)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"eff7bf862a875a5d875936e1f73342dbf2b85783","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"b04fa58e_3864b970","updated":"2025-12-08 18:40:37.000000000","message":"Note we are past the spec approval freeze deadline for this cycle\nNova Spec Freeze¶\n\nAll Nova Specs for features to be implemented in 2026.1 Gazpacho must be approved by 4 December 2025 (23:59 UTC).\n\nhttps://releases.openstack.org/gazpacho/schedule.html#g-nova-spec-freeze","commit_id":"2a95966b88782ffbe5a096e4c56c5b2cf2ad345a"}],"specs/backlog/approved/improve-nova-image-caching.rst":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"15674670e6b7a101fe9369c45a4b769bdf3236d4","unresolved":true,"context_lines":[{"line_number":59,"context_line":""},{"line_number":60,"context_line":"* As an user, I should be informed that I am not able to boot a"},{"line_number":61,"context_line":"  particular image rather than it simply going in to error state"},{"line_number":62,"context_line":"  without details."},{"line_number":63,"context_line":"* As an operator, I expect Nova image caching behavior to be consistent"},{"line_number":64,"context_line":"  based on the policies defined."},{"line_number":65,"context_line":"* As an operator, I desire the ability to allow a user the ability to"}],"source_content_type":"text/x-rst","patch_set":3,"id":"95666cc1_cf34b466","line":62,"updated":"2025-11-24 17:39:23.000000000","message":"so this check should be done at the API layer today.\n\nI\u0027m surprised we are not doing that, but that is the correct place to reject the boot request with a 400","commit_id":"2a95966b88782ffbe5a096e4c56c5b2cf2ad345a"},{"author":{"_account_id":11302,"name":"Phillip 
Toohill","email":"phillip.toohill@rackspace.com","username":"ptoohill1"},"change_message_id":"e5f8a80843d8a29a0678bf9ada13773d76a32c01","unresolved":true,"context_lines":[{"line_number":59,"context_line":""},{"line_number":60,"context_line":"* As an user, I should be informed that I am not able to boot a"},{"line_number":61,"context_line":"  particular image rather than it simply going in to error state"},{"line_number":62,"context_line":"  without details."},{"line_number":63,"context_line":"* As an operator, I expect Nova image caching behavior to be consistent"},{"line_number":64,"context_line":"  based on the policies defined."},{"line_number":65,"context_line":"* As an operator, I desire the ability to allow a user the ability to"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ae845fc7_6045fc51","line":62,"in_reply_to":"95666cc1_cf34b466","updated":"2025-11-25 15:28:57.000000000","message":"Agreed, the check needs to be adjusted to the right place to provide proper behavior.","commit_id":"2a95966b88782ffbe5a096e4c56c5b2cf2ad345a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"15674670e6b7a101fe9369c45a4b769bdf3236d4","unresolved":true,"context_lines":[{"line_number":61,"context_line":"  particular image rather than it simply going in to error state"},{"line_number":62,"context_line":"  without details."},{"line_number":63,"context_line":"* As an operator, I expect Nova image caching behavior to be consistent"},{"line_number":64,"context_line":"  based on the policies defined."},{"line_number":65,"context_line":"* As an operator, I desire the ability to allow a user the ability to"},{"line_number":66,"context_line":"  boot an instance from an image that they aren\u0027t allowed to download"},{"line_number":67,"context_line":"  directly."}],"source_content_type":"text/x-rst","patch_set":3,"id":"40290737_311563aa","line":64,"updated":"2025-11-24 
17:39:23.000000000","message":"so in general nova only supports default policy, not custom policy.\neffectively we require that the operator provide sufficient end-to-end policy to allow a user to download an image from glance if we are going to allow them to boot from it.\n\nso nova cannot escalate to a higher-privileged token to download the image for them if the user token does not have the role required to download it.","commit_id":"2a95966b88782ffbe5a096e4c56c5b2cf2ad345a"},{"author":{"_account_id":11302,"name":"Phillip Toohill","email":"phillip.toohill@rackspace.com","username":"ptoohill1"},"change_message_id":"e5f8a80843d8a29a0678bf9ada13773d76a32c01","unresolved":true,"context_lines":[{"line_number":61,"context_line":"  particular image rather than it simply going in to error state"},{"line_number":62,"context_line":"  without details."},{"line_number":63,"context_line":"* As an operator, I expect Nova image caching behavior to be consistent"},{"line_number":64,"context_line":"  based on the policies defined."},{"line_number":65,"context_line":"* As an operator, I desire the ability to allow a user the ability to"},{"line_number":66,"context_line":"  boot an instance from an image that they aren\u0027t allowed to download"},{"line_number":67,"context_line":"  directly."}],"source_content_type":"text/x-rst","patch_set":3,"id":"c9f09a21_98e71635","line":64,"in_reply_to":"40290737_311563aa","updated":"2025-11-25 15:28:57.000000000","message":"The ask/expectation here is that the behavior is consistent. 
