Wednesday, 2020-11-18

oneswig: #startmeeting scientific-sig [11:00]
openstack: Meeting started Wed Nov 18 11:00:36 2020 UTC and is due to finish in 60 minutes.  The chair is oneswig. Information about MeetBot at http://wiki.debian.org/MeetBot. [11:00]
openstack: Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [11:00]
*** openstack changes topic to " (Meeting topic: scientific-sig)" [11:00]
openstack: The meeting name has been set to 'scientific_sig' [11:00]
oneswig: greetings [11:00]
janders: g'day oneswig [11:02]
janders: how are things? [11:02]
oneswig: Hi janders - going well thanks.  I have again not put any thought into preparing for the SIG meeting, alas :-( [11:02]
oneswig: Was just thinking about Lustre and Manila again - seems like a lot of people would be interested in this [11:03]
janders: yeah... I was never ever a fan of having NFS gateways in between [11:03]
verdurin: Morning. We certainly would be. Some new hardware specifically for Secure Lustre testing will be arriving soon. [11:04]
oneswig: Does take away much of the performance advantage [11:04]
oneswig: Hello verdurin, how timely! [11:04]
* janders is looking up a picture that illustrates the issue very well [11:04]
oneswig: With the SIG spanning the globe, it's hard to bring every party to one place and time. [11:05]
oneswig: janders: your former colleagues at CSIRO were using BeeGFS, right? Were they also using Lustre? [11:06]
janders: parallel filesystem / native: https://www.travelweekly.com.au/wp-content/uploads/2019/05/Qantas-Dreamliner.png [11:07]
janders: parallel filesystem + NFS re-export: https://c8.alamy.com/comp/FJCA88/cook-transport-low-loader-truck-taking-a-wide-load-consisting-of-a-FJCA88.jpg [11:08]
janders: I reckon it's not far off... [11:08]
oneswig: ha ha!  Good analogy [11:08]
janders: oneswig I they were exploring Lustre towards the end of my time with CSIRO [11:08]
oneswig: janders: anyone there who would be a good contact for a discussion on this? [11:09]
oneswig: There's been some interesting talk recently about DDN Lustre and Kubernetes CSI [11:12]
oneswig: An improbable pairing that apparently works [11:13]
janders: oneswig not sure :( [11:17]
janders: regarding k8s + Lustre - not entirely surprised [11:17]
oneswig: Lustre's a user-space driver so may containerise well. [11:18]
oneswig: The question always arises, doing the development is one thing, supporting and sustaining it another matter altogether [11:19]
janders: agreed [11:23]
janders: but I think there is something in containers directly consuming filesystems, pending a reasonable security model [11:23]
janders: feels like one of the ways of the future (superfast object being another one) [11:24]
oneswig: I think it has good potential too. [11:25]
oneswig: janders: this might interest you: https://www.stackhpc.com/sc20-top500.html [11:26]
oneswig: We got a machine deployed with 1274 bare metal nodes using Ironic, and into the top 100 (just) [11:27]
janders: that is awesome! :) [11:27]
janders: can I re-post this on #openstack-ironic? :) [11:28]
oneswig: It's getting redeployed for production now.  There's going to be some mixed baremetal and virt, which will be implemented *somewhat* like SuperCloud [11:28]
oneswig: janders: of course :-) [11:28]
janders: ...and the idea lives on - fantastic! [11:28]
janders: I am very glad to hear this [11:28]
oneswig: The method isn't an exact copy of your approach, but hypervisors will exist in the overcloud Ironic. [11:28]
verdurin: Looks nice. Does the main text refer to the machine at the Other Place? [11:30]
verdurin: Not the UM6P one? [11:30]
oneswig: verdurin: They are somewhat similar and borrow from each other. [11:31]
oneswig: The telemetry graph, I don't think it says, is from a day of LINPACK benchmarking.  You can see the carbon footprint of HPC [11:32]
oneswig: I got the free pass to Supercomputing but must admit I've yet to use it.  Anyone followed the keynotes or other parts? [11:42]
verdurin: I watched a few bits last week, have lacked the time to look at anything this week. [11:43]
