*** mpanetta_ has joined #openstack-zaqar | 00:29 | |
*** mpanetta_ has quit IRC | 00:30 | |
*** mpanetta_ has joined #openstack-zaqar | 00:30 | |
*** Qiming has quit IRC | 00:38 | |
*** mpanetta_ has quit IRC | 00:43 | |
*** mpanetta_ has joined #openstack-zaqar | 00:44 | |
*** mpanetta_ has joined #openstack-zaqar | 00:44 | |
wanghao | morning, everyone~ | 01:11 |
wanghao | flwang: hi, feilong, this patch https://review.openstack.org/#/c/286433/ may need you to add +1 again for workflow, seems it didn't merge master now... | 01:12 |
openstackgerrit | wangxiyuan proposed openstack/python-zaqarclient: Add update queue function in v2 https://review.openstack.org/294368 | 01:13 |
wanghao | flwang: btw, xiyuan and I have some summaries about the differences between aliyun's mns and zaqar and what we can do, I will make a list today later. | 01:15 |
*** mpanetta_ has quit IRC | 01:16 | |
openstackgerrit | wanghao proposed openstack/zaqar: Show default attributes for queue https://review.openstack.org/286433 | 01:20 |
flwang | wanghao: awesome | 01:24 |
flwang | wanghao: did you do a rebase or just upload a new patchset? | 01:26 |
wanghao | flwang: yes, and remove the depends-on. | 01:26 |
wanghao | flwang: rebase too. | 01:27 |
flwang | ok, cool | 01:27 |
*** Qiming has joined #openstack-zaqar | 01:34 | |
flwang | wanghao: in summary, is there a big gap comparing with aliyun? | 01:36 |
flwang | i think we're in good shape as for the messaging part | 01:36 |
flwang | based on my review | 01:36 |
flwang | but for notification part, our notification format need to be improved | 01:37 |
*** kgriffs is now known as kgriffs|afk | 02:11 | |
wanghao | flwang: not big gap, some details I think we can improve our Zaqar. | 02:19 |
wanghao | flwang: for messaging, I feel two places we can think about, for notification, we found three points we can improve. | 02:22 |
flwang | wanghao: awesome, looking forward to details | 02:25 |
wanghao | flwang: sure | 02:26 |
*** mpanetta_ has joined #openstack-zaqar | 02:38 | |
*** flwang1 has joined #openstack-zaqar | 02:42 | |
*** mpanetta_ has quit IRC | 02:46 | |
*** akanksha_ has joined #openstack-zaqar | 03:23 | |
*** achanda has joined #openstack-zaqar | 03:49 | |
*** Kevin_Zheng has joined #openstack-zaqar | 03:51 | |
*** achanda has quit IRC | 04:05 | |
*** rcernin has joined #openstack-zaqar | 04:52 | |
*** flwang1 has quit IRC | 05:02 | |
*** akanksha_ has quit IRC | 06:17 | |
*** achanda has joined #openstack-zaqar | 06:23 | |
*** tesseract has joined #openstack-zaqar | 06:24 | |
*** tesseract is now known as Guest15115 | 06:24 | |
*** khushbu_ has joined #openstack-zaqar | 07:23 | |
*** khushbu_ has quit IRC | 08:46 | |
*** khushbu has joined #openstack-zaqar | 08:58 | |
*** khushbu has quit IRC | 09:06 | |
*** khushbu has joined #openstack-zaqar | 09:07 | |
*** khushbu__ has joined #openstack-zaqar | 09:15 | |
*** khushbu has quit IRC | 09:15 | |
*** openstackgerrit has quit IRC | 09:17 | |
*** openstackgerrit has joined #openstack-zaqar | 09:17 | |
*** khushbu__ has quit IRC | 09:26 | |
*** shu-mutou is now known as shu-mutou-AFK | 09:35 | |
*** openstackstatus has quit IRC | 09:57 | |
*** openstack has joined #openstack-zaqar | 09:58 | |
*** openstackstatus has joined #openstack-zaqar | 10:00 | |
*** ChanServ sets mode: +v openstackstatus | 10:00 | |
*** achanda has quit IRC | 10:08 | |
*** Qiming has quit IRC | 10:14 | |
*** achanda has joined #openstack-zaqar | 10:38 | |
*** achanda has quit IRC | 10:47 | |
*** khushbu has joined #openstack-zaqar | 10:50 | |
*** khushbu has quit IRC | 10:57 | |
*** achanda has joined #openstack-zaqar | 11:08 | |
*** achanda has quit IRC | 11:12 | |
*** Qiming has joined #openstack-zaqar | 11:22 | |
*** openstack has quit IRC | 12:04 | |
*** openstack has joined #openstack-zaqar | 12:05 | |
wanghao | flwang: hi, there is summary about the difference between MNS and Zaqar, plz have a look: http://paste.openstack.org/show/493777/ | 12:40 |
