Monday, 2015-02-02

« Sunday, 2015-02-01 Index Tuesday, 2015-02-03 »
*** dmorita has joined #openstack-swift00:30
*** oomichi has joined #openstack-swift00:32
*** occupant has quit IRC00:44
*** occupant has joined #openstack-swift00:45
*** bill_az_ has quit IRC00:55
*** addnull has joined #openstack-swift01:03
*** nellysmitt has joined #openstack-swift01:08
*** nellysmitt has quit IRC01:12
*** nexusz99 has joined #openstack-swift01:17
*** madhuri has joined #openstack-swift01:42
madhurimattoliverau: Hi Matthew, can you please review it https://review.openstack.org/#/c/91753/ ?01:44
mattoliveraumadhuri: sure thing :)01:45
madhurimattoliverau: Thank you :)01:53
*** haomaiwang has joined #openstack-swift02:08
openstackgerritDaisuke Morita proposed openstack/swift: Execute object daemons' tasks according to dir information  https://review.openstack.org/14125202:24
*** nellysmitt has joined #openstack-swift03:08
*** nellysmitt has quit IRC03:13
*** addnull has quit IRC03:14
*** tellesnobrega has joined #openstack-swift04:05
egonIs there anyone maybe interested in a swiftsync feature add? https://review.openstack.org/#/c/144701/04:18
*** addnull has joined #openstack-swift04:25
*** addnull has quit IRC04:59
*** nellysmitt has joined #openstack-swift05:09
*** nellysmitt has quit IRC05:14
*** nshaikh has joined #openstack-swift05:20
*** ppai has joined #openstack-swift05:26
openstackgerritMatthew Oliver proposed openstack/swift-specs: Container sharding spec  https://review.openstack.org/13992105:42
*** oomichi has quit IRC05:47
openstackgerritMatthew Oliver proposed openstack/swift-specs: Container sharding spec  https://review.openstack.org/13992105:49
notmynamemattoliverau: thanks!06:15
notmynamealso, cool ascii art diagram.06:15
mattoliveraunotmyname: lol, its the only way to go :P06:15
notmynameyou do it by hand or with a tool?06:15
mattoliveraunotmyname: also, I may need to re-read it again tomorrow to make sure it makes sense.. its a bit brain dumpy :P06:16
notmynameheh. me too. I thought it looked ok, for my own late-night look at it06:16
mattoliveraunotmyname: http://asciiflow.com/06:16
notmynamenice06:17
mattoliveraunotmyname: just wanted to get something down early in the week and keep it updated leading to mid-cycle in case it comes up in dicussion :)06:17
notmynameI'm sure it will :-)06:17
notmynamethanks again06:17
notmynameand speaking of late night here....06:17
mattoliveraunotmyname: yeah you should be sleeping! I'm about to call it a day myself!06:18
notmynameI'm out. talk to you (my) tomorrow06:18
mattoliveraunight06:18
*** addnull has joined #openstack-swift06:23
*** SkyRocknRoll has joined #openstack-swift06:26
*** tellesnobrega_ has joined #openstack-swift06:30
*** jyoti-ranjan has joined #openstack-swift06:31
*** tellesnobrega has quit IRC06:32
*** silor has joined #openstack-swift06:40
*** nellysmitt has joined #openstack-swift07:10
*** nellysmitt has quit IRC07:15
*** nexusz99_ has joined #openstack-swift07:25
*** nexusz9__ has joined #openstack-swift07:27
*** nexusz99 has quit IRC07:28
*** nexusz99_ has quit IRC07:30
openstackgerritMadhuri Kumari proposed openstack/swift: Check for existence of swift servers binaries.  https://review.openstack.org/9175307:38
openstackgerritOpenStack Proposal Bot proposed openstack/swift: Merge "Drop redundant check in SLO segment-size validation"  https://review.openstack.org/15201107:44
*** madhuri has quit IRC07:58
*** jyoti-ranjan has quit IRC07:59
*** chlong has quit IRC08:00
*** mkerrin has quit IRC08:00
*** MooingLemur has quit IRC08:08
*** rledisez has joined #openstack-swift08:09
openstackgerritMerged openstack/swift: Make more memcache options configurable  https://review.openstack.org/14601108:14
*** addnull has quit IRC08:21
*** geaaru has joined #openstack-swift08:26
openstackgerritMerged openstack/python-swiftclient: Fix cross account upload using --os-storage-url  https://review.openstack.org/12575908:30
