Thursday, 2014-08-21

« Wednesday, 2014-08-20 Index Friday, 2014-08-22 »
alazarevtmckay: the only thing that I have in mind is to add refence of oozie_engine to OozieWorkflowCreator, this should simplify some things00:02
*** _mattf is now known as mattf00:08
*** ViswaV has quit IRC00:15
*** alazarev has quit IRC00:29
*** Networkn3rd has joined #openstack-sahara00:59
*** tmckay has left #openstack-sahara01:01
*** shakamunyi has joined #openstack-sahara01:17
*** witlessb has joined #openstack-sahara01:56
openstackgerritLawrence Davison proposed a change to openstack/sahara: Documentation correction for RESTAPI's convert-config along with suggestions from SL.  https://review.openstack.org/11514402:24
*** shakayumi has joined #openstack-sahara02:24
*** shakamunyi has quit IRC02:28
*** alexiz has joined #openstack-sahara02:30
*** shakayumi has quit IRC02:34
*** Networkn3rd has quit IRC03:10
*** shakamunyi has joined #openstack-sahara03:54
*** alexiz has quit IRC03:57
*** akuznetsov has joined #openstack-sahara04:15
*** ViswaV has joined #openstack-sahara05:13
*** ViswaV_ has joined #openstack-sahara05:15
*** ViswaV has quit IRC05:15
*** ViswaV has joined #openstack-sahara05:16
*** ViswaV_ has quit IRC05:20
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-saharaclient: Updated from global requirements  https://review.openstack.org/11586905:21
openstackgerritOpenStack Proposal Bot proposed a change to openstack/sahara: Updated from global requirements  https://review.openstack.org/11560905:22
openstackgerritOpenStack Proposal Bot proposed a change to openstack/sahara: Updated from global requirements  https://review.openstack.org/11560905:30
*** shakamunyi has quit IRC05:37
openstackgerritOpenStack Proposal Bot proposed a change to openstack/sahara: Imported Translations from Transifex  https://review.openstack.org/11587706:08
*** k4n0 has joined #openstack-sahara06:25
*** ViswaV has quit IRC06:39
*** shakamunyi has joined #openstack-sahara07:03
*** shakamunyi has quit IRC07:08
*** ghenriks has quit IRC07:13
*** ghenriks has joined #openstack-sahara07:14
*** skolekonov has joined #openstack-sahara07:23
openstackgerritKazuki OIKAWA proposed a change to openstack/sahara: Add Java.EDP job type  https://review.openstack.org/11588407:29
*** julienvey has joined #openstack-sahara08:03
*** shakamunyi has joined #openstack-sahara08:04
*** shakamunyi has quit IRC08:09
*** Longgeek has joined #openstack-sahara08:10
*** Longgeek has quit IRC08:11
*** Longgeek has joined #openstack-sahara08:12
*** Timotey has joined #openstack-sahara08:18
*** tnovacik has joined #openstack-sahara08:20
*** witlessb has joined #openstack-sahara08:21
*** tnovacik has quit IRC08:22
*** tnovacik has joined #openstack-sahara08:36
*** IvanBerezovskiy has joined #openstack-sahara09:00
*** shakamunyi has joined #openstack-sahara09:05
*** shakamunyi has quit IRC09:09
*** tosky has joined #openstack-sahara09:54
*** shakamunyi has joined #openstack-sahara10:06
*** shakamunyi has quit IRC10:10
*** Longgeek has quit IRC10:35
*** Longgeek has joined #openstack-sahara10:36
*** Longgeek has quit IRC10:40
*** Longgeek has joined #openstack-sahara11:06
*** shakamunyi has joined #openstack-sahara11:07
*** Longgeek has quit IRC11:09
*** Longgeek has joined #openstack-sahara11:09
*** shakamunyi has quit IRC11:11
openstackgerritSergey Lukjanov proposed a change to openstack/sahara: Fix jsonschema>=2.4.0 message assertion  https://review.openstack.org/11594611:39
*** tosky has quit IRC11:58
*** witlessb_ has joined #openstack-sahara11:58
*** witlessb has quit IRC12:00
*** witlessb_ is now known as witlessb12:00
*** Longgeek has quit IRC12:03
*** shakamunyi has joined #openstack-sahara12:07
*** shakamunyi has quit IRC12:11
*** Longgeek has joined #openstack-sahara12:12
*** Longgeek has quit IRC12:13
*** Longgeek has joined #openstack-sahara12:14
*** tosky has joined #openstack-sahara12:33
*** shakamunyi has joined #openstack-sahara13:03
*** xianghuihui has joined #openstack-sahara13:06
*** _elmiko is now known as elmiko13:07
*** xianghui has quit IRC13:09
*** xianghuihui has quit IRC13:13
*** shakamunyi has quit IRC13:19
*** openstackgerrit has quit IRC13:21
*** shakamunyi has joined #openstack-sahara13:36
*** Networkn3rd has joined #openstack-sahara13:47
*** tmckay has joined #openstack-sahara13:51
*** k4n0 has quit IRC13:55
*** openstackgerrit has joined #openstack-sahara13:58
tmckayelmiko, ping, I have an idea14:10
elmikotmckay: hey14:11
