Thursday, 2015-09-10

00:18 *** jruano has joined #senlin
00:26 *** Qiming has quit IRC
01:20 *** mathspanda has joined #senlin
01:22 *** Qiming has joined #senlin
01:41 *** xuhaiwei has joined #senlin
01:42 *** mathspanda has quit IRC
01:50 *** mathspanda has joined #senlin
01:56 *** mathspanda has quit IRC
01:57 *** mathspanda has joined #senlin
02:05 <openstackgerrit> xu-haiwei proposed stackforge/python-senlinclient: Add resource_key to event models  https://review.openstack.org/222012
02:13 *** Yanyanhu has joined #senlin
02:18 *** Yanyanhu has quit IRC
02:25 *** Yanyanhu has joined #senlin
02:26 *** Tennyson has joined #senlin
02:32 <openstackgerrit> Merged stackforge/python-senlinclient: Add resource_key to event models  https://review.openstack.org/222012
02:51 *** jruano has quit IRC
02:55 *** jruano has joined #senlin
03:04 *** jruano has quit IRC
03:33 *** lixinhui has joined #senlin
03:53 *** mathspanda has quit IRC
04:01 *** mathspanda has joined #senlin
04:35 *** lixinhui has quit IRC
04:58 *** lixinhui has joined #senlin
05:06 *** lixinhui has quit IRC
05:23 *** lixinhui has joined #senlin
06:04 *** mathspanda has quit IRC
06:07 <LiuWei> hi, when I deepcopy the context object, I met the error: TypeError: object.__new__(NotImplementedType) is not safe, use NotImplementedType.__new__()
06:08 <LiuWei> you can see more details at: http://paste.openstack.org/show/454425/
06:12 <LiuWei> do you meet the same question when deepcopy context? please give some advice ^.^
06:29 *** Tennyson has quit IRC
06:35 *** lawrancejing has joined #senlin
07:06 <xuhaiwei> LiuWei, don't know your problem
07:07 <xuhaiwei> Qiming, are you around?
07:07 <xuhaiwei> Found a quite big problem
07:07 <LiuWei> thanks, I have solved it.
07:08 <Qiming> hi
07:08 <Qiming> what's up
07:08 <xuhaiwei> I am afraid trust is not working in senlin
07:08 <LiuWei> I misunderstood the context between Action class and Profile class.
07:09 <Qiming> xuhaiwei, evidence?
07:09 <xuhaiwei> Does senlin user have the admin priority?
07:09 <xuhaiwei> I just made some tests by the webhook
07:09 <Qiming> senlin user is an admin in project 'service'
07:10 <xuhaiwei> I found though I don't use trust, senlin can still create a token
07:10 <Qiming> when it performs some operations on behalf of a requesting user, senlin assumes the roles of that user using trust
07:10 <Qiming> what do you mean?
07:11 <xuhaiwei> I saw the webhook implementation, when we don't use '-C' option, we will use trust to create token, that's true?
07:12 <xuhaiwei> but if I modified the source, don't input trust into the kwargs which is used to get_token, token can still be fetched
07:12 <Qiming> yes
07:13 <Qiming> that is a wrong implementation
07:13 <xuhaiwei> like you said, senlin is an admin in 'service' project
07:13 <Qiming> a token can be created with and without a trust
07:13 <xuhaiwei> yes
07:14 <Qiming> if you don't provide a trust, the token will be created for 'senlin' in the 'service' project
07:14 <xuhaiwei> but if I used trust, the token is still in 'service' project
07:14 <Qiming> if you use that token to create a heat stack for example, the stack will be created in the 'service' project as well, not the requesting user's project
07:15 <Qiming> I'm not sure about that
07:15 <xuhaiwei> so there is no difference whether I use trust or not
07:15 <Qiming> if you provide a trust, you cannot provide a 'project' for token creation
07:15 <Qiming> there is a big difference
07:16 <Qiming> the correct implementation must use trust, or else everything falls apart
07:16 <xuhaiwei> yes, when trust is provided token can only be created in 'service' project
07:16 <Qiming> the token can be created, yes, but when it is later authenticated by keystone, keystone knows where you are from
07:16 <xuhaiwei> that will cause the 403 error when hitting the policy check
07:17 <Qiming> that token has access to the project indicated by the trust
07:17 <xuhaiwei> because the user project is not 'service'
07:17 <Qiming> I have never seen that happening
07:17 <Qiming> if that does happen, it is a bug for sure
07:17 <xuhaiwei> maybe webhook is the only case
07:18 <Qiming> there have been some bugs fixed recently
07:18 <Qiming> to make sure your experimentation really reflects the code's behavior
07:18 <Qiming> I'd suggest you delete all data in your credential table
07:19 <Qiming> start from a clean install
07:19 <xuhaiwei> ok, I will test again
07:19 <Qiming> okay
07:37 <openstackgerrit> Qiming Teng proposed stackforge/senlin: Update locale string  https://review.openstack.org/222058
07:46 <xuhaiwei> Qiming, got the problem
07:46 <xuhaiwei> it is still the trust parameter's name's problem
07:47 <Qiming> username or user_name ?