ryansb | wanghao: I am not flwang, but that looks really handy, thanks for doing the research :) | 12:42 |
Eva-i | ryansb: Hello. I want your opinion. Look at my last comment on this patch: https://review.openstack.org/#/c/294368/ and wxy's replies. Should we pre-create queue in API v2 in the client, like in API v1 in the client? Also here's my discussion with flwang about it, we have different points of view: http://eavesdrop.openstack.org/irclogs/%23openstack-zaqar/%23openstack-zaqar.2016-04-07.log.html | 13:08 |
ryansb | sure thing | 13:09 |
Eva-i | ryansb: nice =) | 13:09 |
ryansb | our logs really need a filter so it doesn't record 1 billion join/quit messages | 13:17 |
klambrec | Eva-i, It seems to me that Zaqar completely ignores the X-Project-Id header provided in a keystone setup, all requests are processed against the requester's Primary Project, this seems to match with https://bugs.launchpad.net/zaqar/+bug/1544328 - Am I right in assuming that this header is in the API but is basically completely unimplemented ? | 13:24 |
openstack | Launchpad bug 1544328 in zaqar "Zaqar doesn't require X-PROJECT-ID header in requests (noauth)" [Undecided,New] - Assigned to Eva Balycheva (ubershy) | 13:24 |
Eva-i | klambrec: as I know, when Zaqar is configured to use Keystone, X-Project-Id header provided by the user is always ignored, because Zaqar takes X-Project-Id header from Keystone itself based on the X-Auth-Token header provided by the user. | 13:27 |
Eva-i | klambrec: if it wasn't implemented like that, I think, a single user could access messages/queues/subscriptions of any project, which is bad. Of course it doesn't matter when there's no authentication. | 13:30 |
klambrec | Well not quite, in Keystone you have a Primary Project, but can be assigned roles in any other projects. | 13:31 |
Eva-i | klambrec: but when there's authentication, we shouldn't allow the user to use any X-Project-ID header. | 13:31 |
klambrec | Obviously if in Keystone I have not been mapped a member of another Project, I should not get access, but when I've been granted membership of some secondary Projects, I should be able to access those. | 13:32 |
Eva-i | klambrec: aha, I see. I didn't know the user can be associated with multiple projects in keystone. | 13:34 |
Eva-i | klambrec: so better behavior of Zaqar would be: not ignore, but accept the X-Project-ID header provided by the user, but check if it's associated with the token provided, right? Because the user can have access to multiple projects, right? | 13:38 |
Eva-i | klambrec: and if no X-Project-ID header is provided, but only token, take primary project from keystone? | 13:39 |
klambrec | Yes I think that would be ideal. | 13:40 |
klambrec | I *think* that a token is only valid for one Project at a time, so if a user has access to multiple projects, he will need to get multiple tokens. But I'm not 100% sure on that one. | 13:41 |
klambrec | Never really submitted anything to Open Stack before, is it worth to create a bug for this, or will it get duped to yours anyway ? | 13:42 |
*** ametts has joined #openstack-zaqar | 13:43 | |
*** khushbu has joined #openstack-zaqar | 13:45 | |
Eva-i | klambrec: "token is only valid for one Project at a time" if this is true, Zaqar works good now and we must keep the current implementation, I think. | 13:47 |
Eva-i | klambrec: a bit later I'll ask people in keystone chat to make sure | 13:48 |
klambrec | Eva-i, well to be clear : Zaqar ignores the Project ID inside the token, it actually seems to get the Primary Project from Keystone and use that. | 13:49 |
*** amitgandhinz has joined #openstack-zaqar | 13:49 | |
klambrec | So my primary project is X, but I have permissions on Project Y, I request & get a token for Project Y, use that token with Zaqar & specify the X-Project-Id as project Y ... my requests still hit project X. | 13:50 |
