Tuesday, 2016-09-06

*** yingjun has joined #openstack-searchlight [00:25]
<openstackgerrit> Li Yingjun proposed openstack/searchlight: Fix exceptions error for image plugin  https://review.openstack.org/365465 [00:32]
<openstackgerrit> Li Yingjun proposed openstack/searchlight: to_dict instead of __dict__ for cinder resource  https://review.openstack.org/365408 [00:56]
*** yingjun has quit IRC [01:13]
*** yingjun has joined #openstack-searchlight [01:19]
<openstackgerrit> Li Yingjun proposed openstack/searchlight: to_dict instead of __dict__ for cinder resource  https://review.openstack.org/365408 [02:41]
*** shu-mutou-AFK is now known as shu-mutou [02:55]
*** shu-mutou is now known as shu-mutou-AFK [04:12]
*** itisha has quit IRC [05:11]
*** pcaruana has joined #openstack-searchlight [06:48]
*** tsufiev_ is now known as tsufiev [08:13]
*** sjmc7 has joined #openstack-searchlight [09:03]
*** sjmc7 has quit IRC [09:08]
*** yingjun has quit IRC [09:34]
*** lei-zh has joined #openstack-searchlight [09:53]
*** lei-zh has left #openstack-searchlight [09:53]
*** sjmc7 has joined #openstack-searchlight [10:04]
*** sjmc7 has quit IRC [10:08]
*** yingjun has joined #openstack-searchlight [11:02]
*** sjmc7 has joined #openstack-searchlight [12:05]
*** sjmc7 has quit IRC [12:11]
*** pcaruana has quit IRC [12:50]
*** matt-borland has joined #openstack-searchlight [13:17]
*** ddieterly has joined #openstack-searchlight [13:27]
*** yingjun has quit IRC [13:41]
*** yingjun has joined #openstack-searchlight [13:41]
*** TravT has joined #openstack-searchlight [13:45]
*** yingjun has quit IRC [13:45]
*** yingjun has joined #openstack-searchlight [13:55]
*** sjmc7 has joined #openstack-searchlight [14:08]
*** yingjun has quit IRC [14:08]
*** yingjun has joined #openstack-searchlight [14:08]
*** yingjun has quit IRC [14:13]
*** yingjun has joined #openstack-searchlight [14:36]
*** tyr_ has joined #openstack-searchlight [14:41]
*** tyr_ has quit IRC [14:42]
*** matt-borland has quit IRC [15:17]
*** RickA-HP has joined #openstack-searchlight [15:22]
*** pcaruana has joined #openstack-searchlight [15:42]
*** TravT_ has joined #openstack-searchlight [16:04]
*** david-lyle_ has joined #openstack-searchlight [16:05]
*** david-lyle_ has quit IRC [16:05]
*** TravT has quit IRC [16:08]
*** TravT has joined #openstack-searchlight [16:10]
*** TravT_ has quit IRC [16:12]
*** matt-borland has joined #openstack-searchlight [16:39]
*** bkeller` has quit IRC [16:56]
*** ddieterly is now known as ddieterly[away] [17:19]
*** TravT has quit IRC [17:31]
*** TravT has joined #openstack-searchlight [17:33]
*** bkeller` has joined #openstack-searchlight [17:37]
<sjmc7> TravT, david-lyle : i’m coming to the point of punting on the policy-to-rbac work for this release. there’s too much special sauce goes on [17:48]
<sjmc7> it might be more useful to allow the queries to be given by an operator rather than parsing them from policy [17:48]
<sjmc7> as an example, the ‘get_image’ rule in https://github.com/openstack/horizon/blob/master/openstack_dashboard/conf/glance_policy.json belies all the special case code in glance that actually controls whether you can see an image [17:49]
<TravT> sjmc7 not sure I understand fully your second statement [17:49]
<sjmc7> i mean allow an operator to provide a json file with canned RBAC queries [17:49]
<sjmc7> rather than the static ones we do now, with some interpolation from the token credentials [17:50]
<TravT> IOW, allow the rbac portion of the query to be pluggable [17:51]
<TravT> i agree that in many cases the policy file is a lie [17:51]
<sjmc7> yeah. so you’d have to do the translation yourself but at least it’d be configurable [17:51]
<TravT> in glance, with that example. [17:51]
<sjmc7> the policy files are wildly inconsistent in what they attempt to do [17:51]
<TravT> the policy file is kind of pre-filter, right? [17:52]
<sjmc7> it’s a shame. i was quite pleased with being able to turn them into queries in some cases, until i tried to use some real ones [17:52]
<sjmc7> for glance it’s just ‘can you use the api’ [17:52]
<sjmc7> for others it’s “can you use the api to get this resource”, and for some it’s in between - there’s still some in-code filtering [17:53]
<sjmc7> neutron’s is the most comprehensive but has all kinds of special rules they implemented outside of oslo.policy [17:53]
<sjmc7> so i’m voting to knock this on the head for now [17:54]
<sjmc7> it wouldn’t be too much work to do a pluggable option but not sure it’s worth the risk at this stage in the release [17:54]
* david-lyle is confused [17:55]
<david-lyle> the policy files are the way the operator specifies the policy rules they want to enforce [17:55]
<sjmc7> yep [17:55]
<david-lyle> so you're proposing adding what instead? [17:56]
<sjmc7> so look at that glance example [17:56]
