21:00:29 <notmyname> #startmeeting swift 21:00:29 <openstack> Meeting started Wed Mar 1 21:00:29 2017 UTC and is due to finish in 60 minutes. The chair is notmyname. Information about MeetBot at http://wiki.debian.org/MeetBot. 21:00:30 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 21:00:33 <openstack> The meeting name has been set to 'swift' 21:00:34 <notmyname> who's here for the swift team meeting? 21:00:37 <timburke> o/ 21:00:41 <joeljwright> o/ 21:00:43 <mattoliverau> o/ 21:00:45 <mathiasb> o/ 21:00:51 <kota_> o/ 21:00:51 <pdardeau_> hi 21:00:52 * clayg lurks 21:00:55 <ntata> hello 21:01:30 <torgomatic> hi 21:01:46 <sgundur> hi 21:01:58 <acoles> hi 21:02:01 <notmyname> welcome, everyone 21:02:04 <m_kazuhiro> o/ 21:02:32 <clayg> where's onovy and rledisez 21:02:55 <notmyname> they're not normally here, but it's also very late for them 21:03:00 <notmyname> cschwede: ? 21:03:02 <notmyname> tdasilva: ? 21:03:07 <tdasilva> hello 21:03:15 <tdasilva> i'm half here ;) 21:03:31 <clayg> maybe we should do one of those global timezone calendar things agains and sanity check our meeting time 21:04:12 <notmyname> clayg: best time globally is 7 or 8am us pacific time. that's never seemed too viable, unfortunately ;-) 21:04:22 <notmyname> ok, let's get started 21:04:26 <notmyname> good to see everyone here 21:04:35 <notmyname> agenda is at... 21:04:39 <notmyname> #link https://wiki.openstack.org/wiki/Meetings/Swift 21:04:50 <notmyname> #topic PTG summary 21:05:01 <notmyname> I wrote some thoughts about the PTG at http://lists.openstack.org/pipermail/openstack-dev/2017-February/113062.html 21:05:13 <notmyname> our notes are collected at (or linked from) https://etherpad.openstack.org/p/swift-ptg-pike 21:05:32 <notmyname> if you've got something more detailed about a particular topic, PLEASE link to it from the ideas page 21:05:41 <notmyname> https://wiki.openstack.org/wiki/Swift/ideas 21:06:00 <notmyname> and project team photos are at https://www.flickr.com/photos/152419717@N06/sets/72157680602754246/ (if you missed it) 21:06:24 <notmyname> ok, I think that's it for general purpose links :-) 21:06:33 <notmyname> so... what'd you think? how was the PTG? 21:06:38 <notmyname> clayg: how was the food? 21:06:39 <notmyname> ;-) 21:06:52 <notmyname> (I'm kidding. don't talk about the food) 21:07:11 <kota_> lol 21:07:17 <mattoliverau> PTG was good. much better then I expected it to be 21:07:50 <clayg> OS - keeping expectations low 21:07:58 <notmyname> ouch 21:08:07 <acoles> notmyname: nice write up 21:08:12 <notmyname> mattoliverau: anything more than that? 21:08:14 <notmyname> acoles: thanks 21:08:14 <mattoliverau> as always we had alot going on, and multiple discussions going at once in the Swift room. 21:08:38 <mattoliverau> But I really enjoyed the hallway track as well. So it was good that other projects were around 21:08:48 <notmyname> yeah, that was good 21:09:05 <notmyname> of course the PTG is new, so it's hard to compare with what we've done in the past. and the upcoming summit is the other parts of the big rescheduling changes 21:09:17 <notmyname> I"m planning on having more info for everyone about the summit by next week 21:09:19 <acoles> IMO the 3 swift days were as productive as previous midcycles 21:09:36 <notmyname> were we negatively impacted by it being 3 days instead of 4? 21:10:00 <notmyname> did we lose anything by not having a sponsored evening group activity? 21:10:48 <notmyname> were the first two days effective and useful for the swift community? (ie yes, it's good to work with different projects, but was that productive with regard to making an awesome storage system?) 21:10:52 <mattoliverau> I think the 3 days didn't impact us too bad, as we broke up into small discussions early (from the start). 21:11:00 <mattoliverau> Though I do miss the Ops feedback 21:11:06 <notmyname> mattoliverau: YES! 21:11:47 <notmyname> was there anything that you'd change for the next PTG? 21:12:02 * notmyname is trying to prompt responses 21:12:09 <acoles> once or twice i was aware of two simultaneous discussions that I would like to have been in but that has happened at 4 day events as well 21:12:10 <tdasilva> get onovy and briancline there ???? 