Wednesday, 2020-07-08

« Tuesday, 2020-07-07 Index Thursday, 2020-07-09 »
*** hoonetorg has quit IRC00:10
*** rcernin has quit IRC00:42
*** rcernin has joined #openstack-oslo00:46
*** rcernin has quit IRC02:13
*** rcernin has joined #openstack-oslo02:15
*** rcernin has quit IRC02:33
*** dave-mccowan has quit IRC02:41
*** dave-mccowan has joined #openstack-oslo02:48
*** rcernin has joined #openstack-oslo02:55
*** dave-mccowan has quit IRC04:19
*** trident has quit IRC06:39
*** trident has joined #openstack-oslo06:42
*** rcernin has quit IRC06:59
*** rcernin has joined #openstack-oslo07:06
*** lbragstad_ has joined #openstack-oslo07:19
*** lbragstad has quit IRC07:21
*** tosky has joined #openstack-oslo07:33
*** rcernin has quit IRC07:41
*** ralonsoh has joined #openstack-oslo07:47
*** dtantsur|afk is now known as dtantsur08:10
*** sum12 has quit IRC08:14
*** tkajinam has quit IRC08:23
openstackgerritElod Illes proposed openstack/oslo.messaging stable/queens: Simplify tools/test-setup.sh  https://review.opendev.org/73992208:27
*** sum12 has joined #openstack-oslo09:01
*** rcernin has joined #openstack-oslo09:26
*** rcernin has quit IRC09:41
openstackgerritDmitry Tantsur proposed openstack/tooz master: hashring: allow choosing hash function  https://review.opendev.org/73972509:51
openstackgerritMerged openstack/oslo.messaging stable/train: Print warning message when connection running out  https://review.opendev.org/73474011:13
*** raildo has joined #openstack-oslo11:37
*** rcernin has joined #openstack-oslo12:08
*** rcernin has quit IRC12:16
*** odjdtn2 has joined #openstack-oslo12:19
*** hoonetorg has joined #openstack-oslo12:25
odjdtn2Hello, I would like to enable CADF auditing, trying right now with glance and nova. I saw the available drivers are "messaging, messagingv2, routing, log, test, noop" for [audit_middleware_notifications]. I managed to use the "log" driver, but I'm wondering, is a standard way to send those event through http? Should I write a driver or is there already a driver which achieve this?12:26
*** kgiusti has joined #openstack-oslo12:35
*** adriant has quit IRC13:05
*** adriant has joined #openstack-oslo13:05
dansmithbnemec: do you happen to know the magic config incantation that would let me enable debug logging for oslo policy?13:38
dansmithah log_config_append is what I want I think13:49
*** geguileo has joined #openstack-oslo13:54
*** dave-mccowan has joined #openstack-oslo14:24
*** moguimar has joined #openstack-oslo14:28
elodhberaud: can you have a quick look at this patch? https://review.opendev.org/#/c/739490/14:29
*** odjdtn2 has quit IRC14:31
*** dave-mccowan has quit IRC14:31
*** hamalq has joined #openstack-oslo15:44
*** hamalq_ has joined #openstack-oslo15:45
*** hamalq has quit IRC15:49
*** dtantsur is now known as dtantsur|afk16:01
bnemecdansmith: It's probably because of https://github.com/openstack/oslo.log/blob/master/oslo_log/_options.py#L3016:23
bnemecYou could override https://github.com/openstack/oslo.log/blob/master/oslo_log/_options.py#L175 and remove oslo_policy from the list.16:23
*** moguimar has quit IRC16:25
*** gouthamr has quit IRC16:26
dansmithbnemec: yeah that's what I'm trying now.. I thought there was a way to tweak just one without overriding all the defaults, but I guess not16:29
bnemecUnfortunately not. :-/16:30
dansmithbnemec: so on this: https://pastebin.com/mdDRPZgv16:35
dansmithbnemec: does that "cannot format data" message mean that it got an exception while trying to str() the target object, or what?16:35
bnemecdansmith: Looks like there are a couple of places that could come from: https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L923 and https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L93316:40
bnemecMy guess would be that's coming from one of the deepcopy calls.16:40
dansmithhas to be 933 because it's target= I think16:41
bnemecAh, right16:42
dansmithbut yeah that helps, thanks16:43
dansmithso I was failing a policy check that should have worked,16:44
dansmithso I turned on debug to see that,16:44
dansmithI'm guessing that the copy also fails for real which means the policy rule doesn't have any target object to actually look at, hence the failure right?16:44
*** whoami-rajat has quit IRC16:46
bnemecIt looks like the target only gets deepcopied on the debug path, unfortunately.16:46
bnemecSo that may be unrelated to the actual failure.16:46
dansmithokay16:47
dansmithit's weird, I'm actually passing it a dict() which is pretty flat, AFAICT16:49
bnemecI wonder if we actually need a deepcopy there. It doesn't look like mask_dict_password modifies the passed in object. It just iterates it and builds a new one.16:50
dansmithwell, that may be, but I still don't know what's killing it with what I'm giving to that function16:50