07:47 <xuhaiwei> openstacksdk uses trust_id
07:47 <xuhaiwei> no, I remembered you or yanyan have fixed this
07:47 <Qiming> I see, we were providing 'trusts' .... for whatever reason
07:47 <xuhaiwei> yes
07:48 *** yuanying has joined #senlin
07:55 <openstackgerrit> xu-haiwei proposed stackforge/senlin: Fix trust parameter error  https://review.openstack.org/222060
07:57 <Qiming> xuhaiwei, can we add a test case for the patch above ^ ?
07:57 <xuhaiwei> ok
07:57 <Qiming> this is a serious bug, needs to be verified in future in case we accidentally change it to something else
07:58 <Qiming> maybe just modifying existing test cases would suffice
07:58 <xuhaiwei> ok
07:58 <xuhaiwei> by the way, I am not understanding the '-C' option well
08:00 <openstackgerrit> LiuWei proposed stackforge/senlin: (WIP) cross-az policy  https://review.openstack.org/221684
08:00 <Qiming> okay
08:01 <Qiming> it allows a user A to say: I'm creating a webhook that will be triggered as user B ... and here is user B's credential
08:02 <Qiming> in some deployments, this will be very convenient, at least as we can imagine
08:02 <Qiming> you may create a special user 'alarm-trigger'
08:02 <Qiming> that user can do nothing else other than trigger a webhook
08:02 <xuhaiwei> yes, passing password seems not safe
08:03 <Qiming> all monitoring/alarming services will use that for this purpose
08:03 <Qiming> yes, it is not safe
08:03 <Qiming> instead, it can contain things like 'trust' or whatever
08:03 <xuhaiwei> when that user triggers the webhook, he just triggers the url, but anyone else can trigger the webhook if he knows the url, can't he?
08:04 <Qiming> yes, but that triggering action will translate to a 'user', 'project' context when called
08:04 <Qiming> we have webhook middleware to translate that back
08:06 <xuhaiwei> if A created a webhook, and said: B can run it, but if C knows the url, C can also run it
08:06 <Qiming> yes
08:07 <Qiming> that is about the webhook url management problem
08:07 <Qiming> A should take care of it
08:07 <Qiming> the only thing we (senlin) can do is we allow A to create a webhook that will be triggered as if the request comes from B
08:07 <xuhaiwei> if A wants B to run it, A should tell B the url, so where do the credentials work?
08:08 <Qiming> you are mixing two things together
08:08 <Qiming> A creates a webhook, and he can tell anyone he trusts to trigger that URL
08:09 <xuhaiwei> yes
08:09 <Qiming> this is totally not senlin's business, we cannot control it
08:09 <Qiming> When A creates a webhook, he has the freedom to choose whose credential will be used for triggering the webhook
08:09 <Qiming> that is where the -C parameter comes into play
08:10 <Qiming> there are three cases here:
08:10 <Qiming> if A is an admin, and A doesn't provide additional credentials, senlin will use A's credential for webhook creation
08:11 <Qiming> in other words, in future, when the webhook is triggered, senlin-engine will receive a request as if it comes from A
08:11 <Qiming> case 2
08:11 <Qiming> sorry, in the above case, A is not an admin
08:11 <Qiming> back to case 2
08:12 <Qiming> if A IS an admin, in theory, A can access any object (cluster/node ...), but we cannot create a webhook that will be triggered in future as the admin
08:12 <Qiming> so in this case, we use the target object's owner id for webhook creation
08:12 <Qiming> case 3
08:13 <Qiming> a user A (admin or not), wants a webhook to be triggered as user B, and user A does have the credentials of user B, fine, we allow it
08:13 <Qiming> is this clear enough?
