)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d704d1de9b83af013b58bafdd1cc007bfe6a8fe4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"3a3264f3_9f925c2d","updated":"2022-11-02 13:57:10.000000000","message":"A few things noted inline.  A question or two, but mostly it would be helpful to explain clearly why we\u0027re doing this and how it addresses the security issue.","commit_id":"d0019d25925c98b48862a0c56fc975c1c25e5852"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f15e0c43c0ef1c3cbc05cd73f9c3c1e3e32da9fb","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"d0a12cf6_3344d177","updated":"2022-11-04 09:09:17.000000000","message":"Thanks for the review Brian. I\u0027ve addressed almost all comments but the hash parameter, I\u0027m not sure about. Maybe we can discuss that in the next glance meeting?","commit_id":"d0019d25925c98b48862a0c56fc975c1c25e5852"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"5c961ea396534fcc8b60a87d5c17b1b301c46042","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"6855ca7b_cd7e1b44","updated":"2022-11-17 06:18:03.000000000","message":"Some suggestions and one question inline","commit_id":"396ba5e88dc1f3a6f6cca22a1e649ad8ede26478"},{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"fd68da74a43f82cc9aede368ba7d73f199374e20","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"e9921b8b_1f2d3ed3","updated":"2022-11-28 12:36:01.000000000","message":"Few minor things, overall looking quite good.\n\nThanks Rajat!","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"a2f9679ce08ec9e3db3e13ee6d4e4469be83e9d6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"eac10c3d_6d0fb8ab","updated":"2022-11-21 08:33:30.000000000","message":"Thanks Abhishek for the review.","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"ac684f5c7dbe0f3555d4b8783b3a3af62a492a31","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"163d94b9_176200b1","updated":"2022-11-28 18:35:36.000000000","message":"Thanks Erno for the review. replies inline.","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"da16aab0056dd151215aa9b18c38bf447e38dc29","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"18b2ef5f_e71c8375","updated":"2022-11-28 18:46:27.000000000","message":"Two comments inline.","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d073ee9dd44df39a202c1656c5a0118143816427","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"814ac6a3_56779122","updated":"2022-11-29 19:45:08.000000000","message":"Adding Sean and Sylvain here to make sure they\u0027re aware of the implications this has for Nova. I\u0027m not sure if they have any idea this is happening or not (perhaps they do).\n\nI\u0027m cool with the general approach here. I think we need to document the image state transition, especially regarding how we handle the long-running hash operation for http URIs (hence the -1) at least.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f187b4d3b685048c7a0526467446b6f5417d1a2e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"a5ed8dcf_8a9ff8ce","updated":"2022-12-02 13:31:03.000000000","message":"Thanks Dan and Sean for the reviews, replies inline but overall i think this needs more discussion about the implementation details.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"6e5f5fb7f7ca58abec0f6c954a3dae46c1be3ca1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"50b10bb9_08861903","updated":"2022-12-01 20:03:44.000000000","message":"This is looking more and more complicated.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"6bdf540f913af2158372a3cc6a68bc2897ec9e1f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"e98f66bf_7fdc38b3","updated":"2022-12-15 12:02:54.000000000","message":"Added some responses.","commit_id":"b1765493273c9351cfbf53c65436b43e262ccafe"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"c9c73e4c1f4cf96e3a8d3029ff3fcc01c11a8477","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"f8dd3d6b_7a18cf58","updated":"2022-12-02 13:40:22.000000000","message":"Requires discussion on the points mentioned\n1) regarding the way to query the progress of the image in QUEUED state and how to know when the hash calculation has completed/failed/processing.\n2) handling of different tokens provided by nova in case of a automatic snapshot creation by using service credentials","commit_id":"b1765493273c9351cfbf53c65436b43e262ccafe"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"d05bcf8e0900cb7422719dddd09eaaff0b944a06","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"3094ea01_95c83865","updated":"2022-12-26 05:50:25.000000000","message":"There needs to be discussion around if/how the new import method would be able to handle our use case and cover all corner cases.","commit_id":"5c0151dd9f86c05ba334e983c97578336f212132"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"a43938579ff34d5e2103e73805d5537cce6cc8e4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"06e395f4_b7039dfa","updated":"2023-01-05 05:39:34.000000000","message":"recheck","commit_id":"5c0151dd9f86c05ba334e983c97578336f212132"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"32a1a160b7373839ebf3e7fcf55c74885a798f6c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"9e87e990_f5180e77","updated":"2022-12-30 13:40:24.000000000","message":"recheck for fresh logs - gate seems broken\n\nhttps://review.opendev.org/c/openstack/glance_store/+/843103","commit_id":"5c0151dd9f86c05ba334e983c97578336f212132"},{"author":{"_account_id":19138,"name":"Pranali Deore","email":"pdeore@redhat.com","username":"PranaliD"},"change_message_id":"a7c9b6e1982c7c02cfcf09e0a74107050bcca92f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"3166da4d_87680491","updated":"2023-01-20 06:22:33.000000000","message":"As discussed in last weekly meeting I haven\u0027t seen any objection on this, so approving the spec.\n\nThanks all reviewers !!","commit_id":"67e61b00c1ea75aaf774f0b9a5b7d4c7067e1821"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"4b2a768818cb427fb64220c34943ce6d1b9906a8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"418010ea_62d97703","updated":"2023-01-17 14:21:28.000000000","message":"Looks good to me, thank you!","commit_id":"67e61b00c1ea75aaf774f0b9a5b7d4c7067e1821"},{"author":{"_account_id":19138,"name":"Pranali Deore","email":"pdeore@redhat.com","username":"PranaliD"},"change_message_id":"942b6054c077839478c06b462dd00172f14c2d7e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"00d8acc2_e83fd377","updated":"2023-01-19 05:55:37.000000000","message":"Looks good to me.. \nThanks Rajat !!","commit_id":"67e61b00c1ea75aaf774f0b9a5b7d4c7067e1821"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"9972b16fb22b99efd365fac8bd14536e719862c0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"cd56ff19_6dba6dbb","updated":"2023-01-17 06:37:12.000000000","message":"Updated the spec based on the discussion in last glance meeting.\n\nhttps://meetings.opendev.org/irclogs/%23openstack-meeting/%23openstack-meeting.2023-01-12.log.html#t2023-01-12T14:07:22","commit_id":"67e61b00c1ea75aaf774f0b9a5b7d4c7067e1821"}],"specs/2023.1/approved/glance/new-location-info-apis.rst":[{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d704d1de9b83af013b58bafdd1cc007bfe6a8fe4","unresolved":true,"context_lines":[{"line_number":67,"context_line":"Along with the new ``add policy``, we will add a check in the location add API"},{"line_number":68,"context_line":"code to check the status of image and only add location if it is in QUEUED"},{"line_number":69,"context_line":"state. Adding location when the image is in ACTIVE state will be disallowed"},{"line_number":70,"context_line":"with the new location add API. This is done in order to prevent malicious"},{"line_number":71,"context_line":"users from modifying the image location again and again since the location"},{"line_number":72,"context_line":"added for the first time is the correct one and there is no use case for"},{"line_number":73,"context_line":"modifying it at a later stage from a public API."},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"Following APIs are not being implemented:"},{"line_number":76,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"77947a11_6aab017f","line":73,"range":{"start_line":70,"start_character":31,"end_line":73,"end_character":48},"updated":"2022-11-02 13:57:10.000000000","message":"I think it would be good here to describe how the new scheme addresses all the old use cases, something like this:\n\n  This is done in order to prevent malicious\n  users from modifying the image location again and again since the location\n  added for the first time is the correct one as far as Glance is concerned.\n\n  When multiple image locations were added, Glance had only a single image\n  store.  Since Train, Glance has  multiple stores, and we have added API\n  calls that allow users to manipulate data locality with respect to store.\n  Further, a store is an opaque identifier, whereas an image location\n  exposes backend details that users don\u0027t need to know.\n\n  Here are the current use cases for the direct manipulation of image\n  locations along with an explanation of how they can be handled by the\n  new Location API.\n\n  1. When using a copy-on-write (COW) backend shared by Nova and Glance,\n     Nova can create an image record in Glance, snapshot a server image\n     directly in the backend, and set the location on the image record.\n\n     This use case is covered by the new add-location call, and having\n     its default policy be image owner or service.\n\n  2. A user wants to have a single image record, but have image data\n     stored in multiple locations for locality (i.e., to have image\n     data as close as possible to where it\u0027s consumed).\n\n     This use case is handled by the glance multiple stores feature\n     plus image import, which since API v2.8, allows a \u0027stores\u0027 parameter\n     specifying where the image data should be stored.  This applies to both\n     newly created images and existing images (via the copy-image import\n     method).\n\n     In this workflow, Glance itself manipulates the image locations; there\n     is no need for the user to interact with locations directly.\n\n  3. An operator wants to introduce a new storage backend and decommission\n     the current backend while keeping the same image catalog.\n\n     Similar to #2, this can be handled by using the copy-image import\n     method and the delete-image-from-store API call introduced in v2.10.","commit_id":"d0019d25925c98b48862a0c56fc975c1c25e5852"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f15e0c43c0ef1c3cbc05cd73f9c3c1e3e32da9fb","unresolved":false,"context_lines":[{"line_number":67,"context_line":"Along with the new ``add policy``, we will add a check in the location add API"},{"line_number":68,"context_line":"code to check the status of image and only add location if it is in QUEUED"},{"line_number":69,"context_line":"state. Adding location when the image is in ACTIVE state will be disallowed"},{"line_number":70,"context_line":"with the new location add API. This is done in order to prevent malicious"},{"line_number":71,"context_line":"users from modifying the image location again and again since the location"},{"line_number":72,"context_line":"added for the first time is the correct one and there is no use case for"},{"line_number":73,"context_line":"modifying it at a later stage from a public API."},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"Following APIs are not being implemented:"},{"line_number":76,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"97346db3_a3169b0c","line":73,"range":{"start_line":70,"start_character":31,"end_line":73,"end_character":48},"in_reply_to":"77947a11_6aab017f","updated":"2022-11-04 09:09:17.000000000","message":"Thanks Brian, this was elaborate and helpful, updated it.","commit_id":"d0019d25925c98b48862a0c56fc975c1c25e5852"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d704d1de9b83af013b58bafdd1cc007bfe6a8fe4","unresolved":true,"context_lines":[{"line_number":103,"context_line":"* Add Location"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"  This will add a new location to an existing image."},{"line_number":106,"context_line":"  The request body will contain the location URL and an optional parameter,"},{"line_number":107,"context_line":"  ``do_checksum``, which will tell the API if we want to do the checksum or"},{"line_number":108,"context_line":"  not. The ``do_checksum`` flag is required by the HTTP Store to make it"},{"line_number":109,"context_line":"  compatible with new location add API."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"  POST /v2/images/{image_id}/locations"},{"line_number":112,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"519d9a34_3b40dd19","line":109,"range":{"start_line":106,"start_character":0,"end_line":109,"end_character":38},"updated":"2022-11-02 13:57:10.000000000","message":"I guess I lost focus during the PTG discussion, because I don\u0027t remember this at all.  I have four concerns here:\n\n1. First the stupid concern, namely people seem to think \u0027checksum\u0027\u003d\u003dmd5 (and historically, that has been true in Glance).  So let\u0027s call this parameter something like \"do_secure_hash\" or \"compute_os_hash_value\" so people don\u0027t freak out.\n\n2. If this is an HTTP Store issue, we already allow users to set \"validation data\" when adding a location [0, 1].  Why don\u0027t we do that instead of do_checksum (where I presume Glance would download the data, compute the checksum, and then store it)?\n\n3. What happens when \u0027\"do_checksum\": true\u0027 for other stores?  What\u0027s the behavior?\n\n4. Following #2, are we going to allow the caller to set validation_data with the new add-locations API?  I suspect we should.\n\n[0] https://review.opendev.org/c/openstack/glance-specs/+/597648\n[1] https://review.opendev.org/c/openstack/glance/+/597368","commit_id":"d0019d25925c98b48862a0c56fc975c1c25e5852"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"c4916c40c870200467449a2d7fec86f4a0a5d026","unresolved":false,"context_lines":[{"line_number":103,"context_line":"* Add Location"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"  This will add a new location to an existing image."},{"line_number":106,"context_line":"  The request body will contain the location URL and an optional parameter,"},{"line_number":107,"context_line":"  ``do_checksum``, which will tell the API if we want to do the checksum or"},{"line_number":108,"context_line":"  not. The ``do_checksum`` flag is required by the HTTP Store to make it"},{"line_number":109,"context_line":"  compatible with new location add API."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"  POST /v2/images/{image_id}/locations"},{"line_number":112,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"9615535f_66b863af","line":109,"range":{"start_line":106,"start_character":0,"end_line":109,"end_character":38},"in_reply_to":"453785a5_5d8f829f","updated":"2022-11-30 12:48:00.000000000","message":"Done","commit_id":"d0019d25925c98b48862a0c56fc975c1c25e5852"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f15e0c43c0ef1c3cbc05cd73f9c3c1e3e32da9fb","unresolved":true,"context_lines":[{"line_number":103,"context_line":"* Add Location"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"  This will add a new location to an existing image."},{"line_number":106,"context_line":"  The request body will contain the location URL and an optional parameter,"},{"line_number":107,"context_line":"  ``do_checksum``, which will tell the API if we want to do the checksum or"},{"line_number":108,"context_line":"  not. The ``do_checksum`` flag is required by the HTTP Store to make it"},{"line_number":109,"context_line":"  compatible with new location add API."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"  POST /v2/images/{image_id}/locations"},{"line_number":112,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"d3500e5e_361f6326","line":109,"range":{"start_line":106,"start_character":0,"end_line":109,"end_character":38},"in_reply_to":"519d9a34_3b40dd19","updated":"2022-11-04 09:09:17.000000000","message":"Since i heard about the HTTP store issue for the first time during PTG and I don\u0027t have much idea about the HTTP store itself, I will answer the concerns with superficial knowledge but Erno suggested the change and can answer things better.\n\n1) I don\u0027t mind changing the name since there was None suggested during PTG. \"do_secure_hash\" sounds good since people might confuse \"compute*\" with nova compute.\n\n2) I also have the same idea that glance will compute the hash values based on this parameter and assumed HTTP store is not capable of doing it. Even i couldn\u0027t find the checksum or hash value being computed in the http store[1].\nI think the idea of \"validation data\" is when a store provides hash information then we add it to the image right? If that\u0027s the case then maybe http store is not capable of computing it so assigning the task to glance for it.\nHaving said that, I\u0027m not super familiar with this so I think Erno can answer better as he suggested this approach.\n\n3) I don\u0027t think we will modify other stores to pass this parameter and I\u0027m unsure if other stores even call the locations API or it is handled internally.\n\n4) Same as #2, I\u0027m unsure about it and the glance team can suggest better on this.