21:12:12 <kota_> if it could be 21:12:37 <acoles> did we get many ops to midcycles before? or mainly at summits? 21:12:41 <kota_> swapping project specific days and cross-project days might be usefule? 21:12:51 <kota_> useful 21:12:53 <tdasilva> kota_: i was thinking the same thing 21:13:17 <mattoliverau> acoles: nope good point 21:13:18 <kota_> to cover topics which is discussed not enough 21:13:22 <acoles> notmyname: re sponsored evening...we had kind people who organised dinner venues for us at PTG :) 21:13:23 <notmyname> acoles: yeah, briancline has been to at least on midcycle, IIRC (but sometimes the events blend together in memory) 21:13:26 <kota_> which are 21:13:31 <notmyname> kota_: that's a really interesting idea 21:13:49 <clayg> acoles: IIRC we've historically had more ops feedback at the design summits - but we had ahale one time in san antonio and it was great 21:13:58 <clayg> I love ops - they can come hang out anytime 21:13:58 <kota_> not sure it works well for cross projects 21:14:01 <jrichli> sorry im late 21:14:03 <acoles> clayg: right 21:14:20 <notmyname> kota_: do you mean that the last two days would be for cross project but could be used for project-specific stuff as necessary? 21:14:37 <kota_> notmyname: yes 21:15:31 <notmyname> any other feedback on the week? other comments or suggestions that we can take to the larger openstack community? 21:16:09 <mattoliverau> Just better scheduling, its hard to search through everyones etherpad 21:16:26 <kota_> mattoliverau: +1 21:16:42 <torgomatic> try not to schedule on top of holidays? 21:16:46 <mattoliverau> And I miss the snacks and coke from developer lounge, but understand that costs money :) 21:17:13 <notmyname> torgomatic: in which country? but yeah :-) 21:17:19 <torgomatic> notmyname: host country, maybe 21:17:24 <tdasilva> notmyname: my thought with switching the days, is that we would be able to discuss things in project first which may raise questions for cross project later in the week 21:17:40 <mattoliverau> maybe more projector or sceens in rooms 21:17:44 <torgomatic> also, do we know yet if going to Boston will be useful for those of us who are only focused on development? 21:17:49 <tdasilva> not sure it makes sense, but the thought occurred to me... 21:17:51 <torgomatic> (sorry if that's a bit off topic) 21:18:09 <notmyname> torgomatic: that's what I want to learn myself this week and have info about during next week's meeting 21:18:17 <notmyname> tdasilva: yeah, that makes sense 21:18:25 <mattoliverau> torgomatic: I think the Sydney forum might clash with an Oz holiday. so yeah 21:18:26 <torgomatic> notmyname: 👍 21:18:51 <acoles> mattoliverau: is there a day in AU that is not a holiday ? ;) 21:18:53 <notmyname> tdasilva: alternatively, the later discussions we had in the week were simpler because you'd *already* figured out devstack/infra stuff at the first of the week :-) 21:19:08 <mattoliverau> acoles: a few, like next tueday.. that isn't a holiday :P 21:19:25 <joeljwright> :D 21:19:47 <tdasilva> notmyname: yeah, that's what i was trying to figure out...is the same true about barbica for example? 21:20:40 <notmyname> hard to say. hard to know what could have happened :-) 21:20:49 <notmyname> anything else to bring up before we move on? 21:21:27 <notmyname> overall, I thought it was a great week, and that's mostly due to you, the swift community. so thanks for being there 21:21:56 <notmyname> (and if you weren't there, you were missed) *cough*joel*cough* 21:22:23 <joeljwright> notmyname: thanks, I definitely feel like I missed out :( 21:22:34 <notmyname> mattoliverau: thanks for filling out the container sharding trello https://trello.com/b/z6oKKI4Q/container-sharding 21:22:59 <notmyname> #topic swift3+auth bug 21:23:05 <notmyname> timburke: your topic. what's up? 21:23:27 <timburke> bug's at https://bugs.launchpad.net/swift3/+bug/1561199 21:23:27 <openstack> Launchpad bug 1561199 in OpenStack Security Advisory "Client-accessible headers are used to send authentication information to other