{"/COMMIT_MSG":[
{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"7dc089e57392e277e96b40a0188fccd5a0467a79","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"This reverts commit e40759c15bb224671398f7142afe12fa0c3ac336."},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Reason for revert: This is a bug in how cinder was calling glance not in the glance policy."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"The service to service APIs in https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#isolate-service-to-service-apis-to-the-service-role do not use the service token for validation the should assert the existing of the service role on the standard token which is what glance did previously"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"Change-Id: Ifaf4b083218071f4706989f2931d0b40bc588afc"},{"line_number":16,"context_line":"Signed-off-by: Sean Mooney <work@seanmooney.info>"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"44b7e21f_15a0ea36","line":13,"range":{"start_line":11,"start_character":0,"end_line":13,"end_character":318},"updated":"2025-08-27 02:12:12.000000000","message":"Can we wrap these lines like:\n\n```\nReason for revert:\nThis is a bug in how cinder was calling glance not in the glance\npolicy.\n\nThe service to service APIs in [1] do not use the service token for\nvalidation but should assert the existing of the service role on\nthe standard token which is what glance did previously.\n\n[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#isolate-service-to-service-apis-to-the-service-role\n```","commit_id":"17e424d2f3f18e575cbb448404bf3d0b31a8e2cf"}
],"/PATCHSET_LEVEL":[
{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"eac106685a4635e3ba87b7969ac3592f0ad373f5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"b10b81df_68525806","updated":"2025-08-26 18:45:19.000000000","message":"+1 on removing the service token role. That is what we discussed in the nova change and this is the ref from there (very good point made by Sean) - https://review.opendev.org/c/openstack/nova/+/957578/comment/a097d558_fee01375/","commit_id":"3ce5b2cba13062f4e4f4074a322c66719cc24666"},
{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"dce0e06216211afb7a9943df1d25fc4c2ddeb714","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"b961587b_7854d8e0","updated":"2025-08-26 19:03:19.000000000","message":"cinder seems to incorrectly be using the service_user config option to create the token it uses to talk to glance\n\nhttps://github.com/openstack/cinder/blob/master/cinder/service_auth.py#L43-L47\nhttps://github.com/openstack/cinder/blob/master/cinder/image/glance.py#L110-L140\n\nwhen creating a glanceclient cinder is first creating a session object\n\n            config_options = {'insecure': CONF.glance_api_insecure,\n                              'cacert': CONF.glance_ca_certificates_file,\n                              'timeout': CONF.glance_request_timeout,\n                              'cert': CONF.glance_certfile,\n                              'key': CONF.glance_keyfile,\n                              'split_loggers': CONF.split_loggers\n                              }\n            _SESSION = ks_session.Session().load_from_options(**config_options)\n\nthen creating an auth context\n\n        auth = service_auth.get_auth_plugin(context)\n\nget_auth_plugin\n\nhttps://github.com/openstack/cinder/blob/master/cinder/service_auth.py#L80\n\ncalls get_service_auth_plugin()\nhttps://github.com/openstack/cinder/blob/master/cinder/service_auth.py#L56\n\nwhich then uses the service_user group to create the auth object.\n\nif we compare this to nova we first create the session object from the dedicated glance group and call\n\nhttps://github.com/openstack/nova/blob/master/nova/image/glance.py#L62-L66\n\nand then the actual way we create the tokens is pretty similar\n\nhttps://github.com/openstack/nova/blob/master/nova/service_auth.py#L33\n\nthe only real delta I see is nova will have the username and password etc. in our config option when we construct the session from config\n\nhttps://github.com/openstack/nova/blob/master/nova/image/glance.py#L63-L64\n\nwhereas cinder does not when it constructs the session from options\n\nso I think the issue in cinder is here\n\nhttps://github.com/openstack/cinder/blob/master/cinder/image/glance.py#L125-L132\n\nit should use the credentials from, ideally, a glance config section\nhttps://docs.openstack.org/nova/latest/configuration/config.html#glance\nor failing that use the keystone_authtoken section.\n\nI'm not 100% sure about that but I think that is the correct fix.","commit_id":"3ce5b2cba13062f4e4f4074a322c66719cc24666"},