oneswig: alas a similar situation here. [11:48]
oneswig: Any other business to raise? [11:48]
janders: same here with Kubecon :( [11:48]
janders: I think we're good [11:48]
janders: it was great to chat! :) [11:48]
oneswig: Likewise, thanks janders verdurin [11:49]
verdurin: Yes, bye. [11:49]
oneswig: I will follow up with ideas on Lustre [11:49]
oneswig: until next time [11:49]
oneswig: #endmeeting [11:49]
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings/" [11:49]
janders: till then! [11:49]
openstack: Meeting ended Wed Nov 18 11:49:48 2020 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) [11:49]
openstack: Minutes:        http://eavesdrop.openstack.org/meetings/scientific_sig/2020/scientific_sig.2020-11-18-11.00.html [11:49]
openstack: Minutes (text): http://eavesdrop.openstack.org/meetings/scientific_sig/2020/scientific_sig.2020-11-18-11.00.txt [11:49]
janders: 935848 [11:49]
openstack: Log:            http://eavesdrop.openstack.org/meetings/scientific_sig/2020/scientific_sig.2020-11-18-11.00.log.html [11:49]
timburke: #startmeeting swift [21:00]
openstack: Meeting started Wed Nov 18 21:00:15 2020 UTC and is due to finish in 60 minutes.  The chair is timburke. Information about MeetBot at http://wiki.debian.org/MeetBot. [21:00]
openstack: Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [21:00]
*** openstack changes topic to " (Meeting topic: swift)" [21:00]
openstack: The meeting name has been set to 'swift' [21:00]
timburke: who's here for the swift meeting? [21:00]
zaitcev: o/ [21:00]
alecuyer: o/ [21:00]
rledisez: hi o/ [21:00]
acoles: o/ [21:00]
mattoliverau: o/ [21:01]
timburke: agenda's at https://wiki.openstack.org/wiki/Meetings/Swift [21:02]
timburke: #topic no meeting next week [21:02]
*** openstack changes topic to "no meeting next week (Meeting topic: swift)" [21:02]
timburke: thanksgiving is next week in the US and i know i'm going to be out all week. i expect things will probably be pretty quiet anyway [21:03]
mattoliverau: Kk [21:03]
clayg: this is where the party is?! [21:03]
timburke: so unless someone else would like to chair it, i propose we skip next week's meeting [21:03]
clayg: yeah, party somewhere else next week [21:04]
mattoliverau: Skipping is fine for me [21:04]
timburke: clayg, iirc you'll be around much of the start of the week; would you mind dropping a reminder in -swift on the end of your Tuesday (and maybe again early Wednesday)? [21:05]
mattoliverau: I'll do it if you like [21:06]
timburke: that works too! thanks mattoliverau [21:06]
timburke: (mainly i proposed clayg do it because i know his timezone offset better ;-) [21:06]
timburke: #topic RBAC community effort [21:07]
*** openstack changes topic to "RBAC community effort (Meeting topic: swift)" [21:07]
timburke: zaitcev, you added this; what should we know/discuss? [21:07]
clayg: i set a reminder!  (but I mean.. I had a reminder go off for this meeting this afternoon too) [21:07]
mattoliverau: Lol [21:07]
zaitcev: timburke: mainly ask if you know about it along the TC/PTL communications and what your thoughts are, and let you know that I am going to do something about it, most likely add a reader role. [21:08]
zaitcev: timburke: there's a group called "Pop-Up Something Or Other", officially formed at OpenStack (or Open Infra now?). [21:09]
zaitcev: I started looking at keystoneauth.py and found that our unit tests are not water-tight. I was able to add obvious bugs and tests still passed. [21:10]
timburke: i've not had much communication about it, but if i do i'll be sure to direct them your way. i love the idea of a dedicated reader role [21:10]
zaitcev: What, you do? I thought it was some meaningless make-do invented by Keystone people. [21:11]
zaitcev: Okay, tell me one thing. If a token with a reader role tries to GET an object with _no_ ACLs, is it permitted or not? [21:11]
timburke: now that i've got an ops hat i occasionally put on, i'd love to have something like a read-only reseller admin role. i don't think *this* is *that*, but it seems like a start [21:13]