tmckayelmiko, hey.  On the soft failure theme, what if validation for the creation of job binaries and data sources checks the existence of the proxy domain at that point, and fails if the object requires the proxy but the proxy is not defined or can't be found?  Error returned to the UI, "Sorry, you can't do that because the proxy is missing"14:13
tmckaytrigger would be no user/pass in the object14:13
elmikotmckay: that's kinda what i'm working towards14:13
tmckayelmiko, aweseome.  Because at that point, you can take action if you want to, or use the old scheme14:14
tmckayelmiko, then of course we check again at job execution launch, and error out the job with a similar message14:14
elmikoso, if the user doesn't provide a username/pass, and they have requested use of the proxy, but the proxy detect fails, then error in UI14:14
tmckay++14:14
elmikocurrently though, i'm trying to fix my devstack... :(14:14
tmckaygreat way to gracefully degrade.  And in the edge case, the admin can just create the proxy at that point, problem solved14:15
tmckaygah, pain14:15
tmckayelmiko, okay +2.  I can't wait to see the rest of it :)14:18
elmikosomeone really needs to containerize devstack14:18
elmikotmckay: i'm working on the proxy user creation/deletion now. when i start to plumb through the job binaries and whatnot, i'll start to get into the form validations coming from horizon. i figure that's where we'll want to put the checks in place.14:20
elmikotmckay: so, if the user is creating a DataSource or JobBinary, when they attempt to create with no username/pass, sahara can quickly check the proxy_domain_name config and if it's blank throw an error14:20
tmckayyes, exactly14:23
tmckayeither blank, or not created, or multi-domain (None or Exception)14:24
tmckayyou could argue that the exception case could pass validation, because external action could still be taken, but until it is the object is unusable, and I think that would be a good time to add pressure to the admin :)14:25
elmikotmckay: you think it should attempt to acquire the domain at that point to ensure it's created?14:25
tmckayelmiko, we probably need a different error message ^^14:25
tmckayOne says "no config set" and you have to restart Sahara, one says "dude, your domain is wrecked"14:25
tmckayelmiko, if it's not a lot of overhead, yeah14:26
elmikoif no domain is set, and the user attempts to create a binary without username/pass, it should just say "enter a username/pass to use this swift source"14:26
elmikolike, what if the stack admin purposely doesn't want to use a proxy domain14:27
elmiko?14:27
tmckayagreed.  The "None" check is really simple.14:28
*** Networkn3rd has quit IRC14:28
tmckayI suppose we could fail on job launch if the domain is not retrievable14:28
elmikoi think we have to assume that if proxy_domain_name is None that the admin is attempting to not use the proxy14:28
tmckayagreed14:28
elmikoso, error conditions for DataSource/JobBinary would be:14:29
tmckayfailing on job launch still gets the message across, and if the config is non-Null, then the intent was to set it up.  but something happened to ti14:29
elmiko1. no username/pass + proxy_domain_name=None, "please enter username/pass"14:29
tmckayand the test could be done in job_execution validation14:29
elmiko2. no username/pass + proxy_domain_name=Set + can't find proxy domain, "error, please talk to stack admin"14:29
tmckayelmiko, agreed.  But I could see doing #2 only on job submission.14:30
elmikoi think it's a nice shortcut to do the error check when the user attempts to create a binary14:30
elmikoi'll bring it up in the meeting today14:30
tmckayokay.  Is it a lot of overhead?14:30
elmikoit's just a rest call to the keystone server14:30
elmikoit would be a pain to setup a bunch of binaries, then find out the proxy is misconfigured14:31
tmckayprobably good then to check in both places (you've got to get it on job launch anyway)14:31
tmckayminor point though, I think the overall approach is good14:32
elmikoyea, there is check by default on job execution as it will be attemting to create the proxy user14:32
*** Networkn3rd has joined #openstack-sahara14:34
elmikotmckay: so here's a question, if the proxy domain is active and the user enters a username/pass for a binary, should sahara just silently drop the creds?14:53
tmckayhmmm14:54
dmitrymeelmiko: as an option, I thnk Sahara can create proxy user and trust using these provided credentials14:55