*** nellysmitt has joined #openstack-swift08:36
*** tdasilva has joined #openstack-swift08:47
*** joeljwright has joined #openstack-swift08:48
*** jistr has joined #openstack-swift08:58
*** jyoti-ranjan has joined #openstack-swift09:02
*** jordanP has joined #openstack-swift09:12
*** ho has joined #openstack-swift09:19
*** mkerrin has joined #openstack-swift09:54
*** jordanP has quit IRC10:28
*** jordanP has joined #openstack-swift10:40
*** tellesnobrega_ has quit IRC10:42
*** addnull has joined #openstack-swift10:43
*** SkyRocknRoll has quit IRC11:00
*** SkyRocknRoll has joined #openstack-swift11:07
*** haomaiwang has quit IRC11:07
*** jyoti-ranjan has quit IRC11:22
*** ho has quit IRC11:27
*** NM has joined #openstack-swift11:33
*** tellesnobrega has joined #openstack-swift11:34
*** erlon has joined #openstack-swift11:36
*** nexusz9__ has quit IRC12:14
*** miqui_away has quit IRC12:21
*** dmorita has quit IRC12:25
*** aix has joined #openstack-swift12:31
*** addnull has quit IRC12:33
*** nellysmitt has quit IRC12:38
*** nellysmi_ has joined #openstack-swift12:38
*** nellysmi_ has quit IRC12:39
*** delattec has joined #openstack-swift12:40
*** cdelatte has quit IRC12:42
*** nellysmitt has joined #openstack-swift12:58
openstackgerritTakashi Kajinami proposed openstack/swift: Prevent redundant commenting by drive-audit  https://review.openstack.org/14931713:01
*** nshaikh has quit IRC13:13
*** panbalag has joined #openstack-swift13:17
*** ppai has quit IRC13:21
*** joeljwright has quit IRC13:24
*** joeljwright has joined #openstack-swift13:28
*** bill_az_ has joined #openstack-swift13:28
*** lpabon has joined #openstack-swift13:30
*** pdion891 has joined #openstack-swift13:55
*** jkugel has joined #openstack-swift13:56
*** mahatic has joined #openstack-swift14:15
*** acoles_away is now known as acoles14:23
*** zigo has quit IRC14:31
*** zigo has joined #openstack-swift14:35
*** jasondot_ has joined #openstack-swift14:45
*** openstackgerrit has quit IRC14:52
*** openstackgerrit has joined #openstack-swift14:52
*** jwalcik has joined #openstack-swift14:55
*** SkyRocknRoll has quit IRC15:05
*** rdaly2 has joined #openstack-swift15:29
ekarlsocan I configure swift to just use a flat directory on local host ?15:36
ekarlsolike a single srver install kinda15:36
*** jyoti-ranjan has joined #openstack-swift15:36
tdasilvaekarlso: do you mean something like a saio deployment?15:39
*** annegent_ has joined #openstack-swift15:51
*** jrichli has joined #openstack-swift15:54
ekarlsotdasilva: kinda but just a backend to store stuff in a directory or so16:03
*** abhirc has joined #openstack-swift16:16
ekarlsotdasilva: is that possible  ?16:17
*** lpabon has quit IRC16:18
*** david-lyle_afk is now known as david-lyle16:19
tdasilvaekarlso: sorry, it is not exactly clear to me what you are trying to do, can you describe more? My first thought was an saio deployment? you also mentioned "like a single srver", do you mean you just want one replica?16:22
ekarlsotdasilva: as in I want to have a swift api just with one node ;p16:23
ekarlsoI just a swift api that puts everything on one disk16:23
eikketdasilva: for your no-http review => would you be interested if we spend some time on doing some changes/cleanups, then publish the branch so you can cherry-pick whhatever you like? (mostly things I mentioned on Gerrit)16:26
tdasilvaekarlso: right, so you could setup your object rings with one device and just run all your swift servers in one node. but I assume you know this is not "safe" as in your data is not being correctly replicated16:29
tdasilvaeikke: hey, yeah...I've been looking for a chance to upload a new patchset and am hoping I can do that this week16:29
tdasilvaeikke: are you going to the hackathon next week?16:30
rlediseztdasilva: hello16:31
rlediseztdasilva: you asked me to enable reuseport in SAIO16:31
rlediseztdasilva: i'm not sure it's a good idea because the official doc says to use ubuntu 12.04, but ubuntu 12.04 comes with a kernel 3.2 (not compatible with reuseport)16:31
rlediseztdasilva: and reuseport is only for linux (>=3.9), so it would make saio linux only16:32
rlediseztdasilva: what do you think?16:32
tdasilvarledisez: you could have it "reuseport = no" by default, just like you did in etc16:33
