*** dave-mccowan has quit IRC | 00:22 | |
*** ricolin has joined #openstack-sdks | 01:03 | |
openstackgerrit | Merged openstack/keystoneauth master: add support for auth_receipts and multi-method auth https://review.opendev.org/675049 | 01:44 |
---|---|---|
adriant | mordred, dtroyer: I assume the two of you are who I need to bug about MFA in the sdk and osc? | 02:04 |
adriant | I'm thinking, if I can focus on Horizon, I can probably get that done before Train release (hopefully) | 02:06 |
adriant | so I don't know if I can do the sdk and osc work, but I can review it | 02:06 |
*** bobh has joined #openstack-sdks | 02:55 | |
*** altlogbot_3 has quit IRC | 03:16 | |
*** altlogbot_1 has quit IRC | 03:16 | |
*** altlogbot_2 has joined #openstack-sdks | 03:18 | |
*** bobh has quit IRC | 03:47 | |
*** gkadam has joined #openstack-sdks | 04:07 | |
*** gkadam has quit IRC | 04:08 | |
*** bobh has joined #openstack-sdks | 04:27 | |
adriant | dtroyer, mordred: I kind of am imagining we eventually do something like this: | 04:34 |
adriant | http://paste.openstack.org/show/757171/ | 04:34 |
adriant | which maybe even generates and saves (based on an option) a clouds.yaml file with the values you enter | 04:34 |
adriant | additionally we may want to think about how we want to handle the MFA error from keystoneauth when it gets raised | 04:35 |
adriant | and... lastly I don't think we have any SDK or CLI ways to enable MFA for a user and manage their auth rules? | 04:35 |
adriant | but I'm not 100% sure on that | 04:36 |
*** bobh has quit IRC | 05:00 | |
*** bobh has joined #openstack-sdks | 05:02 | |
*** bobh has quit IRC | 05:07 | |
adriant | yeah, doesn't look like the SDK supports user options as a value on the user object | 05:18 |
adriant | but user options lets you patch a dict so i think you can update them | 05:18 |
adriant | https://github.com/openstack/openstacksdk/blob/master/openstack/identity/v3/_proxy.py#L673 | 05:19 |
adriant | ^ I think. I'm not 100% sure if that will fail because options doesn't exist as an option on the user object | 05:19 |
*** ricolin_ has joined #openstack-sdks | 07:03 | |
*** ricolin has quit IRC | 07:05 | |
*** ricolin_ is now known as ricolin | 07:33 | |
*** noama has joined #openstack-sdks | 07:34 | |
*** e0ne has joined #openstack-sdks | 08:15 | |
openstackgerrit | Rabi Mishra proposed openstack/keystoneauth master: Allow initializing session with connection retries https://review.opendev.org/676648 | 08:43 |
*** cdent has joined #openstack-sdks | 08:52 | |
*** bobh has joined #openstack-sdks | 09:06 | |
*** ricolin has quit IRC | 09:07 | |
*** bobh has quit IRC | 09:10 | |
*** zbr|flu is now known as zbr | 09:33 | |
*** jangutter has joined #openstack-sdks | 09:51 | |
*** jangutter has quit IRC | 10:41 | |
mordred | adriant: yeah- I've actually wanted a login command for a while - I think if we do it right it could also be used to add a clouds.yaml entry - like from openrc values - or maybe like kubectl setcontext to set a "default" flag in the clouds.yaml (*waves hands*) | 10:45 |
*** jangutter has joined #openstack-sdks | 10:57 | |
*** jangutter has quit IRC | 11:01 | |
*** bobh has joined #openstack-sdks | 12:21 | |
*** ricolin has joined #openstack-sdks | 12:37 | |
openstackgerrit | Monty Taylor proposed openstack/openstacksdk master: Make block-storage work with proxies https://review.opendev.org/675382 | 12:37 |
mordred | Shrews, dtantsur|afk: ^^ I think that should work now - but we might need to squash it with the previous patch to make it all work happily. I figure reviewing separate before the squash would be friendlier | 12:38 |
*** bobh has quit IRC | 12:50 | |
Shrews | mordred: okie dokie. will take a peek shortly | 12:53 |
mordred | Shrews: you're going to "love" it | 12:54 |
Shrews | like i "love" getting punched in the face? | 12:55 |
mordred | Shrews: yeah. pretty much just like that | 13:01 |
*** mriedem has joined #openstack-sdks | 13:18 | |
*** bobh has joined #openstack-sdks | 13:25 | |
*** bobh has quit IRC | 13:30 | |
openstackgerrit | Monty Taylor proposed openstack/openstacksdk master: Make block-storage work with proxies https://review.opendev.org/675382 | 14:14 |
mordred | stupid pep8 | 14:16 |
*** bobh has joined #openstack-sdks | 14:44 | |
*** bobh has quit IRC | 14:51 | |
Shrews | mordred: i left you a question/comment on that | 14:52 |
openstackgerrit | David Shrewsbury proposed openstack/openstacksdk master: Add header to auto-delete image upload objects https://review.opendev.org/676714 | 15:01 |
