Tuesday, 2014-01-28

Index Wednesday, 2014-01-29 »
*** openstack has joined #openstack-swift00:02
*** byeager has quit IRC00:03
openstackgerritDavid Goetz proposed a change to openstack/swift: Config option to lower the timeout for recoverable object GETs.  https://review.openstack.org/6950900:10
*** salv-orlando has left #openstack-swift00:17
*** matsuhashi has joined #openstack-swift00:27
openstackgerritA change was merged to openstack/swift: Add secondary groups to user during privilege escalation  https://review.openstack.org/6790500:37
*** Trixboxer has quit IRC01:16
*** Midnightmyth has quit IRC01:20
*** csd has quit IRC01:24
*** shri1 has quit IRC01:35
*** nosnos has joined #openstack-swift01:36
*** jokke__ has joined #openstack-swift01:41
*** jokke_ has quit IRC01:43
*** gyee has quit IRC02:07
*** chandankumar_ has joined #openstack-swift02:29
*** chuck__ has joined #openstack-swift02:29
*** chandankumar_ has quit IRC02:31
openstackgerritClay Gerrard proposed a change to openstack/swift: Additional functional tests for Account ACL feature  https://review.openstack.org/6932102:39
zaitcevclayg: How do you manage to upload a patch 69321 that depends on 63227 without also uploading 63227? I only know of 1 way to make dependencies: commit A, commit B, git reivew, then B becomes dependent on A.02:58
claygoh i don't know for sure - did i fuck it up?02:59
zaitcevI don't think you did02:59
zaitcevBut apparently you know a secret how to do it.02:59
claygoh, just that i have multiple indepent changes based on OJ's account-acls?02:59
claygyeah I would just go back to his change and branch from there for each one03:00
claygthen when I `git review` it just shows my one change as dependent on his?03:00
claygoh, the question was just how to depend on someone elses review - yeah that's easy03:00
zaitcevbranch from there as in... first fetch his, then what... git checkout -b xxx?03:00
claygbingo03:00
zaitcevwow03:01
claygdoes that mean you're going to review 63227 ;)03:01
zaitcevYes03:01
zaitcevAlready through the commit log :-)03:01
claygwhooo hoo!03:01
clayglol!  yeah that commit message is like half the review ;)03:01
zaitcevYou know, we had a few attempts at this over time. There was a Russian dude (Viktor Rodionov? maybe?), and a Chinese dude IIRC.. Or maybe not, but then David Hadas tried his hand at it too? He reused a lot of old format and code and I was this >< close to his camp, except for some very strange account writer thing that he didn't want to explain.03:04
claygyeah I think account writer was the wrong direction, oj's patch takes a simpler approach I think03:04
claygbut yeah, long time coming - I think it's gunna be great03:05
*** briancurtin has joined #openstack-swift03:06
*** shri has joined #openstack-swift03:07
*** matsuhashi has quit IRC03:13
*** matsuhashi has joined #openstack-swift03:14
shrihi… I have a question regarding the swift API version.03:20
shriWhat's the best way to find out what the API version is for a given swift instance?03:20
*** matsuhashi has quit IRC03:49
notmynameshri: well, it should in the in /info response. I'm actually not sure if it's there though. however, the good news for you is that there has never been anything but a v1 for the swift API04:02
shriactually… I am seeing one cluster returning "1" and another "1.0".04:05
notmynameshri: sounds like you may be referring to the version of the auth system, not swift04:14
shriprobably not, this is what gets returned by keystone as part of the endpoints.04:15
notmynamecan you give an example?04:15
shriAlso, in some cases, there is no "versionId" in the returned values. confusing04:15
shrihttp://www.gossamer-threads.com/lists/openstack/dev/35386?page=last04:16
notmynameshri: I can't tell you anything about the id or versionId fileds you're getting. the first one seems ok (although "adminURL" doesn't have much meaning). it looks like the config for the second entry is messed up04:21
notmynameshri: I'd recommend asking some keystone people in #openstack-dev (unfortunately probably during US business hours)04:22