dmitrymethis could be useful in case current user does not have access to swift data, but provided creds do grant such access14:56
dmitrymeor, possibly, user wants to process data stored in different tenant14:57
dmitrymein that case tenant_name must be part of creds14:57
tmckayelmiko, that's a tough one.  I think I would probably drop them, leaning toward better security.  Even in the case dmitryme is citing, there is no need to store them in the database14:59
dmitrymeok, I was talking about data sources, but the same could be applied to job binaries as well14:59
tmckayIf the proxy domain is active, and a user can be created, the creds should be tossed14:59
dmitrymetmckay: agree, there is no need to store the cred15:00
dmitryme*creds15:00
elmikousing the provided credentials to create the trust does add a layer of complexity15:00
elmikowe would still need to store the creds temporarily, as the trust won't be created when the DataSource/JobBinaries are created15:00
tmckayelmiko, I would skip it first pass and revisit once it all works.  for now, show them the garbage can :)15:00
openstackgerritOpenStack Proposal Bot proposed a change to openstack/sahara: Updated from global requirements  https://review.openstack.org/11560915:00
elmikodmitryme: also, on the topic of multi-tenant swift objects. there will need to be much work done to accomplish that.15:01
elmikothe hadoop-swiftfs plugin assumes the object store is within the tenant provided by the credentials, and that all the objects are in that tenant.15:01
dmitrymeelmiko: yes, I see, for current user, we will create proxy user/trust right at the time the job is launched, right?15:03
elmikodmitryme: yes15:06
elmikoalso, when we start to allow sources from multiple tenants we will need multiple trusts as well15:06
*** skolekonov has quit IRC15:08
dmitrymeelmiko: seems like it is more complicated than I thought :-)15:12
elmikoyea15:12
*** mattf is now known as _mattf15:14
*** Networkn3rd has quit IRC15:35
openstackgerritArtem Osadchiy proposed a change to openstack/sahara: MapR FS datasource  https://review.openstack.org/11601715:39
openstackgerritArtem Osadchiy proposed a change to openstack/sahara-dashboard: MapR FS datasource  https://review.openstack.org/11602015:49
*** julienvey has quit IRC15:53
*** Timotey has quit IRC16:08
*** IvanBerezovskiy has left #openstack-sahara16:10
elmikohave you guys ever seen a JSONDecodeError when using the saharaclient to do a job_executions.list() ?16:14
elmikodo i just have an old saharaclient?16:14
elmikolooks like maybe i have the service catalog misconfigured16:17
openstackgerritA change was merged to openstack/sahara: Fix jsonschema>=2.4.0 message assertion  https://review.openstack.org/11594616:18
*** Networkn3rd has joined #openstack-sahara16:50
*** tnovacik is now known as tnovacik|gone16:53
*** tnovacik|gone has quit IRC16:57
*** Networkn3rd has quit IRC17:01
*** Networkn3rd has joined #openstack-sahara17:01
*** julienvey has joined #openstack-sahara17:09
*** tosky has quit IRC17:25
*** tosky has joined #openstack-sahara17:52
*** ViswaV has joined #openstack-sahara17:59
*** alazarev has joined #openstack-sahara17:59
elmikowe having a meeting today?18:00
elmikoSergeyLukjanov: ^^18:00
SergeyLukjanovyup, sure18:01
SergeyLukjanovand it's meeting time18:01
elmiko=)18:01
*** ViswaV_ has joined #openstack-sahara18:02
SergeyLukjanovelmiko, it's fixed in latest client version AFAIAK18:02
tmckaylate for the meeting!18:02
*** ViswaV has quit IRC18:04
*** alazarev_ has joined #openstack-sahara18:07
*** ViswaV has joined #openstack-sahara18:09
*** ViswaV__ has joined #openstack-sahara18:09
*** alazarev has quit IRC18:10
*** alazarev_ is now known as alazarev18:10
*** ViswaV_ has quit IRC18:11
*** ViswaV has quit IRC18:13
*** shakamunyi has quit IRC18:27
*** Longgeek has quit IRC18:44
toskyso, quickly19:02
toskythe goal was sahara/horizon tests, but he had to write also with more "building block" patches19:03
tmckayelmiko, even in the bob/alice scenario, is it possible for bob to have different credentials in different tenants?19:03
toskyas you know, the review time for horizon is quite... slow19:04
dmitrymetmckay: it is my understanding that one user has exactly one password19:04
tmckayk19:04
elmikotmckay: i don't think so. a user has one set of creds, that gets auth'd by the backend, then keystone provides a list of projects that user is in19:04
toskyso if you know horizon reviewers, especially on the test part, and you want to help pushing his patches, which will benefit sahara, well, please check them19:05
