Friday, 2023-05-19

*** timburke_ is now known as timburke (06:46)
opendevreview: Mridula Joshi proposed openstack/openstacksdk master: Adding support for image upload  https://review.opendev.org/c/openstack/openstacksdk/+/881939 (06:52)
opendevreview: Mridula Joshi proposed openstack/openstacksdk master: image: Support for stores_info  https://review.opendev.org/c/openstack/openstacksdk/+/883493 (07:08)
opendevreview: Polina Gubina proposed openstack/ansible-collections-openstack master: Shared file system module  https://review.opendev.org/c/openstack/ansible-collections-openstack/+/883201 (08:57)
opendevreview: Merged openstack/openstacksdk master: Add find_share() for shared file system share resource  https://review.opendev.org/c/openstack/openstacksdk/+/882979 (10:06)
opendevreview: Merged openstack/openstacksdk master: ironic: Add support for Introspection Rules  https://review.opendev.org/c/openstack/openstacksdk/+/775878 (10:13)
opendevreview: Polina Gubina proposed openstack/ansible-collections-openstack master: Shared file system module  https://review.opendev.org/c/openstack/ansible-collections-openstack/+/883201 (10:37)
thomasb06: gtema: hey (12:59)
thomasb06: gtema: eventually setting up an OpenStack prototype... (12:59)
thomasb06: What's up here since last year? (12:59)
noonedeadpunk: hey there! I was trying to re-use issued tokens in openstackclient in client 6.2.0 using https://docs.openstack.org/python-openstackclient/latest/cli/authentication.html#authentication-plugins  and smth feels quite off (16:20)
noonedeadpunk: So, assuming I issue token like that: token=$(openstack token issue -c id -f value --os-cloud default) (16:22)
noonedeadpunk: openstack --os-auth-url http://172.29.236.101:5000/v3 --os-token $token image list does ask for password (16:23)
noonedeadpunk: ok, adding `--os-auth-type token`, but that results in `The service catalog is empty.` (16:24)
gtema: Hmm, i never tried it this way. Will try in next days. Can you maybe try also setting --os-auth-type token (or smth like that) (16:24)
noonedeadpunk: `openstack catalog list --os-cloud default` ofc prints out catalog including image (16:24)
gtema: Aaah, that would be a really interesting case. Catalog is being received with auth response, which you in this case don't issue (16:25)
noonedeadpunk: then I've tried to add more scope, like --os-project-name and --os-domain-name, but that get even weirder (16:25)
gtema: No, scopes are only going into the auth (16:26)
noonedeadpunk: As eventually issuing tokens takes quite some time, and when couple of actions need to be done in a row, it makes sense to re-use tokens... (16:26)
gtema: For that you can use auth caching (16:27)
noonedeadpunk: Ofc I tried that with openstack.cloud.auth module and feed token to other modules, which didn't work as well (16:27)
noonedeadpunk: but auth caching happens on keystone side? (16:27)
noonedeadpunk: so you still need to issue that API request (16:28)
gtema: https://docs.openstack.org/openstacksdk/latest/user/config/configuration.html#cache-settings (16:28)
gtema: But it requires you have keyring lib installed (16:29)
gtema: It is not described precisely sadly (16:29)
noonedeadpunk: I'm not sure that will help with my ansible usecase (16:29)
noonedeadpunk: well, it uses clouds.yaml though... (16:29)
gtema: Right, in pure server usage will not that much (16:29)
noonedeadpunk: can oslo.cache drivers be used there? (16:30)
gtema: Keyring requires some backend, which on server side itself eventually requires "unsealing" (16:30)
gtema: No, oslo.cache is not used (16:30)
gtema: You can build such backend plugin though (16:31)
noonedeadpunk: As I was thinking to use memcached with encryption like keystone does (16:33)
gtema: I am sure you can build such plugin for keyring (16:34)
noonedeadpunk: But yeah, I guess my main thing was that this module seems pretty much useless now https://opendev.org/openstack/ansible-collections-openstack/src/branch/master/plugins/modules/auth.py (16:34)
noonedeadpunk: as re-using token you get like this is not trivial at all (16:35)
gtema: Well, for that case we could improve SDK to try to fetch catalog when it is not present yet (16:35)
gtema: There is sadly no guarantee this can be received, since not every cloud may allow this call (16:35)
noonedeadpunk: you mean some super old crappy clouds?:) (16:37)
gtema: Yes, or ones with not proper identity policies (16:38)
noonedeadpunk: um, but if it's policy - then you won't be able to get catalog at all? (16:39)
gtema: Not definitely, catalog in the auth response it is not managed by policies afaik (16:42)
gtema: And anyway - if no catalog => try fetch. If not available => fail (16:43)
gtema: It is anyway already some exception handling case (16:43)
noonedeadpunk: Well, responding with catalog when policy disallows that is kinda weird from keystone side then.... (16:45)
noonedeadpunk: but yeah, I never tried that (16:45)
noonedeadpunk: but catalog is weird overall I'd say.... (16:46)
*** timburke_ is now known as timburke (16:48)
gtema: Catalog is one of the best things of Openstack in my eyes. It is not without issues, but still is a very good thing (17:06)
noonedeadpunk: The problem I have with it, is that it exposes internal/admin endpoints (17:08)
noonedeadpunk: Which is weird, as I'd say it should return only endpoint that was in request (or was accessed through) (17:09)
noonedeadpunk: like if you pass interface: public, in return you get internal&admin as well (17:09)
*** melwitt_ is now known as melwitt (17:11)
noonedeadpunk: and that disables ability to do some kind of reselling, ie create random interfaces and URI's for it (with different FQDNs). But then you ask for catalog and in return you have like everything... (17:11)
gtema: I guess this will not be a hard stuff to fix, and I agree, this is one of the issues (17:11)
gtema: At a very least it is very easy to build a filtering proxy to be deployed for public (17:12)
noonedeadpunk: ugh, wrappers (17:18)
noonedeadpunk: very-very slippery path (17:19)
noonedeadpunk: anyway :) (17:19)
noonedeadpunk: have a good weekend! (17:20)
gtema: thks, you too (17:22)