klambrec | I think that's wrong, or well, up for improvement :) | 13:50 |
Eva-i | klambrec: aha, I see, it really seems wrong, please create a bug report for this. I'll work on it later. | 13:53 |
Eva-i | klambrec: and thanks =) | 13:53 |
klambrec | Eva-i, also for your existing bug, so this behavior with noauth, I've seen that the v1.1 API DOES expect the X-Project-Id in place, but only sometimes, I think it was inside the message functions. Some generic requests, listing queues etc.. do not require it. Either way, quite inconsistent. | 13:54 |
klambrec | I'll see if I can reproduce exactly what it was and update your bug. | 13:54 |
*** khushbu has quit IRC | 13:55 | |
*** jhesketh has left #openstack-zaqar | 13:56 | |
Eva-i | klambrec: my bug report is for Zaqar configured to not use authentication and the problem there is different from yours. I think a new bug report should be created. | 13:59 |
klambrec | Eva-i, I know, I agree they are different problems. | 14:00 |
klambrec | But I was testing Zaqar with noauth last week as well, and ran into similar observations. | 14:00 |
Eva-i | klambrec: that's strange. In noauth x-project-id header is never ignored as I know. | 14:02 |
klambrec | I mean similar to yours. In noauth, there are no project ids of course, so Zaqar will accept anything. That's ok, but I noticed that some requests are accepted without X-Project-Id, while other request types DO require you to provide some X-Project-Id | 14:04 |
*** khushbu has joined #openstack-zaqar | 14:04 | |
klambrec | Anyway, I will retest it later and update your bug with what I know. | 14:05 |
Eva-i | klambrec: I might be wrong, but I think some resources in Zaqar are shared amongst project ids, for example pools and flavors, so maybe it's okay that they don't require project id. Messages, queues and subscriptions resources are different and they definitely should require project id. Also ping or health requests also don't require project id and I think it's okay. | 14:12 |
Eva-i | klambrec: if you think something is strange, of course update bug or leave a comment, it would be nice. | 14:14 |
klambrec | Ok, thanks for the feedback. I seem to have found that in a keystone auth scenario, even a ping requires a valid auth token i.e.. but I need to test more and make sure it's not a problem on my end. | 14:15 |
*** khushbu has quit IRC | 14:24 | |
Eva-i | klambrec: It's okay for Zaqar to require valid token for ping request in keystone scenario. It's not because Zaqar wants to get x-project-id from Keystone by using token, but because it just needs to validate access. Ping is same for all clients, no matter which project ids are associated with users. | 14:30 |
klambrec | Well it causes some problems for i.e. HAProxy which just wants to send a simple HTTP request to check if Zaqar is alive, it has no understanding of project ids. But I'm already discussing that one with flwang . | 14:32 |
Eva-i | klambrec: For example, in case the user wants to send messages to Zaqar, not only access is validated, but x-project-id is taken from Keystone by token. Because available messages are different for each x-project-id. | 14:32 |
klambrec | Other Open Stack components seem to accept that. | 14:32 |
ryansb | hrm, that's a good point. | 14:32 |
*** flwang has quit IRC | 14:32 | |
ryansb | Our ping endpoint doesn't need any project info really, though doing it that way could mean pings "work" when the keystone backend is degraded/down | 14:33 |
*** flwang has joined #openstack-zaqar | 14:36 | |
klambrec | Agreed, there's no ideal approach there; maybe you could send a similar ping to keystone as well and only respond 204 No Content if that returns successful as well to increase the meaningfulness. | 14:36 |
klambrec | Or well other components must have considered this one already at length, probably best to get some feedback there. | 14:36 |