zaitcev: ok. I thought so. [21:14]
zaitcev: Thanks. [21:14]
zaitcev: We can move on to the next item, as far as I'm concerned. [21:14]
timburke: as to the specific question, i'm inclined to say yeah -- it seems similar to the account acls tempauth allows (if less fine-grained) [21:16]
zaitcev: got it [21:16]
timburke: #topic async deletes of SLO segments [21:16]
*** openstack changes topic to "async deletes of SLO segments (Meeting topic: swift)" [21:16]
timburke: so we merged this recently; i just wanted to give an update now that i've actually seen it in use [21:17]
timburke: tl;dr: it looks to be working great! [21:17]
zaitcev: Good [21:18]
timburke: max delete request time went down from something like 25mins to generally around 10s [21:18]
mattoliverau: nice [21:18]
mattoliverau: are things getting deleted in a timely manner async wise? hows the general task queue size? [21:19]
timburke: the expirer queue would fill and drain in pretty nice waves [21:19]
zaitcev: I'm amazed. Often bumping things to be async does nothing because you still need to use the same amount of resources over long term. [21:19]
timburke: heh. *client* delete request timing ;-) [21:19]
zaitcev: Also, I thought you were looking for a better compatibility with S3. Although maybe I confuse it with some other segment-deletion patch. [21:20]
clayg: and it seems like the expirer's ratelimiting tasks_per_second give us all the knob we need - we can stuff tombstones fast enough they go to async_pending, or slow enough to barely keep up with the next wave of DELETEs [21:21]
timburke: so the queue depth definitely got larger than i was expecting, but the expirers could generally keep up. there was certainly some fairly linear growth during the 48hrs or so worth of deletes, but once the client requests stopped, it cleared pretty quickly [21:21]
zaitcev: Aww [21:21]
zaitcev: To me it does not sound good. There's still a chance for clients to kill clusters. Well, it can be disabled on public clouds. [21:22]
zaitcev: Anyway, seems like a net positive. [21:22]
timburke: zaitcev, it's tied to s3api, but somewhat loosely. certainly, i don't expect most s3 clients to have a 25min timeout for deletes, where they likely would at least have a 30s timeout [21:22]
clayg: zaitcev: I don't think that generally s3 clients expect MPU deletes to be pretty fast even with a bunch of segments in the original MPU - pretty sure AWS is totally async in this regard - and we're close with the +segments container, but not exactly the same in that we still count your segment bytes until we're all cleared out [21:23]
zaitcev: I see. [21:23]
zaitcev: I'm a little curious what we do if clusters can't keep up. But let's kick this can down the road. [21:23]
clayg: zaitcev: you can disable the option and it shows up in /info - that would put backpressure to clients again same as before [21:24]
timburke: turn on ratelimit and only let clients send so many deletes at a time ;-) [21:24]
timburke: that's all i really had there, just wanted to share ('cause it was pretty cool to see it work so well!) [21:25]
timburke: #topic audit watchers [21:26]
*** openstack changes topic to "audit watchers (Meeting topic: swift)" [21:26]
mattoliverau: thanks for sharing! [21:26]
clayg: timburke's next crazy idea is to queue s3api async mpu deletes on overwrite! [21:26]
timburke: #link https://review.opendev.org/#/c/706653/ [21:26]
patchbot: patch 706653 - swift - Let developers/operators add watchers to object au... - 40 patch sets [21:26]
zaitcev: There was no change. I think watchers are ready to go, in the sense that I see no show-stoppers. We may want to fine-tune it. [21:26]
mattoliverau: I'll be reviewing this patch today. I've been a little distracted as of late [21:26]
zaitcev: I've not yet shipped them, but I ran some tests. [21:27]
timburke: i know i meant to loop around to doing another review, too. hopefully we'll have it merged by the next meeting :-) [21:27]