If Nova is going to block the request on download the same behavior should be applied to the cached image.","commit_id":"2a95966b88782ffbe5a096e4c56c5b2cf2ad345a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"15674670e6b7a101fe9369c45a4b769bdf3236d4","unresolved":true,"context_lines":[{"line_number":64,"context_line":"  based on the policies defined."},{"line_number":65,"context_line":"* As an operator, I desire the ability to allow a user the ability to"},{"line_number":66,"context_line":"  boot an instance from an image that they aren\u0027t allowed to download"},{"line_number":67,"context_line":"  directly."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"Proposed change"},{"line_number":70,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"662e7332_a250e945","line":67,"updated":"2025-11-24 17:39:23.000000000","message":"this is not something we can support by default, so if we were to allow privilege escalation by default we would have to restrict it to nobody or admin by default.","commit_id":"2a95966b88782ffbe5a096e4c56c5b2cf2ad345a"},{"author":{"_account_id":11302,"name":"Phillip Toohill","email":"phillip.toohill@rackspace.com","username":"ptoohill1"},"change_message_id":"e5f8a80843d8a29a0678bf9ada13773d76a32c01","unresolved":true,"context_lines":[{"line_number":64,"context_line":"  based on the policies defined."},{"line_number":65,"context_line":"* As an operator, I desire the ability to allow a user the ability to"},{"line_number":66,"context_line":"  boot an instance from an image that they aren\u0027t allowed to download"},{"line_number":67,"context_line":"  directly."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"Proposed 
change"},{"line_number":70,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"d2f84a3c_26ca19cd","line":67,"in_reply_to":"662e7332_a250e945","updated":"2025-11-25 15:28:57.000000000","message":"That\u0027s what we\u0027re hoping to work through in order to provide the ability to allow users to boot images they aren\u0027t allowed to download directly.","commit_id":"2a95966b88782ffbe5a096e4c56c5b2cf2ad345a"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"fc36119e65274aa3d45a99a88ad15ca0e91375b6","unresolved":true,"context_lines":[{"line_number":65,"context_line":"* As an operator, I desire the ability to allow a user the ability to"},{"line_number":66,"context_line":"  boot an instance from an image that they aren\u0027t allowed to download"},{"line_number":67,"context_line":"  directly."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"Proposed change"},{"line_number":70,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":71,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"f5da4af7_3cf81e47","line":68,"updated":"2025-11-25 12:41:07.000000000","message":"* It is strange that the user can read the metadata of the image from glance but cannot download the image. That is a very strange policy config. I would say that is a policy configuration issue to be fixed on the given deployment.\n\n* If nova allows starting a VM from a cached image where the user has no access to the image in glance (neither GET nor download) then that is a security bug. 
