Monday, 2020-04-27

<roukoswarf> anyone know if i can somehow insert like... arbitrary code in oslo policy, or if ill need to edit in specific code changes? [19:52]
<roukoswarf> im trying to policy verify security groups against an external policy that checks more than just owner etc [19:52]
<bnemec> roukoswarf: We've had users who wrote policy checks against an external policy engine using HttpChecks. [19:56]
<bnemec> It is also possible to write custom checks against things other than owner and what-not. [19:56]
<roukoswarf> is that in oslo_policy, or in neutron? [19:56]
<roukoswarf> cause, i know i can do whatever if i hard code it into neutron, but i was hoping for a pluggable method. [19:57]
<roukoswarf> huh, didnt know about httpchecks in oslo. [19:58]
<roukoswarf> this might be perfect, if it can send enough detail about the object. [19:58]
<bnemec> roukoswarf: If there isn't enough detail sent, you could open a bug to request it. We found a few places back when this first started to be used where services were not actually sending what they were supposed to send. [20:07]
<bnemec> I think we fixed all of those, but since this doesn't really get tested upstream it's possible there were regressions. [20:07]
<roukoswarf> well, im just working through what id need to do to get neutron to send the full rule being created when doing security group rule creates. [20:08]
<roukoswarf> so i dont have to directly generate the payload? its just hardcoded into oslo? [20:12]
<bnemec> roukoswarf: I think the object being affected by the policy is usually passed to the policy. Unfortunately you may have to check code itself to see exactly what is passed. [20:15]
<roukoswarf> wonder where that code would be in neutron. [20:16]
<bnemec> roukoswarf: The target is what I was thinking of: https://opendev.org/openstack/neutron/src/branch/master/neutron/policy.py#L422 [20:19]
<bnemec> For creation that might not be useful though if it's just passing a project_id. :-/ [20:19]
<roukoswarf> well i guess ill just change the policy and see what it does. [20:23]
<roukoswarf> see what i get [20:23]
<bnemec> Yeah, that might be easiest. [20:24]
<bnemec> I glanced through the neutron code, but there are several different places policy checks are done, depending on what api call is being made. [20:24]
<roukoswarf> yeah, i just want create_security_group_rule [20:25]
<roukoswarf> bnemec: its not in the docs, does oslo support and? or just or? [20:55]
<roukoswarf> nvm, its just not explicitly mentioned very well, i did find an example. [20:56]
<bnemec> Yeah, the docs are example-based so the specifics of what exists is kind of buried. [20:58]
<roukoswarf> can the policy take port numbers? i got nothing hitting my webserver and the rule was accepted without asking... [21:12]
<bnemec> roukoswarf: I believe you should be able to specify a port. The URL basically gets passed to requests, which does recognize ports in URLs. [21:52]
<roukoswarf> yeah, for some reason nothing ever hits my api, after adding "create_security_group_rule": "http://10.0.74.95/policy/verifyrule" to my policy [21:55]
<roukoswarf> is there some step im missing/misunderstanding? [21:55]
<roukoswarf> it just... accepts the change, even without hitting the api. [21:57]
<bnemec> Yeah, that's concerning. Even if it's failing to reach the server it should have failed closed. [21:59]
<roukoswarf> so it looks like neutron is cheeky and for some reason totally bypasses policy if youre an admin. [21:59]
<roukoswarf> which uh... sounds wrong to me. [21:59]
<bnemec> Ohhh, I remember discussing this in regard to the role and scope policy changes. [22:00]
<bnemec> Some projects still have hard-coded policy checks like that. [22:00]
<roukoswarf> its not a dealbreaker for me... just not very nice to bypass policy processing like that. [22:01]
<roukoswarf> i guess at least i can check what i get sent finally. [22:01]
<bnemec> Yeah, you would need to talk to the neutron team about that. [22:02]
<bnemec> I know it's a concern in general for the new policy work because we don't want admin to be a special one-off thing. That makes it impossible to delegate admin permissions to other users who may need a subset of admin functionality. [22:02]
<roukoswarf> bnemec: the good news is the rule create http verification does in fact send literally everything about the request to the httpcheck, so this will work excellently, thanks a bunch for the pointer. [22:08]
<bnemec> roukoswarf: Glad I could help! [22:09]
