Bug#988828: marked as done (unblock: cloudkitty/13.0.0-6)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Fri, 21 May 2021 06:29:42 +0000
with message-id <E1ljyfG-0002ZS-OW@respighi.debian.org>
and subject line unblock cloudkitty
has caused the Debian Bug report #988828,
regarding unblock: cloudkitty/13.0.0-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988828: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988828
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: cloudkitty/13.0.0-6
• From: Thomas Goirand <zigo@debian.org>
• Date: Thu, 20 May 2021 09:24:25 +0200
• Message-id: <[🔎] 162149546538.20819.16915944501660167493.reportbug@zbuz.infomaniak.ch>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package cloudkitty

Cloudkitty is the "rating" module of OpenStack. With it, operators can
set prices on resources, and Cloudkitty aggregates what's spent.

In this context, the command:

cloudkitty summary get -t <ID-of-the-project>

This results of something like this:

+----------------------------------+---------------+-------------+---------------------+---------------------+
| Tenant ID                        | Resource Type | Rate        | Begin Time          | End Time            |
+----------------------------------+---------------+-------------+---------------------+---------------------+
| b18351dc53464a7cadb0c002b8b2a0da | ALL           | 80890.32918 | 2021-05-01T00:00:00 | 2021-06-01T00:00:00 |
+----------------------------------+---------------+-------------+---------------------+---------------------+

where "Rate" is what has been spent by the project
b18351dc53464a7cadb0c002b8b2a0da.

Unfortunately, the -t option doesn't work, unless the patch (included in
the attached debdiff). The result is that an admin of an OpenStack
deployment cannot know the rating for the administered users.

I had this patch (from upstream) ready for the last 2 months, but I was
not able to properly test it until last week. We tested it in a real
production environment, and it repaired the -t option of "summary get"
as expected.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock cloudkitty/13.0.0-6

Cheers,

Thomas Goirand (zigo)

diff -Nru cloudkitty-13.0.0/debian/changelog cloudkitty-13.0.0/debian/changelog
--- cloudkitty-13.0.0/debian/changelog	2021-03-10 09:43:01.000000000 +0100
+++ cloudkitty-13.0.0/debian/changelog	2021-05-20 09:10:18.000000000 +0200
@@ -1,3 +1,10 @@
+cloudkitty (13.0.0-6) unstable; urgency=medium
+
+  * Tune cloudkitty-api-uwsgi.ini for performance.
+  * Add Fix-default-admin_or_owner-policy-expression.patch.
+
+ -- Thomas Goirand <zigo@debian.org>  Thu, 20 May 2021 09:10:18 +0200
+
 cloudkitty (13.0.0-5) unstable; urgency=medium
 
   * Add rate-everyone.patch.
diff -Nru cloudkitty-13.0.0/debian/cloudkitty-api-uwsgi.ini cloudkitty-13.0.0/debian/cloudkitty-api-uwsgi.ini
--- cloudkitty-13.0.0/debian/cloudkitty-api-uwsgi.ini	2021-03-10 09:43:01.000000000 +0100
+++ cloudkitty-13.0.0/debian/cloudkitty-api-uwsgi.ini	2021-05-20 09:10:18.000000000 +0200
@@ -12,11 +12,6 @@
 # This is running standalone
 master = true
 
-# Threads and processes
-enable-threads = true
-
-processes = 8
-
 # uwsgi recommends this to prevent thundering herd on accept.
 thunder-lock = true
 
@@ -34,6 +29,23 @@
 # exit instead of brutal reload on SIGTERM
 die-on-term = true
 
+##########################
+### Performance tuning ###
+##########################
+# Threads and processes
+enable-threads = true
+
+# For max perf, set this to number of core*2
+processes = 8
+
+# This was benchmarked as a good value
+threads = 32
+
+# This is the number of sockets in the queue.
+# It improves a lot performances. This is comparable
+# to the Apache ServerLimit/MaxClients option.
+listen = 100
+
 ##################################
 ### OpenStack service specific ###
 ##################################
diff -Nru cloudkitty-13.0.0/debian/patches/Fix-default-admin_or_owner-policy-expression.patch cloudkitty-13.0.0/debian/patches/Fix-default-admin_or_owner-policy-expression.patch
--- cloudkitty-13.0.0/debian/patches/Fix-default-admin_or_owner-policy-expression.patch	1970-01-01 01:00:00.000000000 +0100
+++ cloudkitty-13.0.0/debian/patches/Fix-default-admin_or_owner-policy-expression.patch	2021-05-20 09:10:18.000000000 +0200
@@ -0,0 +1,47 @@
+Description: Fix default admin_or_owner policy expression
+ By default not even an admin can use the get_summary endpoint with
+ all_tenants=True or using a tenant_id parameter. This commit fixes that.
+ .
+ This rule is now the same as how cinder defines admin_or_owner.
+From: Jonathan Herlin <jonathan.herlin@elits.com>
+Date: Thu, 01 Apr 2021 18:17:08 +0200
+Change-Id: I3e34927e8ab88f25d2975b4dbac89b52a7d94c98
+Origin: upstream, https://review.opendev.org/c/openstack/cloudkitty/+/784444
+Last-Update: 2021-04-23
+
+diff --git a/cloudkitty/common/policies/base.py b/cloudkitty/common/policies/base.py
+index 99591ec..0fe4847 100644
+--- a/cloudkitty/common/policies/base.py
++++ b/cloudkitty/common/policies/base.py
+@@ -25,7 +25,9 @@
+         check_str='role:admin'),
+     policy.RuleDefault(
+         name='admin_or_owner',
+-        check_str='is_admin:True or project_id:%(project_id)s'),
++        check_str='is_admin:True or '
++                  '(role:admin and is_admin_project:True) or '
++                  'project_id:%(project_id)s'),
+     policy.RuleDefault(
+         name='default',
+         check_str=UNPROTECTED)
+diff --git a/doc/source/_static/cloudkitty.policy.yaml.sample b/doc/source/_static/cloudkitty.policy.yaml.sample
+index 26abee2..37d3e28 100644
+--- a/doc/source/_static/cloudkitty.policy.yaml.sample
++++ b/doc/source/_static/cloudkitty.policy.yaml.sample
+@@ -1,6 +1,6 @@
+ #"context_is_admin": "role:admin"
+ 
+-#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
++#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
+ 
+ #"default": ""
+ 
+@@ -45,7 +45,7 @@
+ # GET  /v1/info/config
+ #"info:get_config": ""
+ 
+-# Reture the list of loaded modules in Cloudkitty.
++# Return the list of loaded modules in Cloudkitty.
+ # LIST  /v1/rating/modules
+ #"rating:list_modules": "role:admin"
+ 
diff -Nru cloudkitty-13.0.0/debian/patches/series cloudkitty-13.0.0/debian/patches/series
--- cloudkitty-13.0.0/debian/patches/series	2021-03-10 09:43:01.000000000 +0100
+++ cloudkitty-13.0.0/debian/patches/series	2021-05-20 09:10:18.000000000 +0200
@@ -4,3 +4,4 @@
 log-how-many-tenants-fetched.patch
 add-force-granularity-300-for-cpu.patch
 rate-everyone.patch
+Fix-default-admin_or_owner-policy-expression.patch

--- End Message ---

--- Begin Message ---

• To: 988828-done@bugs.debian.org
• Subject: unblock cloudkitty
• From: Sebastian Ramacher <sramacher@respighi.debian.org>
• Date: Fri, 21 May 2021 06:29:42 +0000
• Message-id: <E1ljyfG-0002ZS-OW@respighi.debian.org>

Unblocked.

--- End Message ---