But if the user has GET access but not download access to the image then I would say that is an inconsistent policy and not a bug.","commit_id":"2a95966b88782ffbe5a096e4c56c5b2cf2ad345a"},{"author":{"_account_id":11302,"name":"Phillip Toohill","email":"phillip.toohill@rackspace.com","username":"ptoohill1"},"change_message_id":"e5f8a80843d8a29a0678bf9ada13773d76a32c01","unresolved":true,"context_lines":[{"line_number":65,"context_line":"* As an operator, I desire the ability to allow a user the ability to"},{"line_number":66,"context_line":"  boot an instance from an image that they aren\u0027t allowed to download"},{"line_number":67,"context_line":"  directly."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"Proposed change"},{"line_number":70,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":71,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"b429465e_3d8f9c22","line":68,"in_reply_to":"f5da4af7_3cf81e47","updated":"2025-11-25 15:28:57.000000000","message":"- That is a desired policy that we\u0027d like to implement. It seems reasonable enough, a user can view metadata and even boot images but we don\u0027t want them to actually be able to directly download the image. \n\n- I agree, the current behavior is a bug. If we\u0027re going to block booting from the image on download then we should also block for images in the cache. I wouldn\u0027t say it\u0027s inconsistent policy though. 
The user should be able to view what they\u0027re allowed to use we just don\u0027t want them to be able to also directly download the image.","commit_id":"2a95966b88782ffbe5a096e4c56c5b2cf2ad345a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"15674670e6b7a101fe9369c45a4b769bdf3236d4","unresolved":true,"context_lines":[{"line_number":82,"context_line":"---------------------------------------"},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"One way to get around the issue here is to utilize the service user"},{"line_number":85,"context_line":"instead of the user\u0027s auth context to download the image."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"As it stands now, if the image is cached a user can boot the image"},{"line_number":88,"context_line":"regardless of their permissions to download the image. Using the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"c6e9f4d7_2d088709","line":85,"updated":"2025-11-24 17:39:23.000000000","message":"no, this is a security bug/vulnerability.\n\nwe could not support that as a standard behaviour in my opinion.\n\nthe service_user exists solely to extend the lifetime of the user token\n\nits roles cannot be used in any way to elevate the privileges of a user\u0027s request.","commit_id":"2a95966b88782ffbe5a096e4c56c5b2cf2ad345a"},{"author":{"_account_id":11302,"name":"Phillip Toohill","email":"phillip.toohill@rackspace.com","username":"ptoohill1"},"change_message_id":"e5f8a80843d8a29a0678bf9ada13773d76a32c01","unresolved":true,"context_lines":[{"line_number":82,"context_line":"---------------------------------------"},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"One way to get around the issue here is to utilize the service user"},{"line_number":85,"context_line":"instead of the user\u0027s auth context to download the 
image."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"As it stands now, if the image is cached a user can boot the image"},{"line_number":88,"context_line":"regardless of their permissions to download the image. Using the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"99c407d6_c3d05605","line":85,"in_reply_to":"c6e9f4d7_2d088709","updated":"2025-11-25 15:28:57.000000000","message":"I believe the service user is used in this manner in other services, though I don\u0027t have those recipts offhand. But that was discussed in the linked etherpad/irc notes. \n\nIn this particular case it makes even more sense. The service, Nova, is what is putting the image in to its own cache. The service should be doing the operation. The user is not downloading it here. So this actually sorta breaks the log tracing as it would seem like the user is doing these operations but in reality it\u0027s the Nova service. So using the service user to do a service operation does make some sense. We\u0027d just have to work through the other concerns around using it.","commit_id":"2a95966b88782ffbe5a096e4c56c5b2cf2ad345a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"15674670e6b7a101fe9369c45a4b769bdf3236d4","unresolved":true,"context_lines":[{"line_number":113,"context_line":"can do its usual ``get_image`` checks(assuming those are still desired)"},{"line_number":114,"context_line":"and attempt to download the image as the user. If the user\u0027s"},{"line_number":115,"context_line":"permissions have the ``is_bootable`` policy the image can then be"},{"line_number":116,"context_line":"downloaded and stored in the cache."},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"The problem with this option would be that Glance would need to know"},{"line_number":119,"context_line":"that the request was initiated by Nova. 