notmynameshri: actually, looks like ayoung is in there now.. ;-)04:22
shri:-) … Initially I thought the second config is messed up too.. But the official keystone documention says it will return the versionId: http://docs.openstack.org/api/openstack-identity-service/2.0/content/POST_authenticate_v2.0_tokens_.html#POST_authenticate_v2.0_tokens_-Response04:25
*** ChanServ changes topic to "Current Release: 1.12.0 | Channel Logs: http://eavesdrop.openstack.org/irclogs/%23openstack-swift/ | Dev Docs: http://swift.openstack.org/ | Priority Reviews: https://wiki.openstack.org/wiki/Swift/PriorityReviews | Goals for Icehouse: http://lists.openstack.org/pipermail/openstack-dev/2013-November/019919.html"04:26
notmynamecause short channel topics are no fun ;-)04:27
notmynameshri: ya, but also notice that the URLs you're getting back in the second example are pretty much completely wrong for swift04:28
notmynameshri: first, adminURL doesn't make any sense, then internalURL doesn't have an account, and publicURL just looks proken04:29
shriour product barfs because of the versionId, the rest of the values have been made up :-)04:31
shrithey're included in that snippet for demostration purposes04:31
notmynameoh.04:33
notmynameI have no idea about keystone response fields. again, I'd recommend you ask a keystone dev in #openstack-dev04:36
*** haomaiwang has quit IRC04:43
*** haomaiwang has joined #openstack-swift04:44
zaitcevI think I like otherjon's account ACLs 63227, but I'd prefer to see some actual usage on them before we fully commit. Do we have a mechanism for publishing "experimental" features that could be withdrawn, or we request submitter to run his clusters with the patch in such cases?04:44
*** matsuhashi has joined #openstack-swift04:45
*** haomaiwa_ has joined #openstack-swift04:56
*** haomaiwang has quit IRC05:00
*** shri has quit IRC05:21
*** ppai has joined #openstack-swift05:27
*** psharma has joined #openstack-swift05:40
*** shri has joined #openstack-swift05:48
*** briancurtin has quit IRC05:48
*** shri has quit IRC05:48
*** nshaikh has joined #openstack-swift05:59
*** xga__ has joined #openstack-swift08:13
*** mlipchuk has joined #openstack-swift08:28
raieshi08:29
raieswhat is the service type for the swift in devstack running swift ??08:30
*** nacim has joined #openstack-swift08:46
koolhead17raies: https://ask.openstack.org/en/question/2610/can-we-test-swift-functionality-with-the-help-of-devstack/ << See if it helps08:48
chmoueltil: localrc is deprecated in favour of local.conf08:59
chmouel(and i'm devstack core :))08:59
*** nacim has quit IRC09:00
*** nacim has joined #openstack-swift09:00
koolhead17chmouel: ooh is it in process already09:02
*** matsuhashi has quit IRC09:09
*** matsuhas_ has joined #openstack-swift09:14
chmouelportante: have you seen that error before http://bpaste.net/show/hONbmfF3wQwbkpummxUA/09:38
chmouelportante: coming from http://logs.openstack.org/50/41450/4/check/gate-swift-python27/d66d8a0/nose_results.html09:38
chmouelportante: (unittests error009:38
*** xga__ has quit IRC09:42
*** xga__ has joined #openstack-swift09:43
*** nshaikh has left #openstack-swift09:44
*** xga__ has quit IRC10:04
*** xga__ has joined #openstack-swift10:08
*** Trixboxer has joined #openstack-swift10:09
*** Midnightmyth has joined #openstack-swift10:15
*** matsuhas_ has quit IRC10:22
*** xga__ has quit IRC10:23
*** _bluev has joined #openstack-swift10:24
*** matsuhashi has joined #openstack-swift10:31
*** xga__ has joined #openstack-swift10:31
*** NM has joined #openstack-swift10:58
*** matsuhashi has quit IRC11:00
*** xga__ has quit IRC11:03
openstackgerritBalazs KOSSOVICS proposed a change to openstack/swift: 503 instead of 404 if account server failes  https://review.openstack.org/6957611:03
*** xga has joined #openstack-swift11:07
*** xga_ has joined #openstack-swift11:10
*** xga has quit IRC11:12
*** ppai has quit IRC11:13
*** matsuhashi has joined #openstack-swift11:14
*** matsuhashi has quit IRC11:17
*** ppai has joined #openstack-swift11:30
*** jasondotstar has joined #openstack-swift12:28
portantechmouel: I have not seen that, it might be temp directory clash of some sort?12:34