bnemecYeah, that's kind of an odd message.16:52
openstackgerritBen Nemec proposed openstack/oslo.policy master: Don't deepcopy objects before mask_dict_password  https://review.opendev.org/74006816:57
dansmithbnemec: so can you help me understand why this policy isn't working?17:02
dansmithhttps://pastebin.com/FC1Nq0xJ17:02
dansmithfirst line is glance/policy.json17:02
dansmithand the second is the log debug line of the check, which is raising a 40317:03
dansmithif I null out the rule, it'll pass, so I know it's checking the file17:03
bnemecdansmith: It may be necessary to quote the literal: https://github.com/openstack/oslo.policy/blob/master/oslo_policy/_checks.py#L29917:13
dansmithah damn, I had done that earlier17:13
dansmithah, my echo command is stripping those17:14
dansmithhot damn, thanks bnemec !17:15
bnemec\o/17:15
bnemecWe should document that better. That docstring is in a private function so it doesn't show up in the published docs anywhere.17:16
dansmithyeah, so,17:17
dansmithIMHO the policy docs need a thousand more examples17:17
dansmithI only figured out what I did, which seems like a super simple example, by reading a lot of oslo.policy code17:17
dansmithincluding the quotes for a literal thing17:17
dansmithlike, it seemed overly hard for me to figure out "how do I compare an attribute of the target object against a static string"17:18
bnemecYeah, none of the examples use a static value. They're all using magic attributes like role, rule, project_id, etc.17:19
dansmithand they're all context-based instead of target-based, IIRC17:19
dansmithalso not sure how you're supposed to do something like compare two values from a context and a target that are the same17:20
dansmithlike project-id=project-id17:20
dansmithseems like a scope is needed, like request.project_id:target.project_id or some such17:21
bnemecHmm, good point.17:22
dansmithI meant to go try to figure out how we implement those rules today,17:23
dansmithbecause obviously "owner" should be that, unless there's some more magical ownership checking or something17:23
bnemecI know documentation of targets has been a pain point in the past too. We don't really have any way to document what fields are available in the target passed in to a check, short of looking at the code.17:23
dansmithyeah, and that's legit hard for oslo.policy to do, which is fine17:23
dansmithif you turn on debugging policy, that's discoverable to admins (harder than it should be, but doable)17:24
dansmithbut knowing how to write the rule should be a minimum I think17:24
bnemecTrue.17:24
bnemecAs long as the debug logging doesn't blow up. :-)17:24
dansmithwell, there's that :)17:24
bnemecLot of doc bugs open against oslo.policy already. :-(17:26
dansmithbnemec: fwiw, I haven't gotten that failure to print the debug'd target in a while.. not sure what I changed, but I don't think it was anything specific17:28
bnemecOh, I think we do cover the project_id case though: "os_compute_api:servers:start" : "project_id:%(project_id)s"17:28
dansmithgot a job running in zuul now, so we'll see if that hits it, which would have less manual tinkering than I did17:28
bnemecFrom https://docs.openstack.org/oslo.policy/latest/admin/policy-yaml-file.html17:28
dansmithbnemec: how does that work?17:29
bnemecInteresting. I proposed a patch to remove the deepcopy, so hopefully that will eliminate it completely.17:29
dansmiththat unquoted project_id is a property on what, context? why do I need to do the string-formatting for the right-hand side?17:29
bnemecThe doc just calls it an API attribute. I have to admit I'm not sure where those come from.17:31
dansmithwhatever your answer, this is the super-confusing bit I'm talking about17:31
dansmithis it like any property name comes from context, and target is the thing used for any string formatting?17:31
dansmithit was confusing for me to read rules like that because they're properties on both context and the target and I needed just the target and a string constant17:32
bnemecThere's a lot of magic that happens with policies. :-/ We had a similar discussion a while back about the roles. We document a check against role:admin, but never discussed what other roles might be available.17:37
dansmithwell, again, the debug is actually pretty good once you get it turned on,17:38
dansmithalthough it's unfortunate that there's no [oslo_policy]debug=True flag17:38
dansmithit's more the understanding of what the syntax of the rule is, at least to me17:39
dansmithbut anyway, I know I'm just whining and not helping :)17:39
bnemecIt's good feedback though. There's definitely room for improvement here.17:41
dansmithtbh, this is the first time I've had to really grok policy to write something new,17:41