{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"d58ccd506fe8364a4351ae47c8d6f013ddc55f7f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"37c4390c_90f23c9d","updated":"2025-08-27 05:00:23.000000000","message":"I'm not convinced with the notion of role:service vs service_roles:service.\nFirstly, we document the service to service interaction in cinder docs[1] which is how Cinder is configured and it has no mention of using separate [nova] [glance] sections to communicate with these services. Not even the SRBAC doc mentions it anywhere.\nThe same logic is followed when doing nova<->cinder interaction when deleting attachments[2] which is part of CVE 2023-2088[3] (It's really hard to believe that none of the cinder or nova devs caught this during development).\nEven if I assume that the above is incorrect, configuring a separate section for each service is very redundant instead of a common [service_user] section so we really need to change something here.\nThis needs more discussion since we have different ways of adapting the same behavior and we need common documentation for operators on how we can achieve it.\nIn the meantime, if we want to have compatibility, we can use \"role: service OR service_roles: service\" as the policy but otherwise I don't support this revert since this is the current way Cinder and Glance interact.\n\n[1] https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html\n[2] https://github.com/openstack/cinder/blob/master/cinder/volume/api.py#L908-L910\n[3] https://nvd.nist.gov/vuln/detail/cve-2023-2088","commit_id":"17e424d2f3f18e575cbb448404bf3d0b31a8e2cf"},
{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"9937712c1769b13b91d758ffed38f54c088291b4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"a962cffe_9452dcb9","updated":"2025-08-27 01:56:12.000000000","message":"Updated the commit message so that it is wrapped at 79 chars.","commit_id":"17e424d2f3f18e575cbb448404bf3d0b31a8e2cf"},
{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e90623da32c5ecb4a1309e297e56adb0138b4f68","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"746513ff_1a53c2be","updated":"2025-08-27 02:06:59.000000000","message":"lgtm, thanks","commit_id":"17e424d2f3f18e575cbb448404bf3d0b31a8e2cf"},
{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"ae31ec9461fd69b7f3c4478647cca53ab3879b69","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"8a95177b_0cf6c1bd","updated":"2025-08-28 20:24:22.000000000","message":"yeah, I squashed it in https://review.opendev.org/c/openstack/glance/+/958715 + allow admin role.","commit_id":"17e424d2f3f18e575cbb448404bf3d0b31a8e2cf"},
{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"06945b8e6b363ec9dc68c6e50c8698d7a4014f42","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"434c46fd_ca2caf28","in_reply_to":"37c4390c_90f23c9d","updated":"2025-08-27 17:02:27.000000000","message":"the logic in the CVE is not implementing the SRBAC path.\n\nwe used that as a one-off and that is technically technical debt that should eventually be removed.","commit_id":"17e424d2f3f18e575cbb448404bf3d0b31a8e2cf"},
{"author":{"_account_id":27615,"name":"Rajat Dhasmana","email":"rajatdhasmana@gmail.com","username":"whoami-rajat"},"change_message_id":"356d40b066a6a02038484c1fc3502214f608921e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"49c1f2f0_d1ca6a3e","in_reply_to":"434c46fd_ca2caf28","updated":"2025-08-27 17:20:04.000000000","message":"My main point here is, there is no official documentation (to my knowledge) on how to configure the OpenStack services in a way that the service to service interaction can be standardized. Each set of services has its own interaction mechanisms which will break if we just enforce the \"new way\" of validating whether a request contains the service role or not.\nTo me, this is not a trivial problem to solve and the currently proposed solution of having a separate section for each service seems like overkill for the operator.\nSuppose cinder interacts with glance and nova, it will have similar configuration info (if not the same) in:\n1. [keystone_authtoken]\n2. [service_user]\n3. [glance]\n4. [nova]\n\nThe only change I can see would be in the username field being different for different service sections but I would question why cinder:service cannot validate as a service request when it already has the service role assigned to it?\nI might not be up to date with all the latest changes in the SRBAC world but certainly we are missing a standardized approach to adopt all these things.","commit_id":"17e424d2f3f18e575cbb448404bf3d0b31a8e2cf"},
