| woodster_ | kfox1111: rm_work should be on containers as well, but policy is not cascaded to secrets underneath | 00:09 |
|---|---|---|
| kfox1111 | hmm... so when I create the heat resource for acl, I need to recurse and handle all the secrets too... fun. :/ Ok. | 00:10 |
| kfox1111 | would it make sense to support it as a param to the container acl? Would it just end up being a single db update that way? | 00:11 |
| *** kebray has quit IRC | 00:11 | |
| kfox1111 | IE, add this one user to the acl, and all secrets? | 00:12 |
| woodster_ | kfox1111: yeah the problem is that secrets can exist in multiple containers | 00:12 |
| kfox1111 | hmm.... then there's the reference counting issue.... | 00:12 |
| kfox1111 | hmm... but its unknownable outside of barbican. | 00:12 |
| kfox1111 | so its gota be fixed there. :/ | 00:12 |
| woodster_ | kfox1111: containers are for loose grouping of secrets | 00:13 |
| kfox1111 | I know. but If I need to create a template that takes in a container, and makes all the secrets available to the vm to use, | 00:14 |
| kfox1111 | then I need to acl the container, and all the secrets. | 00:14 |
| kfox1111 | if there's more then one container, that shares a secret, that could get ugly. | 00:14 |
| kfox1111 | hmmm... difficult issue. | 00:15 |
| woodster_ | kfox1111: well individual secret policy rules the day so just because in container doesn't mean you can retrieve it | 00:15 |
| woodster_ | kfox1111: miguelgrinberg in #openstack-api was curious about the user add/remove race condition use case in Heat that a PATCH would be good for...he's concerned it adds complexity | 00:17 |
| kfox1111 | I mean from the heat resource managing the acl's standpoint. It might get very racy since it doesn't have the whole view of things. :/ | 00:17 |
| *** SheenaG has joined #openstack-barbican | 00:18 | |
| woodster_ | kfox1111: yeah that seems like a design issue to me though...seems only one Heat engine should setup a VM at a time? | 00:18 |
| *** zz_dimtruck is now known as dimtruck | 00:36 | |
| kfox1111 | heat can run engines on multiple hosts for scaling. they are unaware of each other. | 00:46 |
| kfox1111 | otherwise heat would be really really slow on a huge cloud. :/ | 00:46 |
| *** gyee has quit IRC | 01:25 | |
| *** jkf has quit IRC | 01:33 | |
| *** david-lyle has quit IRC | 03:25 | |
| *** david-lyle has joined #openstack-barbican | 03:26 | |
| *** jamielennox is now known as jamielennox|away | 03:52 | |
| *** kebray has joined #openstack-barbican | 03:53 | |
| *** kebray has quit IRC | 03:55 | |
| *** nelsnelson has joined #openstack-barbican | 04:03 | |
| *** dimtruck is now known as zz_dimtruck | 05:34 | |
| *** jkf has joined #openstack-barbican | 06:24 | |
| *** nelsnelson has quit IRC | 06:24 | |
| *** woodster_ has quit IRC | 06:30 | |
| *** rm_you| has quit IRC | 11:11 | |
| *** rm_you has joined #openstack-barbican | 11:16 | |
| *** darrenmoffat has quit IRC | 11:39 | |
| *** darrenmoffat has joined #openstack-barbican | 11:40 | |
| *** woodster_ has joined #openstack-barbican | 12:21 | |
| *** insequent has quit IRC | 13:38 | |
| *** nelsnelson has joined #openstack-barbican | 14:27 | |
| *** pglass has joined #openstack-barbican | 15:54 | |
| *** kebray has joined #openstack-barbican | 17:21 | |
| *** openstackgerrit has quit IRC | 17:51 | |
| *** openstackgerrit has joined #openstack-barbican | 17:51 | |
| *** woodster_ has quit IRC | 18:20 | |
| *** kebray has quit IRC | 19:00 | |
| *** pglass has quit IRC | 19:29 | |
| *** jamielennox|away is now known as jamielennox | 22:17 | |
| *** SheenaG has joined #openstack-barbican | 22:54 | |
| *** SheenaG has quit IRC | 23:10 | |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!