Friday, 2016-07-01

*** rrecio has quit IRC00:06
*** catintheroof has joined #openstack-mistral00:13
*** cheneydc has joined #openstack-mistral00:59
*** chlong has quit IRC01:06
*** _gryf has joined #openstack-mistral01:36
*** cheneydc has quit IRC02:16
*** cheneydc1 has joined #openstack-mistral02:16
*** cheneydc1 is now known as cheneydc02:19
*** chlong has joined #openstack-mistral02:34
*** catintheroof has quit IRC03:00
*** gyee has quit IRC03:00
*** chlong has quit IRC03:34
openstackgerritMerged openstack/mistral: Updated from global requirements  https://review.openstack.org/33619204:04
openstackgerritOpenStack Proposal Bot proposed openstack/python-mistralclient: Updated from global requirements  https://review.openstack.org/33635904:24
*** rrecio has joined #openstack-mistral04:52
*** rrecio_ has joined #openstack-mistral04:53
rakhmerovxavierhardy: hi Xavier, what do you mean by ACL?04:55
*** rrecio has quit IRC04:56
rakhmerovhparekh: hi Hardik, you're here?05:03
*** rrecio_ has quit IRC05:08
*** chlong has joined #openstack-mistral05:15
openstackgerrityushangbin proposed openstack/mistral: add mistral data handling on dictionary type.  https://review.openstack.org/33637205:44
xavierhardyrakhmerov: access control05:53
rakhmerovyou mean that policy.json file?05:54
xavierhardythat's part of it05:55
xavierhardywhat is an admin, what's an owner? how do you determine that05:55
xavierhardy?05:55
rakhmerovthe only thing we have now in Mistral is policy.json which is a standard OpenStack thing for endpoints05:56
xavierhardywhat kind of authentication is required ? do we have to get through the hurdles of configuring keystone?05:56
rakhmerovwe don't have anything on top of it05:57
rakhmerovyes05:57
xavierhardy:(05:57
rakhmerovwe have to05:57
rakhmerovit's been on a roadmap for a while but not implemented yet05:57
rakhmerovto make it more flexible etc.05:57
rakhmerovsorry05:57
xavierhardywhat does it provide today exactly?05:58
xavierhardyCan I limit one action to a certain group of users (while other actions are available for everyone)?05:59
xavierhardyThey should be owner of the action?05:59
*** Ravikiran_K has joined #openstack-mistral05:59
xavierhardycan we have authentication information available in the action context?06:00
rakhmerovxavierhardy: honestly, I'm not an expert at it myself. It was merged recently and I haven't configured it myself yet. I just know how it's integrated with Mistral. Please take a look at http://docs.openstack.org/mitaka/config-reference/policy-json-file.html06:00
rakhmerovon your last question: yes06:01
rakhmerovyou can take a look at how OpenStack actions are implemented06:01
rakhmerovthey use mistral.context06:01
rakhmerovbut06:01
rakhmerovit is going to change soon once we implement Custom Actions API06:01
rakhmerovas far as policy.json, in my understanding you can create users with certain roles in Keystone and then define what endpoints are accessible to what roles06:02
rakhmerovthat's basically it06:02
rakhmerovas far security info for actions, it's not well design now for many reasons, we're willing to change it06:03
Ravikiran_KHi rakhmerov, one quick question..... is it possible to use mistral to schedule for things to run on infrastructure VM?06:04
xavierhardyOK, is it possible to change the authentication backend?06:06
rakhmerovI'm now working on integrating OpenID Connect authentication06:07
rakhmerovhttps://review.openstack.org/#/c/335944/06:08
rakhmerovshould be finished soon06:09
rakhmerovit's now specific to KeyCloak but I may go away from it at all06:09
rakhmerovso that it is purely OpenID06:09
xavierhardybut it's in the client, how can I change it in the servers?06:10
rakhmerovxavierhardy: working on it06:11
rakhmerovwill be working today06:11
rakhmerovthe change will be pretty small06:11
rakhmerovfor now06:11
rakhmerovbecause it will be only validating access token06:11
rakhmerovif we want RBAC it'll be more serious work06:12
xavierhardyDo you have the change request on the server side?06:12
rakhmerovnot yet06:12
rakhmerovxavierhardy: what are you interested? What protocol etc.06:12
rakhmerovinterested in..06:12
xavierhardyExtremely basic actually: just matching some header06:13
xavierhardyheaders06:13
rakhmerovyes, it will be done06:13
rakhmerovtoday06:13
xavierhardythe headers already contain the information we need06:13
xavierhardyok06:13