08:14 <xuhaiwei> still case 3
08:14 <Qiming> you've got to read the webhook_trigger workflow to understand this
08:14 <xuhaiwei> I have read the source code
08:15 <Qiming> to senlin-engine, it doesn't care whether a request comes from a webhook or REST request
08:16 <xuhaiwei> I just think we asked for B's credentials but did not use them when B is triggering the webhook
08:16 <Qiming> although there are some trivial translations
08:16 <Qiming> you haven't read the whole story
08:17 <Qiming> when a webhook is triggered, the request is first translated by the webhook middleware here: http://git.openstack.org/cgit/stackforge/senlin/tree/senlin/api/middleware/webhook.py
08:18 <xuhaiwei> yes, got the project_id and so on
08:18 <Qiming> the middleware parses the URI
08:19 <Qiming> uses the extracted project, webhook_id, key to get the credential saved when the webhook was created
08:19 <xuhaiwei> yes, from the url got project_id and webhook id
08:19 <xuhaiwei> yes
08:19 <Qiming> after decryption, line 98 will return the user trust created between user B and 'senlin', right?
08:20 <Qiming> that is what was stored when the trust was created when you create the webhook
08:20 <xuhaiwei> yes
08:20 <Qiming> then, back to line 53
08:20 <Qiming> we use 'senlin' user name, password, but attach the previously created trust
08:21 <Qiming> when we get a token from line 62
08:21 <Qiming> we get a new token from keystone
08:22 <Qiming> this new token will be used down the request processing flow, until it arrives at the senlin-api
08:22 <Qiming> what does senlin-api see?
08:22 <xuhaiwei> the token contains userB's credential
08:23 <Qiming> it sees a request from 'senlin', it also says: okay, I'm senlin, but I'm doing this on behalf of B
08:23 <Qiming> please treat me as B when I'm requesting anything
08:25 <Qiming> this whole design cost us about 3 weeks, we evaluated quite some other alternatives before the decision was made
08:27 <xuhaiwei> I need to go back and think about it more :)
08:28 <Qiming> yep
08:28 <Qiming> that is the core of the trust based authentication
08:28 <yuanying> I'm not sure why `credential` option is passed from client
08:28 <Qiming> :) no ....
08:28 <Qiming> need me to explain that again, ;)
08:28 <yuanying> hmm
08:29 <Qiming> is that a yes?
08:29 <Qiming> yuanying, read this first: http://git.openstack.org/cgit/stackforge/senlin/tree/doc/source/developer/authorization.rst
08:29 <yuanying> I'll discuss with xuhaiwei
08:30 <Qiming> and this: http://git.openstack.org/cgit/stackforge/senlin/tree/doc/source/developer/webhook.rst
08:30 <yuanying> oh,
08:30 <yuanying> thanks!
08:30 * Qiming feels lucky that he wrote something before
08:31 <yuanying> haha
08:32 <yuanying> I saw that, senlin webhook-create -C 'project_id=admin' worked
08:32 <Qiming> webhook-create -C 'god=idiot' will work as well
08:33 <yuanying> so, I'm confused what is credential
08:33 <Qiming> several possible combinations actually
08:33 <Qiming> you will need some background from keystone to understand that
08:33 <yuanying> ok
08:33 <Qiming> for example, some valid combinations inclue:
08:34 <Qiming> s/inclue/include/:
08:34 <Qiming> user_id + password
08:34 <Qiming> user_id + password + trust_id
08:34 <Qiming> user_id + token
08:34 <Qiming> user_name + password + user_domain_name
08:35 <Qiming> user_name + password + project_id
08:35 <Qiming> oh, the last one won't work
08:35 <Qiming> user_name + password + project_id + user_domain_name
08:35 <Qiming> user_id + token + project_name + project_domain_name
08:36 *** lawrancejing has quit IRC
08:36 <yuanying> these are parameters for keystone authentication
08:36 <Qiming> I am not 100% sure how sdk or keystone will treat extra keys
08:36 <Qiming> yep
08:37 <Qiming> if you specify god_name=jesus, it may or may not complain though
08:43 <openstackgerrit> Qiming Teng proposed stackforge/python-senlinclient: Fix node-update behavior  https://review.openstack.org/222073
08:45 <Qiming> sigh, SDK doesn't have support for stack update
08:48 <openstackgerrit> Yanyan Hu proposed stackforge/senlin: Rework context initialization in action module  https://review.openstack.org/221676
08:48 <Yanyanhu> Qiming, yes, the node update feature has been frozen for a while for this reason
08:49 <Yanyanhu> just came back
09:08 <openstackgerrit> Merged stackforge/senlin: Update locale string  https://review.openstack.org/222058
09:32 <Qiming> Yanyanhu, just posted comments to your patch above
09:32 <Yanyanhu> ok, thanks
09:32 <Qiming> something I'd suggest we do this once
09:33 <Yanyanhu> ok
09:36 <Yanyanhu> hi, Qiming, about your comment in this file https://review.openstack.org/#/c/221676/2/senlin/engine/actions/cluster_action.py, so you mean we don't pass context even for those actions which are derived from an existing action?
