)]}'
{"specs/ussuri/approved/action-event-fault-details.rst":[{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"f7ad5af4ba9d85bcc746835ff7deabb8bc21eb10","unresolved":false,"context_lines":[{"line_number":19,"context_line":"Currently, the instance action event details that a non-admin owner of a\r"},{"line_number":20,"context_line":"server sees do not contain any useful information about what caused the\r"},{"line_number":21,"context_line":"failure of the action. For example, if we failed to cold migrate a server,\r"},{"line_number":22,"context_line":"show the server\u0027s event info by ``openstack server event show foo_vm_name``\r"},{"line_number":23,"context_line":"that will be recorded as:\r"},{"line_number":24,"context_line":"\r"},{"line_number":25,"context_line":"  .. code-block:: json\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_d52f0df3","line":22,"range":{"start_line":22,"start_character":34,"end_line":22,"end_character":61},"updated":"2019-12-18 16:28:06.000000000","message":"nit: technically this command takes two args, a server and request ID:\n\nhttps://docs.openstack.org/python-openstackclient/latest/cli/command-objects/server-event.html#server-event-show","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"1e8bdb494ec70f8c8b17fb1aabfb0dcb353107fd","unresolved":false,"context_lines":[{"line_number":19,"context_line":"Currently, the instance action event details that a non-admin owner of a\r"},{"line_number":20,"context_line":"server sees do not contain any useful information about what caused the\r"},{"line_number":21,"context_line":"failure of the action. 
For example, if we failed to cold migrate a server,\r"},{"line_number":22,"context_line":"show the server\u0027s event info by ``openstack server event show foo_vm_name``\r"},{"line_number":23,"context_line":"that will be recorded as:\r"},{"line_number":24,"context_line":"\r"},{"line_number":25,"context_line":"  .. code-block:: json\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_0677b6d3","line":22,"range":{"start_line":22,"start_character":34,"end_line":22,"end_character":61},"in_reply_to":"3fa7e38b_d52f0df3","updated":"2019-12-19 06:08:28.000000000","message":"Done","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"f7ad5af4ba9d85bcc746835ff7deabb8bc21eb10","unresolved":false,"context_lines":[{"line_number":43,"context_line":"\r"},{"line_number":44,"context_line":"Obviously, from the response of the server event action, the user cannot\r"},{"line_number":45,"context_line":"obtain the actual useful information.\r"},{"line_number":46,"context_line":"\r"},{"line_number":47,"context_line":"Use Cases\r"},{"line_number":48,"context_line":"---------\r"},{"line_number":49,"context_line":"\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_d5cb8d1a","line":46,"updated":"2019-12-18 16:28:06.000000000","message":"I think it\u0027s important to note that if the server status is not ERROR but some operation failed, the user cannot get the fault details either because server faults are only shown for servers in ERROR or DELETED status:\n\nhttps://docs.openstack.org/api-guide/compute/faults.html#instance-faults\n\nBut instance actions can be shown for a server in any status (and even for deleted servers since microversion 2.21).","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":26458,"name":"Brin 
Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"1e8bdb494ec70f8c8b17fb1aabfb0dcb353107fd","unresolved":false,"context_lines":[{"line_number":43,"context_line":"\r"},{"line_number":44,"context_line":"Obviously, from the response of the server event action, the user cannot\r"},{"line_number":45,"context_line":"obtain the actual useful information.\r"},{"line_number":46,"context_line":"\r"},{"line_number":47,"context_line":"Use Cases\r"},{"line_number":48,"context_line":"---------\r"},{"line_number":49,"context_line":"\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_616bf4b8","line":46,"in_reply_to":"3fa7e38b_d5cb8d1a","updated":"2019-12-19 06:08:28.000000000","message":"Done","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"f7ad5af4ba9d85bcc746835ff7deabb8bc21eb10","unresolved":false,"context_lines":[{"line_number":47,"context_line":"Use Cases\r"},{"line_number":48,"context_line":"---------\r"},{"line_number":49,"context_line":"\r"},{"line_number":50,"context_line":"As a non-admin user, I would like to know the details of what caused the\r"},{"line_number":51,"context_line":"server\u0027s ``ERROR`` status. Although I can\u0027t see the exact ``traceback``,\r"},{"line_number":52,"context_line":"at least I can do other attempts based on the details.\r"},{"line_number":53,"context_line":"\r"},{"line_number":54,"context_line":"Proposed change\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_95fe7537","line":51,"range":{"start_line":50,"start_character":57,"end_line":51,"end_character":26},"updated":"2019-12-18 16:28:06.000000000","message":"As mentioned above, if the server status is ERROR then you can get this information via the fault details. 