rakhmerovthe use case we're interested in for now (at Nokia) is to run Mistral with KeyCloak06:13
xavierhardyIs that how OpenID works? It looked like a rather complicated authentication technology06:13
rakhmerovwe only need authentication for client and server (server will be just validating tokens) and multitenancy06:14
rakhmerovit's one of OpenID Connect authentication flows06:14
rakhmerovit can be used differently06:14
rakhmerovgenerally yes, OpenID is a pretty complicated stuff06:15
rakhmerovI'm now implementing just one simple flow06:15
rakhmerovon client: provide client_id, client_secret, user and password and get access token (there's also ID token but it's for different purpose)06:16
rakhmerovclient inserts access token into Mistral API requests06:16
rakhmerovon server: check that access token is valid and extract project name06:17
rakhmerovif it's not valid, raise an exception06:17
rakhmerovthat's it06:17
rakhmerovit's also possible to extract various information from the token but it can be implemented in future06:17
xavierhardyOK, we will not need the client side but the server side changes you mention is what I'm looking for06:18
rakhmerovalthough this topic is a little bit tricky for many reason06:18
rakhmerovthat's why Keystone has its Federation06:18
rakhmerovyes, it'll be simple06:18
xavierhardymake the header names configurable please06:18
rakhmerovconfigurable how?06:18
xavierhardythe header names could be variables in the mistral.conf file06:19
rakhmerovusing env variables, config options or what?06:19
rakhmerovooh, ok06:19
xavierhardyon the server06:19
rakhmerovwhat about client side?06:19
xavierhardywe don't need any change there06:19
rakhmerovwe do need them :)06:20
rakhmerovok, I'll think about it06:20
xavierhardyactually we already have authentication, but mistral is not aware of that06:20
rakhmerovI bet06:20
xavierhardywe pass headers to mistral with some information06:20
rakhmerovit's easy to have config options on the server side06:20
xavierhardybut right now, it ignores them06:20
rakhmerovwhat headers?06:20
xavierhardyuser information06:20
rakhmerovI mean, what are they exactly?06:21
xavierhardyHTTP headers06:21
rakhmerovbtw: https://blueprints.launchpad.net/mistral/+spec/mistral-rbac06:21
rakhmerovBP for RBAC06:21
rakhmerovyeah, I mean what exact HTTP headers?06:21
rakhmerovcan you please add info into the BP? https://blueprints.launchpad.net/mistral/+spec/mistral-configurable-auth-middleware06:21
xavierhardyThat I'm not allowed to say06:22
rakhmerovooh...06:22
xavierhardyIf it's configurable, it's fine06:22
rakhmerovok, I'll try to make it as much flexible as possible06:23
rakhmerovand I'll ask you to review changes06:23
xavierhardycool, thanks a lot06:23
rakhmerovxavierhardy: so you're building some commercial product? Why so much secrecy? :)06:24
xavierhardyno, nothing commercial06:25
xavierhardybut internal, so it is just to make sure that internal users have only access to what makes sense for them06:25
rakhmerovok, got it06:25
xavierhardyI prefer to say less than I'm allowed to, to be on the safe side ;)06:26
xavierhardyI see there are 2 functions to get the authentication headers from06:36
xavierhardycontext_from_config (keystone only for the moment)06:36
xavierhardycontext_from_headers06:36
xavierhardywhen is context_from_headers used?06:36
xavierhardywhen using mistral_http06:36
xavierhardy?06:36
xavierhardyit seems to be always on, whereas the AuthHook depends on auth_enable06:38
rakhmerovxavierhardy: client pushes some auth headers to server, server build auth context from those headers06:51
rakhmerovthat's it06:51
rakhmerovwhen calling mistral_http and other actions security context is already populated06:52
rakhmerovand can be used by actions06:52
rakhmerovyes, if auth is disabled security context is empty06:52
rakhmerovno user, no project, no auth token06:52
xavierhardyok06:56
xavierhardyso I really your CR then, OK06:56
xavierhardy:)06:56
xavierhardythanks06:56
rakhmerovCR? :)07:02
rakhmerovwhat's that?07:02
xavierhardychange requests07:03
rakhmerovok07:03
xavierhardyCompletely unrelated, but I think we should add a field in the DSL to have input validation in workflows and ad-hoc actions, using YAQL.07:22
*** chlong has quit IRC07:23
openstackgerritMerged openstack/python-mistralclient: Updated from global requirements  https://review.openstack.org/33635907:25