rlediseztdasilva: oh, ok, i misunderstood you :)16:33
tdasilvarledisez: it's just that to test your patch, I had to go and change all the configs there16:33
notmynamegood morning16:38
notmynametdasilva: ekarlso: and easy way to set up a one-server, one-replica "cluster" (ie effectively just an API test endpoint) is to use the vagrant-swift-all-in-one and set the config to be one replica and one drive16:39
notmynamehttps://github.com/swiftstack/vagrant-swift-all-in-one16:39
tdasilvarledisez: I wonder if it would make sense to go one step further and provide instruction on the SAIO doc on how to enable all the configs with a simple sed script, that way your tests would be "always" run on people's dev. environments16:41
tdasilvanotmyname: perfect16:41
*** annegent_ has quit IRC16:46
*** annegent_ has joined #openstack-swift16:49
*** gyee has joined #openstack-swift16:50
*** MooingLemur has joined #openstack-swift16:50
*** jkugel has left #openstack-swift16:55
*** tdasilva has quit IRC16:59
*** abhirc_ has joined #openstack-swift17:01
*** abhirc has quit IRC17:03
*** annegent_ has quit IRC17:04
notmynamedfg: thanks for the research on https://review.openstack.org/#/c/150149/17:09
dfgnotmyname: ya np. you dont know of why anybody would ever want a valid content-type of 304s do you?17:12
dfgi'm hopinh those tests were just there just for completeness's (is that a word?) sake17:13
notmynamedfg: makes sens that 304 means "you already have this" so not sending the headers kinda makes sense. seems you looked at the rfc and it said leave them out?17:15
*** imkarrer has joined #openstack-swift17:15
*** panbalag has quit IRC17:17
imkarrerGood almost noon to you guys!  I have a question about rate limiting.  Is this a cluster wide parameter or is it enforced per proxy.  I have set a rate limit of 0.1 at the account level on a deployment with two proxy servers.  I expect 50 requests for new containers to take 8.33 minutes.  The requests take exactly half that time, which happens to be the number of proxies I am running.  I am thinking I have a problem in my me17:18
*** EmilienM is now known as EmilienM|afk17:18
notmynameimkarrer: rate limiting is set up globally for the cluster. that is, while each proxy does enforce it individually, they share the same ratelimiting state info in memcache. so all the configs should be the same or you're going to get some really hard-to-debug behavior17:20
imkarrernotmyname: I should have been more specific  The configs are the same, but I have haproxy round robining the requests between proxies. The load is split between the proxies which is part of why I am seeing this discrepancy.17:22
notmynameimkarrer: if the configs are the same, and if the memcache configs reference all of the proxy servers (ie every proxy server config references the same pool of memcache servers), then the ratelimiting should be constant for any request17:23
notmynameimkarrer: but note that ratelimiting is designed to slow down the request rate (not throughput) on a per container basis based on how many objects are in the container17:24
notmynameit's not designed to do eg "make sure each request takes at least 200 ms"17:24
imkarrernotmyname: I see.  I am using account rate limiting.  Setting account rate limit to 0.1 should mean that I am setting any updates to the account db to 6 times per minute.  I am seeing 12 times per minute, each proxy seems to only know about its own rate.17:27
notmynamedfg: any chance you can help here?17:32
*** jyoti-ranjan has quit IRC17:37
*** jistr has quit IRC17:39
notmynameswift 2.2.2 release email has been sent to the -dev and -announce mailing lists17:41
*** jordanP has quit IRC17:46
*** rledisez has quit IRC17:48
*** wer_ has quit IRC17:51
*** wer_ has joined #openstack-swift17:52
dfgnotmyname: about 304- ya the spec says to not include them17:52
*** zaitcev has joined #openstack-swift17:52
*** ChanServ sets mode: +v zaitcev17:52
notmynamedfg: ok. thanks17:53
dfgabout rateliming thing- the memcache is set up properly? if its not set each proxy would use only itself. if they dont share then the doubling makes sense17:56