The problem is when the server is *not* in ERROR status and you want details about the failure.","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"1e8bdb494ec70f8c8b17fb1aabfb0dcb353107fd","unresolved":false,"context_lines":[{"line_number":47,"context_line":"Use Cases\r"},{"line_number":48,"context_line":"---------\r"},{"line_number":49,"context_line":"\r"},{"line_number":50,"context_line":"As a non-admin user, I would like to know the details of what caused the\r"},{"line_number":51,"context_line":"server\u0027s ``ERROR`` status. Although I can\u0027t see the exact ``traceback``,\r"},{"line_number":52,"context_line":"at least I can do other attempts based on the details.\r"},{"line_number":53,"context_line":"\r"},{"line_number":54,"context_line":"Proposed change\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_015a401d","line":51,"range":{"start_line":50,"start_character":57,"end_line":51,"end_character":26},"in_reply_to":"3fa7e38b_95fe7537","updated":"2019-12-19 06:08:28.000000000","message":"Done","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"f7ad5af4ba9d85bcc746835ff7deabb8bc21eb10","unresolved":false,"context_lines":[{"line_number":58,"context_line":"Action Details API:\r"},{"line_number":59,"context_line":"\r"},{"line_number":60,"context_line":"* GET /servers/{server_id}/os-instance-actions/{request_id}\r"},{"line_number":61,"context_line":"\r"},{"line_number":62,"context_line":"Alternatives\r"},{"line_number":63,"context_line":"------------\r"},{"line_number":64,"context_line":"\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_95ac3537","line":61,"updated":"2019-12-18 16:28:06.000000000","message":"This is pretty sparse on details. 
For example, you should explain what the event \"details\" are actually going to be. In my PoC they are the same as the fault.message that the user would see when the server is in ERROR status. For NovaExceptions that would be the actual exception message but for non-NovaExceptions it\u0027s just the exception class name:\n\nhttps://github.com/openstack/nova/blob/56fc3f28e48bd9c6faf72d2a8bfdf520cc3e60d0/nova/compute/utils.py#L60","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"1e8bdb494ec70f8c8b17fb1aabfb0dcb353107fd","unresolved":false,"context_lines":[{"line_number":58,"context_line":"Action Details API:\r"},{"line_number":59,"context_line":"\r"},{"line_number":60,"context_line":"* GET /servers/{server_id}/os-instance-actions/{request_id}\r"},{"line_number":61,"context_line":"\r"},{"line_number":62,"context_line":"Alternatives\r"},{"line_number":63,"context_line":"------------\r"},{"line_number":64,"context_line":"\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_e1c4c462","line":61,"in_reply_to":"3fa7e38b_95ac3537","updated":"2019-12-19 06:08:28.000000000","message":"Done","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"f7ad5af4ba9d85bcc746835ff7deabb8bc21eb10","unresolved":false,"context_lines":[{"line_number":69,"context_line":"Data model impact\r"},{"line_number":70,"context_line":"-----------------\r"},{"line_number":71,"context_line":"\r"},{"line_number":72,"context_line":"None. 
The ``details`` column was already in the ``instance_actions_events``\r"},{"line_number":73,"context_line":"table.\r"},{"line_number":74,"context_line":"\r"},{"line_number":75,"context_line":"REST API impact\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_75ff3902","line":72,"updated":"2019-12-18 16:28:06.000000000","message":"It\u0027s probably worth noting that nothing is populating that column today even though it exists, and it\u0027s a TEXT size column so it should be large enough to hold exception fault messages.","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"1e8bdb494ec70f8c8b17fb1aabfb0dcb353107fd","unresolved":false,"context_lines":[{"line_number":69,"context_line":"Data model impact\r"},{"line_number":70,"context_line":"-----------------\r"},{"line_number":71,"context_line":"\r"},{"line_number":72,"context_line":"None. 