\n\n[1] https://github.com/openstack/glance_store/blob/0df64d5af92b46457fd3f13aceb69b4f94b8b53c/glance_store/_drivers/http.py","commit_id":"d0019d25925c98b48862a0c56fc975c1c25e5852"},{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"fd68da74a43f82cc9aede368ba7d73f199374e20","unresolved":true,"context_lines":[{"line_number":103,"context_line":"* Add Location"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"  This will add a new location to an existing image."},{"line_number":106,"context_line":"  The request body will contain the location URL and an optional parameter,"},{"line_number":107,"context_line":"  ``do_checksum``, which will tell the API if we want to do the checksum or"},{"line_number":108,"context_line":"  not. The ``do_checksum`` flag is required by the HTTP Store to make it"},{"line_number":109,"context_line":"  compatible with new location add API."},{"line_number":110,"context_line":""},{"line_number":111,"context_line":"  POST /v2/images/{image_id}/locations"},{"line_number":112,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"453785a5_5d8f829f","line":109,"range":{"start_line":106,"start_character":0,"end_line":109,"end_character":38},"in_reply_to":"d3500e5e_361f6326","updated":"2022-11-28 12:36:01.000000000","message":"Yes the point was that the user does not need to go and download the image on their laptop and calculate it\u0027s needed hash to be able to get usable image out of it. Glance is perfectly capable of calcuating the hash upon image upolad (say web-download), so it should be able to calculate the hash on location create as well. Like everything, this should be store agnostic and there is no reason to artificially imit it to http-store only. That was just an exampe of the usecase.\n\nWhat comes to #4 we should alow it in my opinion and if both are provided (the vaidation data and \"do_secure_hash\" we shoud reject the image data if these two does not match.","commit_id":"d0019d25925c98b48862a0c56fc975c1c25e5852"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d704d1de9b83af013b58bafdd1cc007bfe6a8fe4","unresolved":true,"context_lines":[{"line_number":116,"context_line":""},{"line_number":117,"context_line":"        {"},{"line_number":118,"context_line":"            \"url\": \"cinder://lvmdriver-1/0f031ed1-5872-43d5-a638-4b0d07c10ab5\","},{"line_number":119,"context_line":"            \"do_checksum\": \"False\","},{"line_number":120,"context_line":"        }"},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"  * JSON response body"}],"source_content_type":"text/x-rst","patch_set":1,"id":"0fe85176_00d88d68","line":119,"range":{"start_line":119,"start_character":27,"end_line":119,"end_character":34},"updated":"2022-11-02 13:57:10.000000000","message":"I think you want a JSON boolean here, not a string, so\n\n  \"do_checksum\": false,","commit_id":"d0019d25925c98b48862a0c56fc975c1c25e5852"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f15e0c43c0ef1c3cbc05cd73f9c3c1e3e32da9fb","unresolved":false,"context_lines":[{"line_number":116,"context_line":""},{"line_number":117,"context_line":"        {"},{"line_number":118,"context_line":"            \"url\": \"cinder://lvmdriver-1/0f031ed1-5872-43d5-a638-4b0d07c10ab5\","},{"line_number":119,"context_line":"            \"do_checksum\": \"False\","},{"line_number":120,"context_line":"        }"},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"  * JSON response body"}],"source_content_type":"text/x-rst","patch_set":1,"id":"29ddb743_ac56bb23","line":119,"range":{"start_line":119,"start_character":27,"end_line":119,"end_character":34},"in_reply_to":"0fe85176_00d88d68","updated":"2022-11-04 09:09:17.000000000","message":"Done","commit_id":"d0019d25925c98b48862a0c56fc975c1c25e5852"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d704d1de9b83af013b58bafdd1cc007bfe6a8fe4","unresolved":true,"context_lines":[{"line_number":148,"context_line":"            {"},{"line_number":149,"context_line":"                \"url\": \"cinder://lvmdriver-1/0f031ed1-5872-43d5-a638-4b0d07c10ab5\","},{"line_number":150,"context_line":"                \"metadata\": \"{\u0027store\u0027: \u0027lvmdriver-1\u0027,"},{"line_number":151,"context_line":"                              \u0027do_checksum\u0027: \u0027False\u0027}\""},{"line_number":152,"context_line":"            },"},{"line_number":153,"context_line":"            {"},{"line_number":154,"context_line":"                \"url\": \"cinder://cephdriver-1/11b4fa9f-a44b-46c9-950c-0026c467252c\","}],"source_content_type":"text/x-rst","patch_set":1,"id":"51f68509_c8f8e4cd","line":151,"range":{"start_line":151,"start_character":30,"end_line":151,"end_character":52},"updated":"2022-11-02 13:57:10.000000000","message":"I really don\u0027t understand the do_checksum business.  Why is it included in the GET call?","commit_id":"d0019d25925c98b48862a0c56fc975c1c25e5852"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f15e0c43c0ef1c3cbc05cd73f9c3c1e3e32da9fb","unresolved":false,"context_lines":[{"line_number":148,"context_line":"            {"},{"line_number":149,"context_line":"                \"url\": \"cinder://lvmdriver-1/0f031ed1-5872-43d5-a638-4b0d07c10ab5\","},{"line_number":150,"context_line":"                \"metadata\": \"{\u0027store\u0027: \u0027lvmdriver-1\u0027,"},{"line_number":151,"context_line":"                              \u0027do_checksum\u0027: \u0027False\u0027}\""},{"line_number":152,"context_line":"            },"},{"line_number":153,"context_line":"            {"},{"line_number":154,"context_line":"                \"url\": \"cinder://cephdriver-1/11b4fa9f-a44b-46c9-950c-0026c467252c\","}],"source_content_type":"text/x-rst","patch_set":1,"id":"aa0ae23b_053e3e36","line":151,"range":{"start_line":151,"start_character":30,"end_line":151,"end_character":52},"in_reply_to":"51f68509_c8f8e4cd","updated":"2022-11-04 09:09:17.000000000","message":"Correct, it\u0027s not useful here so removed.","commit_id":"d0019d25925c98b48862a0c56fc975c1c25e5852"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"d704d1de9b83af013b58bafdd1cc007bfe6a8fe4","unresolved":true,"context_lines":[{"line_number":163,"context_line":"Security impact"},{"line_number":164,"context_line":"---------------"},{"line_number":165,"context_line":""},{"line_number":166,"context_line":"None. All APIs will only allow authorization to a context with ``service``"},{"line_number":167,"context_line":"role which will be only supplied by the consumer services of glance locations"},{"line_number":168,"context_line":"like cinder and nova."},{"line_number":169,"context_line":"There can be an exception to the above statement in the location Add API,"},{"line_number":170,"context_line":"which can allow image owners to access it, but we handle that case with an"},{"line_number":171,"context_line":"additional check of the image status so there shouldn\u0027t be any security"},{"line_number":172,"context_line":"concerns."},{"line_number":173,"context_line":""},{"line_number":174,"context_line":"Notifications impact"},{"line_number":175,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"933388d5_a31f7254","line":172,"range":{"start_line":166,"start_character":0,"end_line":172,"end_character":9},"updated":"2022-11-02 13:57:10.000000000","message":"I suggest rewriting this section to say something like this:\n\n  No worse than it is now, and possibly better.\n\n  1. The get-locations policy is restricted to the \u0027service\u0027 role,\n     so users will not be able to see image locations.  Thus with\n     \u0027show_multiple_locations\u0027 and \u0027show_direct_url\u0027 set to False,\n     the new get-locations API will not expose location information\n     to users.\n\n  2. The add-location policy is restricted by default to\n     image-owner-or-service.  This will allow end users to add a\n     location to an image to address current uses of this functionality\n     that we aren\u0027t aware of.  Even allowing this, the data-substitution\n     attack is blocked because the API call will only be allowed for an\n     image in \u0027queued\u0027 status.  The add-location API cannot be used to\n     add a location to an \u0027active\u0027 image and then delete the original\n     location, so the OSSN-0065 attack is not possible under this\n     scenario.\n\n     Further, the add-locations call (unlike the current method of\n     updating locations via PATCH), does not require the locations to\n     be visible to succeed.  Thus operators will be able to configure\n     Glance with \u0027show_multiple_locations\u0027 and \u0027show_direct_url\u0027 set\n     to False, even when other services are sharing a COW backend with\n     Glance and the operator wants an optimized workflow.","commit_id":"d0019d25925c98b48862a0c56fc975c1c25e5852"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f15e0c43c0ef1c3cbc05cd73f9c3c1e3e32da9fb","unresolved":false,"context_lines":[{"line_number":163,"context_line":"Security impact"},{"line_number":164,"context_line":"---------------"},{"line_number":165,"context_line":""},{"line_number":166,"context_line":"None. All APIs will only allow authorization to a context with ``service``"},{"line_number":167,"context_line":"role which will be only supplied by the consumer services of glance locations"},{"line_number":168,"context_line":"like cinder and nova."},{"line_number":169,"context_line":"There can be an exception to the above statement in the location Add API,"},{"line_number":170,"context_line":"which can allow image owners to access it, but we handle that case with an"},{"line_number":171,"context_line":"additional check of the image status so there shouldn\u0027t be any security"},{"line_number":172,"context_line":"concerns."},{"line_number":173,"context_line":""},{"line_number":174,"context_line":"Notifications impact"},{"line_number":175,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"4ada99f4_cce0bb2b","line":172,"range":{"start_line":166,"start_character":0,"end_line":172,"end_character":9},"in_reply_to":"933388d5_a31f7254","updated":"2022-11-04 09:09:17.000000000","message":"Done","commit_id":"d0019d25925c98b48862a0c56fc975c1c25e5852"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"5c961ea396534fcc8b60a87d5c17b1b301c46042","unresolved":true,"context_lines":[{"line_number":60,"context_line":"We will introduce 2 new policies, for each API performing different operations"},{"line_number":61,"context_line":"like add and get, as follows:"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"1. The ``add policy`` can default to the image owner or ``service`` role (when"},{"line_number":64,"context_line":"   it is implemented)."},{"line_number":65,"context_line":"2. The ``get policy`` will default to the ``service`` role for authorization."},{"line_number":66,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"1c67ff3d_11fe72dc","line":63,"range":{"start_line":63,"start_character":41,"end_line":63,"end_character":52},"updated":"2022-11-17 06:18:03.000000000","message":"how this will be default to image owner? are you saying role:member on project because owner field on image is nothing but the project/tenant (id) itself.","commit_id":"396ba5e88dc1f3a6f6cca22a1e649ad8ede26478"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f187b4d3b685048c7a0526467446b6f5417d1a2e","unresolved":true,"context_lines":[{"line_number":60,"context_line":"We will introduce 2 new policies, for each API performing different operations"},{"line_number":61,"context_line":"like add and get, as follows:"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"1. The ``add policy`` can default to the image owner or ``service`` role (when"},{"line_number":64,"context_line":"   it is implemented)."},{"line_number":65,"context_line":"2. The ``get policy`` will default to the ``service`` role for authorization."},{"line_number":66,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"4750ae04_99797f4f","line":63,"range":{"start_line":63,"start_character":41,"end_line":63,"end_character":52},"in_reply_to":"092d72fa_3592ea87","updated":"2022-12-02 13:31:03.000000000","message":"Yes, i didn\u0027t want to go very specific on the RBAC details but i think it also makes sense since we\u0027re mentioning the service role. will update this.","commit_id":"396ba5e88dc1f3a6f6cca22a1e649ad8ede26478"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"82f6773d0deb5120e98f73dac3cda8d1b54de8a4","unresolved":true,"context_lines":[{"line_number":60,"context_line":"We will introduce 2 new policies, for each API performing different operations"},{"line_number":61,"context_line":"like add and get, as follows:"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"1. The ``add policy`` can default to the image owner or ``service`` role (when"},{"line_number":64,"context_line":"   it is implemented)."},{"line_number":65,"context_line":"2. The ``get policy`` will default to the ``service`` role for authorization."},{"line_number":66,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9378df92_e7147ce0","line":63,"range":{"start_line":63,"start_character":41,"end_line":63,"end_character":52},"in_reply_to":"092d72fa_3592ea87","updated":"2022-12-02 07:29:47.000000000","message":"right.","commit_id":"396ba5e88dc1f3a6f6cca22a1e649ad8ede26478"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"a2f9679ce08ec9e3db3e13ee6d4e4469be83e9d6","unresolved":true,"context_lines":[{"line_number":60,"context_line":"We will introduce 2 new policies, for each API performing different operations"},{"line_number":61,"context_line":"like add and get, as follows:"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"1. The ``add policy`` can default to the image owner or ``service`` role (when"},{"line_number":64,"context_line":"   it is implemented)."},{"line_number":65,"context_line":"2. The ``get policy`` will default to the ``service`` role for authorization."},{"line_number":66,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"95596c44_abe291dc","line":63,"range":{"start_line":63,"start_character":41,"end_line":63,"end_character":52},"in_reply_to":"1c67ff3d_11fe72dc","updated":"2022-11-21 08:33:30.000000000","message":"Correct. the context will contain the user/tenant information and that will be used to do the policy check.","commit_id":"396ba5e88dc1f3a6f6cca22a1e649ad8ede26478"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"1891780d094bdc21cb16cbd0fd1dc9cf0026e8a0","unresolved":false,"context_lines":[{"line_number":60,"context_line":"We will introduce 2 new policies, for each API performing different operations"},{"line_number":61,"context_line":"like add and get, as follows:"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"1. The ``add policy`` can default to the image owner or ``service`` role (when"},{"line_number":64,"context_line":"   it is implemented)."},{"line_number":65,"context_line":"2. The ``get policy`` will default to the ``service`` role for authorization."},{"line_number":66,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"662a6b58_6cf63191","line":63,"range":{"start_line":63,"start_character":41,"end_line":63,"end_character":52},"in_reply_to":"4750ae04_99797f4f","updated":"2022-12-02 13:38:27.000000000","message":"Done","commit_id":"396ba5e88dc1f3a6f6cca22a1e649ad8ede26478"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1c4740d4d6da0237df470cccb04e7b9628dfb5ca","unresolved":true,"context_lines":[{"line_number":60,"context_line":"We will introduce 2 new policies, for each API performing different operations"},{"line_number":61,"context_line":"like add and get, as follows:"},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"1. The ``add policy`` can default to the image owner or ``service`` role (when"},{"line_number":64,"context_line":"   it is implemented)."},{"line_number":65,"context_line":"2. The ``get policy`` will default to the ``service`` role for authorization."},{"line_number":66,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"092d72fa_3592ea87","line":63,"range":{"start_line":63,"start_character":41,"end_line":63,"end_character":52},"in_reply_to":"95596c44_abe291dc","updated":"2022-11-30 14:56:00.000000000","message":"so to be precise the policy rule will be something like \"project_member or role(service)\"","commit_id":"396ba5e88dc1f3a6f6cca22a1e649ad8ede26478"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"5c961ea396534fcc8b60a87d5c17b1b301c46042","unresolved":true,"context_lines":[{"line_number":66,"context_line":""},{"line_number":67,"context_line":"Along with the new ``add policy``, we will add a check in the location add API"},{"line_number":68,"context_line":"code to check the status of image and only add location if it is in QUEUED"},{"line_number":69,"context_line":"state. Adding location when the image is in ACTIVE state will be disallowed"},{"line_number":70,"context_line":"with the new location add API. This is done in order to prevent malicious"},{"line_number":71,"context_line":"users from modifying the image location again and again since the location"},{"line_number":72,"context_line":"added for the first time is the correct one as far as Glance is concerned."