dfgnotmyname: imkarrer ^^17:56
*** EmilienM|afk is now known as EmilienM18:00
*** annegent_ has joined #openstack-swift18:04
*** jasondot_ has quit IRC18:20
notmynameI got this email today from someone using swift:18:23
notmyname"I am very thankful this technology exists as it's enabling people like me to easily have a ridiculously scalable distribution method."18:23
notmynamedfg: glange: peluse_: acoles: cschwede: torgomatic: swifterdarrell: clayg_: ^^18:24
notmynamethe person who wrote that is storing and distributing game content with Swift18:24
imkarrerdfg: notmyname: thanks for confirming.  I have my memcache servers listed in proxy-server.conf, I can telnet and get the stats of my memcached servers.  Where else can I check for configuration errors aside from proxy-server.conf?18:24
*** geaaru has quit IRC18:25
acolesnotmyname: cool, my credibility with my kids will go up enormously if i can say my work is connected to the gaming industry :)18:25
notmynameacoles: :-)18:26
notmynamethere's quite a few game companies using Swift18:26
acolesnotmyname: totally off-topic, but i was reading that sfo had zero rainfall in january - wow!18:28
notmynameya. it's pretty bad. december was very wet. but the entire year last year was pretty bad.18:28
acolesyea. where 'bad' in rainfall context has opposite sense for you than us18:29
notmynameit's supposed to rain this coming weekend.18:31
dfgimkarrer: thats the only place for this. can you make a paste of the proxy-server.conf?18:34
acolesnotmyname: ok, so i should pack my raincoat (like brits always do)18:35
imkarrerdfg: making a gist18:41
imkarrerdfg: https://gist.github.com/imkarrer/253cf81066a7b72a536118:42
*** clayg_ is now known as clayg18:53
*** acoles is now known as acoles_away18:53
imkarrerdfg: If thats the only place for this, the only other possible thing I can think of is the the necessary ports are not open, but they are.  My memcached servers can contact each other.18:56
imkarrerdfg: notmyname:  I restarted my memcached servers and that seems to have fixed the problem.  The set of requests I am making are now taking the expected amount of time.18:59
*** aix has quit IRC18:59
imkarrerdfg: notmyname:  Thanks for your help today!  I really appreciate it.19:00
*** reed has joined #openstack-swift19:01
zaitcevweird story19:01
zaitcevI suspect something stuck in the connection caching in our client, but I haven't heard of such things happening before.19:02
*** jasondot_ has joined #openstack-swift19:02
dfgimkarrer: oh cool. glad it worked19:04
imkarrerIf anyone is curious about how to test rate limiting      expected time = 1/rate * #requests19:06
*** echevemaster has joined #openstack-swift19:11
*** mahatic has quit IRC19:11
*** mahatic has joined #openstack-swift19:16
mahaticnotmyname,  hello! what you said is right - any modification to the code and the test would still pass. Should I compare the message of NotImplementedError? (I'm not sure how to test it explicitly)19:16
*** silor1 has joined #openstack-swift19:24
*** EmilienM is now known as EmilienM|afk19:25
*** silor has quit IRC19:25
*** nellysmitt has quit IRC19:34
*** pdion891 has quit IRC19:38
*** EmilienM|afk is now known as EmilienM19:50
*** jasondot_ has quit IRC20:02
*** bsdkurt has quit IRC20:05
*** bsdkurt has joined #openstack-swift20:06
*** jrichli has quit IRC20:10
*** thumpba has joined #openstack-swift20:15
thumpbacan i override the 5GB limit on images20:16
*** mahatic has quit IRC20:24
glangethumpba: do you mean on objects?20:28
thumpbayes20:29
thumpbaglange: im getting an error uploading a snapshot of an raw image into glance which is using swift as its backend. the snapshot.raw is over 5gb20:30
thumpbaglange: glance is giving me this error "during chunked upload to backend, deleting stale chunks"20:31
thumpbaglange: and "Failed to add object to Swift"20:31
*** jasondot_ has joined #openstack-swift20:33
*** jrichli has joined #openstack-swift20:33
glangehttps://github.com/openstack/swift/blob/master/etc/swift.conf-sample <-- it looks like you can, see max_file_size20:34