xavierhardySpeaking of YAQL, do you have any idea for the custom YAQL function we could use as an example in my change requests?07:27
*** openstackgerrit has quit IRC07:33
*** openstackgerrit has joined #openstack-mistral07:33
*** jpich has joined #openstack-mistral07:46
*** Kiall_ has quit IRC07:50
openstackgerrityushangbin proposed openstack/python-mistralclient: change method of mistralclient getting mistral url.  https://review.openstack.org/33641207:52
*** shardy has joined #openstack-mistral08:01
*** openstackgerrit has quit IRC08:18
*** openstackgerrit has joined #openstack-mistral08:18
rakhmerovxavierhardy: for validation yes, https://blueprints.launchpad.net/mistral/+spec/mistral-preconditions08:20
rakhmerovas for function, seriously I would take something simple for now08:20
rakhmerovsomething like I mentioned in the comment08:20
xavierhardyyou mean this comment08:24
xavierhardyXavier, it's up to you. For example, it could a function that chooses minimal value from iterable of provided values. But if you come up with something more interesting please go ahead. Per my previous comment, I think some interesting functions will be using specific Mistral functions like querying DB.08:24
xavierhardy?08:24
xavierhardyok08:24
xavierhardyso you think it should one big YAQL expression to validate the whole action input (I assume from the blueprint)?08:29
xavierhardyI was thinking about a dict with the action input names as key and the validation expression as value08:30
xavierhardybut it's true what you're proposing seems more flexible08:30
*** saphi has joined #openstack-mistral09:00
saphihi ddeja. I haven't still solved my proble. I think I have to post data with {"evacuate": {"onSharedStorage": false}}. But I don't know how to input to mistral-action nova.servers_evacuate09:02
openstackgerritRenat Akhmerov proposed openstack/python-mistralclient: WIP: Add KeyCloak authentication  https://review.openstack.org/33594409:34
openstackgerritRenat Akhmerov proposed openstack/python-mistralclient: Add KeyCloak OpenID Connect authentication  https://review.openstack.org/33594409:36
ddejasaphi: hi. please take a look at how I was doing it https://github.com/gryf/mistral-evacuate/blob/6c5052cb2de07062bf9ab144634ad89aafb170a8/host-evacuate.yaml09:36
ddejahope it helps :)09:37
openstackgerrithardik proposed openstack/mistral: Allow to use both name and id to access action definitions  https://review.openstack.org/32589409:49
*** cheneydc has quit IRC09:55
openstackgerrithardik proposed openstack/python-mistralclient: Change action-get help to get action info by ID  https://review.openstack.org/32592109:57
openstackgerrithardik proposed openstack/python-mistralclient: Changed argument names as per other python clients  https://review.openstack.org/33095810:03
openstackgerritLingxian Kong proposed openstack/mistral: Add db models for event trigger  https://review.openstack.org/32049710:08
openstackgerritLingxian Kong proposed openstack/mistral: Add event engine service  https://review.openstack.org/32050010:08
openstackgerritLingxian Kong proposed openstack/mistral: Add event trigger REST API  https://review.openstack.org/32050910:08
openstackgerritLingxian Kong proposed openstack/mistral: Add functional tests for event engine functions  https://review.openstack.org/33646310:08
openstackgerritRenat Akhmerov proposed openstack/mistral: Remove obsolete config option "use_mistral_rpc"  https://review.openstack.org/33646610:12
openstackgerritRenat Akhmerov proposed openstack/mistral: Remove obsolete config option "use_mistral_rpc"  https://review.openstack.org/33646610:14
saphihi ddeja. It is working. Thankyou verymuch. I writen on_shared_storage=False It isn't working. But it has to "false"10:24
ddejasaphi: No problem. But please also think about 'zombie pets' that I write you yesterday, because it may hit you badly at some point10:27
saphiYes. I will think about that. I have to test many times :D10:29
*** Ravikiran_K has quit IRC10:34
openstackgerritRenat Akhmerov proposed openstack/python-mistralclient: Add KeyCloak OpenID Connect authentication  https://review.openstack.org/33594410:38
openstackgerritRenat Akhmerov proposed openstack/mistral: Add authentication options for KeyCloak OIDC  https://review.openstack.org/33648810:52
jtomasekrakhmerov: Hi, what is the correct way to cancel a workflow? deleting a workflow execution?10:52