The ``details`` column was already in the ``instance_actions_events``\r"},{"line_number":73,"context_line":"table.\r"},{"line_number":74,"context_line":"\r"},{"line_number":75,"context_line":"REST API impact\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_d3e71b45","line":72,"in_reply_to":"3fa7e38b_75ff3902","updated":"2019-12-19 06:08:28.000000000","message":"Done","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"f7ad5af4ba9d85bcc746835ff7deabb8bc21eb10","unresolved":false,"context_lines":[{"line_number":89,"context_line":"           \"start_time\": \"2019-11-13T16:18:26.000000\",\r"},{"line_number":90,"context_line":"           \"event\": \"cold_migrate\",\r"},{"line_number":91,"context_line":"           \"result\": \"Error\",\r"},{"line_number":92,"context_line":"           \"details\": \"NoValidHost\"\r"},{"line_number":93,"context_line":"         },\r"},{"line_number":94,"context_line":"         {\r"},{"line_number":95,"context_line":"           \"finish_time\": \"2019-11-13T16:18:27.000000\",\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_3028ef83","line":92,"range":{"start_line":92,"start_character":23,"end_line":92,"end_character":34},"updated":"2019-12-18 16:28:06.000000000","message":"As I mentioned above, technically if you use the same utility code to generate the fault message, this would be \"No valid host was found\" because it\u0027s a NovaException. If the fault was due to some libvirtError for example, then it would just be the class name, i.e. 
\"libvirtError\".","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"1e8bdb494ec70f8c8b17fb1aabfb0dcb353107fd","unresolved":false,"context_lines":[{"line_number":89,"context_line":"           \"start_time\": \"2019-11-13T16:18:26.000000\",\r"},{"line_number":90,"context_line":"           \"event\": \"cold_migrate\",\r"},{"line_number":91,"context_line":"           \"result\": \"Error\",\r"},{"line_number":92,"context_line":"           \"details\": \"NoValidHost\"\r"},{"line_number":93,"context_line":"         },\r"},{"line_number":94,"context_line":"         {\r"},{"line_number":95,"context_line":"           \"finish_time\": \"2019-11-13T16:18:27.000000\",\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_c18d082a","line":92,"range":{"start_line":92,"start_character":23,"end_line":92,"end_character":34},"in_reply_to":"3fa7e38b_3028ef83","updated":"2019-12-19 06:08:28.000000000","message":"That\u0027s true.","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"f7ad5af4ba9d85bcc746835ff7deabb8bc21eb10","unresolved":false,"context_lines":[{"line_number":108,"context_line":"Security impact\r"},{"line_number":109,"context_line":"---------------\r"},{"line_number":110,"context_line":"\r"},{"line_number":111,"context_line":"None\r"},{"line_number":112,"context_line":"\r"},{"line_number":113,"context_line":"Notifications impact\r"},{"line_number":114,"context_line":"--------------------\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_702d078e","line":111,"updated":"2019-12-18 16:28:06.000000000","message":"Clearly there is a chance for a security impact with this change because we could be leaking sensitive information about the deployment to a non-admin end user, but we 
already do through server faults so this shouldn\u0027t be *worse*. Note this bug about faults: https://bugs.launchpad.net/nova/+bug/1851587","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"1e8bdb494ec70f8c8b17fb1aabfb0dcb353107fd","unresolved":false,"context_lines":[{"line_number":108,"context_line":"Security impact\r"},{"line_number":109,"context_line":"---------------\r"},{"line_number":110,"context_line":"\r"},{"line_number":111,"context_line":"None\r"},{"line_number":112,"context_line":"\r"},{"line_number":113,"context_line":"Notifications impact\r"},{"line_number":114,"context_line":"--------------------\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_01a3209d","line":111,"in_reply_to":"3fa7e38b_702d078e","updated":"2019-12-19 06:08:28.000000000","message":"Done","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"f7ad5af4ba9d85bcc746835ff7deabb8bc21eb10","unresolved":false,"context_lines":[{"line_number":133,"context_line":"Developer impact\r"},{"line_number":134,"context_line":"----------------\r"},{"line_number":135,"context_line":"\r"},{"line_number":136,"context_line":"None\r"},{"line_number":137,"context_line":"\r"},{"line_number":138,"context_line":"Upgrade impact\r"},{"line_number":139,"context_line":"--------------\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_903be3c7","line":136,"updated":"2019-12-18 16:28:06.000000000","message":"Well, like faults I guess developers have to be careful about what information they put into NovaExceptions which could leak sensitive information to a non-admin end user.","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":26458,"name":"Brin 
Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"1e8bdb494ec70f8c8b17fb1aabfb0dcb353107fd","unresolved":false,"context_lines":[{"line_number":133,"context_line":"Developer impact\r"},{"line_number":134,"context_line":"----------------\r"},{"line_number":135,"context_line":"\r"},{"line_number":136,"context_line":"None\r"},{"line_number":137,"context_line":"\r"},{"line_number":138,"context_line":"Upgrade impact\r"},{"line_number":139,"context_line":"--------------\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_132cd391","line":136,"in_reply_to":"3fa7e38b_903be3c7","updated":"2019-12-19 06:08:28.000000000","message":"Done","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"7608aa3733ac445b29ba67466ee8bfbec15ee297","unresolved":false,"context_lines":[{"line_number":152,"context_line":"---------------\r"},{"line_number":153,"context_line":"\r"},{"line_number":154,"context_line":"Feature liaison:\r"},{"line_number":155,"context_line":"  mriedem\r"},{"line_number":156,"context_line":"\r"},{"line_number":157,"context_line":"Work Items\r"},{"line_number":158,"context_line":"----------\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_4f7953f9","line":155,"range":{"start_line":155,"start_character":2,"end_line":155,"end_character":9},"updated":"2019-12-18 11:50:24.000000000","message":"This idea comes from Matt, and he has already pushed the PoC code, I think Matt is suitable as the feature liaison.\n\nPoC code:\nhttps://review.opendev.org/#/c/694430/\nhttps://review.opendev.org/#/c/694428/","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":6873,"name":"Matt 
Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"f7ad5af4ba9d85bcc746835ff7deabb8bc21eb10","unresolved":false,"context_lines":[{"line_number":152,"context_line":"---------------\r"},{"line_number":153,"context_line":"\r"},{"line_number":154,"context_line":"Feature liaison:\r"},{"line_number":155,"context_line":"  mriedem\r"},{"line_number":156,"context_line":"\r"},{"line_number":157,"context_line":"Work Items\r"},{"line_number":158,"context_line":"----------\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_70b0a741","line":155,"range":{"start_line":155,"start_character":2,"end_line":155,"end_character":9},"in_reply_to":"3fa7e38b_4f7953f9","updated":"2019-12-18 16:28:06.000000000","message":"Normally yes I\u0027d be a good person to add here but I\u0027m starting a new job in January which doesn\u0027t involve OpenStack so I\u0027m not really going to be around after the holiday break to be helping with this in nova so you\u0027d be better off finding someone else.\n\nNote that this is more for new contributors so if you\u0027re comfortable with your abilities to get code changes through nova (which you probably should be by now, you\u0027ve worked on a few blueprints), you can just put yourself here or another core that is committing to reviewing this.\n\nhttps://specs.openstack.org/openstack/nova-specs/readme.html#feature-liaison-faq","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"1e8bdb494ec70f8c8b17fb1aabfb0dcb353107fd","unresolved":false,"context_lines":[{"line_number":152,"context_line":"---------------\r"},{"line_number":153,"context_line":"\r"},{"line_number":154,"context_line":"Feature liaison:\r"},{"line_number":155,"context_line":"  mriedem\r"},{"line_number":156,"context_line":"\r"},{"line_number":157,"context_line":"Work 
Items\r"},{"line_number":158,"context_line":"----------\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_b3485f62","line":155,"range":{"start_line":155,"start_character":2,"end_line":155,"end_character":9},"in_reply_to":"3fa7e38b_70b0a741","updated":"2019-12-19 06:08:28.000000000","message":"\u003e but I\u0027m starting a new job in January **which doesn\u0027t involve OpenStack**\n\nI was shocked to hear the news, and please let me thank you anyway. Your contribution in OpenStack is huge, and I know that whatever you do, you will be outstanding. I believe nova is strong and look forward to your joining again :)","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":6873,"name":"Matt Riedemann","email":"mriedem.os@gmail.com","username":"mriedem"},"change_message_id":"f7ad5af4ba9d85bcc746835ff7deabb8bc21eb10","unresolved":false,"context_lines":[{"line_number":157,"context_line":"Work Items\r"},{"line_number":158,"context_line":"----------\r"},{"line_number":159,"context_line":"\r"},{"line_number":160,"context_line":"* Add ``details`` to the ``InstanceActionEvent`` object.\r"},{"line_number":161,"context_line":"* Modify the API to expose the ``details`` field in GET responses that expose\r"},{"line_number":162,"context_line":"  instance action event.\r"},{"line_number":163,"context_line":"* Add related tests\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_70b74723","line":160,"updated":"2019-12-18 16:28:06.000000000","message":"Well, it\u0027s a bit more than that - it\u0027s adding the field and populating it, and the populating part requires some work:\n\nhttps://review.opendev.org/#/c/694428/1/nova/objects/instance_action.py@201\n\nSpecifically the serialize_args decorator serializes all exceptions so we can\u0027t distinguish between stringifying NovaExceptions and non-NovaExceptions. So the serialize_args decorator needs to be smarter. 