zaitcev: mattoliverau: many thanks and sharding is of course more important for Swift overall, but this is just so close. I want this monkey off my back. [21:27]
timburke: zaitcev, how'd the tests go? anything interesting to fall out of them? [21:27]
zaitcev: timburke: I found that my cluster would be absolutely, 100% clean of dark data, if not for garbage that I created when testing broken PUT+POST. [21:28]
mattoliverau: totally understand, this is higher priority in my opinion, still a bunch of sharding to do, this is so close, we should land it :) And you've done awesome work here [21:28]
timburke: 🎉 [21:29]
timburke: all right, mattoliverau and i will plan to review it over the next couple weeks [21:29]
zaitcev: But I think maybe we can find good uses for the watchers that I am not foreseeing, like checking if SLOs are missing segments or whatnot. [21:29]
timburke: that is *definitely* one of the use-cases i want to try out. and even going the other way, at least for s3api segments [21:30]
timburke: #topic ssync tracebacks [21:30]
zaitcev: oh, right. segments what miss manifests [21:31]
*** openstack changes topic to "ssync tracebacks (Meeting topic: swift)" [21:31]
timburke: so i noticed today that something like 75% of the tracebacks i'm seeing in prod are ssync receiver bombing out trying to read a chunked request body [21:32]
timburke: acoles pushed up https://review.opendev.org/763205 and it's working its way through the gate now [21:32]
patchbot: patch 763205 - swift - ssync: don't log tracebacks for client disconnects - 2 patch sets [21:32]
zaitcev: Interesting reviews for ssync, I think I can take a look. It's a targeted SsyncClientDisconnected, not "except Exception" :-) [21:33]
timburke: i've also (more rarely) seen issues where ssync gets an unexpected blank, and proposed https://review.opendev.org/744270 [21:33]
patchbot: patch 744270 - swift - ssync: Tolerate more hang-ups - 4 patch sets [21:33]
timburke: as much as anything, i just wanted to point the frequent ssync errors and mention that we're working to get the noise down [21:34]
timburke: rledisez, alecuyer i'm sure you guys have noticed this problem, too :-) [21:35]
rledisez: timburke: right, ssync is by far the biggest logger when it comes to error [21:35]
rledisez: that's good you're working on that, thx :) [21:36]
alecuyer: yep we see these often [21:36]
acoles: reading the comments in ssync code, I inferred that the traceback logging was originally intended to illuminate code/protocol errors, but the disconnects were getting caught and logged in the same way [21:36]
clayg: ☝️ [21:36]
timburke: #topic s3api, +segments container, and ACLs [21:37]
*** openstack changes topic to "s3api, +segments container, and ACLs (Meeting topic: swift)" [21:37]
timburke: so i've had s3api users that set up acls on a container, verify that other users can upload ok, but then get very confused when the acl-allowed user can't do multipart uploads [21:39]
timburke: i proposed https://review.opendev.org/763106 as a start, but i've still got a couple concerns [21:40]
patchbot: patch 763106 - swift - s3api: Clone ACLs when creating +segments container - 1 patch set [21:40]
timburke: first, i think the acl-allowed user will still run into trouble if the +segments container doesn't already exist (since they won't have permission to create new containers) [21:41]
clayg: oh yeah, i had that checked out - it looked solid [21:41]
mattoliverau: would you also need to propagate ACL changes when ACLs are changed on the parent container/bucket? [21:42]
timburke: i might be able to work around that by doing a auth-check first then creating the container as a pre-auth'ed request [21:43]
timburke: and then, yeah -- keeping the ACLs in sync is a definite problem. i'm still not sure how to approach that one [21:43]
timburke: (fwiw, the idea for ALOs would be to have all access to the segment container pre-authed and based on the acls set for the main container) [21:44]
clayg: rather than worry about keeping ACLs in sync - can we just work on ... see timburke gets it [21:44]
