Friday, 2016-02-05

<openstackgerrit> Merged openstack/python-searchlightclient: Support token based auth options for osc https://review.openstack.org/274480 [00:03]
*** TravT has quit IRC [00:51]
*** TravT has joined #openstack-searchlight [00:53]
*** RickA-HP_ has quit IRC [04:50]
*** openstackgerrit has quit IRC [09:17]
*** openstackgerrit has joined #openstack-searchlight [09:18]
*** TravT_ has joined #openstack-searchlight [11:09]
*** TravT has quit IRC [11:11]
*** pkarikh has quit IRC [11:12]
*** pkarikh has joined #openstack-searchlight [11:20]
*** krotscheck has joined #openstack-searchlight [13:01]
<openstackgerrit> Brian Rosmaita proposed openstack/searchlight: Update home page URL in setup.cfg https://review.openstack.org/276741 [13:59]
*** sigmavirus24_awa is now known as sigmavirus24 [15:10]
*** RickA-HP_ has joined #openstack-searchlight [15:11]
*** nikhil_k is now known as nikhil [15:17]
*** sjmc7 has joined #openstack-searchlight [15:23]
*** david-lyle has joined #openstack-searchlight [15:47]
<openstackgerrit> Steve McLellan proposed openstack/searchlight: Add plugin options to generated config https://review.openstack.org/265469 [15:52]
<openstackgerrit> Merged openstack/searchlight: Update home page URL in setup.cfg https://review.openstack.org/276741 [16:02]
*** david-lyle has quit IRC [16:23]
<sjmc7> TravT_: i’m looking at https://review.openstack.org/#/c/265396/4/etc/api-paste.ini; the only header i think we use is x-auth-token? [16:23]
<TravT_> sjmc7: ok, let me see [16:24]
*** TravT_ is now known as TravT [16:24]
<sjmc7> not urgent, trying to clear the review list [16:24]
<TravT> we don't use X-OpenStack-Request-ID [16:24]
<TravT> ? [16:24]
<TravT> is that not used by OSLO or something? [16:25]
<TravT> for tracing origin of calls [16:25]
<sjmc7> i don’t think we pass it in? ah, i guess horizon or something might [16:25]
<sjmc7> ok, let’s leave that [16:25]
<sjmc7> the rest i don’t think so? they look like keystone headers [16:26]
<TravT> the other ones don't ring a bell [16:26]
<TravT> guess i need to google each one [16:26]
<sjmc7> ok, no worries right now [16:27]
<TravT> would be nice to clear it through [16:27]
<sjmc7> i’ll go through them in a bit and make an executive decision [16:27]
<TravT> looks like X-Subject-Token is keystone only? [16:28]
<TravT> Tokens have IDs, which the Identity API returns in the X-Subject-Token response header. [16:28]
<TravT> http://developer.openstack.org/api-ref-identity-v3.html [16:28]
*** david-lyle has joined #openstack-searchlight [16:29]
<sjmc7> yeah, i think identity-status, user-id, tenant-id, roles are all keystoney ones [16:29]
<TravT> nothing keystone middleware uses? [16:30]
<sjmc7> perhaps the root of my problem is i’m misunderstanding what CORS does :) [16:30]
<sjmc7> i thought these controlled the headers between SL and the client? [16:31]
<TravT> yeah, they control what is allowed. [16:31]
<TravT> i don't know if it rejects if those headers are there and not allowed [16:32]
<TravT> or if it strips them [16:32]
<TravT> or what, though [16:32]
<sjmc7> so KS middleware’s not going to be affected? n/m, i’ll fire it up and have a play around [16:32]
<TravT> krotscheck: are you around? [16:35]
<krotscheck> TravT: Yeah, what's up? [16:35]
<TravT> maybe you can enlighten us a bit on how the cors middleware works [16:35]
<TravT> see above^ [16:35]
* krotscheck is reading [16:37]
<krotscheck> Ok, so the CORS middleware either adds headers or not, based on the headers it receives from the client. [16:37]
<krotscheck> The headers it adds are ones that indicate which properties the client (browser) is allowed to read. [16:37]
<krotscheck> It never interrupts the request. [16:37]
<krotscheck> There's a preflight contract that requires - of the browser - that a request is terminated if the OPTIONS request doesn't permit the things it wants to do. [16:38]
<krotscheck> So, really, CORS is a two step process. [16:38]
<krotscheck> 1- Hey am I allowed to do this. [16:38]
<krotscheck> 2- I'm gonna do it. [16:38]
<krotscheck> The first is the OPTIONS request, where a browser just tells the API, "Hey I am coming from this domain, with these headers, can I do that". [16:39]