}],"source_content_type":"text/x-rst","patch_set":2,"id":"9f4cfab3_0b2174ba","line":69,"range":{"start_line":69,"start_character":44,"end_line":69,"end_character":50},"updated":"2022-11-17 06:18:03.000000000","message":"I think other than ACTIVE like staging/importing/uploading etc also needs to be considered here","commit_id":"396ba5e88dc1f3a6f6cca22a1e649ad8ede26478"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"a2f9679ce08ec9e3db3e13ee6d4e4469be83e9d6","unresolved":false,"context_lines":[{"line_number":66,"context_line":""},{"line_number":67,"context_line":"Along with the new ``add policy``, we will add a check in the location add API"},{"line_number":68,"context_line":"code to check the status of image and only add location if it is in QUEUED"},{"line_number":69,"context_line":"state. Adding location when the image is in ACTIVE state will be disallowed"},{"line_number":70,"context_line":"with the new location add API. This is done in order to prevent malicious"},{"line_number":71,"context_line":"users from modifying the image location again and again since the location"},{"line_number":72,"context_line":"added for the first time is the correct one as far as Glance is concerned."}],"source_content_type":"text/x-rst","patch_set":2,"id":"207b1a28_f2376046","line":69,"range":{"start_line":69,"start_character":44,"end_line":69,"end_character":50},"in_reply_to":"9f4cfab3_0b2174ba","updated":"2022-11-21 08:33:30.000000000","message":"Done","commit_id":"396ba5e88dc1f3a6f6cca22a1e649ad8ede26478"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"5c961ea396534fcc8b60a87d5c17b1b301c46042","unresolved":true,"context_lines":[{"line_number":85,"context_line":"   Nova can create an image record in Glance, snapshot a server image"},{"line_number":86,"context_line":"   directly in the backend, and set the location on the image record."},{"line_number":87,"context_line":"   This use case is covered by the new add-location call, and having"},{"line_number":88,"context_line":"   its default policy be image owner or service."},{"line_number":89,"context_line":"2. A user wants to have a single image record, but have image data"},{"line_number":90,"context_line":"   stored in multiple locations for locality (i.e., to have image"},{"line_number":91,"context_line":"   data as close as possible to where it\u0027s consumed)."}],"source_content_type":"text/x-rst","patch_set":2,"id":"432ff825_c9a7919d","line":88,"updated":"2022-11-17 06:18:03.000000000","message":"nit: you can put a blank line between two points","commit_id":"396ba5e88dc1f3a6f6cca22a1e649ad8ede26478"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"a2f9679ce08ec9e3db3e13ee6d4e4469be83e9d6","unresolved":false,"context_lines":[{"line_number":85,"context_line":"   Nova can create an image record in Glance, snapshot a server image"},{"line_number":86,"context_line":"   directly in the backend, and set the location on the image record."},{"line_number":87,"context_line":"   This use case is covered by the new add-location call, and having"},{"line_number":88,"context_line":"   its default policy be image owner or service."},{"line_number":89,"context_line":"2. A user wants to have a single image record, but have image data"},{"line_number":90,"context_line":"   stored in multiple locations for locality (i.e., to have image"},{"line_number":91,"context_line":"   data as close as possible to where it\u0027s consumed)."}],"source_content_type":"text/x-rst","patch_set":2,"id":"bc96fd67_3277fc84","line":88,"in_reply_to":"432ff825_c9a7919d","updated":"2022-11-21 08:33:30.000000000","message":"Done","commit_id":"396ba5e88dc1f3a6f6cca22a1e649ad8ede26478"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"5c961ea396534fcc8b60a87d5c17b1b301c46042","unresolved":true,"context_lines":[{"line_number":160,"context_line":"                          \u0027do_secure_hash\u0027: false}\""},{"line_number":161,"context_line":"        }"},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"    - Error - 409 (Location already exists), 403 (Forbidden for users)"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"* Get Location(s)"},{"line_number":166,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"966ac041_98394003","line":163,"range":{"start_line":163,"start_character":6,"end_line":163,"end_character":70},"updated":"2022-11-17 06:18:03.000000000","message":"404 if image is not in queued state?","commit_id":"396ba5e88dc1f3a6f6cca22a1e649ad8ede26478"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"a2f9679ce08ec9e3db3e13ee6d4e4469be83e9d6","unresolved":false,"context_lines":[{"line_number":160,"context_line":"                          \u0027do_secure_hash\u0027: false}\""},{"line_number":161,"context_line":"        }"},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"    - Error - 409 (Location already exists), 403 (Forbidden for users)"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"* Get Location(s)"},{"line_number":166,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"366e8959_53c3b2e7","line":163,"range":{"start_line":163,"start_character":6,"end_line":163,"end_character":70},"in_reply_to":"966ac041_98394003","updated":"2022-11-21 08:33:30.000000000","message":"I think 400 BadRequest would be better suited for this case. will add it in next PS.","commit_id":"396ba5e88dc1f3a6f6cca22a1e649ad8ede26478"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"5c961ea396534fcc8b60a87d5c17b1b301c46042","unresolved":true,"context_lines":[{"line_number":184,"context_line":"            }"},{"line_number":185,"context_line":"        ]"},{"line_number":186,"context_line":""},{"line_number":187,"context_line":"    - Error - 404 (Image ID does not exist)"},{"line_number":188,"context_line":""},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":2,"id":"05be8329_308bf69e","line":187,"range":{"start_line":187,"start_character":0,"end_line":187,"end_character":43},"updated":"2022-11-17 06:18:03.000000000","message":"403 for normal users?","commit_id":"396ba5e88dc1f3a6f6cca22a1e649ad8ede26478"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"a2f9679ce08ec9e3db3e13ee6d4e4469be83e9d6","unresolved":false,"context_lines":[{"line_number":184,"context_line":"            }"},{"line_number":185,"context_line":"        ]"},{"line_number":186,"context_line":""},{"line_number":187,"context_line":"    - Error - 404 (Image ID does not exist)"},{"line_number":188,"context_line":""},{"line_number":189,"context_line":""},{"line_number":190,"context_line":"Security impact"}],"source_content_type":"text/x-rst","patch_set":2,"id":"38944f30_40ffd444","line":187,"range":{"start_line":187,"start_character":0,"end_line":187,"end_character":43},"in_reply_to":"05be8329_308bf69e","updated":"2022-11-21 08:33:30.000000000","message":"Done","commit_id":"396ba5e88dc1f3a6f6cca22a1e649ad8ede26478"},{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"fd68da74a43f82cc9aede368ba7d73f199374e20","unresolved":true,"context_lines":[{"line_number":71,"context_line":"the image location again and again since the location added for the first time"},{"line_number":72,"context_line":"is the correct one as far as Glance is concerned."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"When multiple image locations support was added, Glance had only a single"},{"line_number":75,"context_line":"image store.  Since Train, Glance has multiple stores support, and we have"},{"line_number":76,"context_line":"added API calls that allow users to manipulate data locality with respect"},{"line_number":77,"context_line":"to store."},{"line_number":78,"context_line":"Further, a store is an opaque identifier, whereas an image location"}],"source_content_type":"text/x-rst","patch_set":3,"id":"d9f3ef2a_a7e9b35f","line":75,"range":{"start_line":74,"start_character":0,"end_line":75,"end_character":12},"updated":"2022-11-28 12:36:01.000000000","message":"I know Brian asked to add this here, but I would remove it as it\u0027s not exactly correct and I think tryin to explain it any way here is not going to help anyone. Multi-store support brougth support of multiple store instances of same store type, even before you could have had multiple different store drivers configured simultaneously and it was totally supported configuration. The multiple image locations just allowed the image to be stored in different stores simultaneously.","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"1891780d094bdc21cb16cbd0fd1dc9cf0026e8a0","unresolved":false,"context_lines":[{"line_number":71,"context_line":"the image location again and again since the location added for the first time"},{"line_number":72,"context_line":"is the correct one as far as Glance is concerned."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"When multiple image locations support was added, Glance had only a single"},{"line_number":75,"context_line":"image store.  Since Train, Glance has multiple stores support, and we have"},{"line_number":76,"context_line":"added API calls that allow users to manipulate data locality with respect"},{"line_number":77,"context_line":"to store."},{"line_number":78,"context_line":"Further, a store is an opaque identifier, whereas an image location"}],"source_content_type":"text/x-rst","patch_set":3,"id":"dca83216_7f000c6f","line":75,"range":{"start_line":74,"start_character":0,"end_line":75,"end_character":12},"in_reply_to":"73271f16_d1c35a1a","updated":"2022-12-02 13:38:27.000000000","message":"Done","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"da16aab0056dd151215aa9b18c38bf447e38dc29","unresolved":true,"context_lines":[{"line_number":71,"context_line":"the image location again and again since the location added for the first time"},{"line_number":72,"context_line":"is the correct one as far as Glance is concerned."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"When multiple image locations support was added, Glance had only a single"},{"line_number":75,"context_line":"image store.  Since Train, Glance has multiple stores support, and we have"},{"line_number":76,"context_line":"added API calls that allow users to manipulate data locality with respect"},{"line_number":77,"context_line":"to store."},{"line_number":78,"context_line":"Further, a store is an opaque identifier, whereas an image location"}],"source_content_type":"text/x-rst","patch_set":3,"id":"73271f16_d1c35a1a","line":75,"range":{"start_line":74,"start_character":0,"end_line":75,"end_character":12},"in_reply_to":"c575f1e5_16cbd040","updated":"2022-11-28 18:46:27.000000000","message":"Erno is correct.  I suggest replacing that sentence with:\n\n  End-user access to image locations via the Image API is no longer necessary.","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"ac684f5c7dbe0f3555d4b8783b3a3af62a492a31","unresolved":true,"context_lines":[{"line_number":71,"context_line":"the image location again and again since the location added for the first time"},{"line_number":72,"context_line":"is the correct one as far as Glance is concerned."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"When multiple image locations support was added, Glance had only a single"},{"line_number":75,"context_line":"image store.  Since Train, Glance has multiple stores support, and we have"},{"line_number":76,"context_line":"added API calls that allow users to manipulate data locality with respect"},{"line_number":77,"context_line":"to store."},{"line_number":78,"context_line":"Further, a store is an opaque identifier, whereas an image location"}],"source_content_type":"text/x-rst","patch_set":3,"id":"c575f1e5_16cbd040","line":75,"range":{"start_line":74,"start_character":0,"end_line":75,"end_character":12},"in_reply_to":"d9f3ef2a_a7e9b35f","updated":"2022-11-28 18:35:36.000000000","message":"If Brian thinks this doesn\u0027t add much value as Erno mentioned, I will remove it.","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"da16aab0056dd151215aa9b18c38bf447e38dc29","unresolved":true,"context_lines":[{"line_number":76,"context_line":"added API calls that allow users to manipulate data locality with respect"},{"line_number":77,"context_line":"to store."},{"line_number":78,"context_line":"Further, a store is an opaque identifier, whereas an image location"},{"line_number":79,"context_line":"exposes backend details that users don\u0027t need to know."},{"line_number":80,"context_line":"Here are the current use cases for the direct manipulation of image"},{"line_number":81,"context_line":"locations along with an explanation of how they can be handled by the"},{"line_number":82,"context_line":"new Location API."}],"source_content_type":"text/x-rst","patch_set":3,"id":"785fe12d_404e1e90","line":79,"updated":"2022-11-28 18:46:27.000000000","message":"Suggestion: add a blank line here so that line 80 starts a new paragraph.","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"c4916c40c870200467449a2d7fec86f4a0a5d026","unresolved":false,"context_lines":[{"line_number":76,"context_line":"added API calls that allow users to manipulate data locality with respect"},{"line_number":77,"context_line":"to store."},{"line_number":78,"context_line":"Further, a store is an opaque identifier, whereas an image location"},{"line_number":79,"context_line":"exposes backend details that users don\u0027t need to know."},{"line_number":80,"context_line":"Here are the current use cases for the direct manipulation of image"},{"line_number":81,"context_line":"locations along with an explanation of how they can be handled by the"},{"line_number":82,"context_line":"new Location API."}],"source_content_type":"text/x-rst","patch_set":3,"id":"18880ff2_39cd1ecd","line":79,"in_reply_to":"785fe12d_404e1e90","updated":"2022-11-30 12:48:00.000000000","message":"Done","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":8122,"name":"Cyril Roelandt","email":"cyril@redhat.com","username":"cyril.roelandt.enovance"},"change_message_id":"f58e1ea81a3ade8a40f09685d6452bfb21ed89e4","unresolved":true,"context_lines":[{"line_number":98,"context_line":""},{"line_number":99,"context_line":"   In this workflow, Glance itself manipulates the image locations; there"},{"line_number":100,"context_line":"   is no need for the user to interact with locations directly."},{"line_number":101,"context_line":"3. An operator wants to introduce a new storage backend and decommission"},{"line_number":102,"context_line":"   the current backend while keeping the same image catalog."},{"line_number":103,"context_line":"   Similar to #2, this can be handled by using the copy-image import"},{"line_number":104,"context_line":"   method and the delete-image-from-store API call introduced in v2.10."}],"source_content_type":"text/x-rst","patch_set":3,"id":"38fd852e_2b0baeaa","line":101,"range":{"start_line":101,"start_character":3,"end_line":101,"end_character":5},"updated":"2022-11-24 01:10:44.000000000","message":"Nitpick: please add a line break before the third point.","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"c4916c40c870200467449a2d7fec86f4a0a5d026","unresolved":false,"context_lines":[{"line_number":98,"context_line":""},{"line_number":99,"context_line":"   In this workflow, Glance itself manipulates the image locations; there"},{"line_number":100,"context_line":"   is no need for the user to interact with locations directly."},{"line_number":101,"context_line":"3. An operator wants to introduce a new storage backend and decommission"},{"line_number":102,"context_line":"   the current backend while keeping the same image catalog."},{"line_number":103,"context_line":"   Similar to #2, this can be handled by using the copy-image import"},{"line_number":104,"context_line":"   method and the delete-image-from-store API call introduced in v2.10."}],"source_content_type":"text/x-rst","patch_set":3,"id":"e402e07c_1e418dad","line":101,"range":{"start_line":101,"start_character":3,"end_line":101,"end_character":5},"in_reply_to":"38fd852e_2b0baeaa","updated":"2022-11-30 12:48:00.000000000","message":"Done","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"fd68da74a43f82cc9aede368ba7d73f199374e20","unresolved":true,"context_lines":[{"line_number":201,"context_line":"   the new get-locations API will not expose location information"},{"line_number":202,"context_line":"   to users."},{"line_number":203,"context_line":"2. The add-location policy is restricted by default to"},{"line_number":204,"context_line":"   image-owner-or-service.  This will allow end users to add a"},{"line_number":205,"context_line":"   location to an image to address current uses of this functionality"},{"line_number":206,"context_line":"   that we aren\u0027t aware of.  Even allowing this, the data-substitution"},{"line_number":207,"context_line":"   attack is blocked because the API call will only be allowed for an"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa8f644_a8f36b59","line":204,"range":{"start_line":204,"start_character":3,"end_line":204,"end_character":25},"updated":"2022-11-28 12:36:01.000000000","message":"Not sure if there is a reason to default the write part to service at all. Actual use-case examples why all location creations should not be done with the user credentials?","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"c4916c40c870200467449a2d7fec86f4a0a5d026","unresolved":false,"context_lines":[{"line_number":201,"context_line":"   the new get-locations API will not expose location information"},{"line_number":202,"context_line":"   to users."},{"line_number":203,"context_line":"2. The add-location policy is restricted by default to"},{"line_number":204,"context_line":"   image-owner-or-service.  This will allow end users to add a"},{"line_number":205,"context_line":"   location to an image to address current uses of this functionality"},{"line_number":206,"context_line":"   that we aren\u0027t aware of.  