It would be treated as a"}],"source_content_type":"text/x-rst","patch_set":3,"id":"a103a222_ebd13836","line":116,"updated":"2025-11-24 17:39:23.000000000","message":"if we were to go this route I think we would just have the API try to download the image with the user token and abort it after, say, 1MB if we are able to start the download.\n\n\nthis is the only thing I think we could possibly do: move the check of \"can this user\u0027s token download the image\" to the API or conductor instead of doing that on the compute node.\n\nif we can\u0027t download it we will get a 403 immediately and we can return a 400 to the user with an error message\n\nif we can start streaming the image we can abort it and proceed after we get the first n bytes.","commit_id":"2a95966b88782ffbe5a096e4c56c5b2cf2ad345a"},{"author":{"_account_id":11302,"name":"Phillip Toohill","email":"phillip.toohill@rackspace.com","username":"ptoohill1"},"change_message_id":"e5f8a80843d8a29a0678bf9ada13773d76a32c01","unresolved":true,"context_lines":[{"line_number":113,"context_line":"can do its usual ``get_image`` checks(assuming those are still desired)"},{"line_number":114,"context_line":"and attempt to download the image as the user. If the user\u0027s"},{"line_number":115,"context_line":"permissions have the ``is_bootable`` policy the image can then be"},{"line_number":116,"context_line":"downloaded and stored in the cache."},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"The problem with this option would be that Glance would need to know"},{"line_number":119,"context_line":"that the request was initiated by Nova. It would be treated as a"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3985ade9_ff1bba82","line":116,"in_reply_to":"a103a222_ebd13836","updated":"2025-11-25 15:28:57.000000000","message":"I certainly agree that we need to move the checks up to avoid error\u0027d instances. 
But I think we\u0027d still need to muck with the policy or behavior somehow to achieve the desired outcome here, which I\u0027m trying to figure out the best way to do.","commit_id":"2a95966b88782ffbe5a096e4c56c5b2cf2ad345a"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"15674670e6b7a101fe9369c45a4b769bdf3236d4","unresolved":true,"context_lines":[{"line_number":129,"context_line":"This option would require a bit effort from the previous two I believe."},{"line_number":130,"context_line":"For this, an operator could tag the images that are allowed to be"},{"line_number":131,"context_line":"booted as something similar to the previous policy such as"},{"line_number":132,"context_line":"``is_bootable``."},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"With that, Nova can then proceed with its usual ``get_image``"},{"line_number":135,"context_line":"checks(assuming those are still desired) and continue to the download."}],"source_content_type":"text/x-rst","patch_set":3,"id":"d20adf86_6dc43b85","line":132,"updated":"2025-11-24 17:39:23.000000000","message":"this does not correspond to the normal concept of bootability\n\nwhen we say an image is bootable today we mean it has a GPT partition table and could be used as the boot disk of a nova instance, ironic server or zun container.\n\nit does not map to whether a service like nova can download the image on an end user\u0027s behalf.","commit_id":"2a95966b88782ffbe5a096e4c56c5b2cf2ad345a"},{"author":{"_account_id":11302,"name":"Phillip Toohill","email":"phillip.toohill@rackspace.com","username":"ptoohill1"},"change_message_id":"e5f8a80843d8a29a0678bf9ada13773d76a32c01","unresolved":true,"context_lines":[{"line_number":129,"context_line":"This option would require a bit effort from the previous two I believe."},{"line_number":130,"context_line":"For this, an operator could tag the images that are allowed to 
be"},{"line_number":131,"context_line":"booted as something similar to the previous policy such as"},{"line_number":132,"context_line":"``is_bootable``."},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"With that, Nova can then proceed with its usual ``get_image``"},{"line_number":135,"context_line":"checks(assuming those are still desired) and continue to the download."}],"source_content_type":"text/x-rst","patch_set":3,"id":"5e2bb6d5_e375a303","line":132,"in_reply_to":"d20adf86_6dc43b85","updated":"2025-11-25 15:28:57.000000000","message":"the \u0027is_bootable\u0027 name was just an example. We could call it \u0027allow_to_use\u0027 or anything really here. The concept in this option is to give Nova a way to realize that the image can be used to boot instances despite the download policy blocking direct downloads.","commit_id":"2a95966b88782ffbe5a096e4c56c5b2cf2ad345a"}]}
