Sunday, 2019-09-01

« Saturday, 2019-08-31 Index Monday, 2019-09-02 »
*** jamesmcarthur has joined #openstack-infra00:03
*** jamesmcarthur has quit IRC00:35
*** dims has joined #openstack-infra00:39
*** markvoelker has joined #openstack-infra00:46
*** markvoelker has quit IRC00:50
*** jamesmcarthur has joined #openstack-infra01:51
*** jamesmcarthur has quit IRC02:16
*** rmcallis has joined #openstack-infra02:44
*** rmcallis has quit IRC02:45
*** rmcall has quit IRC02:46
*** jamesmcarthur has joined #openstack-infra03:04
*** jamesmcarthur has quit IRC03:09
*** jamesmcarthur has joined #openstack-infra03:10
*** jamesmcarthur has quit IRC03:14
*** markvoelker has joined #openstack-infra03:15
*** jamesmcarthur has joined #openstack-infra03:15
*** markvoelker has quit IRC03:20
*** harlowja has quit IRC03:44
*** jamesmcarthur has quit IRC03:49
*** jamesmcarthur has joined #openstack-infra03:59
*** jamesmcarthur has quit IRC04:19
*** jamesmcarthur has joined #openstack-infra04:20
*** jamesmcarthur has quit IRC04:41
*** jamesmcarthur has joined #openstack-infra04:44
*** jamesmcarthur has quit IRC04:48
*** jamesmcarthur has joined #openstack-infra04:49
*** jamesmcarthur has quit IRC04:52
*** markvoelker has joined #openstack-infra05:30
*** markvoelker has quit IRC05:35
*** dosaboy has quit IRC07:01
*** dosaboy has joined #openstack-infra07:14
*** markvoelker has joined #openstack-infra07:30
*** markvoelker has quit IRC07:35
*** jtomasek has joined #openstack-infra07:40
*** yamamoto has joined #openstack-infra07:44
*** yamamoto has quit IRC07:48
*** jtomasek has quit IRC08:12
*** yamamoto has joined #openstack-infra08:17
*** zbr has joined #openstack-infra08:28
*** zbr_ has quit IRC08:30
*** e0ne has joined #openstack-infra08:36
*** yamamoto has quit IRC08:42
*** yamamoto has joined #openstack-infra08:56
*** xenos76 has joined #openstack-infra09:01
*** yamamoto has quit IRC09:07
*** yamamoto has joined #openstack-infra09:15
*** markvoelker has joined #openstack-infra09:30
*** xeno_os76_xyz has joined #openstack-infra09:34
*** markvoelker has quit IRC09:35
*** xenos76 has quit IRC09:37
*** trident has quit IRC10:09
*** trident has joined #openstack-infra10:28
*** dchen has joined #openstack-infra10:28
zbrdoes anyone have a working example of quering opendev gerrit using python with credentials inside netrc? somehow i failed trying pygerrit2 and even requests directly.10:33
zbri mention that I do want to make use of netrc, as I do not like to deal with credentials  in my code.10:33
zbrin fact is much easier: basic auth is broken, even testing it with curl does not work.10:41
zbrcurl -vn "https://review.opendev.org/changes/?q=owner:self%20status:open" --- should work and not return "Must be signed-in to use owner:self" when you have credentials saved in .netrc10:42
*** yolanda has joined #openstack-infra10:50
fungizbr: i believe you have to use digest auth, not basic auth11:14
zbrfungi: but probably you know that netrc does work only with basic-auth11:15
*** yamamoto has quit IRC11:16
zbrafaik, digest was a way to make non-https bit more secure, but since https became wild-spread, basic-auth became... secure.11:16
fungiwell, i've always had to use digest auth with the gerrit rest api11:17
*** yamamoto has joined #openstack-infra11:18
fungihttps://review.opendev.org/Documentation/rest-api.html#authentication11:18
fungiBy default Gerrit uses HTTP digest authentication with the HTTP password from the user’s account settings page. HTTP basic authentication is used if auth.gitBasicAuth is set to true in the Gerrit configuration.11:18
fungiso i'm guessing we haven't enabled that nonstandard option11:18
zbrfungi: i find it bit weird because apparently that is what pygerrit2 is trying to use too, same with requests.11:19
zbri am not saying that we had it wrongly configured, maybe that is the default.11:20
zbrat least the experience seems consistent with review.gerrithub.io11:20
fungii don't find that weird. i find that it's documented default behavior11:21
funginot sure why you say "maybe" since the documentation definitely says it's the default11:21
zbrthis explains current behavior. now the question is, can we enable basic-auth?11:22
fungiit seems like it might be a reasonable thing to change though11:22
fungibut will require a gerrit restart11:22
fungiand some rough consensus11:22
zbri guess basic-auth is not enable for security, as it would be a pretty bad idea with non-HTTPS.11:23