{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b76f17e5de2c4c8c9b5250ddefa390815753cf9d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"5741e3e6_ad975804","in_reply_to":"49c1f2f0_d1ca6a3e","updated":"2025-08-27 23:59:54.000000000","message":"actually that's an anti-pattern\n\ncinder is intended to use the cinder user to talk to nova and glance.\n\nit's much less secure to use the nova user to talk to nova and we generally advise against that.\n\nmost installers get this wrong.\n\nif you think about it, if you were buying me coffee you would not hand me your card and tell me your PIN\n\nthat is effectively what you are doing if you use the nova user with its password in the cinder config.\n\nthis is actually a pre-existing anti-pattern unrelated to SRBAC but it is another example of where we don't always have good and consistent documentation of how services should be deployed.","commit_id":"17e424d2f3f18e575cbb448404bf3d0b31a8e2cf"},
{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"074e94ecedaa9e786173d855707813d1aa31643e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"e9a600cb_64535843","in_reply_to":"5741e3e6_ad975804","updated":"2025-08-28 00:11:37.000000000","message":"the reason to have a separate section per service is so that each service REST endpoint can have a different CA for certs or can be in different keystone regions.\n\nyou may also want to use a different auth method or timeout per service based on the performance of each etc.\n\nyou are correct that there is often duplication between the sections but it exists so that the config is standard between each service client and can support more complex deployments where for example you have a stretched cinder across all regions but a per-keystone-region glance instance or neutron instance.\n\ncinder does not talk to neutron that I'm aware of but CERN talk about how they scaled neutron this way in https://techblog.web.cern.ch/techblog/post/10-years-of-openstack-at-cern-part-2","commit_id":"17e424d2f3f18e575cbb448404bf3d0b31a8e2cf"},
{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"61391016ab247ccdcae61ca6c0323fef0bf31dc7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"3462b5ba_2c9897a0","in_reply_to":"a7a51640_0bfa2e25","updated":"2025-08-28 04:18:36.000000000","message":"as discussed in IRC[1], I have proposed the changes required on cinder/glance/devstack - https://review.opendev.org/q/topic:%22glance-service-api%22\n\nand am testing the complete series in https://review.opendev.org/c/openstack/cinder/+/958719\n\n[1] https://meetings.opendev.org/irclogs/%23openstack-nova/%23openstack-nova.2025-08-27.log.html#openstack-nova.2025-08-27.log.html#t2025-08-27T17:24:47","commit_id":"17e424d2f3f18e575cbb448404bf3d0b31a8e2cf"},
{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"7dc089e57392e277e96b40a0188fccd5a0467a79","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"472a9651_2e5d60d5","in_reply_to":"a962cffe_9452dcb9","updated":"2025-08-27 02:12:12.000000000","message":"Ugh, it seems I can't update the commit message due to a mismatch between the committer email and the one in the signature...","commit_id":"17e424d2f3f18e575cbb448404bf3d0b31a8e2cf"},