Even allowing this, the data-substitution"},{"line_number":207,"context_line":"   attack is blocked because the API call will only be allowed for an"}],"source_content_type":"text/x-rst","patch_set":3,"id":"5e171891_1426f4b0","line":204,"range":{"start_line":204,"start_character":3,"end_line":204,"end_character":25},"in_reply_to":"137e0e9e_b4e1cac9","updated":"2022-11-30 12:48:00.000000000","message":"Done","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"ac684f5c7dbe0f3555d4b8783b3a3af62a492a31","unresolved":true,"context_lines":[{"line_number":201,"context_line":"   the new get-locations API will not expose location information"},{"line_number":202,"context_line":"   to users."},{"line_number":203,"context_line":"2. The add-location policy is restricted by default to"},{"line_number":204,"context_line":"   image-owner-or-service.  This will allow end users to add a"},{"line_number":205,"context_line":"   location to an image to address current uses of this functionality"},{"line_number":206,"context_line":"   that we aren\u0027t aware of.  Even allowing this, the data-substitution"},{"line_number":207,"context_line":"   attack is blocked because the API call will only be allowed for an"}],"source_content_type":"text/x-rst","patch_set":3,"id":"137e0e9e_b4e1cac9","line":204,"range":{"start_line":204,"start_character":3,"end_line":204,"end_character":25},"in_reply_to":"3fa8f644_a8f36b59","updated":"2022-11-28 18:35:36.000000000","message":"Makes sense, the first image location registered should be by end user only. will update it.","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":8122,"name":"Cyril Roelandt","email":"cyril@redhat.com","username":"cyril.roelandt.enovance"},"change_message_id":"f58e1ea81a3ade8a40f09685d6452bfb21ed89e4","unresolved":true,"context_lines":[{"line_number":205,"context_line":"   location to an image to address current uses of this functionality"},{"line_number":206,"context_line":"   that we aren\u0027t aware of.  Even allowing this, the data-substitution"},{"line_number":207,"context_line":"   attack is blocked because the API call will only be allowed for an"},{"line_number":208,"context_line":"   image in \u0027queued\u0027 status.  The add-location API cannot be used to"},{"line_number":209,"context_line":"   add a location to an image in other states and then delete the original"},{"line_number":210,"context_line":"   location, so the OSSN-0065 attack is not possible under this"},{"line_number":211,"context_line":"   scenario."}],"source_content_type":"text/x-rst","patch_set":3,"id":"2404ccea_d72d8288","line":208,"range":{"start_line":208,"start_character":13,"end_line":208,"end_character":19},"updated":"2022-11-24 01:10:44.000000000","message":"Sometimes, users reports bugs in which their images are stuck in the \"queued\" state. Wouldn\u0027t they become vulnerable to this attack, then?","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"503198d44c972bcc41e7791ff2b7495e89c40f34","unresolved":false,"context_lines":[{"line_number":205,"context_line":"   location to an image to address current uses of this functionality"},{"line_number":206,"context_line":"   that we aren\u0027t aware of.  Even allowing this, the data-substitution"},{"line_number":207,"context_line":"   attack is blocked because the API call will only be allowed for an"},{"line_number":208,"context_line":"   image in \u0027queued\u0027 status.  The add-location API cannot be used to"},{"line_number":209,"context_line":"   add a location to an image in other states and then delete the original"},{"line_number":210,"context_line":"   location, so the OSSN-0065 attack is not possible under this"},{"line_number":211,"context_line":"   scenario."}],"source_content_type":"text/x-rst","patch_set":3,"id":"6e81ce79_0dfea463","line":208,"range":{"start_line":208,"start_character":13,"end_line":208,"end_character":19},"in_reply_to":"15910980_2dc845be","updated":"2022-12-19 18:46:17.000000000","message":"Ack","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"fd68da74a43f82cc9aede368ba7d73f199374e20","unresolved":true,"context_lines":[{"line_number":205,"context_line":"   location to an image to address current uses of this functionality"},{"line_number":206,"context_line":"   that we aren\u0027t aware of.  Even allowing this, the data-substitution"},{"line_number":207,"context_line":"   attack is blocked because the API call will only be allowed for an"},{"line_number":208,"context_line":"   image in \u0027queued\u0027 status.  The add-location API cannot be used to"},{"line_number":209,"context_line":"   add a location to an image in other states and then delete the original"},{"line_number":210,"context_line":"   location, so the OSSN-0065 attack is not possible under this"},{"line_number":211,"context_line":"   scenario."}],"source_content_type":"text/x-rst","patch_set":3,"id":"4438bba9_35f0a5f0","line":208,"range":{"start_line":208,"start_character":13,"end_line":208,"end_character":19},"in_reply_to":"2404ccea_d72d8288","updated":"2022-11-28 12:36:01.000000000","message":"I don\u0027t see how this would be relevant as the image has never got to a usable state, so there is no substitution attack vector there or am I missing something?","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"ac684f5c7dbe0f3555d4b8783b3a3af62a492a31","unresolved":true,"context_lines":[{"line_number":205,"context_line":"   location to an image to address current uses of this functionality"},{"line_number":206,"context_line":"   that we aren\u0027t aware of.  Even allowing this, the data-substitution"},{"line_number":207,"context_line":"   attack is blocked because the API call will only be allowed for an"},{"line_number":208,"context_line":"   image in \u0027queued\u0027 status.  The add-location API cannot be used to"},{"line_number":209,"context_line":"   add a location to an image in other states and then delete the original"},{"line_number":210,"context_line":"   location, so the OSSN-0065 attack is not possible under this"},{"line_number":211,"context_line":"   scenario."}],"source_content_type":"text/x-rst","patch_set":3,"id":"6d194002_b5c0fe61","line":208,"range":{"start_line":208,"start_character":13,"end_line":208,"end_character":19},"in_reply_to":"4438bba9_35f0a5f0","updated":"2022-11-28 18:35:36.000000000","message":"I think a case to consider here is (and pardon me if my assumption about glance is wrong), when we create an empty image i.e. ``glance image-create`` and we later want to update it with import plugin to make it a usable image. In that case, the amount of time the image is in queued state makes it vulnerable to attacks? Although it\u0027s not usable at the moment but later if user tries to modify it then do we need a case here to reject it? if state \u003d\u003d queued and len(locations) \u003e 0 ?\n\nNot sure if it makes total sense but just a case I thought about.","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"6bdf540f913af2158372a3cc6a68bc2897ec9e1f","unresolved":true,"context_lines":[{"line_number":205,"context_line":"   location to an image to address current uses of this functionality"},{"line_number":206,"context_line":"   that we aren\u0027t aware of.  Even allowing this, the data-substitution"},{"line_number":207,"context_line":"   attack is blocked because the API call will only be allowed for an"},{"line_number":208,"context_line":"   image in \u0027queued\u0027 status.  The add-location API cannot be used to"},{"line_number":209,"context_line":"   add a location to an image in other states and then delete the original"},{"line_number":210,"context_line":"   location, so the OSSN-0065 attack is not possible under this"},{"line_number":211,"context_line":"   scenario."}],"source_content_type":"text/x-rst","patch_set":3,"id":"15910980_2dc845be","line":208,"range":{"start_line":208,"start_character":13,"end_line":208,"end_character":19},"in_reply_to":"6884972f_989e0932","updated":"2022-12-15 12:02:54.000000000","message":"@Rajat one cannot consume queued image, so no what comes to the related vulnerability this is not concern. There is also no way AFAIK to create an image that would have locations and stay queued and there should not be after this new API either.\n\n@Cyril there is no \"image go back to usable state\" when it never has been active. Should we introduce such a bug, it\u0027s the problem at that time to also fix it.","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":8122,"name":"Cyril Roelandt","email":"cyril@redhat.com","username":"cyril.roelandt.enovance"},"change_message_id":"42ef94cac96e86a79227058ca189f993a5b1d811","unresolved":true,"context_lines":[{"line_number":205,"context_line":"   location to an image to address current uses of this functionality"},{"line_number":206,"context_line":"   that we aren\u0027t aware of.  Even allowing this, the data-substitution"},{"line_number":207,"context_line":"   attack is blocked because the API call will only be allowed for an"},{"line_number":208,"context_line":"   image in \u0027queued\u0027 status.  The add-location API cannot be used to"},{"line_number":209,"context_line":"   add a location to an image in other states and then delete the original"},{"line_number":210,"context_line":"   location, so the OSSN-0065 attack is not possible under this"},{"line_number":211,"context_line":"   scenario."}],"source_content_type":"text/x-rst","patch_set":3,"id":"6884972f_989e0932","line":208,"range":{"start_line":208,"start_character":13,"end_line":208,"end_character":19},"in_reply_to":"6d194002_b5c0fe61","updated":"2022-11-29 19:22:39.000000000","message":"@Erno: I don\u0027t have a full working scenario, just poking at something to see if there might be an issue. Wouldn\u0027t it somehow be possible to:\n\n1) Have a newly created image in the queued state because of a bug/outage\n2) Have an attacker add a location to that image while it\u0027s queued\n3) Have the image go back to a usable state with this unwanted location?\n\n\nWhat about Rajat\u0027s scenario?","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"fd68da74a43f82cc9aede368ba7d73f199374e20","unresolved":true,"context_lines":[{"line_number":224,"context_line":"Other end user impact"},{"line_number":225,"context_line":"---------------------"},{"line_number":226,"context_line":""},{"line_number":227,"context_line":"Since the new APIs are for service to service interaction, there is not much"},{"line_number":228,"context_line":"value to expose them via CLI. We will add methods to the client"},{"line_number":229,"context_line":"(that will call the new location APIs) that will be used by other services"},{"line_number":230,"context_line":"like cinder and nova but those methods won\u0027t be exposed via the shell to end"},{"line_number":231,"context_line":"users. End users can still use the existing commands (that internally calls"},{"line_number":232,"context_line":"the image-update API) to perform operations on locations:"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"* ``glance location-add:`` Add a location (and related metadata) to an image."},{"line_number":235,"context_line":"* ``glance location-delete:`` Remove locations (and related metadata) from an image."},{"line_number":236,"context_line":"* ``glance location-update:`` Update metadata of an image\u0027s location."},{"line_number":237,"context_line":""},{"line_number":238,"context_line":"Performance Impact"},{"line_number":239,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"306139e9_d54333fb","line":236,"range":{"start_line":227,"start_character":0,"end_line":236,"end_character":69},"updated":"2022-11-28 12:36:01.000000000","message":"We shoud have cient functionality included.\n\nAdding the location (say the http-store case) is valid use of the api by end-user directly.\n\nWhy should be expect consuming service to implement their own client feature for this instead of using the glanceclient to add and list locations. The list part does not need to be exposed on the CLI, but shoud be available in the client.","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"ac684f5c7dbe0f3555d4b8783b3a3af62a492a31","unresolved":true,"context_lines":[{"line_number":224,"context_line":"Other end user impact"},{"line_number":225,"context_line":"---------------------"},{"line_number":226,"context_line":""},{"line_number":227,"context_line":"Since the new APIs are for service to service interaction, there is not much"},{"line_number":228,"context_line":"value to expose them via CLI. We will add methods to the client"},{"line_number":229,"context_line":"(that will call the new location APIs) that will be used by other services"},{"line_number":230,"context_line":"like cinder and nova but those methods won\u0027t be exposed via the shell to end"},{"line_number":231,"context_line":"users. End users can still use the existing commands (that internally calls"},{"line_number":232,"context_line":"the image-update API) to perform operations on locations:"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"* ``glance location-add:`` Add a location (and related metadata) to an image."},{"line_number":235,"context_line":"* ``glance location-delete:`` Remove locations (and related metadata) from an image."},{"line_number":236,"context_line":"* ``glance location-update:`` Update metadata of an image\u0027s location."},{"line_number":237,"context_line":""},{"line_number":238,"context_line":"Performance Impact"},{"line_number":239,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"5cebc2f7_ebbb012a","line":236,"range":{"start_line":227,"start_character":0,"end_line":236,"end_character":69},"in_reply_to":"306139e9_d54333fb","updated":"2022-11-28 18:35:36.000000000","message":"Maybe the wordings might not be 100% accurate but the paragraph describes how you said. We will implement methods on the glanceclient side that will not be exposed via the CLI but will be used by glance and other consumer services to access location APIs.\nI will add the HTTP case here as well.","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"c4916c40c870200467449a2d7fec86f4a0a5d026","unresolved":true,"context_lines":[{"line_number":224,"context_line":"Other end user impact"},{"line_number":225,"context_line":"---------------------"},{"line_number":226,"context_line":""},{"line_number":227,"context_line":"Since the new APIs are for service to service interaction, there is not much"},{"line_number":228,"context_line":"value to expose them via CLI. We will add methods to the client"},{"line_number":229,"context_line":"(that will call the new location APIs) that will be used by other services"},{"line_number":230,"context_line":"like cinder and nova but those methods won\u0027t be exposed via the shell to end"},{"line_number":231,"context_line":"users. End users can still use the existing commands (that internally calls"},{"line_number":232,"context_line":"the image-update API) to perform operations on locations:"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"* ``glance location-add:`` Add a location (and related metadata) to an image."},{"line_number":235,"context_line":"* ``glance location-delete:`` Remove locations (and related metadata) from an image."},{"line_number":236,"context_line":"* ``glance location-update:`` Update metadata of an image\u0027s location."},{"line_number":237,"context_line":""},{"line_number":238,"context_line":"Performance Impact"},{"line_number":239,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"5da1cdba_3b45777f","line":236,"range":{"start_line":227,"start_character":0,"end_line":236,"end_character":69},"in_reply_to":"5cebc2f7_ebbb012a","updated":"2022-11-30 12:48:00.000000000","message":"While writing this, I got a little confused. How do we want to expose the functionality to add location for the HTTP store case?\n1) add a new command for the API\n2) Modify the existing command to add this functionality?","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"6bdf540f913af2158372a3cc6a68bc2897ec9e1f","unresolved":true,"context_lines":[{"line_number":224,"context_line":"Other end user impact"},{"line_number":225,"context_line":"---------------------"},{"line_number":226,"context_line":""},{"line_number":227,"context_line":"Since the new APIs are for service to service interaction, there is not much"},{"line_number":228,"context_line":"value to expose them via CLI. We will add methods to the client"},{"line_number":229,"context_line":"(that will call the new location APIs) that will be used by other services"},{"line_number":230,"context_line":"like cinder and nova but those methods won\u0027t be exposed via the shell to end"},{"line_number":231,"context_line":"users. End users can still use the existing commands (that internally calls"},{"line_number":232,"context_line":"the image-update API) to perform operations on locations:"},{"line_number":233,"context_line":""},{"line_number":234,"context_line":"* ``glance location-add:`` Add a location (and related metadata) to an image."},{"line_number":235,"context_line":"* ``glance location-delete:`` Remove locations (and related metadata) from an image."},{"line_number":236,"context_line":"* ``glance location-update:`` Update metadata of an image\u0027s location."},{"line_number":237,"context_line":""},{"line_number":238,"context_line":"Performance Impact"},{"line_number":239,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"e68775f5_7b6005cc","line":236,"range":{"start_line":227,"start_character":0,"end_line":236,"end_character":69},"in_reply_to":"5da1cdba_3b45777f","updated":"2022-12-15 12:02:54.000000000","message":"I think we indeed need new method for the API and new command for the CLI.","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"fd68da74a43f82cc9aede368ba7d73f199374e20","unresolved":true,"context_lines":[{"line_number":248,"context_line":"Developer impact"},{"line_number":249,"context_line":"----------------"},{"line_number":250,"context_line":""},{"line_number":251,"context_line":"Consumers like Cinder, Nova and HTTP store need to implement code to call the"},{"line_number":252,"context_line":"new APIs for location operations."