bnemecLike I see we overloaded the term "target" in that doc. The doc uses it to refer to the rule name, while internally it refers to the target object.17:41
dansmithit's always been applying an example someone else gave me or just making someone else figure it out17:42
dansmithso I guess it's shocking to me that it's this cryptic as I expect users really need to be able to make these changes, and it seems like reading the code is the only way17:42
dansmithyeah17:42
dansmithand the debug calls the "action" the "rule"17:42
openstackgerritMary Camp proposed openstack/openstackdocstheme master: Add version dropdown on docs.starlingx.io  https://review.opendev.org/74007217:43
openstackgerritMerged openstack/oslo.messaging stable/rocky: Simplify tools/test-setup.sh  https://review.opendev.org/73949017:51
openstackgerritBen Nemec proposed openstack/oslo.policy master: Include example of literal comparison policy rule  https://review.opendev.org/74007317:52
bnemecOops, forgot to use a permalink.17:53
openstackgerritBen Nemec proposed openstack/oslo.policy master: Include example of literal comparison policy rule  https://review.opendev.org/74007317:53
bnemecdansmith: I tried to capture the basics in https://bugs.launchpad.net/oslo.policy/+bug/1886857 Feel free to add your thoughts.18:03
openstackLaunchpad bug 1886857 in oslo.policy "Improve documentation of what data is used in checks" [High,Triaged]18:03
bnemecraildo: ^Might be relevant to your interests as well.18:03
raildobnemec, ack, thanks for the heads up, I'll take a look on it18:03
dansmithbnemec: seems good, thanks18:05
*** ralonsoh has quit IRC18:07
smcginnisbnemec: Can you ack https://review.opendev.org/#/c/738833/ if you are OK with it? hberaud removed the automatic PTL-Approved vote. I think that was to have you approve it. Though I'm not sure then if hberaud should be removed as the release liaison for oslo if that's the case.18:11
bnemecsmcginnis: lgtm. I certainly don't want to remove hberaud as release liaison so maybe we just need to discuss with him why he did that.18:14
smcginnis++18:18
hberaudsmcginnis, bnemec: o/ I did that just to be sure18:51
hberaudsmcginnis, bnemec: I just prefer double check things18:52
hberaudsmcginnis, bnemec: but if you want I can leave the PTL approved auto validation and only follow the classic release process, as you prefer. Sean already caught issues on my previous patches and he have a good vision about oslo, so I think we can continue by leaving the auto validation18:58
*** gmann_ has joined #openstack-oslo19:17
*** gmann_ is now known as gmann19:18
*** geguileo has quit IRC19:21
*** mnaser has joined #openstack-oslo19:32
*** dougwig has joined #openstack-oslo19:33
*** jberg-dev has joined #openstack-oslo19:33
*** TheJulia has joined #openstack-oslo19:35
*** jungleboyj_ has joined #openstack-oslo19:35
*** rpittau has joined #openstack-oslo19:40
*** jrosser has joined #openstack-oslo19:48
*** csatari has joined #openstack-oslo19:49
*** hemna has quit IRC19:52
*** rm_work has joined #openstack-oslo19:53
*** andrewbogott has joined #openstack-oslo19:54
*** gagehugo has joined #openstack-oslo19:57
*** hemna has joined #openstack-oslo19:59
*** knikolla has joined #openstack-oslo20:05
*** kgiusti has left #openstack-oslo20:09
*** johnsom_ has joined #openstack-oslo20:10
*** coreycb has joined #openstack-oslo20:13
*** samueldmq has joined #openstack-oslo20:16
*** lbragstad_ is now known as lbragstad20:42
*** vdrok has joined #openstack-oslo20:44
*** mnaser is now known as mnaser|ic20:52
openstackgerritnorman shen proposed openstack/oslo.messaging stable/stein: Print warning message when connection running out  https://review.opendev.org/74011520:55
*** raildo has quit IRC21:01
*** mnaser|ic has quit IRC21:08
*** mnaser|ic has joined #openstack-oslo21:08
*** mnaser|ic has quit IRC21:08
*** mnaser|ic has joined #openstack-oslo21:08
*** mnaser|ic is now known as vexxhost21:08
*** gouthamr has joined #openstack-oslo21:11
*** vexxhost is now known as mnaser21:14
*** mnaser is now known as mnaser|ic21:14
*** gouthamr_ has joined #openstack-oslo21:15
*** johnsom_ is now known as johnsom21:19
*** johnsom has joined #openstack-oslo21:19
*** tosky has quit IRC22:30
*** tkajinam has joined #openstack-oslo22:58
*** rcernin has joined #openstack-oslo23:01
*** hamalq_ has quit IRC23:09
*** hamalq has joined #openstack-oslo23:10
*** Dmitrii-Sh has quit IRC23:14
*** Dmitrii-Sh has joined #openstack-oslo23:21
*** mnaser|ic has quit IRC23:38
*** mnaser|ic has joined #openstack-oslo23:38
*** mnaser|ic has quit IRC23:38
*** mnaser|ic has joined #openstack-oslo23:38
*** mnaser|ic is now known as mnaser23:38
« Tuesday, 2020-07-07 Index Thursday, 2020-07-09 »

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!