You can see the results of some of that in here too:\n\nhttps://review.opendev.org/#/c/694428/1/nova/tests/unit/objects/test_instance_action.py","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"1e8bdb494ec70f8c8b17fb1aabfb0dcb353107fd","unresolved":false,"context_lines":[{"line_number":157,"context_line":"Work Items\r"},{"line_number":158,"context_line":"----------\r"},{"line_number":159,"context_line":"\r"},{"line_number":160,"context_line":"* Add ``details`` to the ``InstanceActionEvent`` object.\r"},{"line_number":161,"context_line":"* Modify the API to expose the ``details`` field in GET responses that expose\r"},{"line_number":162,"context_line":"  instance action event.\r"},{"line_number":163,"context_line":"* Add related tests\r"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_73ee6722","line":160,"in_reply_to":"3fa7e38b_70b74723","updated":"2019-12-19 06:08:28.000000000","message":"Done","commit_id":"ada252e89bfa4bcb00962ec82315a5b0f604b680"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"18a3f38716a895ed35a9b664d13ed86a94ba55a1","unresolved":false,"context_lines":[{"line_number":55,"context_line":"---------\r"},{"line_number":56,"context_line":"\r"},{"line_number":57,"context_line":"As a non-admin user, I would like to know the details about the failure when\r"},{"line_number":58,"context_line":"the server is not in **ERROR** status. 
Although I can\u0027t see the exact\r"},{"line_number":59,"context_line":"``traceback``, at least I can do other attempts based on the details.\r"},{"line_number":60,"context_line":"\r"},{"line_number":61,"context_line":"Proposed change\r"},{"line_number":62,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\r"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_e16ad615","line":59,"range":{"start_line":58,"start_character":38,"end_line":59,"end_character":69},"updated":"2020-01-10 13:03:00.000000000","message":"tracebacks could be a security issue so we should never show those to the user. I\u0027m not sure about other exceptions. there are cases when they are exposed to the user already but I\u0027m not sure how involved it would be to add good user facing messages that would be actionable by a non admin.","commit_id":"73108e90498218d70f3a5a80842454a3a706a8d4"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"18a3f38716a895ed35a9b664d13ed86a94ba55a1","unresolved":false,"context_lines":[{"line_number":66,"context_line":"\r"},{"line_number":67,"context_line":"* GET /servers/{server_id}/os-instance-actions/{request_id}\r"},{"line_number":68,"context_line":"\r"},{"line_number":69,"context_line":"The event \"details\" are the same as the ``fault.message`` that the user would\r"},{"line_number":70,"context_line":"see when the server is in **ERROR** status. 
For NovaExceptions that would be\r"},{"line_number":71,"context_line":"the actual exception message but for non-NovaExceptions it\u0027s just the\r"},{"line_number":72,"context_line":"`exception class name`_.\r"},{"line_number":73,"context_line":"\r"},{"line_number":74,"context_line":"Alternatives\r"},{"line_number":75,"context_line":"------------\r"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_81ed228f","line":72,"range":{"start_line":69,"start_character":0,"end_line":72,"end_character":24},"updated":"2020-01-10 13:03:00.000000000","message":"a lot of the time that would not be something the user could act on and fix.\n\nin principle if the api accepted the request then it was valid and the action should be completed. now there are some errors like exceeding quota that the user might be able to respond to but if it was a no valid host error or the action triggered a stack trace I\u0027m not sure how useful this would be.\n\nthat said yes we could use the fault.message and exception class name for non nova exceptions.\n\nI\u0027m not really sure if we should expose non nova messages at all as it would be leaking info about the deployment.\n\nfor example unless told by the operator some way you should not really know what cinder or virt driver backend is being used by the cloud but if we include a ceph or libvirt exception name that kind of tells you. 