*** dave-mccowan has joined #openstack-sdks | 15:22 | |
*** dave-mccowan has quit IRC | 15:30 | |
mordred | corvus: ^^ might be the rare SDK patch you want to review | 15:30 |
corvus | mordred, Shrews: ++ | 15:33 |
openstackgerrit | Monty Taylor proposed openstack/openstacksdk master: Make block-storage work with proxies https://review.opendev.org/675382 | 15:33 |
mordred | corvus: I don't know why it took us so long to think of that :) | 15:33 |
*** efried has quit IRC | 15:46 | |
*** efried has joined #openstack-sdks | 15:50 | |
*** cdent has quit IRC | 15:53 | |
openstackgerrit | David Shrewsbury proposed openstack/openstacksdk master: Avoid unnecessary object meta prefix in proxy https://review.opendev.org/676726 | 15:59 |
edleafe | Shout out to all the API-SIG Offcie Hour people! Take a number and queue politely! | 16:00 |
*** slaweq has joined #openstack-sdks | 16:00 | |
* mriedem pushes and shoves | 16:06 | |
edleafe | ok, mriedem, back of the line! | 16:06 |
*** slaweq has quit IRC | 16:14 | |
*** ricolin has quit IRC | 16:17 | |
*** e0ne has quit IRC | 16:28 | |
*** slaweq has joined #openstack-sdks | 16:30 | |
*** slaweq has quit IRC | 16:38 | |
*** slaweq has joined #openstack-sdks | 16:48 | |
*** cdent has joined #openstack-sdks | 17:10 | |
mordred | Shrews: zomg. https://review.opendev.org/#/c/675382 worked | 17:11 |
*** cdent has quit IRC | 17:19 | |
mordred | Shrews: there's also two patches before the fixture patch - https://review.opendev.org/#/c/675178 and https://review.opendev.org/#/c/675130 that are ready whenever | 17:20 |
*** bobh has joined #openstack-sdks | 17:39 | |
*** e0ne has joined #openstack-sdks | 17:52 | |
*** bobh has quit IRC | 17:55 | |
openstackgerrit | Monty Taylor proposed openstack/openstacksdk master: Replace catalog-v3.json with keystoneauth fixture https://review.opendev.org/675187 | 18:10 |
mordred | Shrews: thanks! ^^ merged the block-storage patch into the catalog fixture patch | 18:11 |
mordred | (which is still a net-reduction in LOC) | 18:11 |
*** e0ne has quit IRC | 18:36 | |
efried | mordred: Still that first ironic-sdk-in-nova patch succeeds but the second one fails. Do you have a minute to help me debug? | 19:14 |
openstackgerrit | Merged openstack/openstacksdk master: Avoid unnecessary object meta prefix in proxy https://review.opendev.org/676726 | 19:24 |
openstackgerrit | Merged openstack/openstacksdk master: Add header to auto-delete image upload objects https://review.opendev.org/676714 | 19:24 |
*** camelCaser has quit IRC | 19:28 | |
openstackgerrit | Merged openstack/openstacksdk master: Validate that connect_as connects as the project https://review.opendev.org/675178 | 19:36 |
*** noama has quit IRC | 19:40 | |
*** gouthamr is now known as gouthamr|brb | 20:02 | |
*** gouthamr|brb is now known as gouthamr | 20:30 | |
*** camelCaser has joined #openstack-sdks | 20:38 | |
*** slaweq has quit IRC | 20:50 | |
mordred | efried: poop - was AFK - can you point me at the failng patch? | 20:55 |
efried | https://zuul.opendev.org/t/openstack/build/fcf71dbb7bd743249b69c83c8f2ba72a/log/controller/logs/screen-n-cpu.txt.gz?severity=3 | 20:56 |
efried | mordred: From what I can tell, we're (correctly) getting a conn error while the service is still coming up | 20:56 |
efried | BUT | 20:56 |
efried | because allow_version_hack=True we're actually returning an adapter rather than raising an exception. | 20:56 |
mordred | efried: cool thanks | 20:56 |
mordred | oh | 20:56 |
mordred | that's ... | 20:57 |
efried | I noticed there's a few places we explicitly set allow_version_hack=True, but afaict that's the default in ksa anyway. | 20:57 |
mordred | this is really a behavior design issue that I think we're going to need to fix - and is an actual valid usecase for wanting the other behavior | 20:57 |
mordred | sdk is assuming that an end-user is wanting to talk to a cloud, and that the cloud exists, so it does what it can to get them _something_ | 20:58 |
mordred | but for nova - you want the inverse - you *want* an error when there is an issue with the remote servie | 20:58 |
mordred | beause you're more assured that you know what you're doing so if you get an error it's because there is an error | 20:58 |
efried | I don't think this is one of the sdk paths where we explicitly set allow_version_hack=True. I think we're not setting that, but getting True because that's the default. | 20:58 |