},{"line_number":253,"context_line":""},{"line_number":254,"context_line":"Implementation"},{"line_number":255,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"a6cee9ff_22ae192f","line":252,"range":{"start_line":251,"start_character":51,"end_line":252,"end_character":8},"updated":"2022-11-28 12:36:01.000000000","message":"modify code to call the new client functions to access the API","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"c4916c40c870200467449a2d7fec86f4a0a5d026","unresolved":false,"context_lines":[{"line_number":248,"context_line":"Developer impact"},{"line_number":249,"context_line":"----------------"},{"line_number":250,"context_line":""},{"line_number":251,"context_line":"Consumers like Cinder, Nova and HTTP store need to implement code to call the"},{"line_number":252,"context_line":"new APIs for location operations."},{"line_number":253,"context_line":""},{"line_number":254,"context_line":"Implementation"},{"line_number":255,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"053f0f1b_7a292fd2","line":252,"range":{"start_line":251,"start_character":51,"end_line":252,"end_character":8},"in_reply_to":"a6cee9ff_22ae192f","updated":"2022-11-30 12:48:00.000000000","message":"Done","commit_id":"7982d4754fcbe7921f6215610033c1546a82b480"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d073ee9dd44df39a202c1656c5a0118143816427","unresolved":true,"context_lines":[{"line_number":51,"context_line":""},{"line_number":52,"context_line":"3. Remove ``show_multiple_locations`` config option when it is no longer"},{"line_number":53,"context_line":"   required by other services (cinder/nova) to perform operations on"},{"line_number":54,"context_line":"   locations."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"The config option ``show_multiple_locations`` has been deprecated since Newton"},{"line_number":57,"context_line":"but we will keep the config option until the consumers of glance locations"}],"source_content_type":"text/x-rst","patch_set":4,"id":"0539698e_7db35a98","line":54,"updated":"2022-11-29 19:45:08.000000000","message":"Even though it\u0027s been deprecated for a long time, it\u0027s been a bit unfair, as it has to be enabled for a very (very) common deployment arrangement. I think we need to be nice and not remove it for a good while to make sure there\u0027s plenty of time to transition. I don\u0027t expect there\u0027s much pain involved in keeping it around, so shouldn\u0027t be a problem.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1c4740d4d6da0237df470cccb04e7b9628dfb5ca","unresolved":true,"context_lines":[{"line_number":51,"context_line":""},{"line_number":52,"context_line":"3. Remove ``show_multiple_locations`` config option when it is no longer"},{"line_number":53,"context_line":"   required by other services (cinder/nova) to perform operations on"},{"line_number":54,"context_line":"   locations."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"The config option ``show_multiple_locations`` has been deprecated since Newton"},{"line_number":57,"context_line":"but we will keep the config option until the consumers of glance locations"}],"source_content_type":"text/x-rst","patch_set":4,"id":"13136936_01ef6a22","line":54,"in_reply_to":"0539698e_7db35a98","updated":"2022-11-30 14:56:00.000000000","message":"the config option has been deprecated yes but i dont think we can remove that in the A cycle. we can do it in the B cycle once we have had at least one release for operators to upgrade to a nova/cinder that supprots the new apis\n\nso it would be good to make phase 3 a B or C release task","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f187b4d3b685048c7a0526467446b6f5417d1a2e","unresolved":true,"context_lines":[{"line_number":51,"context_line":""},{"line_number":52,"context_line":"3. Remove ``show_multiple_locations`` config option when it is no longer"},{"line_number":53,"context_line":"   required by other services (cinder/nova) to perform operations on"},{"line_number":54,"context_line":"   locations."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"The config option ``show_multiple_locations`` has been deprecated since Newton"},{"line_number":57,"context_line":"but we will keep the config option until the consumers of glance locations"}],"source_content_type":"text/x-rst","patch_set":4,"id":"82ed68d3_fdd25024","line":54,"in_reply_to":"13136936_01ef6a22","updated":"2022-12-02 13:31:03.000000000","message":"Once we move all consumers i.e. nova, cinder, http store to using the new locations API, I don\u0027t think there is any use case left for users to make good use of this config option. Having said that, we will wait a release after implementing the new location APIs and then move the consumers to using it so it will automatically have a gap. I will mention it here.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"1891780d094bdc21cb16cbd0fd1dc9cf0026e8a0","unresolved":false,"context_lines":[{"line_number":51,"context_line":""},{"line_number":52,"context_line":"3. Remove ``show_multiple_locations`` config option when it is no longer"},{"line_number":53,"context_line":"   required by other services (cinder/nova) to perform operations on"},{"line_number":54,"context_line":"   locations."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"The config option ``show_multiple_locations`` has been deprecated since Newton"},{"line_number":57,"context_line":"but we will keep the config option until the consumers of glance locations"}],"source_content_type":"text/x-rst","patch_set":4,"id":"a5cf8160_81b091e5","line":54,"in_reply_to":"82ed68d3_fdd25024","updated":"2022-12-02 13:38:27.000000000","message":"Done","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1c4740d4d6da0237df470cccb04e7b9628dfb5ca","unresolved":true,"context_lines":[{"line_number":55,"context_line":""},{"line_number":56,"context_line":"The config option ``show_multiple_locations`` has been deprecated since Newton"},{"line_number":57,"context_line":"but we will keep the config option until the consumers of glance locations"},{"line_number":58,"context_line":"(nova, cinder, http store etc) start using the new location APIs."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"We will introduce 2 new policies, for each API performing different operations"},{"line_number":61,"context_line":"like add and get, as follows:"}],"source_content_type":"text/x-rst","patch_set":4,"id":"73841f36_b57b7201","line":58,"updated":"2022-11-30 14:56:00.000000000","message":"deprecated yes but unless we make the multiple locations always shown it would be a breaking change and major regression to remove it without the new feature so yes we will need to keep it until the consuemers have been updated to use this new api.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f187b4d3b685048c7a0526467446b6f5417d1a2e","unresolved":false,"context_lines":[{"line_number":55,"context_line":""},{"line_number":56,"context_line":"The config option ``show_multiple_locations`` has been deprecated since Newton"},{"line_number":57,"context_line":"but we will keep the config option until the consumers of glance locations"},{"line_number":58,"context_line":"(nova, cinder, http store etc) start using the new location APIs."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"We will introduce 2 new policies, for each API performing different operations"},{"line_number":61,"context_line":"like add and get, as follows:"}],"source_content_type":"text/x-rst","patch_set":4,"id":"bc16ede3_eb80b639","line":58,"in_reply_to":"73841f36_b57b7201","updated":"2022-12-02 13:31:03.000000000","message":"Yes, that\u0027s the idea here.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1c4740d4d6da0237df470cccb04e7b9628dfb5ca","unresolved":true,"context_lines":[{"line_number":64,"context_line":"   it is implemented)."},{"line_number":65,"context_line":"2. The ``get policy`` will default to the ``service`` role for authorization."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"Along with the new ``add policy``, we will add a check in the location add API"},{"line_number":68,"context_line":"code to check the status of image and only add location if it is in ``QUEUED``"},{"line_number":69,"context_line":"state and adding location when the image is in other states will be"},{"line_number":70,"context_line":"disallowed. This is done in order to prevent malicious users from modifying"}],"source_content_type":"text/x-rst","patch_set":4,"id":"6fbc861c_29317f59","line":67,"range":{"start_line":67,"start_character":21,"end_line":67,"end_character":24},"updated":"2022-11-30 14:56:00.000000000","message":"add is a little imprecise by the way\n\ni assume you mean the policy usee for create/update or post/put request to the api endpoint\n\nin osc terminoloty this woudl be somethin like\n\nopenstack image location set \u003cimage\u003e  \u003curi\u003e","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f187b4d3b685048c7a0526467446b6f5417d1a2e","unresolved":true,"context_lines":[{"line_number":64,"context_line":"   it is implemented)."},{"line_number":65,"context_line":"2. The ``get policy`` will default to the ``service`` role for authorization."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"Along with the new ``add policy``, we will add a check in the location add API"},{"line_number":68,"context_line":"code to check the status of image and only add location if it is in ``QUEUED``"},{"line_number":69,"context_line":"state and adding location when the image is in other states will be"},{"line_number":70,"context_line":"disallowed. This is done in order to prevent malicious users from modifying"}],"source_content_type":"text/x-rst","patch_set":4,"id":"f477bd41_1cf66af3","line":67,"range":{"start_line":67,"start_character":21,"end_line":67,"end_character":24},"in_reply_to":"6fbc861c_29317f59","updated":"2022-12-02 13:31:03.000000000","message":"Don\u0027t mind changing it but we\u0027ve used the same convention across the spec so if there is a strong objection to changing this to create_update, I would like to keep it same.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"503198d44c972bcc41e7791ff2b7495e89c40f34","unresolved":false,"context_lines":[{"line_number":64,"context_line":"   it is implemented)."},{"line_number":65,"context_line":"2. The ``get policy`` will default to the ``service`` role for authorization."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"Along with the new ``add policy``, we will add a check in the location add API"},{"line_number":68,"context_line":"code to check the status of image and only add location if it is in ``QUEUED``"},{"line_number":69,"context_line":"state and adding location when the image is in other states will be"},{"line_number":70,"context_line":"disallowed. This is done in order to prevent malicious users from modifying"}],"source_content_type":"text/x-rst","patch_set":4,"id":"8fa36646_9f0ac4ff","line":67,"range":{"start_line":67,"start_character":21,"end_line":67,"end_character":24},"in_reply_to":"72f1c651_da4f2c85","updated":"2022-12-19 18:46:17.000000000","message":"Done","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"6bdf540f913af2158372a3cc6a68bc2897ec9e1f","unresolved":true,"context_lines":[{"line_number":64,"context_line":"   it is implemented)."},{"line_number":65,"context_line":"2. The ``get policy`` will default to the ``service`` role for authorization."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"Along with the new ``add policy``, we will add a check in the location add API"},{"line_number":68,"context_line":"code to check the status of image and only add location if it is in ``QUEUED``"},{"line_number":69,"context_line":"state and adding location when the image is in other states will be"},{"line_number":70,"context_line":"disallowed. This is done in order to prevent malicious users from modifying"}],"source_content_type":"text/x-rst","patch_set":4,"id":"72f1c651_da4f2c85","line":67,"range":{"start_line":67,"start_character":21,"end_line":67,"end_character":24},"in_reply_to":"f477bd41_1cf66af3","updated":"2022-12-15 12:02:54.000000000","message":"I think it\u0027s also more consistent with the rest of the Glance policies.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1c4740d4d6da0237df470cccb04e7b9628dfb5ca","unresolved":true,"context_lines":[{"line_number":69,"context_line":"state and adding location when the image is in other states will be"},{"line_number":70,"context_line":"disallowed. This is done in order to prevent malicious users from modifying"},{"line_number":71,"context_line":"the image location again and again since the location added for the first time"},{"line_number":72,"context_line":"is the correct one as far as Glance is concerned."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"When multiple image locations support was added, Glance had only a single"},{"line_number":75,"context_line":"image store.  Since Train, Glance has multiple stores support, and we have"}],"source_content_type":"text/x-rst","patch_set":4,"id":"ac55ce53_618e214c","line":72,"updated":"2022-11-30 14:56:00.000000000","message":"is this going to be a race. what will transition the image form queued to another state.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"503198d44c972bcc41e7791ff2b7495e89c40f34","unresolved":false,"context_lines":[{"line_number":69,"context_line":"state and adding location when the image is in other states will be"},{"line_number":70,"context_line":"disallowed. This is done in order to prevent malicious users from modifying"},{"line_number":71,"context_line":"the image location again and again since the location added for the first time"},{"line_number":72,"context_line":"is the correct one as far as Glance is concerned."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"When multiple image locations support was added, Glance had only a single"},{"line_number":75,"context_line":"image store.  Since Train, Glance has multiple stores support, and we have"}],"source_content_type":"text/x-rst","patch_set":4,"id":"348f35e2_4aecc450","line":72,"in_reply_to":"00a5f01e_6629af46","updated":"2022-12-19 18:46:17.000000000","message":"Thanks Abhishek for explaining, will mark it as done.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"82f6773d0deb5120e98f73dac3cda8d1b54de8a4","unresolved":true,"context_lines":[{"line_number":69,"context_line":"state and adding location when the image is in other states will be"},{"line_number":70,"context_line":"disallowed. This is done in order to prevent malicious users from modifying"},{"line_number":71,"context_line":"the image location again and again since the location added for the first time"},{"line_number":72,"context_line":"is the correct one as far as Glance is concerned."},{"line_number":73,"context_line":""},{"line_number":74,"context_line":"When multiple image locations support was added, Glance had only a single"},{"line_number":75,"context_line":"image store.  Since Train, Glance has multiple stores support, and we have"}],"source_content_type":"text/x-rst","patch_set":4,"id":"00a5f01e_6629af46","line":72,"in_reply_to":"ac55ce53_618e214c","updated":"2022-12-02 07:29:47.000000000","message":"image upload, image stage (both PUT calls) and location add (PATCH call), will transition the image from queued to another state (either saving/uploading or active state)\n\nBelow are the valid transitions for image from queued state.\n\n\u0027queued\u0027: (\u0027saving\u0027, \u0027uploading\u0027, \u0027importing\u0027, \u0027active\u0027, \u0027deleted\u0027),","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1c4740d4d6da0237df470cccb04e7b9628dfb5ca","unresolved":true,"context_lines":[{"line_number":86,"context_line":"   Nova can create an image record in Glance, snapshot a server image"},{"line_number":87,"context_line":"   directly in the backend, and set the location on the image record."},{"line_number":88,"context_line":"   This use case is covered by the new add-location call, and having"},{"line_number":89,"context_line":"   its default policy be image owner or service."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"2. A user wants to have a single image record, but have image data"},{"line_number":92,"context_line":"   stored in multiple locations for locality (i.e., to have image"}],"source_content_type":"text/x-rst","patch_set":4,"id":"b58ab93b_64f0ab86","line":89,"updated":"2022-11-30 14:56:00.000000000","message":"so your relying on the project member token for an exiplcit snapshot.\n\nnova for better or worse allso you to schdule automatic snapshots.\ni hae not looked at how that is implemted today but that presumabel is not using\nthe user token so for that to work we would need to have the service role.\n\ni suspect that this is using the default credentials we have in the keystone_auth section but i woudl have to check that.\n\nthat backup functionality could break on upgrade if its converted to the new api but we dont have the crediteals in our config so this is one place we will need to be carful of on the nova side.