Eva-i | klambrec: our API v2 uses policy.json. With this file you can grant access to anyone to make PING requests. | 14:36 |
klambrec | Haa ! I hadn't thought of that. Maybe that's the answer. | 14:37 |
Eva-i | klambrec: zaqar policy.json is located in /etc/zaqar/ directory | 14:37 |
ryansb | oh, well there you have it | 14:38 |
ryansb | thanks Eva-i | 14:38 |
Eva-i | klambrec: according to this manual it's possible to grant access to anyone: http://docs.openstack.org/kilo/config-reference/content/policy-json-file.html, but I haven't tried. | 14:38 |
klambrec | Thanks indeed, I'll try that. | 14:38 |
Eva-i | klambrec: I hope with this instruction it's possible to allows anybody access, not only all users registered in Keystone. | 14:39 |
Eva-i | *to allow | 14:40 |
Eva-i | if it will not work, perhaps we need to think about another solution, for example, make Zaqar not require token on ping request. | 14:42 |
wxy | klambrec: Eva-i: There are two kinds of token: unscoped and scoped | 14:44 |
wxy | Usually, we use the scoped token out of Keystone. And then the token contains the project id. | 14:47 |
wxy | So IMO, the behavior in zaqar now looks ok. or maybe there are bugs in some API. klambrec, you'd better create a bug. I'll take a look at it tomorrow and I guess I could help a little. :) | 14:51 |
klambrec | Shall do. | 14:55 |
*** ametts has quit IRC | 14:59 | |
Eva-i | ryansb: hey, I answered to you in this patch: https://review.openstack.org/#/c/294368 | 15:12 |
Eva-i | ryansb: this is my last argument after thinking. | 15:12 |
ryansb | Eva-i: lol! "queue = cli.queue('somequeue', auto_create=True, force_create=False, really_create=True)" | 15:14 |
ryansb | you're the best | 15:14 |
*** kgriffs|afk is now known as kgriffs | 15:15 | |
Eva-i | hehe | 15:15 |
*** kgriffs is now known as kgriffs|afk | 15:15 | |
*** khushbu has joined #openstack-zaqar | 15:17 | |
*** openstackgerrit has quit IRC | 15:18 | |
*** openstackgerrit has joined #openstack-zaqar | 15:18 | |
*** itisha has joined #openstack-zaqar | 15:21 | |
*** achanda has joined #openstack-zaqar | 15:25 | |
*** kgriffs|afk is now known as kgriffs | 15:30 | |
*** itisha has quit IRC | 15:31 | |
*** itisha has joined #openstack-zaqar | 15:33 | |
Eva-i | wxy: ryansb: okay, let's not pre-create queue in metadata(). The patch is almost good now, except one little mistake. After it will be fixed, I'll mark it +2. ;) | 15:37 |
*** achanda has quit IRC | 15:38 | |
*** fesp has joined #openstack-zaqar | 15:43 | |
*** fesp has quit IRC | 15:45 | |
*** mpanetta has joined #openstack-zaqar | 16:05 | |
*** Qiming has quit IRC | 16:22 | |
*** achanda has joined #openstack-zaqar | 16:25 | |
*** flwang has quit IRC | 16:29 | |
*** achanda has quit IRC | 16:30 | |
*** flwang has joined #openstack-zaqar | 16:33 | |
*** david_cu has joined #openstack-zaqar | 16:39 | |
*** khushbu has quit IRC | 16:44 | |
*** kgriffs is now known as kgriffs|afk | 16:45 | |
*** kgriffs|afk is now known as kgriffs | 16:45 | |
*** Guest15115 has quit IRC | 16:55 | |
*** david_cu has quit IRC | 17:10 | |
*** davideag_ has quit IRC | 17:28 | |
*** davideagnello has joined #openstack-zaqar | 17:32 | |
*** achanda has joined #openstack-zaqar | 17:34 | |
klambrec | I've created a bug for the OPTIONS ping. Accessing secondary Projects works fine though, my mistake. | 17:38 |
*** ametts has joined #openstack-zaqar | 17:45 | |
*** flwang1 has joined #openstack-zaqar | 17:45 | |
flwang1 | morning/evening, guys | 17:47 |
*** rcernin has quit IRC | 17:53 | |
*** Eva-i has quit IRC | 17:58 | |
openstackgerrit | Fei Long Wang proposed openstack/zaqar: Make sure use IPv6 sockets for Zaqar in IPv6 environment https://review.openstack.org/304800 | 17:58 |
*** Eva-i has joined #openstack-zaqar | 17:59 | |
*** david_cu has joined #openstack-zaqar | 18:21 | |
*** achanda has quit IRC | 18:23 | |
*** kukacz has quit IRC | 18:24 | |
openstackgerrit | Merged openstack/zaqar: Show default attributes for queue https://review.openstack.org/286433 | 18:42 |