efried | that being the case, a possible solution is to default allow_version_hack=False *except* in those cases where we set it explicitly. | 20:59 |
efried | Three of them, I believe. | 20:59 |
efried | efried@efried-ThinkPad-W520:~/openstack/openstacksdk$ git grep -n allow_version_hack | 20:59 |
efried | openstack/service_description.py:109: allow_version_hack=True, | 20:59 |
efried | openstack/service_description.py:205: allow_version_hack=True, | 20:59 |
efried | openstack/service_description.py:229: allow_version_hack=True, | 20:59 |
mordred | yeah - but regardless of that setting, sdk is going to, as it currently stands, try REALLY hard to not throw an exception for you | 20:59 |
*** mriedem has quit IRC | 21:00 | |
efried | mm. Then yeah, I need a way to pass an option that says "throw an exception unless what you give me is really working" | 21:00 |
mordred | I kind of think we need a connection flag "raise_on_missing_service" or something named better than that | 21:00 |
mordred | yeah | 21:00 |
mordred | because contrary to an end-user who may be trying to use a weird cloud, or one that's configured weirdly and may not know all the ins and outs - it is *expected* that an admin will have told nova about anyhting weird in their cloud | 21:01 |
mordred | and it is much better to get a hard logged error so the admin can investigate the misconfig | 21:01 |
efried | for sure. | 21:01 |
mordred | efried: I have a thought ... let me see if I can make a patch | 21:01 |
efried | fwiw, the same sequence with ironicclient looks like this: https://zuul.opendev.org/t/openstack/build/402a73a9238643c2b893d53b37a6ce27/log/controller/logs/screen-n-cpu.txt.gz?severity=3 | 21:02 |
efried | wait, sorry, that's not right. | 21:02 |
mordred | efried: you get "virtdriver not ready" when the service pointed to by the catalog is not there, yes? | 21:02 |
efried | VirtDriverNotReady is raised by the Ironic driver itself when it encounters an error trying to get the client (in whatever form) | 21:04 |
efried | This is from the previous patch, which still uses sdk, but doesn't *rely* on it really early on, for node_list: | 21:04 |
efried | https://zuul.opendev.org/t/openstack/build/402a73a9238643c2b893d53b37a6ce27/log/controller/logs/screen-n-cpu.txt.gz?severity=3 | 21:04 |
efried | You can see it's getting the same error, but eventually it succeeds. | 21:04 |
efried | actually, I think we're seeing that error for baremetal while we're building conn for a different service | 21:06 |
efried | Here's a "normal" one, from before attempting to use sdk for ironic: https://zuul.opendev.org/t/openstack/build/cbe668cd674747168ac05759e9e147f3/log/controller/logs/screen-n-cpu.txt.gz?severity=3 | 21:06 |
efried | That StrictVersion exception, which I think comes from ironicclient when the service isn't ready, is the one we're translating to VirtDriverNotReady. | 21:07 |
mordred | yeah - makes sense - you're asking what version the service is and you're getting nothing because there is no service | 21:08 |
efried | Okay, so that gels - that's raising an exception and nova is set up to deal with that and retry; but the sdk path isn't raising, so we thing things are fine and actually (probably) bounce trying to access the real thing. | 21:09 |
mordred | yeah- and what's worse, we're never going to re-try version discovery beacuse teh proxy will already be constructed | 21:10 |
*** slaweq has joined #openstack-sdks | 21:11 | |
mordred | I think I've got a good handle on what we want the behavior to be | 21:11 |
mordred | now if I can just translate that into python words | 21:11 |
*** slaweq has quit IRC | 21:17 | |
efried | mordred: FWIW, I think I'm going to want to use this option universally from nova. | 21:31 |
efried | I just did some local twiddling with a placement service | 21:31 |
efried | and (as expected, I think) I get a Proxy both times. | 21:31 |
efried | here's the diff in the logs (< is service down) http://paste.openstack.org/raw/757499/ | 21:32 |
efried | I tried setting allow_version_hack=False but it still returns the proxy | 21:36 |
openstackgerrit | Monty Taylor proposed openstack/openstacksdk master: WIP Add a strict_proxies option for services https://review.opendev.org/676829 | 21:36 |
mordred | efried: ^^ how about something liek this | 21:36 |
efried | mordred: does it need to be on top of those other patches? | 21:37 |
mordred | efried: no - that's just my local working state - that's a very unclean patch | 21:39 |