rakhmerovjtomasek: hi, change its state to PAUSED, SUCCESS or ERROR10:53
jtomasekrakhmerov: ok, thanks10:54
rakhmerovPOST /v2/executions/<id> {'state': <PAUSED | SUCCESS | ERROR>}10:54
rakhmerovor through python client10:55
rakhmerovnot POST sorry10:55
rakhmerovPUT10:55
jtomasekrakhmerov: thanks10:56
d0ugalWhat happens when a workflow is cancelled? Could we end up with half executed workflows?10:57
d0ugalrakhmerov, jtomasek - ^10:57
rakhmerovd0ugal: all currently running workflow tasks will complete but new won't start10:58
rakhmerovand execution object will have a corresponding state10:58
rakhmerovif it's needed it can also be removed from DB but it may be tricky because it's a graph of objects in DB (with foreign keys etc.)10:58
rakhmerovdependencies maybe handled though, I don't remember exactly (need to check)10:59
d0ugalInteresting, thanks. I'll need to try this out at some point :)10:59
rakhmerovgive me a sec..10:59
rakhmerovyeah, if you remove workflow execution objects then all related stuff such as task executions will be removed too11:00
rakhmerovbecause they are configured to be removed if they become orphans11:00
rakhmerovjust recalled that we have a mechanism called Execution Expiration Policy11:01
rakhmerovit allows to automatically remove executions according to certain criteria11:01
rakhmerove.g. if they are older than a configured age11:02
d0ugalIs that what removes old executions after a period of time?11:02
d0ugalcool, yeah it is :)11:02
rakhmerovright11:02
rakhmerovnot sure whether we have docs for that11:02
rakhmerovlet me see11:02
rakhmerovyeah, here it is: http://docs.openstack.org/developer/mistral/main_features.html#execution-expiration-policy11:03
d0ugalThanks, useful to know11:04
rakhmerovpretty bad english though in this section :)11:04
rakhmerovneed to fix11:04
rakhmerovnp11:05
d0ugalI noticed a few gramatical errors, I should send over some doc patches sometime11:05
rakhmerovyes, I wish people were doing it11:05
rakhmerovdocs are hard to maintain11:05
d0ugalYup, I was concerned I didn't know enough about the project yet to write docs, but I can try.11:06
rakhmerovideally, it'd be cool to have a native speaker go over the whole docs (not too much work actually) and fix whatever is broken11:06
d0ugalI am not a great writer, but I am a native speaker. I'll add it to my todo list :)11:07
rakhmerovhaha :)11:07
rakhmerovgreat, that'd be awesome11:07
*** saphi has quit IRC11:07
rakhmerovkong: hey, I see that you've been very active in the last few days )11:08
rakhmerovit feels like you're somewhere close to finish with your BP, no?11:09
openstackgerritRenat Akhmerov proposed openstack/python-mistralclient: Add KeyCloak OpenID Connect authentication  https://review.openstack.org/33594411:40
openstackgerritRenat Akhmerov proposed openstack/mistral: Add authentication options for KeyCloak OIDC  https://review.openstack.org/33648811:44
jtomasekrakhmerov: so deleting the execution is also valid way to stop the execution?12:05
rakhmerovjtomasek: well, yes, you can do this but engine will be cursing that some objects are not found12:06
rakhmerovwhen e.g. a running task will be completing12:06
jtomasekrakhmerov: ah, I see, yeah I am seeing some foreign key errors from time to time when testing this12:07
jtomasekrakhmerov: so if I update the state of execution to lets say 'ERROR', the running task will finish and no other will get run?12:08
rakhmerovcorrect12:09
jtomasekrakhmerov: so this is generic -> anytime the execution gets updated, it will stop?12:09
rakhmerovwhen its state goes to any of the terminal states (although PAUSED is not not exactly terminal)12:10
rakhmerovyes12:10
rakhmerovthere's also possible to have PAUSED->RUNNING transition12:11
rakhmerovor even ERROR-RUNNING12:11
rakhmerovthis is opposite12:11
jtomasekrakhmerov: nice, thanks12:12
d0ugalI feel like we shouldn't be allowed to delete a running execution12:13
d0ugalYou should be forced to stop it first.12:13
rakhmerovd0ugal: yeah, makes sense12:14
d0ugalrakhmerov: Should I open a bug?12:14
rakhmerovfeel free )12:15
d0ugaljtomasek, rakhmerov: https://bugs.launchpad.net/mistral/+bug/159813512:18
openstackLaunchpad bug 1598135 in Mistral "Deleting executions shouldn't be allowed unless they have finished (SUCCESS/ERROR)" [Undecided,New]12:18
rakhmerovok, thanks12:19