<krotscheck> And if true, additional headers are added to the response indicating: "Yep, you're allowed to". [16:39]
<krotscheck> If the client is _not_ allowed, nothing is added to the response. [16:39]
<krotscheck> (Mostly to conceal who is _actually_ allowed to talk to the domain) [16:39]
<krotscheck> The second then is the actual GET/PUT/POST request. [16:40]
<krotscheck> All the same rules apply there - headers are added or not based on what the client requests. [16:40]
<krotscheck> The only notable exception is that the response includes the access-control-expose-headers header. [16:40]
<krotscheck> And that tells the browser which headers (in addition to the body) it's allowed to read. [16:41]
<krotscheck> That was verbose. [16:41]
<krotscheck> Anyway [16:41]
<sjmc7> :) no, that’s helpful, thanks [16:41]
<krotscheck> The middleware is just an intermediary passthrough. [16:41]
<krotscheck> Only in one case does it change the response, and that is if an OPTIONS request is sent to the underlying API and comes back as unhandled. [16:41]
<TravT> so, with the cors middleware, i don't see latent_* config options specifically described [16:42]
<TravT> http://docs.openstack.org/developer/oslo.middleware/cors.html#configuration-for-pastedeploy [16:42]
<krotscheck> (In that case it switches it from a 4xx to a 200) [16:42]
<TravT> what is the latent_ prefix [16:42]
<sjmc7> so in our case, i think we send and receive very few headers; i think x-auth-token (incoming) and x-openstack-request-id possibly in either direction [16:42]
<krotscheck> It's described (a bit vaguely, I admit) in the paragraph before that section. [16:43]
<krotscheck> Basically, the "latent" prefix is there so that a piece of software can hardcode certain headers that are required for successful operation, which an operator might not be aware of. [16:43]
<krotscheck> It circumvents the "Oh and I need magic configuration properties that aren't documented" [16:44]
<krotscheck> problem. [16:44]
<sjmc7> ok, i think that answers my question [16:44]
<TravT> yeah, okay. well, i guess sjmc7 is just wanting to limit that patch to headers we know we need... [16:45]
<TravT> sjmc7, you could use that handy website you were using the other day [16:45]
<sjmc7> yep, just did [16:46]
<TravT> okay, well if you want to post that into a review, krotscheck can probably do an inline edit and we can push this on through [16:47]
<TravT> i see you just did. :) [16:47]
<krotscheck> Can do can do :) [16:47]
*** bpokorny has joined #openstack-searchlight [16:51]
<sjmc7> thanks for the explanation, krotscheck, things are much clearer now [16:54]
<krotscheck> sjmc7: no prob [17:01]
<krotscheck> One dangerous thing about CORS that people don't realize is that a passing OPTIONS request, followed by a malformed GET/POST/ETC, will still cause the latter request to execute. [17:01]
<krotscheck> That's why having the middleware be well tested is critical. [17:01]
<krotscheck> We've got a pretty elaborate suite for it over in oslo.middleware, so if you run into a problem just ping me and I'll add a test. [17:02]
<sjmc7> will do, thanks [17:06]
*** david-lyle has quit IRC [17:14]
*** david-lyle has joined #openstack-searchlight [17:21]
*** david-lyle has quit IRC [17:25]
<openstackgerrit> Steve McLellan proposed openstack/searchlight: Add plugin options to generated config https://review.openstack.org/265469 [17:27]
*** sigmavirus24 is now known as sigmavirus24_awa [17:39]
*** nikhil_k has joined #openstack-searchlight [18:11]
<openstackgerrit> Steve McLellan proposed openstack/searchlight: Separate documents by role https://review.openstack.org/257516 [18:13]
*** nikhil has quit IRC [18:14]
*** sigmavirus24_awa is now known as sigmavirus24 [19:14]
*** sjmc7 has quit IRC [19:19]
*** krotscheck is now known as krotscheck_dcm [19:39]
*** sigmavirus24 is now known as sigmavirus24_awa [19:52]
*** sjmc7 has joined #openstack-searchlight [19:54]
*** david-lyle has joined #openstack-searchlight [20:39]
*** RickA-HP_ has quit IRC [20:48]
*** david-lyle has quit IRC [20:55]
*** david-lyle_ has joined #openstack-searchlight [20:55]
*** david-lyle_ is now known as david-lyle [21:00]
*** briancli1e is now known as briancline [23:28]