middlewares" [Undecided,Incomplete] 21:23:54 <notmyname> (note that it's public, despite being a security advisory) 21:24:11 <timburke> tl;dr is that from a presigned s3 url, an attacker can get access to everything the signer could access, rather than just the specific object 21:24:30 <notmyname> thanks :-) 21:24:48 <timburke> i mainly wanted to highlight that every auth middleware i've seen that supports swift3 has been affected, so anyone with in-house auth that integrates with swift3 should go audit to see if they're affected and plan on changing to the new env vars 21:24:50 <notmyname> and more specifically, it's related to the particular auth system that is being used (right?) 21:25:07 <timburke> i think beyond that, i just need notmyname to click the buttons on the swift patches 21:25:27 <notmyname> specifically, the backport patches so that the swift3 changes can be landed 21:25:42 <notmyname> since, in part, swift3 tests against swift stable and not swift master 21:25:42 <kota_> notmyname: yes 21:25:58 <notmyname> I'm planning on doing that this afternoon 21:26:38 <clayg> notmyname: this is https://review.openstack.org/#/c/438720 ??? 21:26:51 <notmyname> timburke: and by "every auth middleware" you mean tempauth (dont' use this anyway), swauth, keystone. any others? 21:26:56 <timburke> re: auth system -- yup; it's a breakdown in input validation -- swift3 only does it's validation when the Authorization header starts with 'AWS ', while every auth system i've looked at will try to authenticate with *every* Authorzation header 21:27:11 <notmyname> clayg: actually the backport is https://review.openstack.org/#/c/438722 21:27:12 <timburke> swiftstack's auth 21:27:28 <timburke> i would expect anyone derived from tempauth to be similarly affected 21:27:29 <clayg> notmyname: is the plan... to land the backport before we land the change on master? 21:27:44 <notmyname> clayg: no 21:28:20 <notmyname> ok, let me rephrase my own plan: after my meetings are done today, I'll be looking at the patch to master (which timburke might already +A) and the proposed backport to see what needs to happen 21:28:22 <timburke> so go land 20 and then the backport (22), so i can land swift3's fix 21:28:23 <notmyname> :-) 21:29:03 <timburke> and if anyone has a better idea for how i can land critical security fixes in swift3 without needing swift backports, i'm all ears 21:29:52 <notmyname> timburke: general question about this... after landing, what breaks if someone upgrades without rewriting their auth integration? 21:30:04 <clayg> notmyname: the plan is for timburke to +A his own patch to swift master? Even though he's currently asking if anyone has a better plan? 21:30:16 <timburke> notmyname: s3 api access 21:31:02 <timburke> we're making a conscious break to force middleware authors to deal with it 21:31:23 <kota_> neither older swift3 + new swift auth nor new swift3 + older swift auth works 21:31:33 <kota_> for s3 api 21:31:55 <timburke> clayg: i think this will have to be the plan for this fix. i'd be interested in ideas for avoiding backports to tempauth for future issues 21:31:57 <clayg> timburke: kota_: sounds ok to me! 21:32:32 <clayg> timburke: how do you avoid bacports if you make backwards incompatible changes? 21:32:38 <notmyname> what's the status of a swauth patch? 21:32:41 <clayg> do you want current swift3 to work with old swift or not? 21:33:13 <timburke> clayg: with old swift, yes. with old tempauth, i don't care so much 21:33:38 <timburke> notmyname: submitted https://review.openstack.org/#/c/439853/ -- passes gate, but i haven't func tested recently 21:34:04 <timburke> (it looks like swauth doesn't have func tests in the gate) 21:35:09 <notmyname> tempauth patch: needed for swift3 gate, swauth: should also bump the dependency on swift3, other proprietary auth: same as swauth but we can't patch it 21:35:12 <timburke> i'll probably submit a backport for keystonemiddleware, too, although the real solution there is to switch to using swift3's version of s3token 21:35:45 <notmyname> so timburke's point is that if you are running swift3, you need to examine your auth system, especially