you could find out the cinder backend for the attachments and you will normally know the virt driver but in principle that is not the type of info that a tenant is expected to know when using openstack.\n\nin practice they do have to look behind the curtain a bit to know what features they can use but in principle they are not meant to.","commit_id":"73108e90498218d70f3a5a80842454a3a706a8d4"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"18a3f38716a895ed35a9b664d13ed86a94ba55a1","unresolved":false,"context_lines":[{"line_number":102,"context_line":"           \"start_time\": \"2019-11-13T16:18:26.000000\",\r"},{"line_number":103,"context_line":"           \"event\": \"cold_migrate\",\r"},{"line_number":104,"context_line":"           \"result\": \"Error\",\r"},{"line_number":105,"context_line":"           \"details\": \"No valid host was found.\"\r"},{"line_number":106,"context_line":"         },\r"},{"line_number":107,"context_line":"         {\r"},{"line_number":108,"context_line":"           \"finish_time\": \"2019-11-13T16:18:27.000000\",\r"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_41e3aaa0","line":105,"range":{"start_line":105,"start_character":9,"end_line":105,"end_character":48},"updated":"2020-01-10 13:03:00.000000000","message":"right so as a non admin user how would I handle a no valid host error?\n\ncan you provide another example where the details field would provide info that is useful to a non admin? 
this is potentially leaking capacity information to the tenant which some operators will not like.","commit_id":"73108e90498218d70f3a5a80842454a3a706a8d4"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"18a3f38716a895ed35a9b664d13ed86a94ba55a1","unresolved":false,"context_lines":[{"line_number":123,"context_line":"\r"},{"line_number":124,"context_line":"There is a chance for a security impact with this change because we could be\r"},{"line_number":125,"context_line":"leaking sensitive information about the deployment to a non-admin end user,\r"},{"line_number":126,"context_line":"but we already do through server faults so this shouldn\u0027t be *worse*.\r"},{"line_number":127,"context_line":"Note `bug 1851587` about faults.\r"},{"line_number":128,"context_line":"\r"},{"line_number":129,"context_line":"Notifications impact\r"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_a1be1e61","line":126,"range":{"start_line":126,"start_character":47,"end_line":126,"end_character":69},"updated":"2020-01-10 13:03:00.000000000","message":"ya that\u0027s fair. 
it\u0027s not better either so I\u0027m not sure we should add more instances of something we consider to be a bug but it\u0027s not worse.","commit_id":"73108e90498218d70f3a5a80842454a3a706a8d4"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"784f73a5abaac55c4675651f957236bb3721cb4a","unresolved":false,"context_lines":[{"line_number":124,"context_line":"There is a chance for a security impact with this change because we could be\r"},{"line_number":125,"context_line":"leaking sensitive information about the deployment to a non-admin end user,\r"},{"line_number":126,"context_line":"but we already do through server faults so this shouldn\u0027t be *worse*.\r"},{"line_number":127,"context_line":"Note `bug 1851587` about faults.\r"},{"line_number":128,"context_line":"\r"},{"line_number":129,"context_line":"Notifications impact\r"},{"line_number":130,"context_line":"--------------------\r"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_7e5e71e9","line":127,"range":{"start_line":127,"start_character":5,"end_line":127,"end_character":18},"updated":"2020-01-13 07:27:36.000000000","message":"Invalid reference, instead of `bug 1851587`_","commit_id":"73108e90498218d70f3a5a80842454a3a706a8d4"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"8bf1bc2efb0ff9414131bbf5fd2e5a27d8a633d0","unresolved":false,"context_lines":[{"line_number":125,"context_line":"leaking sensitive information about the deployment to a non-admin end user,\r"},{"line_number":126,"context_line":"but we already do through server faults so this shouldn\u0027t be *worse*.\r"},{"line_number":127,"context_line":"Note `bug 1851587` about faults.\r"},{"line_number":128,"context_line":"\r"},{"line_number":129,"context_line":"Notifications 
impact\r"},{"line_number":130,"context_line":"--------------------\r"},{"line_number":131,"context_line":"\r"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_ee34f0e2","line":128,"updated":"2020-01-13 10:46:35.000000000","message":"I think we should guard this new feature with a new policy so that the deployer can decide if she wants to expose these faults information to the end user.","commit_id":"73108e90498218d70f3a5a80842454a3a706a8d4"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"509cd7e799922462c0600e61b4f57c2053ce3d20","unresolved":false,"context_lines":[{"line_number":125,"context_line":"leaking sensitive information about the deployment to a non-admin end user,\r"},{"line_number":126,"context_line":"but we already do through server faults so this shouldn\u0027t be *worse*.\r"},{"line_number":127,"context_line":"Note `bug 1851587` about faults.\r"},{"line_number":128,"context_line":"\r"},{"line_number":129,"context_line":"Notifications impact\r"},{"line_number":130,"context_line":"--------------------\r"},{"line_number":131,"context_line":"\r"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_6b6b03f0","line":128,"in_reply_to":"3fa7e38b_3fc55091","updated":"2020-01-14 08:06:48.000000000","message":"Yes, we can add a new policy when the deployer can decide if she wants to expose these faults information to the end user.\n\nAdd \"os_compute_api:os-extended-instance-actions-attributes\" policy to the instance action\u0027s attribute, it\u0027s default rule is admin_api. 