openstackgerritDougal Matthews proposed openstack/mistral: Don't create actions when attempting to update one that doesn't exist  https://review.openstack.org/33155412:19
openstackgerritRenat Akhmerov proposed openstack/python-mistralclient: Add KeyCloak OpenID Connect authentication  https://review.openstack.org/33594412:20
*** d0ugal has quit IRC12:54
*** d0ugal has joined #openstack-mistral12:54
*** d0ugal has joined #openstack-mistral12:54
*** d0ugal has quit IRC12:55
*** d0ugal has joined #openstack-mistral12:55
*** d0ugal has quit IRC13:00
*** d0ugal has joined #openstack-mistral13:00
openstackgerritDawid Deja proposed openstack/mistral: New RPC layer implementation  https://review.openstack.org/19411713:02
openstackgerritDawid Deja proposed openstack/mistral: Integrating new RPC layer with Mistral  https://review.openstack.org/19756313:02
openstackgerritDawid Deja proposed openstack/mistral: Make RPC implementation configurable  https://review.openstack.org/19756213:02
openstackgerritDawid Deja proposed openstack/mistral: Adding OsloRPC server and client  https://review.openstack.org/19756113:02
openstackgerritDawid Deja proposed openstack/mistral: Add tests for Kombu driver  https://review.openstack.org/33048313:02
openstackgerritDawid Deja proposed openstack/mistral: Enable 'at-least-once' and 'at-most-once' delivery modes in RPC layer  https://review.openstack.org/33654813:02
*** d0ugal has quit IRC13:02
*** d0ugal has joined #openstack-mistral13:03
*** d0ugal has joined #openstack-mistral13:03
*** d0ugal has quit IRC13:03
*** Guest12790 has joined #openstack-mistral13:03
*** Guest12790 has quit IRC13:04
*** d0ugal has joined #openstack-mistral13:04
*** Ravikiran_K has joined #openstack-mistral13:04
*** bobh has joined #openstack-mistral13:27
*** bobh has quit IRC13:33
d0ugalrakhmerov: writing a doc patch for the expiration policy13:45
*** vishwanathj has joined #openstack-mistral13:54
*** tonytan4ever has joined #openstack-mistral14:03
openstackgerritDougal Matthews proposed openstack/mistral: Update Expiration Policy Documentation  https://review.openstack.org/33658014:06
*** tonytan4ever has quit IRC14:07
*** tonytan4ever has joined #openstack-mistral14:07
*** catintheroof has joined #openstack-mistral14:14
*** rrecio has joined #openstack-mistral14:37
*** jistr is now known as jistr|mtg15:07
*** bobh has joined #openstack-mistral15:19
*** Kiall has joined #openstack-mistral15:26
*** Kiall has quit IRC15:33
*** bobh has quit IRC15:33
*** jistr|mtg is now known as jistr15:50
*** jpich has quit IRC16:19
*** bobh has joined #openstack-mistral16:21
openstackgerrityushangbin proposed openstack/mistral: add mistral data handling on dictionary type.  https://review.openstack.org/33637216:30
*** gyee has joined #openstack-mistral16:33
*** Kiall has joined #openstack-mistral16:41
*** bobh has quit IRC16:42
*** rrecio has quit IRC16:53
*** rrecio has joined #openstack-mistral16:53
*** tonytan4ever has quit IRC16:57
*** bobh has joined #openstack-mistral17:42
*** FL1SK has quit IRC17:44
*** bobh has quit IRC17:47
*** bobh has joined #openstack-mistral18:43
*** bobh has quit IRC18:48
*** bobh has joined #openstack-mistral18:58
openstackgerritShaik Apsar proposed openstack/mistral: [WIP] Add tacker actions in mistral  https://review.openstack.org/33182719:29
*** Ravikiran_K has quit IRC19:31
*** shardy is now known as shardy_afk19:32
*** stevebaker has quit IRC19:41
*** jtomasek has quit IRC19:42
*** stevebaker has joined #openstack-mistral19:46
*** FL1SK has joined #openstack-mistral19:54
*** jtomasek has joined #openstack-mistral19:56
*** achanda has joined #openstack-mistral20:10
*** shardy_afk has quit IRC20:28
*** vishwanathj has quit IRC21:33
*** tonytan4ever has joined #openstack-mistral21:35
*** catintheroof has quit IRC21:36
*** Damjanek has quit IRC21:53
*** harlowja has quit IRC21:53
*** harlowja has joined #openstack-mistral21:53
*** Damjanek has joined #openstack-mistral21:53
*** tonytan4ever has quit IRC22:01
*** tonytan4ever has joined #openstack-mistral22:01
*** bobh has quit IRC22:13
*** achanda has quit IRC22:32
*** achanda has joined #openstack-mistral22:36
*** tonytan4ever has quit IRC22:48
*** tonytan4ever has joined #openstack-mistral22:51
*** harlowja_ has joined #openstack-mistral22:55
*** harlowja has quit IRC22:59
*** tonytan4ever has quit IRC23:27
*** gyee has quit IRC23:33

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!