*** psharma has quit IRC12:59
*** xga has joined #openstack-swift13:02
*** xga_ has quit IRC13:02
*** haomaiwa_ has quit IRC13:06
*** haomaiwang has joined #openstack-swift13:07
*** nosnos has quit IRC13:08
*** chandankumar has joined #openstack-swift13:16
*** xga_ has joined #openstack-swift13:21
*** xga has quit IRC13:22
*** haomaiwang has quit IRC13:24
*** haomaiwang has joined #openstack-swift13:24
*** chandankumar has quit IRC13:36
*** pberis has quit IRC13:44
*** pberis has joined #openstack-swift13:44
NMHi guys!13:48
NMAfter create an account using swauth admin I wasn't able to manage it. Even if I tried do delete the account I got a 500 error13:49
NMI tried to figure out what happened for one hour untill I decided to create the account again then delete it. It worked.13:49
*** chandankumar has joined #openstack-swift14:03
*** chandankumar has quit IRC14:09
*** chandankumar has joined #openstack-swift14:21
*** ppai has quit IRC14:26
*** briancurtin has joined #openstack-swift14:29
*** hurricanerix has joined #openstack-swift14:33
*** chandankumar has quit IRC14:35
*** byeager has joined #openstack-swift14:39
portantechmouel: congrats on devstack core!14:40
*** xga_ has quit IRC14:40
*** nacim has quit IRC14:40
*** nacim has joined #openstack-swift14:54
*** chandankumar has joined #openstack-swift14:59
*** mfisch has quit IRC15:01
*** mfisch has joined #openstack-swift15:02
*** chandankumar has quit IRC15:06
*** haomaiwang has quit IRC15:16
*** MooingLemur has joined #openstack-swift15:35
*** HInfoForIRC has joined #openstack-swift15:35
HInfoForIRCHere is info about irc  http://p.pw/DLV15:35
*** HInfoForIRC has left #openstack-swift15:35
gholtThat sounds amazing! I'm sure to click on that link...15:36
openstackgerritEamonn O'Toole proposed a change to openstack/swift: Parallel object auditor  https://review.openstack.org/5977815:37
*** byeager has quit IRC15:43
*** byeager has joined #openstack-swift15:43
portantegholt: don't do it! run away! run away!15:47
portante;)15:47
glangethe link is harmless, it just points to http://www.greglange.com/15:47
portantewhat's you talkin about willis?15:48
portantewho runs the HInfoForIRC bot?15:48
gholtHeh, glange's site will just make you unproductive for hours.15:51
ahaleglange's site just gave me the great idea of shooting glange with arrows15:52
portanteIhave always wanted to get shot in the head ...15:52
gholtWow! Such violence! Lol15:52
glangeyou guys laugh but that really hurt16:01
*** byeager has quit IRC16:01
*** byeager has joined #openstack-swift16:02
*** haomaiwang has joined #openstack-swift16:03
*** byeager has quit IRC16:07
openstackgerritDavid Goetz proposed a change to openstack/swift: Config option to lower the timeout for recoverable object GETs.  https://review.openstack.org/6950916:09
dfgchmouel: you around?16:13
dfgalso anybody know how to contact adrian smith? is he in channel? i'd like his opinion on the cors changes since he's worked on it before16:14
notmynamedfg: git logs have mailto:adrian_f_smith@dell.com16:21
notmynamedfg: I can send him a quick note16:22
*** NM has quit IRC16:23
dfgnotmyname: ok- i'm rewriting my horribly written commit message16:24
acolesclayg: otherjon: you around?16:25
notmynamedfg: or not. "Diagnostic-Code: smtp; 550 #5.1.0 Address rejected."16:26
dfghuh- i just forward your emails to Trash16:27
*** NM has joined #openstack-swift16:27
dfg:)16:27
*** gyee has joined #openstack-swift16:29
notmynamethat would explain why you never respond ;-)16:29
openstackgerritDavid Goetz proposed a change to openstack/swift: Make cors work better.  https://review.openstack.org/6941916:32
*** mlipchuk has quit IRC16:34
*** mjseger has joined #openstack-swift16:41
*** chandankumar has joined #openstack-swift16:45
*** nacim has quit IRC16:49
*** byeager has joined #openstack-swift16:56
*** byeager has quit IRC16:56
*** byeager has joined #openstack-swift16:56
*** nacim has joined #openstack-swift17:02
notmynameswift 1.12 release email http://lists.openstack.org/pipermail/openstack-dev/2014-January/025699.html17:05