mattoliverau: yeah, another win for ALO [21:45]
clayg: timburke: whatever the workflow that triggered this - for writing they must have had perms to create +segments - because the problem was "my ACLs were working then some s3client transparently MPU and on some downloads no worky" [21:46]
clayg: i think they have like admin workers doing ingest and then they just want them published for the ML jobs [21:47]
timburke: so i guess my questions are, should a user who's allowed to write objects into the container be able to create the segments container? and if i do the auth-check/pre-auth'ed request to make that possible, would that be "good enough" to merge as a band-aid until i can write ALOs? [21:47]
clayg: I think the band-aid you have is good enough until we have ALO - I think i'd actually be *more* worried about hacking in a pre-authed request - piggybacking on "don't set the wrong spid" with "don't set the wrong acls" seems totally reasonable [21:48]
timburke: clayg, maybe that was it -- for some reason, i could've sworn that i'd seen someone talking about how they were allowed to upload normal objects but not MPUs [21:48]
clayg: if there was any authz concerns with the existing code you're not making it worse [21:48]
timburke: true [21:48]
clayg: ah, you might be right - we've probably had "the wrong ACLs" break both ways - but John said he's happy with "well set it correctly initially" [21:49]
mattoliverau: my initial feeling is, well that's what pre-auth would be for, so long as we're sure the user was authed (via ACLs) first. And they can't say delete the container or any objects there. [21:49]
mattoliverau: but this is morning Matt who is definitely under caffeinated :P [21:50]
clayg: honestly I'm amazed the +segments auto-vivify works as well as it does w/o hand-holding; and I guess maybe there's more hand holding going on than I realize (SRE is always dealing with tickets and slack messages to fix ACLs) [21:50]
timburke: all right, maybe i'll just leave the patch as-is then, and write a script to go compare acls between containers across the whole cluster (since we don't have *that* many containers) [21:51]
clayg: mattoliverau: you might be right - if we say "you can upload objects" you can probably create the +segments container to create the objects 🤔 [21:51]
clayg: I just don't like to think too hard when it comes to s3api and swift ACLs - I feel like users are mixing metaphors because they can make it work, and not really thinking about security [21:51]
clayg: we should work on less swift ACLs and more s3api compatible security policies! [21:52]
clayg: zaitcev: amirite!? [21:52]
timburke: my biggest worry is how it smells like a privilege escalation [21:53]
timburke: all right, that's all i've got [21:54]
timburke: #topic open discussion [21:54]
*** openstack changes topic to "open discussion (Meeting topic: swift)" [21:54]
timburke: anything else we ought to bring up this week? [21:55]
timburke: if anybody feels like reviewing some client code, https://review.opendev.org/#/c/758500/ seems like a nice usability improvement [21:57]
patchbot: patch 758500 - python-swiftclient - Allow tempurl times to have units - 1 patch set [21:57]
timburke: i don't really feel like memorizing how many seconds are in a day ;-) [21:57]
acoles: never enough I feel ;) [21:57]
timburke: all right [21:59]
timburke: thank you all for coming, and thank you for working on swift! [21:59]
timburke: #endmeeting [22:00]
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings/" [22:00]
openstack: Meeting ended Wed Nov 18 22:00:03 2020 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) [22:00]
clayg: 🎉 [22:00]
openstack: Minutes:        http://eavesdrop.openstack.org/meetings/swift/2020/swift.2020-11-18-21.00.html [22:00]
acoles: bye [22:00]
openstack: Minutes (text): http://eavesdrop.openstack.org/meetings/swift/2020/swift.2020-11-18-21.00.txt [22:00]
openstack: Log:            http://eavesdrop.openstack.org/meetings/swift/2020/swift.2020-11-18-21.00.log.html [22:00]