,"id":"9cb8382b_8a54b590","line":506,"updated":"2025-09-12 11:06:00.000000000","message":"So will this configured in all cases, even when glance does not use cinder as its backend?","commit_id":"2df0d7ab8230a0cc7ca1c5a90c254717c9ff2dc6"},{"author":{"_account_id":10459,"name":"Luigi Toscano","email":"ltoscano@redhat.com","username":"ltoscano"},"change_message_id":"a5d2ca8447e71752f241b505c50a57b07f7ab05c","unresolved":false,"context_lines":[{"line_number":503,"context_line":"function create_glance_accounts {"},{"line_number":504,"context_line":"    if is_service_enabled g-api; then"},{"line_number":505,"context_line":""},{"line_number":506,"context_line":"        # When cinder talk to glance service APIs user needs service"},{"line_number":507,"context_line":"        # role for RBAC checks and admin role for cinder to access images."},{"line_number":508,"context_line":"        create_service_user \"glance\" \"admin\""},{"line_number":509,"context_line":""}],"source_content_type":"application/x-shellscript","patch_set":5,"id":"29bf2510_c4971289","line":506,"in_reply_to":"4dcdf147_93fadafd","updated":"2025-09-15 09:57:34.000000000","message":"No, that\u0027s fine, I misread your comment","commit_id":"2df0d7ab8230a0cc7ca1c5a90c254717c9ff2dc6"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"686e2318701f0c546289f1f4a8f6a0d4dc7e899b","unresolved":true,"context_lines":[{"line_number":503,"context_line":"function create_glance_accounts {"},{"line_number":504,"context_line":"    if is_service_enabled g-api; then"},{"line_number":505,"context_line":""},{"line_number":506,"context_line":"        # When cinder talk to glance service APIs user needs service"},{"line_number":507,"context_line":"        # role for RBAC checks and admin role for cinder to access images."},{"line_number":508,"context_line":"        create_service_user \"glance\" \"admin\""},{"line_number":509,"context_line":""}],"source_content_type":"application/x-shellscript","patch_set":5,"id":"e2d66f98_9f804d4e","line":506,"in_reply_to":"717374d3_9709f71f","updated":"2025-09-12 15:26:45.000000000","message":"Digging more into it, seems like fetching the image location irrespective of the glance\u003c-\u003ecinder check is correct since RBD also leverages the same GET locations API for it\u0027s optimization to create bootable volume from image[1] \n\n[1] https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/rbd.py#L1949-L1976","commit_id":"2df0d7ab8230a0cc7ca1c5a90c254717c9ff2dc6"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"ea046aab71c120ea3d02c6edc04dc7d49ecceb71","unresolved":true,"context_lines":[{"line_number":503,"context_line":"function create_glance_accounts {"},{"line_number":504,"context_line":"    if is_service_enabled g-api; then"},{"line_number":505,"context_line":""},{"line_number":506,"context_line":"        # When cinder talk to glance service APIs user needs service"},{"line_number":507,"context_line":"        # role for RBAC checks and admin role for cinder to access images."},{"line_number":508,"context_line":"        create_service_user \"glance\" \"admin\""},{"line_number":509,"context_line":""}],"source_content_type":"application/x-shellscript","patch_set":5,"id":"717374d3_9709f71f","line":506,"in_reply_to":"9cb8382b_8a54b590","updated":"2025-09-12 15:20:38.000000000","message":"Unfortunately yes, Cinder calls GET location API[1] without looking into the configuration and later checks if we can perform the glance-cinder optimization based on the output[2].\nThis is non optimal but that\u0027s how we have it right now so we need the [glance] configuration irrespective of the optimization.\n\n[1] https://github.com/openstack/cinder/blob/master/cinder/volume/flows/manager/create_volume.py#L323-L324\n[2] https://github.com/openstack/cinder/blob/master/cinder/volume/flows/manager/create_volume.py#L729-L730","commit_id":"2df0d7ab8230a0cc7ca1c5a90c254717c9ff2dc6"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"663efcd6c2ea22d1c0de9a78d3fe7d7578925923","unresolved":true,"context_lines":[{"line_number":503,"context_line":"function create_glance_accounts {"},{"line_number":504,"context_line":"    if is_service_enabled g-api; then"},{"line_number":505,"context_line":""},{"line_number":506,"context_line":"        # When cinder talk to glance service APIs user needs service"},{"line_number":507,"context_line":"        # role for RBAC checks and admin role for cinder to access images."},{"line_number":508,"context_line":"        create_service_user \"glance\" \"admin\""},{"line_number":509,"context_line":""}],"source_content_type":"application/x-shellscript","patch_set":5,"id":"4dcdf147_93fadafd","line":506,"in_reply_to":"b7b0c2dc_48fadc5a","updated":"2025-09-12 19:05:58.000000000","message":"I\u0027m not sure what the ask is.\nThe comment, as I interpret, is saying that we need service and admin role for glance user when cinder wants to talk to glance service APIs (which in our case is location APIs but could be extended in future to more APIs)\nDo we want to include cinder specific details here that in which backend configurations we will have this interaction?","commit_id":"2df0d7ab8230a0cc7ca1c5a90c254717c9ff2dc6"},{"author":{"_account_id":10459,"name":"Luigi Toscano","email":"ltoscano@redhat.com","username":"ltoscano"},"change_message_id":"952bd9c011ef00cc07a4f0f45b9902138313b502","unresolved":true,"context_lines":[{"line_number":503,"context_line":"function create_glance_accounts {"},{"line_number":504,"context_line":"    if is_service_enabled g-api; then"},{"line_number":505,"context_line":""},{"line_number":506,"context_line":"        # When cinder talk to glance service APIs user needs service"},{"line_number":507,"context_line":"        # role for RBAC checks and admin role for cinder to access images."},{"line_number":508,"context_line":"        create_service_user \"glance\" \"admin\""},{"line_number":509,"context_line":""}],"source_content_type":"application/x-shellscript","patch_set":5,"id":"b7b0c2dc_48fadc5a","line":506,"in_reply_to":"e2d66f98_9f804d4e","updated":"2025-09-12 16:15:22.000000000","message":"Would it make sense to update this comment a bit then?","commit_id":"2df0d7ab8230a0cc7ca1c5a90c254717c9ff2dc6"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"d23b387a5047cedba8011039bf401edededd8377","unresolved":true,"context_lines":[{"line_number":505,"context_line":""},{"line_number":506,"context_line":"        # When cinder talk to glance service APIs user needs service"},{"line_number":507,"context_line":"        # role for RBAC checks and admin role for cinder to access images."},{"line_number":508,"context_line":"        create_service_user \"glance\" \"admin\""},{"line_number":509,"context_line":""},{"line_number":510,"context_line":"        # required for swift access"},{"line_number":511,"context_line":"        if is_service_enabled s-proxy; then"}],"source_content_type":"application/x-shellscript","patch_set":5,"id":"e92c55b1_38a11139","line":508,"updated":"2025-09-15 12:38:58.000000000","message":"ack so create_service_user will grant service by default and the second positional arg is a addtional role to grant.\n\nhttps://github.com/openstack/devstack/blob/6eabfa32c844e4ce9db2cc1e0476c34263f712b4/lib/keystone#L415\n\nso this is considtent with our existin usage for example for placement\nhttps://github.com/openstack/devstack/blob/6eabfa32c844e4ce9db2cc1e0476c34263f712b4/lib/placement#L102\n\ngiven its the cidner user that need this access however i think this is incorrect to do.","commit_id":"2df0d7ab8230a0cc7ca1c5a90c254717c9ff2dc6"}]}