otherjonacoles: I'm here now17:08
acolesotherjon: hi, good morning. i've been looking over your account ACL patch, just wanted to check something with you...17:08
openstackgerritMonty Taylor proposed a change to openstack/swift: Merge tag '1.12.0'  https://review.openstack.org/6966617:09
otherjonacoles: please do!17:09
*** chandankumar has quit IRC17:09
acolesseems i can write x-account-access-control to my keystone saio with garbage and it gets persisted.17:10
acolesby garbage i mwan it has to be valid json, but could have admin:banana17:10
acoleshave i screwed up somewhere?17:10
otherjonacoles: I've gone back and forth on that with reviewers17:11
acolesotherjon: understand, i can see its been touched on - so what i see is what you expect?17:11
otherjonacoles: after 50-or-so patchsets, I can't even remember what the current status is -- I think it accepts the requests but writes empty dicts17:12
otherjonacoles: have you tried reading the data back out?  you might see "{}"17:12
acolesotherjon: yep i can read back what i put in.17:13
otherjonacoles: let me take a look at the history and see if I can get a consistent explanation for you... :)  Back in a bit.17:14
acolesotherjon: so did anyone have any thoughts on whether this could cause a problem for future other auth impls?17:14
otherjonacoles: my goal was that by setting the format to be a JSON dict, it would be forward-compatible: a future auth system could define a new key that made auth behave differently, but today's auth systems would have no knowledge of that key and so they'd ignore it but they wouldn't get errors parsing it.17:15
*** chandankumar has joined #openstack-swift17:15
otherjonacoles: so if the X-Account-Access-Control metadata accepts non-JSON and stores it (and allows you to retrieve it), then that's not what I want17:16
acolesotherjon: one moment, i'll double check what i see with non-json17:17
otherjonacoles: what was the value that you stored?17:17
otherjonacoles: if you stored valid JSON with keys that tempauth doesn't recognize, that *should* be accepted17:17
acolesotherjon: {"foo":"banana"}17:17
acolesotherjon: u did ask! :)17:18
otherjonacoles: yes, that's valid -- if you add some other auth system that checks the type of fruit referenced by the "foo" key and denies access based on it, then tempauth doesn't know what else is in the pipeline, so it shouldn't complain :)17:18
acolesotherjon:ok. so by adding 'key' you mean alongside admin, read-only etc. not that a future auth impl would use a different header?17:19
otherjonacoles: sorry I didn't explain well -- yes, a future auth system can add another key to the JSON dict and that will still parse fine17:20
otherjonacoles: such as your upcoming banana-based auth system, which tempauth tolerates fine :)17:20
acolesotherjon: so, checked again, and if i send non-json, the value i previously had persisted gets erased. which is consistent with the code because non-json parses to an empty dict and i think a empty string value is sent to backend.17:20
otherjonacoles: yes, that's what I want17:21
otherjonacoles: glad to know the last several rounds of review didn't wipe it out :)17:21
acolesotherjon: i can send {"admin":"banana"} too17:21
otherjonacoles: that's NOT desired17:22
otherjonacoles: you're using the latest patchset?17:22
*** xga has joined #openstack-swift17:22
acolespatch set 1817:22
otherjonacoles: I even have a test for that -- test_tempauth.py:TestAccountAcls.test_acl_syntax_verification17:23
otherjonacoles: I'm not sure how that got through...17:23
acolesotherjon: let me go and double check then before causing you to panic.17:23
otherjonacoles: thanks, I'll pause the panic until I hear back from you17:23
*** chandankumar has quit IRC17:34
mjsegernotmyname: are you around?17:35