{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"0c0fbc81af667665a35141449279bf49e51be809","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"a7a51640_0bfa2e25","in_reply_to":"e9a600cb_64535843","updated":"2025-08-28 04:15:48.000000000","message":"correct, agree with Sean. I will add some use cases (I commented in the nova change also) to make it easy to understand the purpose of service_token and service users for RBAC:\n\n1. ServiceA calling ServiceB asynchronously (Neutron/cinder etc sends events to Nova):\n\n   This case does not have any actual user token coming from an external user and the service (neutron/cinder etc) creates its own token with the 'service' role. In this case, I agree with you to check the 'service' role on the user token coming from services. Policy default for this case will be:\n\n        \"role:service\"\n\n\n2. User calling ServiceA, then ServiceA calling ServiceB:\nThis has two cases:\n\n 2.1 ServiceA calling ServiceB with internal user token (has service role):\n\n     In this case, serviceA creates a user token with the 'service' role (from conf). For example, Cinder here[1]. To make sure the call is from services, Nova can check the 'service' role on the user token. I checked all Cinder calls and Neutron calls to Nova, and they do pass the internal user token with the 'service' role. Policy default for this case will be:\n\n        \"role:service\"\n\n 2.2 With external user token + service token: (Here I was wrong and considered this a service-to-service call)\n\n     This is a case where services call other services to complete the user operation. An external user calls serviceA without the 'service' role, and serviceA calls another service with the external user token and a service token. In this case, I was considering and checking the service token in RBAC, but I was wrong. This is not service-to-service calling, and the user token should be considered to check the permission. For example, a user creating a VM in Nova, Nova calls Neutron for network-related things. If the service checks the service token for permission, then it can be wrong and lead to information leaks/security issues.","commit_id":"17e424d2f3f18e575cbb448404bf3d0b31a8e2cf"}
],"glance/policies/base.py":[
{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"eac106685a4635e3ba87b7969ac3592f0ad373f5","unresolved":true,"context_lines":[{"line_number":89,"context_line":")"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"SERVICE = 'rule:service_api'"},{"line_number":92,"context_line":"SERVICE_ROLE = 'service_roles:service'"},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"ADMIN_OR_SERVICE_ROLE = f'{ADMIN} or {SERVICE_ROLE}'"},{"line_number":95,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"04bf95cb_8dc3417e","line":92,"range":{"start_line":92,"start_character":0,"end_line":92,"end_character":38},"updated":"2025-08-26 18:45:19.000000000","message":"this is still not correct, right?","commit_id":"3ce5b2cba13062f4e4f4074a322c66719cc24666"},
{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3687b4888923861c84349765bbacdf9d2df16b28","unresolved":true,"context_lines":[{"line_number":89,"context_line":")"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"SERVICE = 'rule:service_api'"},{"line_number":92,"context_line":"SERVICE_ROLE = 'service_roles:service'"},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"ADMIN_OR_SERVICE_ROLE = f'{ADMIN} or {SERVICE_ROLE}'"},{"line_number":95,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"59293612_288f20bb","line":92,"range":{"start_line":92,"start_character":0,"end_line":92,"end_character":38},"in_reply_to":"04bf95cb_8dc3417e","updated":"2025-08-26 19:05:12.000000000","message":"ok so there may have also been a bug before but a slightly different one.\n\nthe ADMIN_OR_SERVICE_ROLE role would have been incorrect but the service_api rule would have been correct.","commit_id":"3ce5b2cba13062f4e4f4074a322c66719cc24666"},
{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"e90623da32c5ecb4a1309e297e56adb0138b4f68","unresolved":true,"context_lines":[{"line_number":89,"context_line":")"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"SERVICE = 'rule:service_api'"},{"line_number":92,"context_line":"SERVICE_ROLE = 'service_roles:service'"},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"ADMIN_OR_SERVICE_ROLE = f'{ADMIN} or {SERVICE_ROLE}'"},{"line_number":95,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"2b9db4f2_1b1b0e1c","line":92,"range":{"start_line":92,"start_character":0,"end_line":92,"end_character":38},"in_reply_to":"59293612_288f20bb","updated":"2025-08-27 02:06:59.000000000","message":"yeah, I am not sure why there are two aliases for the service role, SERVICE and SERVICE_ROLE; the latter one can be deleted and the former used as that points to the rule.\n\nanyways that is not in scope of this change so I am +1.","commit_id":"3ce5b2cba13062f4e4f4074a322c66719cc24666"}
]}