<sjmc7> who can view a given image? [17:56]
<david-lyle> well, it should be limited by policy even if they have a secondary permission construct [17:57]
<david-lyle> a dual filter [17:57]
<sjmc7> we already can restrict access to glance images in general in policy [17:57]
<TravT> this is why we have the plugin with the multiple levels of filtering already. because it is so complex and because oslo.policy can't be used. [17:57]
<TravT> oslo.policy can only express part of the equation [17:57]
<sjmc7> what i was trying to do was enable policy to influence the filter used to restrict which images you can search on [17:58]
<sjmc7> which is fine if everyone uses ‘admin_or_owner’ and that’s it, but it’s more complicated than that [17:58]
<david-lyle> I would have thought policy should be the second layer of filtering on top of the inherent glance filtering [17:58]
<sjmc7> right now we honour ‘get_images’ [17:59]
<openstackgerrit> Rick Aulino proposed openstack/searchlight: RBAC for network sharing  https://review.openstack.org/348701 [17:59]
<TravT> what david is mentioning could be done in the post_filter [17:59]
<david-lyle> sjmc7: I'm not arguing that any further work could be too much for the current release [18:00]
<TravT> nova also essentially has _source exclude policy [18:00]
<david-lyle> I would think it is [18:00]
<TravT> yeah, it is late in the game for anything terribly earth shattering. [18:00]
<sjmc7> yeah, understood. the *field* filtering i think we could implement from policy [18:00]
<sjmc7> but yeah, i think it’s going to have to wait since i don’t want to break stuff [18:01]
<TravT> yeah, time would be better used banging on what we have and defect fixing [18:02]
<david-lyle> policy is a quagmire that should wait [18:03]
<TravT> said every project ever [18:03]
<TravT> ;) [18:03]
<sjmc7> :) [18:03]
<openstackgerrit> Steve McLellan proposed openstack/searchlight: WIP Policy rbac DO NOT MERGE  https://review.openstack.org/362470 [18:03]
* david-lyle nods [18:03]
<sjmc7> some of the rules it allows are quite odd [18:03]
<david-lyle> well, our use model wasn't what they intended [18:04]
<david-lyle> in horizon and searchlight [18:04]
<sjmc7> hahahaha - this one is a sad echo of what could’ve been:  "role:admin or (project_id:%(project_id)s and role:projectadmin)" [18:04]
* david-lyle immediately cringes at the hardcoded roles [18:05]
<sjmc7> the httpcheck would be a really interesting attack vector [18:05]
<sjmc7> ok, gonna leave it on the backburner and go back to mashing [18:06]
<sjmc7> you can discuss it over an octopus in barcelona [18:06]
<sjmc7> on that note, i’m hungry [18:06]
<david-lyle> sjmc7: does that mean you'll be dining in barcelona rather than chicago? [18:06]
*** ddieterly[away] has quit IRC [18:19]
<sjmc7> sadly i likely won’t be included in the ‘you’ [18:23]
*** bkeller` has quit IRC [18:26]
<david-lyle> sjmc7: where do I send my angry letters? [18:30]
*** bkeller` has joined #openstack-searchlight [18:37]
*** TravT has quit IRC [18:45]
*** TravT has joined #openstack-searchlight [18:46]
*** ddieterly has joined #openstack-searchlight [18:58]
*** sjmc7 has quit IRC [18:58]
*** pcaruana has quit IRC [19:11]
<openstackgerrit> Merged openstack/searchlight: Fix exceptions error for image plugin  https://review.openstack.org/365465 [19:14]
*** bkeller` has quit IRC [19:17]
*** sjmc7 has joined #openstack-searchlight [19:19]
<openstackgerrit> Merged openstack/searchlight: Use more specific asserts in tests  https://review.openstack.org/360909 [19:34]
*** bkeller` has joined #openstack-searchlight [19:44]
*** TravT has quit IRC [19:55]
*** bkeller` has quit IRC [19:58]
*** bkeller` has joined #openstack-searchlight [20:05]
*** bkeller` has quit IRC [20:12]
*** TravT has joined #openstack-searchlight [20:13]
*** bkeller` has joined #openstack-searchlight [20:18]
*** ddieterly is now known as ddieterly[away] [20:37]
*** TravT has quit IRC [20:55]
*** ddieterly[away] is now known as ddieterly [20:59]
*** matt-borland has quit IRC [21:18]
*** ddieterly is now known as ddieterly[away] [21:30]
*** ddieterly[away] is now known as ddieterly [21:36]
*** bkeller` has quit IRC [21:52]
*** ddieterly is now known as ddieterly[away] [22:00]
*** ddieterly[away] is now known as ddieterly [22:12]
*** ddieterly is now known as ddieterly[away] [22:17]
*** bkeller` has joined #openstack-searchlight [22:20]
*** ddieterly[away] is now known as ddieterly [22:24]
*** ddieterly has quit IRC [22:43]
*** yingjun has quit IRC [22:59]
*** yingjun has joined #openstack-searchlight [22:59]
*** yingjun has quit IRC [23:04]
*** sjmc7 has quit IRC [23:10]
<openstackgerrit> Rick Aulino proposed openstack/searchlight: Standard error logging  https://review.openstack.org/355689 [23:17]
*** ddieterly has joined #openstack-searchlight [23:56]