| opendevreview | Bui Doan Dang proposed openstack/heat master: handle senlin error msg https://review.opendev.org/c/openstack/heat/+/878857 | 01:03 |
|---|---|---|
| opendevreview | Bui Doan Dang proposed openstack/heat master: handle senlin error msg https://review.opendev.org/c/openstack/heat/+/878857 | 01:41 |
| opendevreview | Takashi Kajinami proposed openstack/heat master: Clear implementations for neutron LBaaS v1 https://review.opendev.org/c/openstack/heat/+/878318 | 02:26 |
| opendevreview | Bui Doan Dang proposed openstack/heat master: handle senlin error msg https://review.opendev.org/c/openstack/heat/+/878857 | 03:27 |
| opendevreview | Takashi Kajinami proposed openstack/heat master: WIP: Add CentOS 9 Stream job https://review.opendev.org/c/openstack/heat/+/879011 | 04:06 |
| opendevreview | Merged openstack/heat master: db: Remove unused util methods https://review.opendev.org/c/openstack/heat/+/878327 | 04:15 |
| opendevreview | Merged openstack/heat master: db: Add initial alembic configuration https://review.opendev.org/c/openstack/heat/+/878328 | 04:18 |
| opendevreview | Merged openstack/heat master: db: Wire up for auto-generation https://review.opendev.org/c/openstack/heat/+/878329 | 04:24 |
| opendevreview | Takashi Kajinami proposed openstack/heat master: WIP: Add CentOS 9 Stream job https://review.opendev.org/c/openstack/heat/+/879011 | 05:05 |
| opendevreview | Takashi Kajinami proposed openstack/heat master: DNM: Re-enable a few flaky tests https://review.opendev.org/c/openstack/heat/+/879014 | 05:37 |
| opendevreview | Takashi Kajinami proposed openstack/heat master: Add Python 3.10 to supported runtime. https://review.opendev.org/c/openstack/heat/+/879015 | 05:42 |
| opendevreview | Takashi Kajinami proposed openstack/python-heatclient master: Add Python 3.10 to supported runtime. https://review.opendev.org/c/openstack/python-heatclient/+/879016 | 05:42 |
| opendevreview | Takashi Kajinami proposed openstack/heat-dashboard master: Add Python 3.10 to supported runtime. https://review.opendev.org/c/openstack/heat-dashboard/+/879020 | 05:55 |
| opendevreview | Bui Doan Dang proposed openstack/heat master: handle senlin error msg https://review.opendev.org/c/openstack/heat/+/878857 | 06:41 |
| opendevreview | Takashi Kajinami proposed openstack/heat stable/xena: DNM: Pin tempest https://review.opendev.org/c/openstack/heat/+/878610 | 06:58 |
| opendevreview | Takashi Kajinami proposed openstack/heat stable/xena: DNM: Pin tempest https://review.opendev.org/c/openstack/heat/+/878610 | 07:45 |
| opendevreview | Takashi Kajinami proposed openstack/heat stable/xena: DNM: Pin tempest https://review.opendev.org/c/openstack/heat/+/878610 | 09:51 |
| noonedeadpunk | hey folks. I have a question regarding heat logic with regards to stack owners. I see in policies, that eventually actions, like stack update, should be allowed to any user in the project. At the same time I see a `username` in the tables. And I think that when that user is deleted, heat would update field to `null`. So eventually once the user, that has created stack is deleted, you can't perform stack operations anymore | 10:16 |
| noonedeadpunk | Can you either confirm or not this and any idea on how to recover operations on stack whose owner has been deleted, while there're other users in the project with member privileges? | 10:17 |
| tkajinam | noonedeadpunk, which version are you using. I guess that is what we recently fixed in https://storyboard.openstack.org/#!/story/1752347 . | 12:21 |
| noonedeadpunk | it's somewhere on xena | 12:21 |
| noonedeadpunk | So yeah... I think that's exactly it | 12:22 |
| noonedeadpunk | But I can assume that stack in topic hes break before X - these are clusters back from 2018 | 12:23 |