09:36 <Qiming> yes
09:36 <Qiming> it is useless
09:37 <Qiming> we had this discussion yesterday
09:37 <Qiming> at the end of the day, you cannot pass stateful things through RPC
09:38 <Yanyanhu> yes, but I thought that is for actions created for RPC request?
09:38 <Yanyanhu> e.g. those actions created in engine service
09:38 <Yanyanhu> since these actions will be transmitted through queue or DB
09:38 <Qiming> oh really?
09:38 <Qiming> do you call start_action?
09:39 <Yanyanhu> yes
09:39 <Yanyanhu> actually you're right
09:39 <Qiming> there is no difference
09:39 <Yanyanhu> the result is the same even for those actions derived from an existing one
09:39 <Qiming> I struggled on that for many hours last week
09:40 <Yanyanhu> so it seems we don't need the context param in action base at all?
09:40 <Qiming> I'm afraid so
09:40 <Yanyanhu> or say the DBsession param
09:40 <Yanyanhu> hmm
09:40 <Yanyanhu> ok, maybe we should remove it
09:41 <Qiming> you just pass in a tuple (user, project, domain) when creating an action from scratch
09:41 <Yanyanhu> yea
09:41 <Qiming> when you load an action from DB, the logic can be changed
09:42 <Qiming> I'm not 100% sure the 'context'/dbsession should be created in _from_db_record
09:42 <Qiming> maybe we have to
09:42 <Qiming> because the target we stored in DB could reference anything
09:43 <Qiming> try to deserialize a cluster then a node then a policy there to get the (user, project, domain) ?
09:43 <Yanyanhu> yes
09:43 <Yanyanhu> that's one reason
09:43 <Qiming> that sounds like a dirty job
09:43 <Yanyanhu> yes, we shouldn't do this
09:43 <Yanyanhu> ok
09:44 <Yanyanhu> understand
09:44 <Yanyanhu> so we keep this 'context/session' param
09:44 <Yanyanhu> hi, Qiming, actually about the refactoring of context usage in senlin service, my only concern is 'oslo context' could be bonded with other oslo libs like 'oslo.messaging' or 'oslo.db' more and more tightly
09:45 <Qiming> any evidence on that?
09:45 <Qiming> they are different projects
09:45 <Yanyanhu> one thing is the context serialization/deserialization in oslo.messaging
09:45 <Qiming> it would be very hard for them to make disruptive changes now
09:45 <Yanyanhu> and also some context usage in DB
09:47 <Yanyanhu> hope they don't do this kind of work
09:47 <Yanyanhu> since it could make the context more and more complicated
09:48 <Yanyanhu> you can even find a property named 'show_deleted' in oslo context base. This is weird I think
09:50 <Yanyanhu> and also read_only. Don't know what this property is for
09:52 <Qiming> we don't use it
09:52 <Qiming> we deleted the usage of 'context.show_deleted'
09:52 <Yanyanhu> yes, it shouldn't belong to context
09:52 <Qiming> the reason is that we are doing asynchronous execution
09:52 <Yanyanhu> I think
10:01 *** Yanyanhu has quit IRC
10:01 *** Yanyanhu has joined #senlin
10:08 <openstackgerrit> Yanyan Hu proposed stackforge/senlin: [WIP]Add functional test for cluster resize  https://review.openstack.org/222105
10:12 *** Yanyanhu has quit IRC
10:28 *** Qiming has quit IRC
10:33 *** lixinhui has quit IRC
10:33 *** zhenguo has quit IRC
10:40 <openstackgerrit> xu-haiwei proposed stackforge/senlin: Fix trust parameter error  https://review.openstack.org/222060
11:32 *** Qiming has joined #senlin
11:41 <openstackgerrit> LiuWei proposed stackforge/senlin: (WIP) cross-az policy  https://review.openstack.org/221684
12:11 *** LiuWei has quit IRC
12:50 *** Qiming has quit IRC
13:03 *** jdandrea has joined #senlin
13:11 *** zhenguo has joined #senlin
14:14 *** jruano has joined #senlin
14:35 *** jruano_ has joined #senlin
14:38 *** jruano has quit IRC
15:06 *** jruano_ has quit IRC
17:07 *** zhenguo has quit IRC
23:31 *** xuhaiwei has quit IRC
23:38 *** xuhaiwei has joined #senlin