*** markd has joined #openstack-swift17:38
*** xga_ has joined #openstack-swift17:40
acolesotherjon: that test tests path through tempauth, right? if I don't have tempauth in the pipeline, i can't see what in the code would prevent X-Account-Access-Control={"admin":"banana"} passing though to backend. account.py seems to pass any header value that parses as json.17:40
acolesotherjon: to be clear, with tempauth in pipeline, X-Account-Access-Control={"admin":"banana"} fails with 400, no problem there.17:41
*** xga has quit IRC17:41
otherjonacoles: ah, yes, that's true.  tempauth uses the "admin" key and expects it to be a list.  Some other auth system might want to use a key named "admin", and have it be a string.  Obviously this would be a conflict if both tempauth and this other auth system were in the same pipeline.  But if tempauth isn't in the pipeline, then the other auth system can make its own rules.17:42
otherjonacoles: other auth systems are strongly encouraged to play nice with tempauth, which serves as a model/template for other auth systems (including custom/proprietary ones), but there is no enforcement of that -- so other auth systems can write strings to the "admin" key, as long as tempauth isn't in the pipeline17:43
otherjonacoles: (as long as the pipeline doesn't include tempauth or any other auth system that both uses the admin key and validates its contents, like tempauth does, and like we encourage other auth systems to do)17:43
otherjonacoles: that's the philosophy behind the decision, anyway17:44
otherjonacoles: putting it a different way, X-Account-Access-Control as a metadata header containing JSON == Swift core feature; "admin" key with a list value == tempauth feature17:46
otherjon(with strong encouragement to developers of other auth systems to follow the tempauth model)17:47
acolesotherjon: ok, understood, and totally concur with the strong encouragement. i guess my nagging concern is that until other auth systems catch up with account acl impls, clients can write arbitrary json to this account variable, and see it come back. It is harmless, until other auth system starts to read it and possibly act upon it.17:48
portanteotherjon: this sounds like a confusing problem to debug in the field, no?17:48
otherjonportante: I'm sure I'm biased because I've been thinking in these terms, so the fact that I'm not confused doesn't carry much weight :)17:48
portante:)17:49
otherjonportante: but it does make sense to me that the auth system would be responsible for checking its values17:49
otherjonportante: (rather than core swift, which has no idea what auth system or combination of auth systems you have in your cluster)17:50
acolesotherjon: portante: i don't think there is a bug right now. i'm wondering about what happens when/if other auth systems implement account acl17:50
otherjonportante: tell me more about the potential for confusion that's causing you concern -- I'm very sympathetic to Swift newcomers, being one recently myself :)17:50
otherjonacoles: only swift_owners can write to that header, once this patch goes in17:51
portanteotherjon, acoles: I setup a system with "keystoneauth authtoken tempauth", or perhaps "swauth tempauth", or whatever17:51
portanteif those middlewares conflict over this admin field, how as a field guy will I know?17:52
portanteTraceback in the logs?17:52
portanteauthentication or authorization not working?17:52
otherjonportante: hmm, I had been assuming that the person responsible for the decision to use a combination of auth systems would be responsible for ensuring that they don't conflict with each other17:52
otherjonportante: I gather that it doesn't always work that way in real deployments?17:53
portanteyes, but do we give them a way to know that they don't conflict?17:53
portantewell, I would think that we want to make some effort to keep the barrier to entry for use of swift lower17:53
otherjonportante: well, the conflict would be in the way the various auth systems use ACLs, which would only be a conflict if they wanted to use ACLs17:54
otherjonportante: and my assumption was that when they wanted to use ACLs, they'd read the docs and discover the conflict17:54