| tkajinam | hmm. the fix was merged during wallaby so it should be fixed in xena | 12:24 |
| tkajinam | what's the value set to [DEFAULT] deferred_auth_method ? | 12:24 |
| noonedeadpunk | deferred_auth_method = trusts | 12:25 |
| noonedeadpunk | But would it affect clusters that are already "broken" by that? | 12:26 |
| noonedeadpunk | I've double checked and we do have https://review.opendev.org/c/openstack/heat/+/557337 in tree | 12:27 |
| tkajinam | it should regenerate the credential from the context of the new users updating the stack. | 12:27 |
| tkajinam | we probably need actual heat-engine logs to find out how it is failing | 12:28 |
| noonedeadpunk | well. We have this traceback in heat-api https://paste.openstack.org/show/bwGFPm3opDL8qRwYTDts/ | 12:28 |
| noonedeadpunk | I'm not sure it's even reaching heat-engine | 12:29 |
| tkajinam | it should reach to heat-engine | 12:29 |
| tkajinam | I expec you can find the similar traceback in heat-engine side as well | 12:29 |
| noonedeadpunk | Ok, let me try to find it | 12:29 |
| tkajinam | ok so problem seems to be that it can't obtain the original context because the original user was deleted | 12:30 |
| noonedeadpunk | yes, exactly, original user does not exist anymore | 12:31 |
| tkajinam | it's failing at this point https://github.com/openstack/heat/blob/master/heat/engine/stack.py#L553 | 12:31 |
| noonedeadpunk | yup | 12:31 |
| tkajinam | the ugly hack to fix it immediately is to return True there | 12:31 |
| noonedeadpunk | And trustor_user_id in heat.user_creds does not exist | 12:32 |
| tkajinam | while we have to find out how we catch the error raised when the user no longer exists and force regenerating the trust | 12:32 |
| tkajinam | I mean, you can just comment out that line and do "return True" | 12:32 |
| tkajinam | then heat should forcefully regenerate the trust | 12:32 |
| noonedeadpunk | So... If I'll update heat.user_creds and set trustor_user_id to current user - should it re-generate trust as well? | 12:33 |
| tkajinam | I guess no, because then heat does not regenerate the trust | 12:33 |
| tkajinam | which is tied to that "deleted" user | 12:33 |
| noonedeadpunk | mhm, I see | 12:33 |
| tkajinam | If you have any other "active" user in the project then you can use it but it's as tricky as modifying the code, IMO | 12:34 |
| noonedeadpunk | Well, I think we kind of need to sort out issue for 1 customer now, and we can see what can be done to evaluate this scenario for the future | 12:35 |
| tkajinam | noonedeadpunk, do you mind creating a bug in storyboard if you've not yet created one ? | 12:35 |
| noonedeadpunk | Nope, I haven't yet. Decided to ask first as might be it's smth stupid in my config or old shitty version | 12:36 |
| noonedeadpunk | You're still in storyboard, right? | 12:36 |
| tkajinam | yeah I'm hoping we can switch back to lp but that means we've lost plenty of items there | 12:37 |
| tkajinam | https://storyboard.openstack.org/#!/project/openstack/heat | 12:37 |
| noonedeadpunk | well, you will restore older ones :D | 12:37 |
| noonedeadpunk | I wonder how bad would be to import keystone.exceptions and catch Unauthorized, then return True | 12:39 |
| tkajinam | That would be an option, but I'm hoping that we can catch more specific case | 12:41 |
| tkajinam | or trigger regeneration for any error | 12:41 |
| noonedeadpunk | created https://storyboard.openstack.org/#!/story/2010675 | 12:49 |
| noonedeadpunk | I'm more an operator then a dev, so my python kung-fu is quite limited unfortunatelly to help out with really proper fix of that | 12:50 |
| tkajinam | thx. I'll try to take some time to look into this because the scenario sounds quite general and issue would be legit. | 12:55 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!