
yahoo-eng-team team mailing list archive

[Bug 1369581] [NEW] compute-trust.json provides invalid data for trust filter

 

Public bug reported:

compute-trust.json provides the following properties for the trust filter:

"properties": {
	"trust:trusted_host": {
		"title": "Intel® TXT attestation",
		"description": "Select to ensure that node has been attested by Intel® Trusted Execution Technology (Intel® TXT).",
		"type": "boolean"
	}
}

This means that we actually require True/False values for trust levels.
This does not match how the Trust Filter works (comment from the trust
filter):

Filter that only schedules tasks on a host if the integrity (trust)
of that host matches the trust requested in the ``extra_specs`` for the
flavor.  The ``extra_specs`` will contain a key/value pair where the
key is ``trust``.  The value of this pair (``trusted``/``untrusted``) must
match the integrity of that host (obtained from the Attestation
service) before the task can be scheduled on that host.

There is also an 'unknown' level available:

    def _init_cache_entry(self, host):
        self.compute_nodes[host] = {
            'trust_lvl': 'unknown',
            'vtime': timeutils.normalize_time(
                        timeutils.parse_isotime("1970-01-01T00:00:00Z"))}

This means that compute-trust.json should be changed to match the trust
levels that are expected by the Trust Filter.

** Affects: glance
     Importance: Undecided
     Assignee: Pawel Koniszewski (pawel-koniszewski)
         Status: New

** Changed in: glance
     Assignee: (unassigned) => Pawel Koniszewski (pawel-koniszewski)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1369581

Title:
  compute-trust.json provides invalid data for trust filter

Status in OpenStack Image Registry and Delivery Service (Glance):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1369581/+subscriptions
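
Added example (not part of the original bug report, and not nova or glance code): a simplified model of the mismatch described above, checking which values a property definition lets a client store against the trust levels the filter compares with. The names PROPOSED_DEF, allowed_values, host_passes and unmatchable_values are hypothetical, and the string/enum definition is an assumed form of a fix, not the change that was merged.

```python
# Added illustration: a simplified model, not nova or glance code.
# Trust levels named in the bug report.
TRUST_LEVELS = ("trusted", "untrusted", "unknown")

# Property definition as quoted from compute-trust.json in the report.
CURRENT_DEF = {"trust:trusted_host": {"type": "boolean"}}

# Hypothetical corrected definition (assumption, not the merged fix):
# a string restricted to the levels the filter compares against.
PROPOSED_DEF = {
    "trust:trusted_host": {"type": "string", "enum": list(TRUST_LEVELS)}
}


def allowed_values(prop):
    """Values a client may store under this property definition."""
    if prop["type"] == "boolean":
        return [True, False]
    if prop["type"] == "string" and "enum" in prop:
        return list(prop["enum"])
    raise ValueError("definition does not enumerate its values")


def host_passes(requested, host_trust_lvl):
    """Simplified filter rule from the quoted docstring: the requested
    value must equal the host's attested trust level."""
    return str(requested) == host_trust_lvl


def unmatchable_values(definition, key="trust:trusted_host"):
    """Allowed values that no host trust level can ever satisfy."""
    return [
        v for v in allowed_values(definition[key])
        if not any(host_passes(v, lvl) for lvl in TRUST_LEVELS)
    ]


if __name__ == "__main__":
    for name, d in (("current", CURRENT_DEF), ("proposed", PROPOSED_DEF)):
        print(name, "unmatchable:", unmatchable_values(d))
```

With the boolean definition every selectable value is unmatchable, so a flavor tagged through it can never be matched to an attested host under this model.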