While show the instance action details that we should determine whether policy is allowed.","commit_id":"73108e90498218d70f3a5a80842454a3a706a8d4"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"4c548630c1f294ba934e066d1337fd7174e91890","unresolved":false,"context_lines":[{"line_number":125,"context_line":"leaking sensitive information about the deployment to a non-admin end user,\r"},{"line_number":126,"context_line":"but we already do through server faults so this shouldn\u0027t be *worse*.\r"},{"line_number":127,"context_line":"Note `bug 1851587` about faults.\r"},{"line_number":128,"context_line":"\r"},{"line_number":129,"context_line":"Notifications impact\r"},{"line_number":130,"context_line":"--------------------\r"},{"line_number":131,"context_line":"\r"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_3fc55091","line":128,"in_reply_to":"3fa7e38b_ee34f0e2","updated":"2020-01-13 14:39:57.000000000","message":"14:25 \u003c brinzhang_\u003e gibi: hi, I am not very clear what did you mean, can you give me more\n                    details about this\nhttps://review.opendev.org/#/c/699669/2/specs/ussuri/approved/action-event-fault-details.rst@128\n\nSo during the review it came up multiple times that having the extra fault information in the response for the end user could leak information about the infrastructure, e.g. what virt driver is used or what cinder backend is used. As the implementation will automatically include some of the internal information of the implementation in the fault (i.e. exception message or exception type name) we cannot really control what kind of information we leak due to further development on nova or the 3rd party libs nova uses. So to give a way to the deployer to decide if she is OK to such potential leak I think we need to make this API change optional per deployment. 
\n\nThe way to do this is to add a new API policy that defines if \"details\" field of the API response is filled. This is similar how the GET /servers/details returns the \"OS-EXT-SRV-ATTR:host\" field (and other fields) today. By default that field is not returned for the end user just for the admin. However there is an API policy that defines this behavior called \"os_compute_api:os-extended-server-attributes\" this policy by default is \"admin_api\" but a deployer can decide to configure it in the policy.yaml file to \"admin_or_owner\" and this way nova will return such attribute for the owner of the server too. \n\nhttps://docs.openstack.org/nova/latest/configuration/policy.html","commit_id":"73108e90498218d70f3a5a80842454a3a706a8d4"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"af76e023be1106d41cc5684bed4bc20672041f79","unresolved":false,"context_lines":[{"line_number":66,"context_line":"\r"},{"line_number":67,"context_line":"* GET /servers/{server_id}/os-instance-actions/{request_id}\r"},{"line_number":68,"context_line":"\r"},{"line_number":69,"context_line":"Add a new policy to control the visibility for a set of instance action\r"},{"line_number":70,"context_line":"attributes, its default rule is \u0027rule:system_reader_api\u0027 (Legacy rule\r"},{"line_number":71,"context_line":"is \u0027rule:admin_api\u0027).\r"},{"line_number":72,"context_line":"\r"},{"line_number":73,"context_line":"The event \"details\" are the same as the ``fault.message`` that the user would\r"},{"line_number":74,"context_line":"see when the server is in **ERROR** status. 
For NovaExceptions that would be\r"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_d3618912","line":71,"range":{"start_line":69,"start_character":0,"end_line":71,"end_character":21},"updated":"2020-01-14 10:39:23.000000000","message":"ok so it will be admin only by default unless we have a system scoped token or the policy is updated.\n\nya i think that makes sense","commit_id":"60fb46e3dff6ad1d0f47a748b7de9249919ab533"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"1036937fcfe530a9bb511049478ea9aa60e1b9fe","unresolved":false,"context_lines":[{"line_number":66,"context_line":"\r"},{"line_number":67,"context_line":"* GET /servers/{server_id}/os-instance-actions/{request_id}\r"},{"line_number":68,"context_line":"\r"},{"line_number":69,"context_line":"Add a new policy to control the visibility for a set of instance action\r"},{"line_number":70,"context_line":"attributes, its default rule is \u0027rule:system_reader_api\u0027 (Legacy rule\r"},{"line_number":71,"context_line":"is \u0027rule:admin_api\u0027).\r"},{"line_number":72,"context_line":"\r"},{"line_number":73,"context_line":"The event \"details\" are the same as the ``fault.message`` that the user would\r"},{"line_number":74,"context_line":"see when the server is in **ERROR** status. 