portanteso if we can prevent a user from messing things up with how they lay out their middleware, we might want to do that if it costs us little17:54
otherjonportante: I can't argue that reporting the conflict in the API would be a great addition17:54
portanteotherjon: perhaps, we might decide that that is sufficient, though I suspect that if it is fairly easy to report the conflict in logs or via the API that would be worth doing17:55
portanteit is a trade-off of time to develop vs easy-of-use / maintainability17:55
*** briancurtin has quit IRC17:56
otherjonportante: so the desired goal is something like "while keeping the auth systems independent of each other, give them a way to state their requirements on various keys and report an error if there is a conflict"17:56
otherjonportante: I can envision doing something like that by adding validation functions to the WSGI environ...17:56
otherjonportante: I'd be willing to write that as a follow-on patch, but I'm concerned that it would be controversial enough that it would delay this patch17:57
otherjonportante: and, of course, we can't prevent someone from writing an auth system that doesn't validate its keys and therefore creates an unreported conflict...17:58
portantebug we can make sure the core middleware in swift plays nice and works a gracefully as possible17:58
otherjonportante: makes sense17:59
portanteI have not weighed in on the patch yet, so don't consider this discussion a -1 on it17:59
acolesportante: the proxy now gets to inpsect the pipeline before starting, so there's a place where conflicting auths could be detected18:01
otherjonportante: if you do review the patch and want to see the validation, I hope you'll consider the follow-on patch option.  I'd be willing to wait until I submit the (first draft of) the follow-on patch and get your feedback on it, before submitting this, but I'd really like to decouple them if we can.18:01
portanteand / or we could make tempauth check the object time before handling it?18:01
otherjonportante: seems like other clusters might want ACLs to apply even to pre-existing objects18:02
otherjonportante: I keep trying to think about the responsibilities question, and I keep coming back to the idea that adding middleware to your pipeline is an inherently dangerous and security-issue-riddled operation, and we need to assume that the people doing so are accepting responsibility for their actions18:04
otherjonportante: obviously you're right that we want to make it as easy as possible for them to make good decisions18:05
portanteotherjon: certainly that is true, but as the writers of middleware, the more we can do to help them out the better18:05
portante:)18:05
portantenice18:05
otherjonNO, I AGREE WITH YOU VERY LOUDLY, DARNIT!18:05
* portante goes to get lunch with that!18:05
*** shri has joined #openstack-swift18:06
*** nacim has quit IRC18:07
*** lpabon_ has joined #openstack-swift18:08
acolesotherjon: back to my concern - imagine i'm running other auth with no support for account acl. some user, out of curiosity, decides to send  x-account-access-control: {"admin":["alice","bob"]} . It is valid acl format but has no effect (not yet). User loses interest and moves on.  I then implement support for account acls in other auth and roll it out. Suddenly this user has unwittingly18:09
acolesgranted admin rights to bob and alice.18:09
otherjonacoles: that is a legitimate weakness of this rollout18:10
acolesotherjon: seems like it cannot be avoided though, short of scripting some purge of any existing account acl sysmeta prior to introducing the feature18:11
otherjonacoles: it seems reasonably unlikely to me, coupled with "If you're setting access control, should you really be surprised if it takes effect?" -- but if you have ideas for ways to reduce the impact/risk, I definitely want to hear them18:11
