| opendevreview | Tim Burke proposed openstack/swift master: CI: update known failures for the ceph tests https://review.opendev.org/c/openstack/swift/+/922164 | 04:04 |
|---|---|---|
| opendevreview | Tim Burke proposed openstack/swift master: DNM: drop boto test requirement; skip unported tests https://review.opendev.org/c/openstack/swift/+/922177 | 04:06 |
| opendevreview | Alistair Coles proposed openstack/swift master: sq? simplify legacy option parsing https://review.opendev.org/c/openstack/swift/+/922199 | 10:49 |
| opendevreview | Alistair Coles proposed openstack/swift master: statsd client: warn when legacy options are used https://review.opendev.org/c/openstack/swift/+/922200 | 10:49 |
| opendevreview | ASHWIN A NAIR proposed openstack/swift master: fix x-open-expired 404 on HEAD?part-number reqs https://review.opendev.org/c/openstack/swift/+/916547 | 15:12 |
| ozzzo_work | Reading here: https://docs.openstack.org/swift/latest/overview_acl.html | 15:46 |
| ozzzo_work | It looks like an ACL can grant access to a user, but that user's "openrc" file has to include OS_TENANT_NAM | 15:47 |
| ozzzo_work | Does that mean that, in order to access a container via ACL, a user must have a role in a project? | 15:48 |
| timburke | ozzzo_work, pretty sure, yes. i'll admit that it's been a while since i did much exploration of the interactions between keystone and swift, though. if memory serves, keystone will fail the auth request if the user has no role in the project. i wonder, though, if the acl is like *:<user-id> and you override OS_STORAGE_URL... | 15:54 |
| ozzzo_work | my customer was trying it that way but no luck | 16:11 |
| ozzzo_work | if he doesn't set OS_PROJECT_NAME he gets "No project name or project id specified." If he sets it to the project that owns the container, he gets "Unauthorized" | 16:12 |
| ozzzo_work | so I think you're right when you say "keystone will fail the auth request if the user has no role in the project" | 16:13 |
| ozzzo_work | Reading the doc; it looks like he doesn't have to have a role in the project that owns the container; it looks like any role in any project would be sufficient, as long as the ACL grants access to his user | 16:14 |
| opendevreview | Merged openstack/swift master: Skip boto 2.x tests if boto is not installed https://review.opendev.org/c/openstack/swift/+/918144 | 17:10 |
| opendevreview | Merged openstack/swift master: CI: update known failures for the ceph tests https://review.opendev.org/c/openstack/swift/+/922164 | 17:10 |
| opendevreview | Merged openstack/swift master: CI: make sure old swift is truly gone for rolling-upgrade jobs https://review.opendev.org/c/openstack/swift/+/922157 | 21:47 |
| opendevreview | Shreeya Deshpande proposed openstack/swift master: Add get_statsd_client function https://review.opendev.org/c/openstack/swift/+/919444 | 22:13 |
| opendevreview | Tim Burke proposed openstack/swift master: CI: up-rev a few py2 constraints https://review.opendev.org/c/openstack/swift/+/922261 | 23:28 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!