Monday, 2016-08-08

openstackgerritSergey Skripnick proposed openstack/app-catalog: [wip] Glare v1.0 API
sskripnickdocaedo around? Your opinion needed16:11
docaedosskripnick: hey there, I'm around16:12
sskripnickthe question is should we let Glare listen on subdomain, and let client to send queries directly to Glare16:13
sskripnickadditional info like user comments, stars etc can be obtained by querying app catalog api16:13
sskripnickdocaedo ^ here is some thoughts on app catalog API16:14
sskripnickbtw current implementation is working with Glare directly16:14
kzaitsev_mbI'd vote for having routed to glare,{comments,assets,votes,etc} handeled by app cat python code16:15
docaedosskripnick: I'm taking a look now, but I think having glare listen on a subdomain seems reasonable, though the app catalog should always defer to it's own API so it's not permanently tied to glare16:15
kzaitsev_mbI don't like the idea of exposing direct glare API (at the very least for security reasons)16:15
docaedokzaitsev_mb: I think that was always the plan actually, glad you are reminding me :)  I also don't understand why we would need/want to expose glare directly?16:16
kzaitsev_mbbut we can have a glare.a.o.o subdomain, that has glare api itself if that is needed by someone16:16
sskripnickok i agreed with not be tied to glare16:17
docaedoWhat is the case where someone would need to access glare directly?16:17
kzaitsev_mbalso you would still have the "almost direct" access to glare anyway16:17
sskripnickthis is not literally needed, but there is some overhead16:17
kzaitsev_mbmy guts tell me that in case there would be a security vulnerability with some part of the API — it's better to have a thin proxy in front of it to patch it fast and prevent anyone from accessing the api directly16:19
sskripnickwe can fix issue in Glare in the same way16:19
sskripnickand it better to fix it in Glare, not in proxy16:20
kzaitsev_mbsskripnick: it's not always easy to fix a security issue. having a way to restrice access to some part of the API seems favorable to me16:20
kzaitsev_mbsskripnick: I'm talking about temporary hotfix16:20
sskripnickGlare users will be glad to have temporary hotfix too16:21
docaedoI would worry about scaling, it's a lot easier to set up caching in front of glare, vs. having to fix glare if performance becomes an issue16:21
kzaitsev_mband messing with glare api for that part seems like waay too hard, then meddling with glare internals16:22
docaedoalso if we directly expose glare, it becomes an easy target for ddos? But I guess any end point can be ddos'd and would require the same remediation16:22
kzaitsev_mbgot distracted =)16:22
kzaitsev_mbanyway — from where I look at — having a thin proxy (think nginx) is a very small overhead16:23
sskripnickI think scaling and not tying with glare is enough16:25
sskripnickkzaitsev_mb: proxying by nginx === glare direct access16:25
kzaitsev_mbsskripnick: I think you and I are not on the same page then )16:26
sskripnickkzaitsev_mb: I talking about python proxy which will modify glare responses16:26
kzaitsev_mbsskripnick: nginx can also modify requests/responses ) or make it require an internal redirect for example16:27
sskripnickactually Im talking about modifying Glare reposes in general16:27
kzaitsev_mbI'm not sure we'd need modifying glare responses right now16:27
sskripnickso with python proxy we can not be tied to glare backend16:28
sskripnickkzaitsev_mb: please take a look
sskripnickline 1316:28
kzaitsev_mbsskripnick: btw, can we safely abandon our commits with v0.1? =)16:28
sskripnick* with python "proxy" we are not tied to glare backend16:29
kzaitsev_mbdo you need any of them anymore? =)16:29
sskripnickkzaitsev_mb: i dunno. i have copied all what i can %)16:29
kzaitsev_mbsskripnick: well if you've got everything from them I'm going to abandon them in favor of yours
docaedooh sskripnick since you were out sick during the meeting last week, you missed a question I had for you16:31
docaedoI want to re-create the server you're running so I can start working on the puppet modules for deployment16:32
sskripnickoh I was looking on puppet while I was sick16:33
docaedoso wondering if this is the right topic: and if there are any specific instructions or requirements16:33
kzaitsev_mbok, I'm not sure we really need to modify glare responses right now. But having that ability would certainly be benefitial, as at some point we will16:34
docaedosskripnick: puppet is not too hard, but there are some requirements to make sure things integrate with infra16:34
docaedosskripnick: and the way app catalog is being deployed now is here:
docaedosskripnick: thanks, I'll read through that README.rst and ping you if I have questions16:35
sskripnickdocaedo: yeah, I have found this repo16:35
kzaitsev_mbalso here is a nice article with an angular style-guide. Horizon adopted it some time ago. It's a bit tiresome to rewrite everithing into it. I'm not sure if we want to follow16:36
sskripnickdocaedo great. so I don't need to do this %)16:36
kzaitsev_mbbut it's something to consider16:36
sskripnickkzaitsev_mb: oh, thanks a lot. Ill read it right now16:36
docaedosskripnick: yeah I hope to tackle that puppet stuff ;)16:37
mfedosindocaedo: it's a small picture I made, that describes two possible reference architectures of app-catalog: with proxy application and without
mfedosinme and sskripnick prefer first version (without proxy), kzaitsev_ws likes the second18:42
mfedosinkzaitsev_ws: please correct me if I got you wrong18:43
kfox1111mfedosin: my preference is closer to the one on the bottom, whith s/
kfox1111if we go with the top one, and glare looses all its steam, but we want to support our v2 api for a long time, we will have many more options with the bottom one.18:57
kfox1111if glare's a huge success and we never need to add any new stuff, we can make a v3 that just removes the proxy and wait for v2 to die off.18:58
kfox1111I'd rather hedge our bets at this point.18:59
mfedosinkfox1111: it makes sense indeed! tomorrow there will be more detailed documentation and we'll be able to compare pros and cons of two approaches more consciously19:01
docaedoas usual, I agree with kfox1111 on this :)19:11