if it's something internal/proprietary 21:36:45 <timburke> and that's about all i had for that topic 21:36:57 <notmyname> ok 21:37:36 <clayg> timburke: and we can't just file a bug that says swauth doesn't work with swift3 > xyz? 21:37:44 <notmyname> and clayg's points/questions are good. we'll land master first. in this case, it's a patch to tempauth (which should be relatively low impact), but anyone else can also go review that if you're super concerned about it 21:37:57 <timburke> clayg: i might as well be a *little* more helpful than that 21:38:01 <clayg> there's a security bug in swauth that requires a change - so we may as well work with new swift3 while we're at it? 21:38:14 <notmyname> clayg: IMO yes 21:38:42 <notmyname> shall we move on to the last topic? 21:38:42 <clayg> notmyname: yes we *can* just file the bug? Or yes there is a security hole that requires a change anyway? 21:39:10 <notmyname> clayg: yes there's a sec bug that requires a change anyway 21:39:14 <clayg> it's not writing the damn change - it's finding enough people to give a ^&*# about swauth+swift3 to get it landed? 21:40:35 <timburke> ...in which case swauth is screwed either way? 21:40:44 <timburke> i'm not sure i see your point 21:41:07 <notmyname> can we have that conversation either in -swift or somewhere else? 21:41:14 <timburke> sure 21:41:18 <clayg> sure 21:41:20 <notmyname> #topic Add X-Backend-Versioning-Mode-Override 21:41:31 <notmyname> timburke: this is also something you brought up. what's up here? 21:41:38 <timburke> so i'm going to talk about swift3 some more :P 21:42:05 <clayg> lol 21:42:23 <timburke> i've been working with an outreachy intern, karenc, who's been working on using the new history mode for versioned writes to implement s3-like versioning for swift3 21:42:37 <notmyname> that's cool 21:43:11 <clayg> timburke: there's a patch up right? 21:43:17 <timburke> she's submitted https://review.openstack.org/#/c/437196/ because she needed to be able to toggle between modes in some cases, and double POSTing to the container before doing an object delete seems like a Bad Idea 21:44:02 <timburke> clayg pointed out that it might be nice as a client-accessible feature, but i had some memory of us moving away from that during the review of https://review.openstack.org/#/c/437196/ 21:44:31 <timburke> so i wanted opinions on whether to make this part of the public api or leave it just for middleware authors 21:44:44 <clayg> timburke: that's the same change? 21:45:11 <notmyname> shoudl be https://review.openstack.org/#/c/214922/ 21:45:12 <timburke> bah. https://review.openstack.org/#/c/214922/ 21:45:15 <timburke> yeah 21:46:07 <timburke> i'd pushed toward the latter (use an X-Backend-* header) just because if we change our mind later, it's easier to open it up than close it 21:46:31 <timburke> so, thoughts? tdasilva, maybe? 21:46:33 <notmyname> Adding X-Backend-Versioning-Mode-Override allows swift3 to override the 21:46:34 <notmyname> stored versioning mode for one request. This means that even if the 21:46:34 <notmyname> versioning mode is set to "history", if the request has the header 21:46:35 <notmyname> "X-Backend-Versioning-Mode-Override: stack", swift will use "stack" as 21:46:37 <notmyname> the versioning mode. 21:47:14 <notmyname> so the question is, do we keep that as a private thing or allow end-users to use that (ie drop the x-backend- part) 21:47:28 <tdasilva> do we need to decide that now? 21:47:38 <tdasilva> i can look at it, but don't have an opinion now 21:47:58 <notmyname> tdasilva: you'd expressed hesitation earlier, and clayg suggesting it should be public. thus "meeting topic" ;-) 21:48:24 <notmyname> so, no, AFAIK we don't have to decide it right this minute (correct me timburke) 21:49:21 <timburke> only time constraint is that karenc's internship ends next week, but it sounds like she'll try to still get outstanding patches landed afterward 21:49:52 <clayg> timburke: is there a swift3 change that makes use of the header? 21:49:59 <tdasilva> timburke: please don't let me hold up things, i only meant to say i'd have to load this stuff up in my head again and think it through... 