*** mhen_ is now known as mhen | 02:45 | |
opendevreview | melanie witt proposed openstack/oslo.limit master: Call Keystone API once to get (registered_)limits https://review.opendev.org/c/openstack/oslo.limit/+/944000 | 03:27 |
---|---|---|
opendevreview | Stanislav Zaprudskiy proposed openstack/keystone master: Support emitting partial hash of invalid password https://review.opendev.org/c/openstack/keystone/+/932423 | 13:25 |
slaweq | hi gtema, may I have qq about oslo policy rules? | 13:33 |
slaweq | gtema is it possible to define scope of the custom rule in the policy.yaml file somehow? I can't find it anywhere | 13:33 |
gtema | hey hey, I am just trying to work around neutron madness around policies and you come with such a question ;-) | 13:33 |
slaweq | or is scope only defined in code for rules and then only the check_str can be overwritten in the yaml file? | 13:33 |
slaweq | haha :) | 13:34 |
gtema | lemme check | 13:34 |
gtema | but I would rather confirm your summary that it is not possible | 13:35 |
slaweq | that's what I thought but I wanted to make sure asking someone more familiar with this | 13:35 |
gtema | neah, sorry. I do not see any possibility to change anything beyond the check in config file | 13:41 |
gtema | slaweq ^^ | 13:42 |
slaweq | thx for confirmation gtema | 13:43 |
gtema | and btw - I am on porting ownercheck and fieldcheck to OpenPolicyAgent to actually simplify and speed up neutron. Sadly this requires also bit hacking on the policy hook of neutron | 13:43 |
slaweq | if I can help you somehow, please let me know | 13:52 |
gtema | sure slaweq, thanks | 13:52 |
slaweq | I know we were discussing in the past about changes in the neutron policies to include descriptions of the apis in docstrings, but I don't have time for this at all | 13:52 |
gtema | one of the main things I am currently on about neutron policies is that it is extremely expensive when GET operation deals with many resources (filtering out records and then for every record checking multiple attrs) | 13:53 |
gtema | so in devstack for subnet with 200 ports get_ports call takes already 2.5 sec | 13:54 |
gtema | and it grows progressively | 13:54 |
gtema | with using openpolicyagent simply implementing oslo.policy checks it goes up to 5 sec since every invocation is an http request | 13:55 |
gtema | but I just found a method to upload all results to openpolicyagent and filter it there. With that necessary time for policy goes down to 0.3s | 13:55 |
gtema | so now I am trying to override a policy hook to invoke it this way in a way that is friendly for deployers | 13:57 |
gtema | for ownercheck I implemented a small binary that exposes certain attrs of those resources in question over http by doing direct DB read - this allows http caching | 13:58 |
opendevreview | Ghanshyam proposed openstack/oslo.policy master: Testing doc job on Ubuntu Noble https://review.opendev.org/c/openstack/oslo.policy/+/944068 | 19:25 |