glangeit might not be a good idea though -- the bigger the objects the bigger potential problem with uneven data distrubution you might have in your swift cluster20:34
thumpbahmmmm...i am just trying to migrate an instance from one openstack env to another, i took a snapshot and downloaded it and now trying to upload the snap to create an instance from it20:36
glangeif you have control over what you are doing, you could use either a static large object or dynamic large object instead, there are "no limits" on the size of those files20:37
ahaledoesnt glance call it a chunked upload when it is creating a swift large object? that sounds like an error in one of the <5GB chunks, which causes it to roll back everything else as it cant retry a chunk ?20:38
glangeand once they are created, they seem to be one object to the downloader20:38
thumpbahttps://github.com/openstack/glance/blob/master/etc/glance-api.conf <-- under e_large_object_size20:38
thumpbaswift_store_large_object_size20:38
glangethumpba: so there is a mismatch betwen swift and glance about what is too large an object?20:39
*** rdaly2 has quit IRC20:39
glangeor, how are you getting that error if glance starts "chunking" ?20:39
thumpbaglange: glance image-create --name image-name --disk-format raw --container-format bare --is-public True --file snapshot.raw, i found the error on the glance-api log20:40
glangesorry, I don't know much about glance, is there a glance irc channel?20:41
thumpbaglange: me niether, figured since i was using swift, this would be more relavant20:42
*** tongli has joined #openstack-swift20:42
thumpbashould i modify the swift.conf to get the upload completed?20:43
thumpbaglange: let me ask you how do i use static large object or dynamic large object instead20:43
*** mahatic_ has joined #openstack-swift20:44
*** jasondot_ has quit IRC20:45
*** nellysmitt has joined #openstack-swift20:47
glangehttp://docs.openstack.org/developer/swift/overview_large_objects.html <-- read that20:52
glangehttp://docs.openstack.org/api/openstack-object-storage/1.0/content/create_static_large_objects.html20:52
glangethat seems better for SLO, which might be what you want to use20:53
*** nellysmitt has quit IRC20:54
torgomaticSLO > DLO in nearly every use case20:56
torgomatic(IMO)20:56
*** silor1 has quit IRC21:06
*** jrichli has quit IRC21:07
mattoliverauMorning21:09
*** IRTermite has quit IRC21:16
*** NM has quit IRC21:19
*** IRTermite has joined #openstack-swift21:24
thumpba"Got error from Swift: Object PUT failed: 413 Request Entity Too Large" trying to upload an image over 5gb21:26
notmynamewhew. 2.5 hour meeting with a customer21:28
*** chipmanc has joined #openstack-swift21:30
*** jrichli has joined #openstack-swift21:32
notmynamelong meeting, but good to hear user stories21:33
*** imkarrer has quit IRC21:37
*** mahatic_ has quit IRC21:49
*** mahatic_ has joined #openstack-swift21:51
*** chipmanc has quit IRC21:56
thumpbahow do i restart swift21:56
notmynamethumpba: `swift-init all restart`. also `swift-init all reload` will do a graceful reload22:04
notmynamethumpba: why are you restarting?22:05
notmynamethumpba: https://swiftstack.com/blog/2013/12/20/upgrade-openstack-swift-no-downtime/ might be interesting to you22:05
thumpbanotmyname:  changed the max_file_size in swift.conf,22:06
thumpbanotmyname: "Got error from Swift: Object PUT failed: 413 Request Entity Too Large" trying to upload an image over 5gb22:06
notmynameah. then reload is fine to get that new value22:06
*** mariusleu has quit IRC22:06
notmynamethumpba: however, note that raising the max_file_size is generally not recommended. that's not how to store bigger objects in swift, and changing it can make life more difficult for your ops and users22:07
notmynamethumpba: obviously, there are times you want to change it (otherwise it wouldn't be configurable). just note that "I need to store larger objects" is almost never best solved by raising the max object size22:08
thumpbanotmyname: i want to migrate an instance from another openstack env, when uploading into glance its giving me the error from Swift.22:08