21:50:30 <tdasilva> but i trust others to make the right decision, so don't wait up for me if you can move things forward 21:50:31 <timburke> tdasilva: yeah, no worries :-) i'd prefer a thought-through response over a snap judgement 21:50:59 <clayg> timburke: notmyname: the history on patch 214922 - do you have he specific comment/context where someone said "clients should not be able to set version mode per request because xyz" 21:51:06 <timburke> clayg: not yet. it'll probably be part of https://review.openstack.org/#/c/436571/ but right now i think that just does the double-post thing 21:52:05 <timburke> on ps3, "The part I'm a little hesitant about is with the query parameter. I don't really see the need for it, why not just make it a configuration option. In this case I think I'd prefer the simplicity of having one or the other, but not both." 21:52:44 <clayg> timburke: so I don't love the idea of merging a string for some middleware to pull at and supporting that interface without functionally testing all the bits work together the way we want to solve the use-case 21:53:33 <clayg> timburke: if we make it a proper swift feature we can move orthogonally to the middleware - if it's just there for swift3 - I'd like to know it works for swift3 - I think that's about the whole of it 21:54:45 <timburke> clayg: even if it works for swift3 now, you wouldn't know when you break it later anyway. that's why swift3 is gating off ocata and not master -- we have a habit of breaking internal interfaces 21:54:59 <clayg> timburke: wasn't that concern raised before containers *had* a versioning mode? 21:55:51 <clayg> timburke: that we have containers with a default versioning mode - and you can flop containers back and forth - is it really so insane to think you can flop individual requests off the default mode per request (should probably be a qs) 21:57:05 <clayg> timburke: ok, and I think we should do better at that - one part of that strategy is being smart about the interfaces we "support" - and avoiding swift3 digging magic roots into other middlewares that only make sense in the context of swift3? 21:57:42 <notmyname> I wish we'd been able to discuss this topic (new external or internal api headers) last week 21:57:48 <clayg> anyway - my vote is the same 1) it could totally be a public client feature if someone wanted that and it would make it easier to maintain 2) if we don't want to do that work lets at least make sure it works for the consumer it's intended for 21:58:05 <clayg> why didn't we? 21:58:17 <notmyname> we're running out of time in here in the meeting room 21:58:22 <timburke> ...not many people care about swift3? 21:58:49 <notmyname> so what's the conclusion for this topic? timburke anything specific to do next? 21:58:59 <mattoliverau> I'm not against it becoming a public API, execpt that once it's pulically a part of the API we can't (or don't) remove it. So rather be a thought out decision before we add something. Though in this case I don't realy see the harm. 21:59:02 <clayg> that's too bad! I'd like to get better at using swift3! 21:59:30 <timburke> i guess i need to push toward having a swift3 patch that uses the functionality. even though swift3 can't have any functests for it 21:59:41 <notmyname> mattoliverau: " I don't see the harm" <-- dangerous words ;-) 21:59:46 <mattoliverau> lol 21:59:53 <notmyname> timburke: ack 22:00:13 <clayg> timburke: we should work on swift3 having a gate against master - and eventually having swift cogate with swift3 as well 22:00:16 <mattoliverau> yeah, which is why tdasilva's loading into brain and thinking about it is important ;) 22:00:47 <notmyname> tdasilva: did you see how mattoliverau just avoided reviewing the patch by saying you would? ;-) 22:01:05 <tdasilva> lol 22:01:06 <notmyname> timburke: I like your thought on getting the swift3 patch in 22:01:09 <notmyname> ok, we're at time 22:01:11 <mattoliverau> damn you saw through it :P 22:01:14 <notmyname> mattoliverau: lol 22:01:27 <notmyname> thank you, everyone, for coming. thank you for your work on swift 22:01:30 <notmyname> #endmeeting