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"6bdf540f913af2158372a3cc6a68bc2897ec9e1f","unresolved":true,"context_lines":[{"line_number":86,"context_line":"   Nova can create an image record in Glance, snapshot a server image"},{"line_number":87,"context_line":"   directly in the backend, and set the location on the image record."},{"line_number":88,"context_line":"   This use case is covered by the new add-location call, and having"},{"line_number":89,"context_line":"   its default policy be image owner or service."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"2. A user wants to have a single image record, but have image data"},{"line_number":92,"context_line":"   stored in multiple locations for locality (i.e., to have image"}],"source_content_type":"text/x-rst","patch_set":4,"id":"487c0293_6300df55","line":89,"in_reply_to":"1ac232df_1e81744b","updated":"2022-12-15 12:02:54.000000000","message":"@Sean I\u0027m pretty sure it\u0027s using the user token, or simply does not work, as far as I know that\u0027s the only credential we support in the Glance side.\n\nDo you have a test that would indicate otherwise you could share?","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"ba085f8aa0e05998bb789c722cebcea6599c354f","unresolved":true,"context_lines":[{"line_number":86,"context_line":"   Nova can create an image record in Glance, snapshot a server image"},{"line_number":87,"context_line":"   directly in the backend, and set the location on the image record."},{"line_number":88,"context_line":"   This use case is covered by the new add-location call, and having"},{"line_number":89,"context_line":"   its default policy be image owner or service."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"2. A user wants to have a single image record, but have image data"},{"line_number":92,"context_line":"   stored in multiple locations for locality (i.e., to have image"}],"source_content_type":"text/x-rst","patch_set":4,"id":"5b09e67c_6c9278cb","line":89,"in_reply_to":"487c0293_6300df55","updated":"2022-12-15 13:16:40.000000000","message":"ill see if i can find one but this is an api that has existed in nova since very very early releases maybe even pre glance as a project.\n\nwe do not have glance creditals in our config and a user token woudl expire if we stored it so unless we are using the service_user token + the expired user token im not sure how this works today.\n\ni think we have coverage fo this in tempest but our tempest jobs woudl not run long enough for the token to expire.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"6e5f5fb7f7ca58abec0f6c954a3dae46c1be3ca1","unresolved":true,"context_lines":[{"line_number":86,"context_line":"   Nova can create an image record in Glance, snapshot a server image"},{"line_number":87,"context_line":"   directly in the backend, and set the location on the image record."},{"line_number":88,"context_line":"   This use case is covered by the new add-location call, and having"},{"line_number":89,"context_line":"   its default policy be image owner or service."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"2. A user wants to have a single image record, but have image data"},{"line_number":92,"context_line":"   stored in multiple locations for locality (i.e., to have image"}],"source_content_type":"text/x-rst","patch_set":4,"id":"79681731_34e063c3","line":89,"in_reply_to":"b58ab93b_64f0ab86","updated":"2022-12-01 20:03:44.000000000","message":"That\u0027s a good point, glad you noticed it.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f187b4d3b685048c7a0526467446b6f5417d1a2e","unresolved":true,"context_lines":[{"line_number":86,"context_line":"   Nova can create an image record in Glance, snapshot a server image"},{"line_number":87,"context_line":"   directly in the backend, and set the location on the image record."},{"line_number":88,"context_line":"   This use case is covered by the new add-location call, and having"},{"line_number":89,"context_line":"   its default policy be image owner or service."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"2. A user wants to have a single image record, but have image data"},{"line_number":92,"context_line":"   stored in multiple locations for locality (i.e., to have image"}],"source_content_type":"text/x-rst","patch_set":4,"id":"1ac232df_1e81744b","line":89,"in_reply_to":"b58ab93b_64f0ab86","updated":"2022-12-02 13:31:03.000000000","message":"We can consider this in the nova spec (it looks likely we need to write one).","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d073ee9dd44df39a202c1656c5a0118143816427","unresolved":true,"context_lines":[{"line_number":102,"context_line":"3. An operator wants to introduce a new storage backend and decommission"},{"line_number":103,"context_line":"   the current backend while keeping the same image catalog."},{"line_number":104,"context_line":"   Similar to #2, this can be handled by using the copy-image import"},{"line_number":105,"context_line":"   method and the delete-image-from-store API call introduced in v2.10."},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"Following APIs are not being implemented:"},{"line_number":108,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"082bb93d_19cf069f","line":105,"updated":"2022-11-29 19:45:08.000000000","message":"Maybe I\u0027m missing it, but if I host my image on a protected HTTP server and only point glance at it, I can\u0027t use copy-image to move to a new server right? If I want to keep my image unchanged (from the user\u0027s point of view) but move the referring URI to a different server, how would I do that without an \"add and delete old\" procedure?","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1c4740d4d6da0237df470cccb04e7b9628dfb5ca","unresolved":true,"context_lines":[{"line_number":102,"context_line":"3. An operator wants to introduce a new storage backend and decommission"},{"line_number":103,"context_line":"   the current backend while keeping the same image catalog."},{"line_number":104,"context_line":"   Similar to #2, this can be handled by using the copy-image import"},{"line_number":105,"context_line":"   method and the delete-image-from-store API call introduced in v2.10."},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"Following APIs are not being implemented:"},{"line_number":108,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"ee1da650_993e91b3","line":105,"in_reply_to":"082bb93d_19cf069f","updated":"2022-11-30 14:56:00.000000000","message":"so  procedure 3 would only work for images that are not stored on cinder or ceph right.\n\nif it was on ceph the delete form store would either not work or be unsafe if nova had created vms from that image usign the thin clone.\n\nsame for volume backed images.\n\nif we have created volumes form that then the backing\nvolume for the image cant safely be removed.\n\nit would be fine form movign between the filestore and swift backend for example.\nbut when COW is used its problematic.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"503198d44c972bcc41e7791ff2b7495e89c40f34","unresolved":true,"context_lines":[{"line_number":102,"context_line":"3. An operator wants to introduce a new storage backend and decommission"},{"line_number":103,"context_line":"   the current backend while keeping the same image catalog."},{"line_number":104,"context_line":"   Similar to #2, this can be handled by using the copy-image import"},{"line_number":105,"context_line":"   method and the delete-image-from-store API call introduced in v2.10."},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"Following APIs are not being implemented:"},{"line_number":108,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"ee951a82_a7f66d33","line":105,"in_reply_to":"491edb13_5e889e85","updated":"2022-12-19 18:46:17.000000000","message":"For the RBD store, when using COW cloning, because of the dependency chain, the image delete will fail.\nFrom a cinder store perspective, we use the clone functionality of backends to create new images from existing ones (optimized path). As Brian mentioned, unless we\u0027ve a dependency chain on the backend side, we should probably be able to delete the image else the delete will fail until we flatten the children.\nI will mention these cases but as Erno pointed out, that is not in the scope of the spec but just additional details.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"6bdf540f913af2158372a3cc6a68bc2897ec9e1f","unresolved":true,"context_lines":[{"line_number":102,"context_line":"3. An operator wants to introduce a new storage backend and decommission"},{"line_number":103,"context_line":"   the current backend while keeping the same image catalog."},{"line_number":104,"context_line":"   Similar to #2, this can be handled by using the copy-image import"},{"line_number":105,"context_line":"   method and the delete-image-from-store API call introduced in v2.10."},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"Following APIs are not being implemented:"},{"line_number":108,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"491edb13_5e889e85","line":105,"in_reply_to":"ddb59e15_c103491b","updated":"2022-12-15 12:02:54.000000000","message":"@Dan correct, just like you can\u0027t use image-upload or image import to read-only web store either.\n\n@Sean About right indeed, will not change from the current situation. There\u0027s ways around that, but I really don\u0027t think changing that behaviour is in scope of this spec.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"6e5f5fb7f7ca58abec0f6c954a3dae46c1be3ca1","unresolved":true,"context_lines":[{"line_number":102,"context_line":"3. An operator wants to introduce a new storage backend and decommission"},{"line_number":103,"context_line":"   the current backend while keeping the same image catalog."},{"line_number":104,"context_line":"   Similar to #2, this can be handled by using the copy-image import"},{"line_number":105,"context_line":"   method and the delete-image-from-store API call introduced in v2.10."},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"Following APIs are not being implemented:"},{"line_number":108,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"ddb59e15_c103491b","line":105,"in_reply_to":"ee1da650_993e91b3","updated":"2022-12-01 20:03:44.000000000","message":"@Dan: I guess you\u0027re right.  HTTP store is read only, so if you want to move from one HTTP store to another HTTP store, you can\u0027t use copy-image.  So I guess this needs some more thought.\n\n@Sean: Right, as far as getting the image data, the RBD or cinder store will give you a complete image when you download it from glance.  Hopefully, the delete-from-store will fail if the image is still in use on the backend as part of a dependency chain.  I think what you\u0027d have to do is use copy-image-to-store to load the new store and then set up the location_strategy to supply the new store first (though I don\u0027t know if nova would respect that when using a common ceph backing store).  But the idea is that you would let the old backend drain.  Not sure how plausible that is.\n\nAlso, it looks like the current location_strategy has not been updated for glance multi-store (you can order by store type, but not by store name, unless you write custom code).","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"c72be23c7778e23df3a094655b19561d016ed79f","unresolved":false,"context_lines":[{"line_number":102,"context_line":"3. An operator wants to introduce a new storage backend and decommission"},{"line_number":103,"context_line":"   the current backend while keeping the same image catalog."},{"line_number":104,"context_line":"   Similar to #2, this can be handled by using the copy-image import"},{"line_number":105,"context_line":"   method and the delete-image-from-store API call introduced in v2.10."},{"line_number":106,"context_line":""},{"line_number":107,"context_line":"Following APIs are not being implemented:"},{"line_number":108,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"a3d0f354_913ed9df","line":105,"in_reply_to":"ee951a82_a7f66d33","updated":"2022-12-19 18:48:36.000000000","message":"Done","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1c4740d4d6da0237df470cccb04e7b9628dfb5ca","unresolved":true,"context_lines":[{"line_number":120,"context_line":"Alternatives"},{"line_number":121,"context_line":"------------"},{"line_number":122,"context_line":""},{"line_number":123,"context_line":"None"},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"Data model impact"},{"line_number":126,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"48fb60d1_1c8a7f89","line":123,"range":{"start_line":123,"start_character":0,"end_line":123,"end_character":4},"updated":"2022-11-30 14:56:00.000000000","message":"the alternitive is much simpler\n\nremove the config option for multiple locations and filter the image show results by role.\n\nin nova there are many field on the server that are only show if you are an admin\n\nso you coudl just make the image location files visable to a \"admin_or_service\" role policy rule.\n\n\nfor example OS-EXT-SRV-ATTR:hostname  is only show to admin users\n\nhttps://docs.openstack.org/api-ref/compute/?expanded\u003dshow-server-details-detail#show-server-details\n\nyou could do exactly the same for the location field in \nhttps://docs.openstack.org/api-ref/image/v2/?expanded\u003dshow-image-detail#images\n\nnova would still need to have a credetial for glance with the admin or ideally service role and we woudl have to be carful to use that when reading the location but there woudl be no client changes(glanceclient, openstack client)","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f187b4d3b685048c7a0526467446b6f5417d1a2e","unresolved":true,"context_lines":[{"line_number":120,"context_line":"Alternatives"},{"line_number":121,"context_line":"------------"},{"line_number":122,"context_line":""},{"line_number":123,"context_line":"None"},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"Data model impact"},{"line_number":126,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"b736445a_e5a0befe","line":123,"range":{"start_line":123,"start_character":0,"end_line":123,"end_character":4},"in_reply_to":"48fb60d1_1c8a7f89","updated":"2022-12-02 13:31:03.000000000","message":"That is a good alternative and also the initial proposal of this spec. Erno had some concerns[1] with it and we had to change a lot but it\u0027s not at all bad for an alternative.\n\n[1] https://review.opendev.org/c/openstack/glance-specs/+/840882/2..15/specs/zed/approved/glance/new-location-info-apis.rst#b199","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"1891780d094bdc21cb16cbd0fd1dc9cf0026e8a0","unresolved":false,"context_lines":[{"line_number":120,"context_line":"Alternatives"},{"line_number":121,"context_line":"------------"},{"line_number":122,"context_line":""},{"line_number":123,"context_line":"None"},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"Data model impact"},{"line_number":126,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"6c5f32ca_3a625799","line":123,"range":{"start_line":123,"start_character":0,"end_line":123,"end_character":4},"in_reply_to":"b736445a_e5a0befe","updated":"2022-12-02 13:38:27.000000000","message":"Done","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d073ee9dd44df39a202c1656c5a0118143816427","unresolved":true,"context_lines":[{"line_number":137,"context_line":"  This will add a new location to an existing image."},{"line_number":138,"context_line":"  The request body will contain the location URL and an optional parameter,"},{"line_number":139,"context_line":"  ``do_secure_hash``, which will tell the API if we want to do the checksum or"},{"line_number":140,"context_line":"  not. The ``do_secure_hash`` flag is required by the HTTP Store to make it"},{"line_number":141,"context_line":"  compatible with new location add API."},{"line_number":142,"context_line":"  We will allow ``validation data`` [3]_ to be passed in case of HTTP store"},{"line_number":143,"context_line":"  else glance will calculate the image hash. If both ``do_secure_hash`` and"},{"line_number":144,"context_line":"  ``validation data`` are passed, then we will compare them and fail the"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9bb827c5_fed53c71","line":141,"range":{"start_line":140,"start_character":7,"end_line":141,"end_character":39},"updated":"2022-11-29 19:45:08.000000000","message":"The hash will take a long time... What is the state of the image while this is happening? And how will we expose that it\u0027s progressing/finished/failed?\n\nSee my note below about doing this a different way.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f187b4d3b685048c7a0526467446b6f5417d1a2e","unresolved":true,"context_lines":[{"line_number":137,"context_line":"  This will add a new location to an existing image."},{"line_number":138,"context_line":"  The request body will contain the location URL and an optional parameter,"},{"line_number":139,"context_line":"  ``do_secure_hash``, which will tell the API if we want to do the checksum or"},{"line_number":140,"context_line":"  not. The ``do_secure_hash`` flag is required by the HTTP Store to make it"},{"line_number":141,"context_line":"  compatible with new location add API."