thumpbanotmyname: once i can make the instance from the image i will delete it and reset the value to normal22:09
notmynamehow big is the image?22:10
thumpbanotmyname: whats the correct way? the image is 5.63GB22:10
*** jwalcik has quit IRC22:10
notmynamethe correct way is to use large object manifests22:11
thumpbanotmyname: dont i have to split the image first in order to do that22:11
notmynameyes22:11
*** wer_ has quit IRC22:11
*** wer has quit IRC22:11
thumpbanotmyname: is there an openstack tool to split the image?22:12
*** wer has joined #openstack-swift22:12
*** wer_ has joined #openstack-swift22:12
notmynamethumpba: the glance client should. also, the swift CLI can. otherwise, the unix tools `split` is sufficient22:14
*** tongli has quit IRC22:15
*** rdaly2 has joined #openstack-swift22:16
*** jrichli has quit IRC22:17
*** mariusleu has joined #openstack-swift22:18
thumpbanotmyname: thanks. gotta figure out how to split and use the large object manifests22:19
notmynamethumpba: http://docs.openstack.org/developer/swift/overview_large_objects.html is a great starting place22:19
thumpbanotmyname: once they're uploaded into the container how will glance recognize that22:20
notmynamethumpba: don't know. and from listening in the -infra channel, it would seem that different openstack deployments do it different ways (eg HP and Rackspace).22:22
notmynamethumpba: that's why using the glance client is probably the best bet. but I'm not sure of the root cause of the error your seeing22:23
notmynamethumpba: I mean "object too big". but the question is why glance isn't chunking that22:23
gyeedoes swift team aware of this? https://review.openstack.org/#/c/131515/22:38
notmynamegyee: nope. thanks22:41
gyeeit makes me nervous because Swift is eventual consistency22:41
gyeeI really worry about performance as well22:41
*** annegent_ has quit IRC22:42
notmynamegyee: why? isn't keystone performance really slow today?22:44
notmyname;-)22:44
gyeeheh22:44
notmynamegyee: in seriousness, ya, perf could be an issue. net request + disk IO for every token fetch can be slow. works fine for well-behaved clients. probably not good for clients who re-auth every request22:46
notmynamegyee: but this has been done before. swauth is an auth system that uses swift as a k/v store for the tokens22:47
gyeenotmyname, good, that's what I am looking for22:48
gyeethe ratio for token lookup versus token creation is pretty high22:49
notmynameya, it should be22:49
egonActually, what would be really nice would be for *swift* to reuse tokens.22:49
notmynameegon: the swift cli? yeah, that'd be nice22:50
egonWhich is what I thought that patch was for at first.22:50
notmynameegon: well, it does. just not across different command-line invoactions22:50
notmynamegyee: and I think you could build a pretty high-performance cluster to handle that22:51
gyeenotmyname, does Swift cache objects that have high lookup rate?22:51
egonis that fixed in the latest clients? last I was looking, the tokens aren't reused.22:51
notmynameegon: s/does/should/22:52
gyeeegon, keystoneclient session does token management22:52
gyeeit won't reauth22:52
notmynamegyee: yes. it can. but it relies on the system page cache for that. so other memory pressure on a box can evict items from the page cache. but yes, swift can specifically keep certain things in memory22:52
gyeek, we may be OK with Swift as a token backend then22:55
*** nellysmitt has joined #openstack-swift22:55
gyeefor multiregion, we may use federation instead of relying on container sync22:55
egonkeystone token-get returns a different token each time.22:56
gyeeegon, yes, it suppose to22:56
ahalethe swauth proxy auth middleware uses memcache tons anyway so page cache eviction is less of an issue for hot tokens22:57
gyeeahale, this is for using swift as token backend22:58
gyeekeystone is calling swift to fetch token objects22:59
*** reed has quit IRC23:00
*** nellysmitt has quit IRC23:00
ahaleah like that ignore me :)23:00