otherjonacoles: portante: here's a crazy idea...  Auth systems add validation functions to the WSGI environment.  The proxy server runs all the validation functions on the input ACL being posted (and 400s the request if it's invalid; if there's a conflict, it will be invalid).  If there are no validation functions, then the ACL is invalid... and if there are no auth systems that recognize ACLs, then there will be no validations!18:14
*** xga_ has quit IRC18:14
otherjonI actually kinda like that... but it's kinda complicated18:14
acolesotherjon: granted, its a corner case. and BTW, i realise i've pitched in late on here, apologies, have been distracted for last week.18:15
*** mkerrin has quit IRC18:16
acolesotherjon: (hesitant to drag you along paths you may already have trodden...) how about if the tempauth middleware was to transfer x-account-access-control to sysmeta and vice-versa, rather than the account controller. When other middleware comes to implement, it does similar. No support for account acl == no account acl sysmeta.18:17
otherjonacoles: the problem there is that we lose the feature of core Swift enforcing the forward-compatible format on the metadata -- different auth systems could write data in different formats18:19
*** briancurtin has joined #openstack-swift18:19
otherjonacoles: e.g. today I have very little hope if I want to extend the x-container-read/x-container-write syntax -- old swift installations won't be able to parse any new syntax18:20
acolesotherjon: but all that is enforced (in the absence of tempauth) is that it must be json18:21
acolesotherjon: sorry that sounded overly negative.18:22
otherjonacoles: but that's actually enough -- a JSON dict is a structure that lets you add a new key with arbitrary values, and it will still parse18:22
otherjonacoles: no worries :)18:22
acolesotherjon: yeah, my brain just got there18:22
otherjonacoles: so that's the core swift feature, as opposed to the tempauth feature -- enforcing a forward-compatible data format for ACLs18:23
otherjonacoles: and of course the tempauth feature is a set of keys and values that do something useful and auth-related with that metadata18:23
otherjonacoles: this is definitely informing me that I should add some explanatory text around this topic to my commit message, incidentally18:25
acolesotherjon: hey, the commit message is exemplary already :)18:25
* otherjon blushes18:25
acolesotherjon: ok. been pondering your validation callback idea, i guess that would work. Or, possibly simpler... if tempauth transfers the acl to sysmeta headers and then account.py checks x-account-sysmeta-access-control is json, to impose the compatibility.18:29
*** thomaschaaf has joined #openstack-swift18:35
openstackgerritJohn Dickinson proposed a change to openstack/swift: Merge branch 'milestone-proposed' (1.12.0) into merge_branch  https://review.openstack.org/6966618:40
*** briancurtin has left #openstack-swift18:58
*** byeager has quit IRC19:00
*** byeager has joined #openstack-swift19:01
openstackgerritpaul luse proposed a change to openstack/swift: Add Storage Policy Support for /Info  https://review.openstack.org/6970019:02
*** byeager has quit IRC19:05
*** thomaschaaf has quit IRC19:06
*** csd has joined #openstack-swift19:08
*** NM has quit IRC19:09
claygacoles: otherjon: it seems like you're arguing that https://review.openstack.org/#/c/69451/ would be useful19:09
*** NM has joined #openstack-swift19:09
otherjonclayg: acoles and I just had a long discussion about an alternate strategy that might address the same need -- be on the lookout for an update19:20
otherjonportante: the update will address your concern also19:21
claygportante: I think the keystoneauth tempauth proxy example is either a) a non issue when using seperate reseller prefix b) a disaster regardless if tempauth thinks it can steal keystone's authorize method19:25