},{"line_number":142,"context_line":"  We will allow ``validation data`` [3]_ to be passed in case of HTTP store"},{"line_number":143,"context_line":"  else glance will calculate the image hash. If both ``do_secure_hash`` and"},{"line_number":144,"context_line":"  ``validation data`` are passed, then we will compare them and fail the"}],"source_content_type":"text/x-rst","patch_set":4,"id":"f168faf8_f7a78b29","line":141,"range":{"start_line":140,"start_character":7,"end_line":141,"end_character":39},"in_reply_to":"9bb827c5_fed53c71","updated":"2022-12-02 13:31:03.000000000","message":"The image remains in \"QUEUED\" state.\nThis is a good question since IIUC, initial image record is in QUEUED state and we do the staging or import call on the QUEUED image to transition it to importing, saving and active state.\nAlso we don\u0027t want to add a location until we\u0027ve the image created by the glance store driver.\nIn this case I assume, we will first upload/import the image and then move the image to QUEUED state, after the hash is calculated, we will move it to ACTIVE state but would be good to get the confirmation from glance team about implementation details (as I won\u0027t be implementing this).","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"c72be23c7778e23df3a094655b19561d016ed79f","unresolved":false,"context_lines":[{"line_number":137,"context_line":"  This will add a new location to an existing image."},{"line_number":138,"context_line":"  The request body will contain the location URL and an optional parameter,"},{"line_number":139,"context_line":"  ``do_secure_hash``, which will tell the API if we want to do the checksum or"},{"line_number":140,"context_line":"  not. The ``do_secure_hash`` flag is required by the HTTP Store to make it"},{"line_number":141,"context_line":"  compatible with new location add API."},{"line_number":142,"context_line":"  We will allow ``validation data`` [3]_ to be passed in case of HTTP store"},{"line_number":143,"context_line":"  else glance will calculate the image hash. If both ``do_secure_hash`` and"},{"line_number":144,"context_line":"  ``validation data`` are passed, then we will compare them and fail the"}],"source_content_type":"text/x-rst","patch_set":4,"id":"eaf54d26_36ddace6","line":141,"range":{"start_line":140,"start_character":7,"end_line":141,"end_character":39},"in_reply_to":"f168faf8_f7a78b29","updated":"2022-12-19 18:48:36.000000000","message":"Done","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d073ee9dd44df39a202c1656c5a0118143816427","unresolved":true,"context_lines":[{"line_number":193,"context_line":"        ]"},{"line_number":194,"context_line":""},{"line_number":195,"context_line":"    - Error - 404 (Image ID does not exist), 403 (Forbidden for normal users)"},{"line_number":196,"context_line":""},{"line_number":197,"context_line":""},{"line_number":198,"context_line":"Security impact"},{"line_number":199,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"6b2e0a11_ac8c2d4d","line":196,"updated":"2022-11-29 19:45:08.000000000","message":"Can you add some explanation here of what the image state transitions look like? I\u0027m assuming it\u0027s \"queued\" -\u003e \"active\" when setting the first location. If so, I think we should document that, and cover my question about the many minutes between the two while we hash images over http.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"c72be23c7778e23df3a094655b19561d016ed79f","unresolved":false,"context_lines":[{"line_number":193,"context_line":"        ]"},{"line_number":194,"context_line":""},{"line_number":195,"context_line":"    - Error - 404 (Image ID does not exist), 403 (Forbidden for normal users)"},{"line_number":196,"context_line":""},{"line_number":197,"context_line":""},{"line_number":198,"context_line":"Security impact"},{"line_number":199,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"a42d05f3_18ee04ca","line":196,"in_reply_to":"132f35d9_fc1cd365","updated":"2022-12-19 18:48:36.000000000","message":"Done","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f187b4d3b685048c7a0526467446b6f5417d1a2e","unresolved":true,"context_lines":[{"line_number":193,"context_line":"        ]"},{"line_number":194,"context_line":""},{"line_number":195,"context_line":"    - Error - 404 (Image ID does not exist), 403 (Forbidden for normal users)"},{"line_number":196,"context_line":""},{"line_number":197,"context_line":""},{"line_number":198,"context_line":"Security impact"},{"line_number":199,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"132f35d9_fc1cd365","line":196,"in_reply_to":"6b2e0a11_ac8c2d4d","updated":"2022-12-02 13:31:03.000000000","message":"I think we need to discuss it again since i was under the assumption that after saving, import, upload etc states, the image again moves to queued state which doesn\u0027t seem to be the case given in this diagram\n\nhttps://github.com/openstack/glance/blob/8fc9b653936de840371a1cec914d298c131f1575/doc/source/images/image_status_transition.png","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d073ee9dd44df39a202c1656c5a0118143816427","unresolved":true,"context_lines":[{"line_number":204,"context_line":"   so users will not be able to see image locations.  Thus with"},{"line_number":205,"context_line":"   \u0027show_multiple_locations\u0027 and \u0027show_direct_url\u0027 set to False,"},{"line_number":206,"context_line":"   the new get-locations API will not expose location information"},{"line_number":207,"context_line":"   to users."},{"line_number":208,"context_line":"2. The add-location policy is restricted by default to image-owner."},{"line_number":209,"context_line":"   This will allow end users to add a location to an image to address"},{"line_number":210,"context_line":"   current uses of this functionality that we aren\u0027t aware of."}],"source_content_type":"text/x-rst","patch_set":4,"id":"bef7e520_1550b63a","line":207,"updated":"2022-11-29 19:45:08.000000000","message":"Today, Nova has no service user credentials for talking to glance and does not discriminate between two methods of looking at anything in the image code.\n\nHave you sanity-checked this approach with the nova team? And who will be making the nova changes?","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"ba085f8aa0e05998bb789c722cebcea6599c354f","unresolved":true,"context_lines":[{"line_number":204,"context_line":"   so users will not be able to see image locations.  Thus with"},{"line_number":205,"context_line":"   \u0027show_multiple_locations\u0027 and \u0027show_direct_url\u0027 set to False,"},{"line_number":206,"context_line":"   the new get-locations API will not expose location information"},{"line_number":207,"context_line":"   to users."},{"line_number":208,"context_line":"2. The add-location policy is restricted by default to image-owner."},{"line_number":209,"context_line":"   This will allow end users to add a location to an image to address"},{"line_number":210,"context_line":"   current uses of this functionality that we aren\u0027t aware of."}],"source_content_type":"text/x-rst","patch_set":4,"id":"b9f53177_588bea39","line":207,"in_reply_to":"6fa2db28_1b687962","updated":"2022-12-15 13:16:40.000000000","message":"this is a very very old feature in nova\nand there are tempest tests https://github.com/openstack/tempest/blob/edd5a4cba37e94579ac5583b5bce38109c14bf75/tempest/api/compute/servers/test_server_actions.py#L475-L596\n\nhowever i dont think any of our jobs configure the keystone token lifetiem short enough with a short enough backupt time for the token to expire and the backup to run.\n\nthe create backup api predates microversion so its juno or liketly older.\n\nwe will need to adress this in any nova spec for this change.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"6bdf540f913af2158372a3cc6a68bc2897ec9e1f","unresolved":true,"context_lines":[{"line_number":204,"context_line":"   so users will not be able to see image locations.  Thus with"},{"line_number":205,"context_line":"   \u0027show_multiple_locations\u0027 and \u0027show_direct_url\u0027 set to False,"},{"line_number":206,"context_line":"   the new get-locations API will not expose location information"},{"line_number":207,"context_line":"   to users."},{"line_number":208,"context_line":"2. The add-location policy is restricted by default to image-owner."},{"line_number":209,"context_line":"   This will allow end users to add a location to an image to address"},{"line_number":210,"context_line":"   current uses of this functionality that we aren\u0027t aware of."}],"source_content_type":"text/x-rst","patch_set":4,"id":"6fa2db28_1b687962","line":207,"in_reply_to":"a8fade6e_ff992a18","updated":"2022-12-15 12:02:54.000000000","message":"@Sean do you have tempest test or something of this feature you could share or is this one of those Nova side \"we would want to do in way X but it was never implemented or tested\"-things? AFAIK Glance does not have anything in the Images API that would have supported this so far nor have I seen any proposals for such, so I do think it should also not be a change tat is in the scope of this spec.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1c4740d4d6da0237df470cccb04e7b9628dfb5ca","unresolved":true,"context_lines":[{"line_number":204,"context_line":"   so users will not be able to see image locations.  Thus with"},{"line_number":205,"context_line":"   \u0027show_multiple_locations\u0027 and \u0027show_direct_url\u0027 set to False,"},{"line_number":206,"context_line":"   the new get-locations API will not expose location information"},{"line_number":207,"context_line":"   to users."},{"line_number":208,"context_line":"2. The add-location policy is restricted by default to image-owner."},{"line_number":209,"context_line":"   This will allow end users to add a location to an image to address"},{"line_number":210,"context_line":"   current uses of this functionality that we aren\u0027t aware of."}],"source_content_type":"text/x-rst","patch_set":4,"id":"fb719faf_49f05173","line":207,"in_reply_to":"bef7e520_1550b63a","updated":"2022-11-30 14:56:00.000000000","message":"we should idealy have a sibling nova spec for the nova specific part that are required.\n\nthat said there is not much time between now and milestone 2 on january 5th to propose, review and appove a spec at this point.\n\nthe aspect we will care most about will be the cow thin clone funcitonaltiy for ceph and bfv with volume backed images.\nthe upgrade impact (ensuring no config change are required to maintain existing functionality)  when moving form zed to antilope.\nand posisble the interaction with the backup api/snapshots.\n\n\nhttps://docs.openstack.org/api-ref/compute/?expanded\u003dcreate-server-back-up-createbackup-action-detail#create-server-back-up-createbackup-action\n\n{\n    \"createBackup\": {\n        \"name\": \"Backup 1\",\n        \"backup_type\": \"daily\",\n        \"rotation\": 1\n    }\n}\n\nthis snapshot will not be created with a user token.\n\nit might be using the service_user token \nhttps://docs.openstack.org/nova/latest/configuration/config.html#service_user.username\n\n\nwe woudl have to look into that as its not clear how this is workign today looking at the config but we need to ensure that we dont break it.\n\nthe service_user is optional but also not intended for this usecase.\nso we will need to start adding auth info to the glance section to do this properly.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f187b4d3b685048c7a0526467446b6f5417d1a2e","unresolved":true,"context_lines":[{"line_number":204,"context_line":"   so users will not be able to see image locations.  Thus with"},{"line_number":205,"context_line":"   \u0027show_multiple_locations\u0027 and \u0027show_direct_url\u0027 set to False,"},{"line_number":206,"context_line":"   the new get-locations API will not expose location information"},{"line_number":207,"context_line":"   to users."},{"line_number":208,"context_line":"2. The add-location policy is restricted by default to image-owner."},{"line_number":209,"context_line":"   This will allow end users to add a location to an image to address"},{"line_number":210,"context_line":"   current uses of this functionality that we aren\u0027t aware of."}],"source_content_type":"text/x-rst","patch_set":4,"id":"a8fade6e_ff992a18","line":207,"in_reply_to":"fb719faf_49f05173","updated":"2022-12-02 13:31:03.000000000","message":"Thanks for providing use cases from nova\u0027s perspective. The idea here is to first implement the new APIs in glance and then target and work on the nova and cinder changes to adapt the new APIs. We could also provide a cycle difference between the two efforts.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d073ee9dd44df39a202c1656c5a0118143816427","unresolved":true,"context_lines":[{"line_number":232,"context_line":"value to expose them via glanceclient CLI. However, we will add methods to"},{"line_number":233,"context_line":"the glanceclient (that will call the new location APIs) that will be used by"},{"line_number":234,"context_line":"other consumer services like cinder and nova but those methods won\u0027t be"},{"line_number":235,"context_line":"exposed via the shell to end users. We will allow end users to add the"},{"line_number":236,"context_line":"location in case of HTTP store."},{"line_number":237,"context_line":"End users can still use the existing commands (that internally calls the image-update API) to perform operations on locations:"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"* ``glance location-add:`` Add a location (and related metadata) to an image."}],"source_content_type":"text/x-rst","patch_set":4,"id":"8505554c_6ad1466f","line":236,"range":{"start_line":235,"start_character":35,"end_line":236,"end_character":31},"updated":"2022-11-29 19:45:08.000000000","message":"So there will be a special case allowance for http URIs? That seems confusing to me.\n\nWhat about a new import method called web-reference (or a better name) that works like web-download but only references the remote image? That way, the image goes through \"importing\" state and provides us an opportunity to hash the image (whether we do initially or not). Otherwise I think this API will have to allow for setting the URL and the hash will remain empty or just be set sometime later.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"7fca7c48d2ab59421c27d338cacaaaf0790fd3a0","unresolved":false,"context_lines":[{"line_number":232,"context_line":"value to expose them via glanceclient CLI. However, we will add methods to"},{"line_number":233,"context_line":"the glanceclient (that will call the new location APIs) that will be used by"},{"line_number":234,"context_line":"other consumer services like cinder and nova but those methods won\u0027t be"},{"line_number":235,"context_line":"exposed via the shell to end users. We will allow end users to add the"},{"line_number":236,"context_line":"location in case of HTTP store."},{"line_number":237,"context_line":"End users can still use the existing commands (that internally calls the image-update API) to perform operations on locations:"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"* ``glance location-add:`` Add a location (and related metadata) to an image."}],"source_content_type":"text/x-rst","patch_set":4,"id":"4e5d9d5b_5b65400a","line":236,"range":{"start_line":235,"start_character":35,"end_line":236,"end_character":31},"in_reply_to":"556f8464_f4e56659","updated":"2022-12-22 17:07:06.000000000","message":"Done\nThanks Abhishek!","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f187b4d3b685048c7a0526467446b6f5417d1a2e","unresolved":true,"context_lines":[{"line_number":232,"context_line":"value to expose them via glanceclient CLI. However, we will add methods to"},{"line_number":233,"context_line":"the glanceclient (that will call the new location APIs) that will be used by"},{"line_number":234,"context_line":"other consumer services like cinder and nova but those methods won\u0027t be"},{"line_number":235,"context_line":"exposed via the shell to end users. We will allow end users to add the"},{"line_number":236,"context_line":"location in case of HTTP store."},{"line_number":237,"context_line":"End users can still use the existing commands (that internally calls the image-update API) to perform operations on locations:"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"* ``glance location-add:`` Add a location (and related metadata) to an image."}],"source_content_type":"text/x-rst","patch_set":4,"id":"6efde786_266f9e2a","line":236,"range":{"start_line":235,"start_character":35,"end_line":236,"end_character":31},"in_reply_to":"5a2c6ae5_9b5c2999","updated":"2022-12-02 13:31:03.000000000","message":"This change was requested by Erno[1]. I\u0027m also not sure how this will work (as mentioned in my comment) so will remove it for the time being. http store seems pretty exceptional and I\u0027m not sure about all the use cases we need to support around it. the \"do_secure_hash\" parameter is also a result of requirement for http store and wasn\u0027t there in the original spec.\n\n[1] https://review.opendev.org/c/openstack/glance-specs/+/863209/3..4/specs/2023.1/approved/glance/new-location-info-apis.rst#b236","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":5202,"name":"Erno Kuvaja","email":"jokke@usr.fi","username":"jokke"},"change_message_id":"6bdf540f913af2158372a3cc6a68bc2897ec9e1f","unresolved":true,"context_lines":[{"line_number":232,"context_line":"value to expose them via glanceclient CLI. However, we will add methods to"},{"line_number":233,"context_line":"the glanceclient (that will call the new location APIs) that will be used by"},{"line_number":234,"context_line":"other consumer services like cinder and nova but those methods won\u0027t be"},{"line_number":235,"context_line":"exposed via the shell to end users. We will allow end users to add the"},{"line_number":236,"context_line":"location in case of HTTP store."