efried | mordred: Okay. | 21:39 |
efried | So right off the bat: I just tried allow_version_hack=False locally and it still returns the proxy. | 21:39 |
mordred | efried: (wanted to get the first stab down so I didn't lose thinking context during dinner) | 21:39 |
efried | so I think that path should still have a check and raise, maybe on that get_endpoint() | 21:40 |
mordred | efried: yeah - I think there are some other code paths in there that will return you something | 21:40 |
efried | no, this was for placement, which doesn't have a shim, so it should be hitting that code path. | 21:40 |
efried | which is actually confirmed by the logging - I don't see that "Fallback" message, which is only emitted when allow_version_hack=True. | 21:40 |
mordred | ah - gotit. so maybe check that get_endpoint() actually returns something? | 21:41 |
efried | yeah, exactly | 21:42 |
mordred | what if ... | 21:42 |
mordred | if self._strict_proxies - we do temp_client.get_endpoint_data() instead of get_endpoint() - and check to make sure endpoint_data has a version? | 21:42 |
efried | do all services have a version? | 21:43 |
mordred | everything except swift I think | 21:45 |
mordred | but I'm not 100% sure if that's the right thing to test | 21:45 |
openstackgerrit | Monty Taylor proposed openstack/openstacksdk master: WIP Add a strict_proxies option for services https://review.opendev.org/676829 | 21:46 |
mordred | efried: ^^ shotgun to see if we can get one of the things to trigger :) | 21:46 |
mordred | and then figure out which one is the RIGHT one to trigger on when the brain has more available brainjuice | 21:46 |
efried | mordred: What's weird is, I'm making sure that get_endpoint[_data] should fail, but the proxy is still returning. | 21:46 |
efried | is there a try/except somewhere up above? | 21:47 |
mordred | there shouldn't be | 21:47 |
mordred | and that is weird | 21:47 |
efried | I'm not getting an actual exception until I try to use the thing. | 21:47 |
mordred | you don't have that patch that added a placement service_description in do you? | 21:47 |
mordred | efried: (I'm probably going to want to construct a bunch of weird tests for this one so we can be sure we've got this covered) | 21:48 |
efried | mordred: Well, yes, I have the commit that added placement service_description, but that only happens in a test fixture, when you setUp the fixture, which I'm not doing locally. | 21:49 |
mordred | weird | 21:50 |
mordred | efried: I unfortunately have to adjourn to the dinner - if you find anything, let me know - otherwise I'll pick it up first thing in the morning and see if I can't construct some catalogs/request_mock tests we can use | 21:51 |
efried | mordred: Thank you sir. I'll noodle with it for a few more minutes before I, too, have to run (and choke some people) | 21:52 |
efried | mordred: a couple of typos notwithstanding, strict_proxies is a success. | 21:59 |
mordred | efried: yes? SWEET | 22:00 |
mordred | efried: then in the morning I'll work on tests and cleaning it up | 22:01 |
efried | mordred: Sweet, then we'll need 0.35.0 pretty quick. | 22:01 |
efried | I'll mark up the typos (at least the ones I saw), least I can do :P | 22:01 |
efried | mordred: It works for placement... I'm not sure it'll work for ironic. I need to dig more. | 22:03 |
*** slaweq has joined #openstack-sdks | 22:11 | |
*** slaweq has quit IRC | 22:16 | |
*** goldyfruit has quit IRC | 22:35 | |
*** goldyfruit has joined #openstack-sdks | 22:38 | |
adriant | mordred: how/when do we want to do the MFA work? | 22:54 |
*** goldyfruit has quit IRC | 22:56 | |
*** goldyfruit has joined #openstack-sdks | 22:56 | |
openstackgerrit | Eric Fried proposed openstack/openstacksdk master: WIP: Connection(strict_proxies) https://review.opendev.org/676837 | 23:01 |
efried | mordred: there's my spin on it ^ | 23:01 |
adriant | I don't know your timetable, but wanna organise a meeting time and I can stay up late so we can discuss and plan? | 23:02 |
adriant | mordred: ^ | 23:02 |
openstackgerrit | Eric Fried proposed openstack/openstacksdk master: WIP: Connection(strict_proxies) https://review.opendev.org/676837 | 23:09 |
*** slaweq has joined #openstack-sdks | 23:11 | |
*** slaweq has quit IRC | 23:16 | |
openstackgerrit | Eric Fried proposed openstack/openstacksdk master: WIP: Connection(strict_proxies) https://review.opendev.org/676837 | 23:16 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!