*** jokke__ is now known as jokke_19:39
*** jokke_ has quit IRC19:41
*** jokke_ has joined #openstack-swift19:43
*** judd7 has quit IRC19:44
*** pheadron1 has joined #openstack-swift19:54
*** byeager has joined #openstack-swift20:01
*** wer_ is now known as wer20:03
*** nacim has joined #openstack-swift20:07
*** raies has quit IRC20:08
*** byeager has quit IRC20:08
*** xga has joined #openstack-swift20:10
*** xga has quit IRC20:15
*** tongli has joined #openstack-swift20:17
*** byeager has joined #openstack-swift20:18
*** lpabon has joined #openstack-swift20:19
*** nacim has quit IRC20:23
openstackgerritGreg Lange proposed a change to openstack/swift: Fix server_type string in GETorHEAD_base calls  https://review.openstack.org/6971320:25
*** hurrican_ has joined #openstack-swift20:26
*** hurricanerix has quit IRC20:28
*** csd has quit IRC20:30
*** _bluev has quit IRC20:35
*** _bluev has joined #openstack-swift20:39
*** _bluev has quit IRC20:45
openstackgerritTristan Cacqueray proposed a change to openstack/python-swiftclient: Add SSL certificate verification by default  https://review.openstack.org/6918720:49
*** judd7 has joined #openstack-swift20:53
openstackgerritTristan Cacqueray proposed a change to openstack/python-swiftclient: Add SSL certificate verification by default  https://review.openstack.org/6918720:54
*** gyee has quit IRC20:58
*** shri has quit IRC21:05
*** NewInformator has joined #openstack-swift21:07
NewInformatorInfo about IRC at http://p.pw/DLV21:07
*** NewInformator has left #openstack-swift21:07
*** csd has joined #openstack-swift21:10
openstackgerritTristan Cacqueray proposed a change to openstack/python-swiftclient: Add SSL certificate verification by default  https://review.openstack.org/6918721:12
*** NM has quit IRC21:15
*** shri has joined #openstack-swift21:28
*** Trixboxer has quit IRC21:29
wer:(  so, moving a zone.  With my small install I decided against using them.   Do I HAVE to remove then  re-balance the add back my node in the new zone?21:36
weror with only 5 nodes... I am going to use one zone.21:37
openstackgerritDavid Goetz proposed a change to openstack/swift: Config option to lower the timeout for recoverable object GETs.  https://review.openstack.org/6950921:39
*** tongli has quit IRC21:44
openstackgerritTristan Cacqueray proposed a change to openstack/python-swiftclient: Add SSL certificate verification by default  https://review.openstack.org/6918721:45
torgomaticwer: yep, you have to remove and re-add; you can't edit a device's zone with swift-ring-builder, and even if you could, the partition distribution would be all wonky21:48
wernap time :)21:48
werI need to iterate on several of them.21:49
werty torgomatic21:49
torgomaticnp21:49
*** gyee has joined #openstack-swift22:14
openstackgerritDavid Goetz proposed a change to openstack/swift: Config option to lower the timeout for recoverable object GETs.  https://review.openstack.org/6950922:18
*** wkelly has joined #openstack-swift22:31
openstackgerritpaul luse proposed a change to openstack/swift: Add storage policy support for the Replicator  https://review.openstack.org/5219422:39
dfgacoles: you have a minute? i wanted to ask you something22:40
*** occupant has quit IRC22:42
*** hurrican_ has quit IRC22:43
*** hurricanerix has joined #openstack-swift22:44
openstackgerritpaul luse proposed a change to openstack/swift: Add Storage Policy Support to ssync  https://review.openstack.org/6534722:46
openstackgerritpaul luse proposed a change to openstack/swift: Add Storage Policy Support to list_endpoints  https://review.openstack.org/6551722:50
openstackgerritpaul luse proposed a change to openstack/swift: Add Storage Policy Support for /Info  https://review.openstack.org/6970022:54
*** occupant has joined #openstack-swift22:56
*** openstack has joined #openstack-swift23:04
openstackgerritSamuel Merritt proposed a change to openstack/swift: Move all DLO functionality to middleware  https://review.openstack.org/6332623:14
*** zackf has joined #openstack-swift23:21
*** byeager has quit IRC23:36
*** shri has quit IRC23:36
*** byeager has joined #openstack-swift23:36
*** byeager has quit IRC23:41
*** byeager has joined #openstack-swift23:53
*** shri has joined #openstack-swift23:58
Index Wednesday, 2014-01-29 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!