For NovaExceptions that would be\r"}],"source_content_type":"text/x-rst","patch_set":3,"id":"df33271e_b756c928","line":71,"range":{"start_line":69,"start_character":0,"end_line":71,"end_character":21},"in_reply_to":"3fa7e38b_d3618912","updated":"2020-03-25 02:19:47.000000000","message":"we do have policy which controls the \u0027events\u0027 info for non-admin\n\n - https://review.opendev.org/#/c/694430/13/nova/policies/instance_actions.py@52","commit_id":"60fb46e3dff6ad1d0f47a748b7de9249919ab533"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"bc93457c4013c9133a9faeb32ae94fb26d90f57b","unresolved":false,"context_lines":[{"line_number":66,"context_line":"\r"},{"line_number":67,"context_line":"* GET /servers/{server_id}/os-instance-actions/{request_id}\r"},{"line_number":68,"context_line":"\r"},{"line_number":69,"context_line":"Add a new policy to control the visibility for a set of instance action\r"},{"line_number":70,"context_line":"attributes, its default rule is \u0027rule:system_reader_api\u0027 (Legacy rule\r"},{"line_number":71,"context_line":"is \u0027rule:admin_api\u0027).\r"},{"line_number":72,"context_line":"\r"},{"line_number":73,"context_line":"The event \"details\" are the same as the ``fault.message`` that the user would\r"},{"line_number":74,"context_line":"see when the server is in **ERROR** status. For NovaExceptions that would be\r"}],"source_content_type":"text/x-rst","patch_set":3,"id":"df33271e_424970ce","line":71,"range":{"start_line":69,"start_character":0,"end_line":71,"end_character":21},"in_reply_to":"df33271e_6d5c6e4b","updated":"2020-03-25 14:11:27.000000000","message":"yeah but what is the main difference of info in \u0027details\u0027 and \u0027traceback\u0027. 
I think both are kind of info for admin to debug/fix or take next action.","commit_id":"60fb46e3dff6ad1d0f47a748b7de9249919ab533"},{"author":{"_account_id":26458,"name":"Brin Zhang","email":"zhangbailin@inspur.com","username":"zhangbailin"},"change_message_id":"127c83ceda5b0b4c89fb0930550781eed6c2a06e","unresolved":false,"context_lines":[{"line_number":66,"context_line":"\r"},{"line_number":67,"context_line":"* GET /servers/{server_id}/os-instance-actions/{request_id}\r"},{"line_number":68,"context_line":"\r"},{"line_number":69,"context_line":"Add a new policy to control the visibility for a set of instance action\r"},{"line_number":70,"context_line":"attributes, its default rule is \u0027rule:system_reader_api\u0027 (Legacy rule\r"},{"line_number":71,"context_line":"is \u0027rule:admin_api\u0027).\r"},{"line_number":72,"context_line":"\r"},{"line_number":73,"context_line":"The event \"details\" are the same as the ``fault.message`` that the user would\r"},{"line_number":74,"context_line":"see when the server is in **ERROR** status. For NovaExceptions that would be\r"}],"source_content_type":"text/x-rst","patch_set":3,"id":"df33271e_6d5c6e4b","line":71,"range":{"start_line":69,"start_character":0,"end_line":71,"end_character":21},"in_reply_to":"df33271e_b756c928","updated":"2020-03-25 06:21:08.000000000","message":"If we want to expose this to the non-admin user by modifying the default policy, we cannot only control the \u0027details\u0027 to be shown in instance action events.\n\nIf we use the BASE_POLICY_NAME% \u0027events\u0027 policy to limit populating the events \u0027details\u0027, then \u0027traceback\u0027 and \u0027details\u0027 will be on the same level and cannot be treated differently.\n\nIf the administrator wants to expose \u0027details\u0027 to the non-admin, sensitive information (\u0027traceback\u0027) will also be exposed to non-admin at the same time; this is not what we want.","commit_id":"60fb46e3dff6ad1d0f47a748b7de9249919ab533"}]}