},{"line_number":237,"context_line":"End users can still use the existing commands (that internally calls the image-update API) to perform operations on locations:"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"* ``glance location-add:`` Add a location (and related metadata) to an image."}],"source_content_type":"text/x-rst","patch_set":4,"id":"82cec6a0_942abc96","line":236,"range":{"start_line":235,"start_character":35,"end_line":236,"end_character":31},"in_reply_to":"6efde786_266f9e2a","updated":"2022-12-15 12:02:54.000000000","message":"@Dan How about method \"direct-location\" and we wrap this whole feature there?\n\n@Sean But it is and has been supported, the whole point was to not break but have a pass of sec checks while we\u0027re at it.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"61be6abd32dcc4f912e690e27cd915945f5f16dc","unresolved":true,"context_lines":[{"line_number":232,"context_line":"value to expose them via glanceclient CLI. However, we will add methods to"},{"line_number":233,"context_line":"the glanceclient (that will call the new location APIs) that will be used by"},{"line_number":234,"context_line":"other consumer services like cinder and nova but those methods won\u0027t be"},{"line_number":235,"context_line":"exposed via the shell to end users. We will allow end users to add the"},{"line_number":236,"context_line":"location in case of HTTP store."},{"line_number":237,"context_line":"End users can still use the existing commands (that internally calls the image-update API) to perform operations on locations:"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"* ``glance location-add:`` Add a location (and related metadata) to an image."}],"source_content_type":"text/x-rst","patch_set":4,"id":"556f8464_f4e56659","line":236,"range":{"start_line":235,"start_character":35,"end_line":236,"end_character":31},"in_reply_to":"6fb819f7_59001780","updated":"2022-12-20 10:02:52.000000000","message":"Rajat I think here erno is talking about new import method direct-location same as glance-direct, web-download etc.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"503198d44c972bcc41e7791ff2b7495e89c40f34","unresolved":true,"context_lines":[{"line_number":232,"context_line":"value to expose them via glanceclient CLI. However, we will add methods to"},{"line_number":233,"context_line":"the glanceclient (that will call the new location APIs) that will be used by"},{"line_number":234,"context_line":"other consumer services like cinder and nova but those methods won\u0027t be"},{"line_number":235,"context_line":"exposed via the shell to end users. We will allow end users to add the"},{"line_number":236,"context_line":"location in case of HTTP store."},{"line_number":237,"context_line":"End users can still use the existing commands (that internally calls the image-update API) to perform operations on locations:"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"* ``glance location-add:`` Add a location (and related metadata) to an image."}],"source_content_type":"text/x-rst","patch_set":4,"id":"6fb819f7_59001780","line":236,"range":{"start_line":235,"start_character":35,"end_line":236,"end_character":31},"in_reply_to":"82cec6a0_942abc96","updated":"2022-12-19 18:46:17.000000000","message":"Added a CLI command here, let me know what you think.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1c4740d4d6da0237df470cccb04e7b9628dfb5ca","unresolved":true,"context_lines":[{"line_number":232,"context_line":"value to expose them via glanceclient CLI. However, we will add methods to"},{"line_number":233,"context_line":"the glanceclient (that will call the new location APIs) that will be used by"},{"line_number":234,"context_line":"other consumer services like cinder and nova but those methods won\u0027t be"},{"line_number":235,"context_line":"exposed via the shell to end users. We will allow end users to add the"},{"line_number":236,"context_line":"location in case of HTTP store."},{"line_number":237,"context_line":"End users can still use the existing commands (that internally calls the image-update API) to perform operations on locations:"},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"* ``glance location-add:`` Add a location (and related metadata) to an image."}],"source_content_type":"text/x-rst","patch_set":4,"id":"5a2c6ae5_9b5c2999","line":236,"range":{"start_line":235,"start_character":35,"end_line":236,"end_character":31},"in_reply_to":"8505554c_6ad1466f","updated":"2022-11-30 14:56:00.000000000","message":"referncig a remote image might create operational and security problems\n\nthe image content coudl change and that woudl be a security issue and the external souce coudl go offline making the image unaviable with is a operational concern\n\nas is the data transefer time and cost.\n\nso i woudl personly not supprot either web-refernce or the special case for http.\n\nif we were to supprot this i prefer the web-reference import method approch but in general i dont think this is a functionalty that we shoudl support.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d073ee9dd44df39a202c1656c5a0118143816427","unresolved":true,"context_lines":[{"line_number":255,"context_line":"----------------"},{"line_number":256,"context_line":""},{"line_number":257,"context_line":"Consumers like Cinder, Nova and HTTP store need to modify code to call the"},{"line_number":258,"context_line":"new client functions to access the API."},{"line_number":259,"context_line":""},{"line_number":260,"context_line":"Implementation"},{"line_number":261,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":4,"id":"8c59999c_7a205ea4","line":258,"updated":"2022-11-29 19:45:08.000000000","message":"As noted above, Nova will need to do more than this - we\u0027ll have to split our client usage into two, grow some new credentials, and make sure we use the right client/creds for the add-location operation.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"f187b4d3b685048c7a0526467446b6f5417d1a2e","unresolved":true,"context_lines":[{"line_number":255,"context_line":"----------------"},{"line_number":256,"context_line":""},{"line_number":257,"context_line":"Consumers like Cinder, Nova and HTTP store need to modify code to call the"},{"line_number":258,"context_line":"new client functions to access the API."},{"line_number":259,"context_line":""},{"line_number":260,"context_line":"Implementation"},{"line_number":261,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":4,"id":"fa960126_b5eeae70","line":258,"in_reply_to":"380e95ae_e278646c","updated":"2022-12-02 13:31:03.000000000","message":"Initially i wasn\u0027t thinking about a specific spec for nova and cinder but if nova has sufficient cases to consider, we can work on a nova spec as well. Again, I\u0027m not sure if we need to implement everything in a single cycle and we can divide the effort spanning across 2-3 cycles as the service role doesn\u0027t seem to be ready yet which is a requirement of this spec.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"503198d44c972bcc41e7791ff2b7495e89c40f34","unresolved":false,"context_lines":[{"line_number":255,"context_line":"----------------"},{"line_number":256,"context_line":""},{"line_number":257,"context_line":"Consumers like Cinder, Nova and HTTP store need to modify code to call the"},{"line_number":258,"context_line":"new client functions to access the API."},{"line_number":259,"context_line":""},{"line_number":260,"context_line":"Implementation"},{"line_number":261,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":4,"id":"309d49ae_3ee745ff","line":258,"in_reply_to":"4916503f_46dc093f","updated":"2022-12-19 18:46:17.000000000","message":"Ack, let\u0027s target the nova and cinder work for B cycle.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1c4740d4d6da0237df470cccb04e7b9628dfb5ca","unresolved":true,"context_lines":[{"line_number":255,"context_line":"----------------"},{"line_number":256,"context_line":""},{"line_number":257,"context_line":"Consumers like Cinder, Nova and HTTP store need to modify code to call the"},{"line_number":258,"context_line":"new client functions to access the API."},{"line_number":259,"context_line":""},{"line_number":260,"context_line":"Implementation"},{"line_number":261,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":4,"id":"380e95ae_e278646c","line":258,"in_reply_to":"8c59999c_7a205ea4","updated":"2022-11-30 14:56:00.000000000","message":"we will need a sibling spec to cover those changes and we will need to figure out who will actully do the work.\n\nthis likely woudl be somethign we would do in the B cycle at this point unless someone form the comunity steps up to actuly take this on.\n\nputting my redhat hat on the comptue team does not have capastity to work on this in Antilope but i can bring this up for our B cycle planning.\n\nwith my comunity hat back on if there is a spec and code that needs to be reviewd on the nova side for this i can review it but as dan said this will be more invasive then this suggest.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"ba085f8aa0e05998bb789c722cebcea6599c354f","unresolved":true,"context_lines":[{"line_number":255,"context_line":"----------------"},{"line_number":256,"context_line":""},{"line_number":257,"context_line":"Consumers like Cinder, Nova and HTTP store need to modify code to call the"},{"line_number":258,"context_line":"new client functions to access the API."},{"line_number":259,"context_line":""},{"line_number":260,"context_line":"Implementation"},{"line_number":261,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":4,"id":"4916503f_46dc093f","line":258,"in_reply_to":"fa960126_b5eeae70","updated":"2022-12-15 13:16:40.000000000","message":"the nova change likely will have to be defered to B cycle at this point.\n\nmost of the nova core team will be on PTO form monday and wont return until after spec freeze. we are considring extending spec freeze by one week so form january 5th to january 12th but  im not sure we will have time to draft, review and approve a nova spec by then.","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"d073ee9dd44df39a202c1656c5a0118143816427","unresolved":true,"context_lines":[{"line_number":280,"context_line":"* Add a releasenote mentioning that we will remove the config option"},{"line_number":281,"context_line":"  ``show_multiple_locations`` when the consumers (nova/cinder/http store)"},{"line_number":282,"context_line":"  shift to using new location APIs."},{"line_number":283,"context_line":""},{"line_number":284,"context_line":"Dependencies"},{"line_number":285,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":286,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"099ac945_7f5b1c76","line":283,"updated":"2022-11-29 19:45:08.000000000","message":"I note that \"Testing\" includes \"every possible thing\", but... there\u0027s clearly a work item to write complete tempest tests for this API, I hope. Since we had none for the existing API until I wrote them a couple months ago, I surely hope we won\u0027t be repeating that mistake :)","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"1891780d094bdc21cb16cbd0fd1dc9cf0026e8a0","unresolved":false,"context_lines":[{"line_number":280,"context_line":"* Add a releasenote mentioning that we will remove the config option"},{"line_number":281,"context_line":"  ``show_multiple_locations`` when the consumers (nova/cinder/http store)"},{"line_number":282,"context_line":"  shift to using new location APIs."},{"line_number":283,"context_line":""},{"line_number":284,"context_line":"Dependencies"},{"line_number":285,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":286,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"d870cec9_58907f8b","line":283,"in_reply_to":"099ac945_7f5b1c76","updated":"2022-12-02 13:38:27.000000000","message":"Done","commit_id":"30ed65d25e7d80f83d9cec1cce1379e66a73b33b"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"ba085f8aa0e05998bb789c722cebcea6599c354f","unresolved":true,"context_lines":[{"line_number":128,"context_line":"to provide admin credentials during add or get of an image to get the"},{"line_number":129,"context_line":"location."},{"line_number":130,"context_line":"This was the original proposal but due to the disagreement here [4]_, we"},{"line_number":131,"context_line":"changed the design to the current proposal."},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"Data model impact"},{"line_number":134,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"05b4afc8_3c585e8f","line":131,"updated":"2022-12-15 13:16:40.000000000","message":"i still think this is likely the better solution from a complxity point of view.\n\nim not sure i agree that normal users should be allowed ot lset the location.\ni really do think that shoudl be hidden behind the store concept and be settable only be admins or service accoutns.\n\ni.e. cinder woudl set it for BFV snapshots using teh service accounts.\n\nin any case thanks for at least including this in the alternitives.\n\nfrom a nova spercitive this alternitve would have been less work and i suspect the same is ture for cinder but if we think a new api is cleaner longterm that is proably for the best.\n\ni do think the new api should be admin_or_service however.\n\ni understand that thre are some complications with teh web/http location but we liekly shoudl consider that speratly as it sound like there are degin gaps in how that is workign today.","commit_id":"b1765493273c9351cfbf53c65436b43e262ccafe"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"503198d44c972bcc41e7791ff2b7495e89c40f34","unresolved":true,"context_lines":[{"line_number":128,"context_line":"to provide admin credentials during add or get of an image to get the"},{"line_number":129,"context_line":"location."},{"line_number":130,"context_line":"This was the original proposal but due to the disagreement here [4]_, we"},{"line_number":131,"context_line":"changed the design to the current proposal."},{"line_number":132,"context_line":""},{"line_number":133,"context_line":"Data model impact"},{"line_number":134,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"e1174048_8bfac3e9","line":131,"in_reply_to":"05b4afc8_3c585e8f","updated":"2022-12-19 18:46:17.000000000","message":"Thanks for the feedback Sean. Since I\u0027ve mentioned before that was my original idea when proposing this feature. As the glance team doesn\u0027t agree with the idea that is a good approach, I had to modify it. Also eventually the glance team will be implementing and maintaining those APIs so I would incline to their decision. I think all these complexity will go away once we\u0027ve the service role in-place which plays a key role in these service-service interactions.","commit_id":"b1765493273c9351cfbf53c65436b43e262ccafe"},{"author":{"_account_id":8122,"name":"Cyril Roelandt","email":"cyril@redhat.com","username":"cyril.roelandt.enovance"},"change_message_id":"c4a146a01aae968d6bb0941dee293da0ae182660","unresolved":true,"context_lines":[{"line_number":34,"context_line":"users is a side-effect, not the goal.  We currently recommend that operators"},{"line_number":35,"context_line":"who want to use optimized data access use a specialized Glance instance for"},{"line_number":36,"context_line":"services, and only expose glance-api to end users with show_multiple_locations"},{"line_number":37,"context_line":"set False.  This is inconvinient for certain users."},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"Proposed change"},{"line_number":40,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":8,"id":"b426c4e6_bf34a4cc","line":37,"range":{"start_line":37,"start_character":20,"end_line":37,"end_character":32},"updated":"2023-01-17 12:54:09.000000000","message":"If you need another patchset: inconvenient.","commit_id":"67e61b00c1ea75aaf774f0b9a5b7d4c7067e1821"}],"specs/zed/approved/glance/new-location-info-apis.rst":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"ba085f8aa0e05998bb789c722cebcea6599c354f","unresolved":true,"context_lines":[{"line_number":1,"context_line":".."},{"line_number":2,"context_line":" This work is licensed under a Creative Commons Attribution 3.0 Unported"},{"line_number":3,"context_line":" License."},{"line_number":4,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"6bec234f_bdca6457","side":"PARENT","line":1,"updated":"2022-12-15 13:16:40.000000000","message":"is this a glance convention?\n\nwe leave the old specs where tehy are and move the implmeted ones to an implemted dir with a simlink in the approve dir.","commit_id":"2d0d8c2b7c8d4017190c0c3383350ce1d8a4fb88"},{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"503198d44c972bcc41e7791ff2b7495e89c40f34","unresolved":false,"context_lines":[{"line_number":1,"context_line":".."},{"line_number":2,"context_line":" This work is licensed under a Creative Commons Attribution 3.0 Unported"},{"line_number":3,"context_line":" License."},{"line_number":4,"context_line":""}],"source_content_type":"text/x-rst","patch_set":5,"id":"fe48cb84_21d46021","side":"PARENT","line":1,"in_reply_to":"6bec234f_bdca6457","updated":"2022-12-19 18:46:17.000000000","message":"I remember discussing this with glance team before the reproposal so i can say yes.","commit_id":"2d0d8c2b7c8d4017190c0c3383350ce1d8a4fb88"}]}