fungiright, or with https where the client is trusting untrustworthy certificate authorities (which is... almost all the certificate authorities in the typical browser trust set)11:24
openstackgerritSorin Sbarnea proposed zuul/zuul-jobs master: add-build-sshkey: add centos/rhel-8 support  https://review.opendev.org/67409211:35
fungizbr: out of curiosity, is "self" the only thing you need auth for? if so, it may be simpler just to expect the user to configure their username and use that in anonymous queries instead11:37
zbrfungi: nope, my final query is going to be more complex than that, using other features that require a current user.11:37
zbrbut i can wait, there is no pressure on that one.11:39
zbrfungi: btw, the auto-complete in gerrit query is aread PITA. I am trying to type owner:ssbarnea and it seems impossible... either way it will replace it with an email address.11:40
zbrhe clearly knows better than me what I want to type ;)11:40
*** jonher has quit IRC11:49
*** jonher has joined #openstack-infra11:49
*** eyalb has joined #openstack-infra11:57
*** eyalb has left #openstack-infra11:58
fungiyeah, the typeahead matching in gerrit wants to prefer a name or e-mail address because usernames are usually not known by other users (not that they're considered particularly secret, just that they're typically not displayed)12:09
clarkbhttps://2.python-requests.org/en/master/user/authentication/#digest-authentication use that for pygerri2 digest auth12:22
clarkbno gerrit restart required12:22
fungiclarkb: zbr indicated the underlying challenge is that he wants to also be able to use ~/.netrc and https://2.python-requests.org/en/master/user/authentication/#netrc-authentication implies that only works for basic auth12:35
zbrand I think that this is not a limitation of requests library, is. moreof "netrc", everyone using netrc seems to assume basic-auth.12:36
clarkbfungi: you can always read the file yourself I guess12:36
zbrclarkb: please...not. The file systax is more complex that what you would think. it supports multiline!12:37
clarkbzbr I think if you tell curl to digest auth it will do so with the netrc contents12:37
zbri do not want to write a parser.12:37
clarkb--digest +.netrc I mean12:37
fungihttps://python-forum.io/Thread-requests-digest-auth-with-netrc12:38
fungithat's an example of using the netrc module to parse it12:39
fungizbr: ^ is that a reasonable compromise?12:40
clarkbdoes enabling basic auth disable digest auth too? because that will break many existing users I expect12:40
fungiit's hard to tell from the config option description12:40
fungii assumed we'd test it on review-dev first before changing production anyway12:41
clarkb++12:41
fungii definitely had the same question after reading the vague and brief docs for it12:41
zbrso mainly if I want to use https://pypi.org/project/pygerrit2 with our gerrit, i need to patch the library? or is a better python library for talking with it?12:42
clarkbyou dont patch the library12:42
clarkbyou pass an auth object to the library12:42
clarkbtheir first example in the library docs shows how to do this12:43
*** tosky_ has joined #openstack-infra12:43
clarkber I was looking at pypi description but ya first example there12:43
zbrI guess this sensece clarifies it: Also note that in Gerrit version 2.14, support for HTTP Digest authentication was removed and only HTTP Basic authentication is supported12:44
zbrmaybe I only need to wait for us to upgrade from 2.13 to 2.14 :D12:44
zbrwhy to bother implementing digest, when it will be removed at next upgrade.12:44
zbrnow i kinda feel stupid for not reading the entire readme.12:45
fungibut that forum post does show how by calling the netrc module directly you can extract the credentials and pass them to the requests object12:47
fungiif you decided you did want to be able to do digest12:47
zbri do remember that on jira python library I wrote some code that was identifying which auth to use at runtime, working with kerberos/digest/basic12:47