*** david_cu has quit IRC | 18:48 | |
openstackgerrit | Fei Long Wang proposed openstack/zaqar: Fix auth when accessing "/" https://review.openstack.org/304817 | 18:56 |
*** ametts has quit IRC | 18:58 | |
openstackgerrit | Fei Long Wang proposed openstack/zaqar: Make sure use IPv6 sockets for Zaqar in IPv6 environment https://review.openstack.org/304800 | 19:01 |
openstackgerrit | Fei Long Wang proposed openstack/zaqar: Fix auth issue when accessing root path "/" https://review.openstack.org/304817 | 19:02 |
flwang1 | klambrec: i have fixed your haproxy issue, pls try it https://review.openstack.org/304817 | 19:03 |
*** achanda has joined #openstack-zaqar | 19:05 | |
*** achanda has quit IRC | 19:05 | |
*** david_cu has joined #openstack-zaqar | 19:09 | |
*** david_cu has quit IRC | 19:10 | |
*** david_cu has joined #openstack-zaqar | 19:17 | |
*** david_cu has quit IRC | 19:29 | |
*** david_cu has joined #openstack-zaqar | 19:33 | |
*** flwang1 has quit IRC | 19:34 | |
*** david_cu has quit IRC | 19:34 | |
*** david_cu has joined #openstack-zaqar | 19:43 | |
*** tqtran has joined #openstack-zaqar | 20:00 | |
*** mpanetta has quit IRC | 20:55 | |
*** ametts has joined #openstack-zaqar | 21:06 | |
*** flwang1 has joined #openstack-zaqar | 21:23 | |
*** flwang1 has quit IRC | 21:37 | |
*** amitgandhinz has quit IRC | 21:38 | |
*** amitgandhinz has joined #openstack-zaqar | 21:40 | |
*** amitgandhinz has quit IRC | 21:42 | |
*** david_cu has quit IRC | 21:46 | |
*** flwang1 has joined #openstack-zaqar | 22:01 | |
flwang | Eva-i: ping | 22:08 |
klambrec | flwang, yes that works beautifully now. | 22:08 |
flwang | klambrec: awesome | 22:09 |
Eva-i | flwang: hello | 22:09 |
flwang | klambrec: i will get it in and backport to mitaka | 22:09 |
flwang | Eva-i: can you help review the top 3 commits ? https://review.openstack.org/#/q/project:openstack/zaqar | 22:09 |
flwang | Eva-i: and this one https://review.openstack.org/#/c/297695/ | 22:10 |
flwang | https://review.openstack.org/296937 | 22:10 |
flwang | sorry for the pushing ;) | 22:10 |
klambrec | flwang, thanks ! | 22:12 |
flwang | klambrec: anytime, sir | 22:12 |
Eva-i | flwang: oki | 22:14 |
Eva-i | flwang: should I prioritize top 3 commits? | 22:15 |
flwang | Eva-i: the two +2ed patches should be the low-hanging-fruit | 22:15 |
flwang | but i would highlight the HAproxy issue and the ipv6 patch | 22:16 |
flwang | up to you :) | 22:16 |
flwang | ryansb: vkmc: flaper87: don't be lazy before summit ;) https://review.openstack.org/#/q/project:openstack/zaqar+status:open | 22:17 |
Eva-i | flwang: okay, I'll try to review 1-3 patches and go to sleep | 22:18 |
flwang | Eva-i: oh, sorry, i'm not pushing you to review it right now | 22:19 |
flwang | i know it could be late for you | 22:20 |
Eva-i | flwang: nothing to sorry, it's okay | 22:20 |
flwang | :) | 22:20 |
openstackgerrit | Merged openstack/zaqar-specs: Make queues lazy in subscriptions https://review.openstack.org/284180 | 22:26 |
*** klambrec has quit IRC | 22:27 | |
*** ametts has quit IRC | 22:37 | |
Eva-i | flwang: how do you test a patch like this: https://review.openstack.org/#/c/302479 ? | 22:51 |
ryansb | of course :) | 23:11 |
flwang | Eva-i: run the shell | 23:18 |
Eva-i | flwang: what do you mean? | 23:23 |
Eva-i | flwang: I want to test it too, but don't know how to run | 23:23 |
*** itisha has quit IRC | 23:29 | |
*** Qiming has joined #openstack-zaqar | 23:35 | |
Eva-i | flwang: from where can I start? | 23:36 |
flwang | Eva-i: download the shell gate_hook.sh and then run ./gate_hook.sh tempest | 23:39 |
Eva-i | flwang: hm, oki, I'll try tomorrow | 23:48 |
flwang | Eva-i: cool, thanks | 23:50 |
*** tqtran has quit IRC | 23:53 | |
Eva-i | flwang: ryansb: see you tomorrow =) | 23:55 |
flwang | good night | 23:56 |