notmynamegyee: I do have one concern on that spec: using tempauth23:02
egongyee: so, what makes you assert that the keystone client reuses tokens?23:03
notmynamegyee: instead, using tempurls might be a really great idea23:03
gyeenotmyname, all bootstrap evil :)23:03
notmynamegyee: doesn't solve all the auth bootstrap problems, but is interesting23:03
gyeethat's a shared secret key so security folks may get too curious23:04
notmynamegyee: as opposed to the shared secret stored in plain text in a config file that is tempauth?23:05
gyeeegon, https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/base.py#L14323:06
notmynameand tempurls are a lot more supportable than tempauth IMO (ie what we recommend people to use in prod)23:06
gyeenotmyname, we obfuscated passwords in conf files23:06
gyeeI supposed we can encrypt the shared keys23:07
notmynamegyee: not unless you rewrote tempauth, you didn't23:07
gyeebut I am with you, tempurl is a lot better23:07
gyeewe have requirement to rotate passwords every 3 months or so23:07
gyeeso managing service passwords is PITA23:07
notmynametempurls allow multiple keys so you can rotate them without expiring existing urls23:08
gyeenice!23:08
notmynamegyee: I actually just wrote all this down last week :-) https://swiftstack.com/blog/2015/01/29/swift-feature-highlight-tempurls/23:08
*** dmsimard is now known as dmsimard_away23:09
gyeeawesome, ++ for tempurl23:10
gyeeactually, ++ for signature-based access23:10
*** chlong has joined #openstack-swift23:11
notmynamegyee: yes!23:14
notmynameI'd love to see better support for that overall. give me an authenticated service API to get the shared secret(s) for a given user, and I'll do signature-based auth all day long23:14
notmynameright now, since that API doesn't exist, we're using the account metadata to store the shared secret. that way swift can access it to validate the signatures23:15
gyeenotmyname, I wrote a bp awhile back, got shot down23:15
gyeesorry23:15
notmynamegyee: I left a comment in gerrit on the spec23:16
gyeenotmyname, great, thanks for help!23:16
notmynamegyee: thanks for letting us know23:17
egongyee: the cli's do not reuse tokens automatically. I think I see that you're saying that if you're using the python client library, it does.23:27
notmynameoh yeah. the swift client lib will too23:30
gyeeegon, "keystone token-get" explicitly ask for new token, that's by design23:34
gyeelib will cache the token23:34
gyeenot sure if swift cli supports keyring like nova cli does23:35
notmynamegyee: what are you seeing as the problems with storing tokens in swift and eventual consistency?23:36
gyeenotmyname, for multi-region, I don't know how long the replication takes23:36
gyeealso, I am not sure about searching capability, like search all the tokens own by a user so we can revoke them23:37
egongyee: If you do keystone user-list twice in a row, it uses a different token for each request.23:37
gyeeI suppose we'll have to store metadata for swift objects to enhance searching capability?23:37
notmynamegyee: ya, I think there would need to be some thought put into how to organize accounts/containers/objects so that it remains performant and searchable23:38
notmynamegyee: maybe. maybe not23:38
gyeenotmyname, for now I put a -1 there for more details23:38
notmynamegyee: ya, I saw23:38
gyeeegon, yes, because we don't use keyring23:39
gyeefor keystone CLI, every call is a new session23:39
notmynamegyee: now can I ask for some keystone help? :-)23:41
gyeesure :)23:41
notmynamehttps://review.openstack.org/#/c/152283/ was proposed today by torgomatic. We're not at all experts in keystone, so we'd appreciate help (even with getting tests passing)23:42
*** annegent_ has joined #openstack-swift23:42
gyeelooks like a trivial change23:43
gyeelet me take a look23:43
notmynamegyee: thanks23:43
notmynametorgomatic is on a train home right now, but he'l probably be back online later today23:44
gyeek23:44
*** annegent_ has quit IRC23:49
*** annegent_ has joined #openstack-swift23:57
« Sunday, 2015-02-01 Index Tuesday, 2015-02-03 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!