*** udesale has joined #openstack-infra13:13
*** bobh has joined #openstack-infra13:25
*** markvoelker has joined #openstack-infra13:30
*** markvoelker has quit IRC13:35
*** noama has joined #openstack-infra13:49
*** e0ne has quit IRC14:22
*** udesale has quit IRC14:30
*** udesale has joined #openstack-infra14:31
*** e0ne has joined #openstack-infra14:39
*** udesale has quit IRC14:52
*** jtomasek has joined #openstack-infra14:59
*** jtomasek has quit IRC15:00
*** jamesmcarthur has joined #openstack-infra15:12
*** smarcet has joined #openstack-infra15:14
*** psachin has joined #openstack-infra15:30
*** jamesmcarthur has quit IRC15:42
*** jamesmcarthur has joined #openstack-infra15:43
*** psachin has quit IRC15:43
*** jamesmcarthur has quit IRC15:45
*** jamesmcarthur has joined #openstack-infra15:45
*** psachin has joined #openstack-infra15:50
*** jamesmcarthur has quit IRC15:51
*** ricolin has joined #openstack-infra15:54
*** jamesmcarthur has joined #openstack-infra15:56
*** EvilienM is now known as Emilienm15:58
*** Emilienm is now known as EmilienM15:59
*** psachin has quit IRC16:00
*** e0ne has quit IRC16:03
*** jamesmcarthur has quit IRC16:19
fungias paladox has pointed out to me, the switch to only supporting basic auth in 2.14 is related to no longer storing http passwords on the server. as of 2.14 it stores password hashes in notedb, which means it no longer has the information it needs to be able to perform digest auth16:24
fungibasically the same change which fixed clarkb's many-years-old bug report ;)16:24
*** jamesmcarthur has joined #openstack-infra16:34
*** dave-mccowan has joined #openstack-infra16:37
*** ricolin has quit IRC16:39
*** dave-mccowan has quit IRC16:42
*** jamesmcarthur has quit IRC16:52
*** tosky_ has quit IRC17:01
*** bobh has quit IRC17:09
*** Goneri has joined #openstack-infra17:13
*** Goneri has quit IRC17:17
*** Goneri has joined #openstack-infra17:25
*** ralonsoh has joined #openstack-infra17:29
*** smarcet has quit IRC17:31
*** Goneri has quit IRC17:41
ralonsohhello folks17:59
ralonsohis happening something with http://mirror.regionone.fortnebula.opendev.org:8080/rdo/centos7-master/current/delorean.repo17:59
ralonsoh?17:59
ralonsohin the networking-ovn repo we are trying to retrieve this repo18:00
ralonsohbut is failing for the last 3 days18:00
ralonsohwll, only 2 days18:00
fungiralonsoh: have a job log we can look at?18:09
ralonsohsure, one sec18:10
ralonsohfungi,18:10
ralonsohhttps://c3308e17743765936b80-6c7fec3fffbf24afb7394804bcdecfae.ssl.cf2.rackcdn.com/678599/1/check/networking-ovn-tripleo-ci-centos-7-containers-multinode/2e13989/job-output.txt18:10
clarkbtrunk.rdoproject.org is not responding18:12
clarkbhttps://trunk.rdoproject.org/centos7-master/current/delorean.repo backs that file and you can't get it either18:12
clarkb(remember these are just proxies, if the backend is not responding then the proxy will eventually expire its cached data and do the same)18:12
ralonsohahhhh ok18:12
ralonsohI'll ping the guys in RDO to check what is happening18:12
ralonsohthanks!18:13
clarkbralonsoh: https://opendev.org/opendev/system-config/src/branch/master/modules/openstack_project/templates/mirror.vhost.erb is the proxy config if you want ot look up what a backend is for a url18:18
clarkbI usually find the vhost based on port number then look at the first path entry prefix to find the backend18:18
ralonsohclarkb, ahhh I got it now, good info!18:20
*** coreycb has quit IRC18:24
*** coreycb has joined #openstack-infra18:27
*** csatari has quit IRC18:27
*** jamesmcarthur has joined #openstack-infra18:28
*** portdirect has quit IRC18:28
*** sdoran has quit IRC18:28
*** csatari has joined #openstack-infra18:29
*** portdirect has joined #openstack-infra18:30
*** sdoran has joined #openstack-infra18:30
*** bobh has joined #openstack-infra18:39
*** jamesmcarthur has quit IRC19:08
*** e0ne has joined #openstack-infra19:35
*** ralonsoh has quit IRC20:18
*** kjackal has joined #openstack-infra20:18
*** xek has joined #openstack-infra20:26
*** rkukura has quit IRC20:26
*** e0ne has quit IRC20:27
*** markvoelker has joined #openstack-infra20:49
*** markvoelker has quit IRC20:54
*** kjackal has quit IRC21:08
*** dchen has quit IRC21:31
*** rcernin has joined #openstack-infra21:45
*** tobberydberg has quit IRC22:05
*** tobberydberg has joined #openstack-infra22:05
*** sshnaidm|off is now known as sshnaidm|pto22:06
*** kukacz has quit IRC22:16
*** smarcet has joined #openstack-infra22:20
*** kukacz has joined #openstack-infra22:25
*** kukacz has quit IRC22:26
*** smarcet has left #openstack-infra22:34
*** xeno_os76_xyz has quit IRC22:57
*** tkajinam has joined #openstack-infra22:57
*** xek has quit IRC23:23
*** bobh has quit IRC23:31
*** rcernin has quit IRC23:35
*** dchen has joined #openstack-infra23:37
*** dchen has quit IRC23:53
*** dchen has joined #openstack-infra23:53
*** smarcet has joined #openstack-infra23:57
*** xenos76 has joined #openstack-infra23:59
*** rcernin has joined #openstack-infra23:59
« Saturday, 2019-08-31 Index Monday, 2019-09-02 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!