toskythere is a chain of dependencies, which makes thing more complicated19:05
tmckayk, so proxy user is still a huge improvement, and secgroup turning off port 11000 is another huge improvement.  iptables is icing.  I could add a few words about it in the doc, too -- "if you want to be really crazy, do this ...."19:05
elmikotosky: link again please19:05
toskythey are here: https://review.openstack.org/#/q/status:open+owner:%22Tom%25C3%25A1%25C5%25A1+Nov%25C3%25A1%253Fik+%253Ctnovacik%2540redhat.com%253E%22,n,z19:05
elmikotosky: thanks19:05
toskythank you!19:06
elmikotmckay: yea, that's why i think we should start putting together a general Sahara security doc. much of what we are talking about is beyond the scope of just Sahara and falls onto the stack admin/ops.19:06
dmitrymeelmiko: sounds like a good idea19:07
tmckayagreed.  I mostly wanted to figure out if I needed iptables before the freeze -- I'm thinking no.  Docs we can add beyond the freeze, I believe.19:07
elmikotmckay: it sounds like the doc fix will get wide acceptance19:08
tmckayyeah, and it's easier :)19:08
elmikoheh true that19:08
*** alazarev has quit IRC19:10
*** alazarev has joined #openstack-sahara19:29
openstackgerritAndrew Lazarev proposed a change to openstack/sahara: Implemented get_open_ports method for vanilla hadoop2  https://review.openstack.org/11051819:31
openstackgerritAndrew Lazarev proposed a change to openstack/sahara: Updated docs with security group management feature  https://review.openstack.org/11051719:31
openstackgerritAndrew Lazarev proposed a change to openstack/sahara: Added ability to create security group automatically  https://review.openstack.org/10939419:31
openstackgerritAndrew Lazarev proposed a change to openstack/sahara: Fix some of tests that rely on hash ordering  https://review.openstack.org/11513219:43
openstackgerritAndrew Lazarev proposed a change to openstack/sahara: Do not rely on hash ordering in tests  https://review.openstack.org/11273619:43
openstackgerritAndrew Lazarev proposed a change to openstack/sahara: Moved validate_edp from plugin SPI to end_engine  https://review.openstack.org/11582319:45
openstackgerritAndrew Lazarev proposed a change to openstack/sahara: Moved URI getters from plugin SPI to edp_engine  https://review.openstack.org/11540019:45
openstackgerritAndrew Lazarev proposed a change to openstack/sahara: Made EDP engine plugin specific  https://review.openstack.org/11472119:45
openstackgerritAndrew Lazarev proposed a change to openstack/sahara: Moved get_oozie_server from plugin SPI to edp_engine  https://review.openstack.org/11540319:45
openstackgerritAndrew Lazarev proposed a change to openstack/sahara: Added create_hdfs_dir method to oozie edp engine  https://review.openstack.org/11511519:46
openstackgerritAndrew Lazarev proposed a change to openstack/sahara: Removed one round trip to server for HDFS put  https://review.openstack.org/11512019:47
openstackgerritMichael McCune proposed a change to openstack/sahara: Adding configuration and check for proxy domain  https://review.openstack.org/11565420:00
*** Networkn3rd has quit IRC20:01
*** tmckay has quit IRC20:12
*** ViswaV__ has quit IRC20:15
*** ViswaV has joined #openstack-sahara20:54
*** alazarev has quit IRC20:57
*** alazarev has joined #openstack-sahara20:58
*** ViswaV has quit IRC21:03
elmikoif i need to create a new source file, do i just use the license text with no copyright?21:15
*** julienvey has quit IRC21:22
openstackgerritAndrew Lazarev proposed a change to openstack/sahara-specs: Make anti affinity working via server groups  https://review.openstack.org/11611522:01
*** elmiko is now known as _elmiko22:12
openstackgerritAndrew Lazarev proposed a change to openstack/sahara: Removed support of swift-internal prefix  https://review.openstack.org/11611922:15
*** shakamunyi has joined #openstack-sahara22:37
*** shakamunyi has quit IRC22:41
*** shakamunyi has joined #openstack-sahara22:51
*** tosky has quit IRC23:01
openstackgerritAndrew Lazarev proposed a change to openstack/sahara: Removed sqlite from docs  https://review.openstack.org/11462323:04
openstackgerritLawrence Davison proposed a change to openstack/sahara: Adjust RESTAPIs convert-config w/suggests from SL  https://review.openstack.org/11514423:29
*** alazarev has quit IRC23:37
*** witlessb has quit IRC23:44
« Wednesday, 2014-08-20 Index Friday, 2014-08-22 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!