*** sigmavirus24 is now known as sigmavirus24_awa | 00:46 | |
*** lakshmiS has joined #openstack-searchlight | 04:20 | |
*** lakshmiS_ has joined #openstack-searchlight | 05:01 | |
*** lakshmiS has quit IRC | 05:02 | |
*** lakshmiS_ has quit IRC | 07:56 | |
*** lakshmiS_ has joined #openstack-searchlight | 07:56 | |
*** lakshmiS_ has quit IRC | 09:43 | |
*** lakshmiS has joined #openstack-searchlight | 11:17 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 14:03 | |
*** lakshmiS has quit IRC | 14:15 | |
*** lakshmiS has joined #openstack-searchlight | 14:54 | |
TravT | Courtesy Searchlight meeting reminder in #openstack-meeting-4: lakshmiS, mclaren, nikhil_k, rosmaita, sigmavirus24, TravT, krykowski, david-lyle, wokuma, kragniz, sjmc7 | 15:01 |
---|---|---|
* sigmavirus24 nods | 15:01 | |
sigmavirus24 | lakshmiS: ping | 15:44 |
lakshmiS | sigmavirus24: wasn't watching this window | 15:50 |
*** nikhil_k has joined #openstack-searchlight | 16:01 | |
david-lyle | just letting people know we're a ways off on keystone | 16:01 |
david-lyle | :( | 16:01 |
sigmavirus24 | lakshmiS: so, that devstack change is only for devstack | 16:03 |
sigmavirus24 | but I am worried that it will not let us catch things appropriately | 16:03 |
sigmavirus24 | i.e., we're still people to make a searchlight service user and use that, right? | 16:03 |
sigmavirus24 | (for production) | 16:04 |
sigmavirus24 | so something might work in devstack that will then fail in production and be hard to reproduce | 16:04 |
sigmavirus24 | make sense? | 16:04 |
sigmavirus24 | I'm not opposed to the change, but I'm concerned we'll introduce more bugs this way | 16:05 |
sigmavirus24 | Is it the case that the searchlight service user needs to have the admin role? | 16:05 |
lakshmiS | yes with the tests it looks like it needs admin role | 16:05 |
TravT | hey guys, which patch are you discussing? | 16:07 |
sigmavirus24 | So would it be better to just add that role in devstack? | 16:07 |
sigmavirus24 | TravT: the one you asked me to review | 16:07 |
sigmavirus24 | in the meeting | 16:07 |
TravT | ah, ok | 16:07 |
sigmavirus24 | lakshmiS:'s devstack patch | 16:07 |
lakshmiS | https://review.openstack.org/#/c/211047/ | 16:07 |
sigmavirus24 | If we need the admin role, would it make sense to have devstack create the searchlight service user with the admin role? | 16:07 |
sigmavirus24 | We'll probably have to document that though | 16:07 |
sigmavirus24 | Alternatively, we should advise the use of an admin_readonly role for searchlight to use which should be added to policies for only retrieval roles | 16:08 |
sigmavirus24 | *rules | 16:08 |
* sigmavirus24 shrugs | 16:08 | |
TravT | hmm, i think i had given the user admin role, but still saw some issues because it was admin role on service project | 16:08 |
sigmavirus24 | Yeah I'm not sure | 16:11 |
TravT | in reading this | 16:11 |
TravT | http://docs.openstack.org/developer/keystone/configuringservices.html#creating-service-users | 16:11 |
sigmavirus24 | I just think that this will lead to people having to deploy searchlight with admin/admin user/role | 16:11 |
sigmavirus24 | (for it to work as expected) | 16:11 |
TravT | well, would we just need to also give searchlight user admin read only on admin project? | 16:12 |
sigmavirus24 | Well so I don't think there's a readonly flag for that | 16:12 |
sigmavirus24 | But we could make an admin_readonly role, assign it to the user, and then advise people to add it to their policy files for each project | 16:12 |
TravT | that makes sense for documentation. | 16:13 |
nikhil_k | ]/win 19 | 16:18 |
nikhil_k | :) | 16:18 |
*** lakshmiS has quit IRC | 16:27 | |
sigmavirus24 | lol | 17:02 |
sigmavirus24 | nikhil_k: weechat supremacy sir | 17:02 |
david-lyle | sigmavirus24: admin_readonly | 17:03 |
david-lyle | funny :) | 17:03 |
david-lyle | perfect answer, but sad current state | 17:04 |
sigmavirus24 | david-lyle: basically what I mean is "look but don't touch" | 17:04 |
david-lyle | oh I understand fully | 17:04 |
david-lyle | and it should work | 17:04 |
sigmavirus24 | lol | 17:04 |
david-lyle | just doesn't | 17:04 |
sigmavirus24 | So | 17:04 |
sigmavirus24 | All that's necessary is for deployers to create the role | 17:04 |
sigmavirus24 | Assign it to searchlight | 17:04 |
sigmavirus24 | And update their policy.json files | 17:04 |
sigmavirus24 | It's simple /s | 17:04 |
sigmavirus24 | For os-ansible-deployment it's actually pretty simple | 17:04 |
sigmavirus24 | Otherwise | 17:05 |
david-lyle | sigmavirus24: but the admin check is not purely a policy check in many services | 17:08 |
sigmavirus24 | True | 17:08 |
david-lyle | it's handled uniquely before you even get to a policy check | 17:08 |
sigmavirus24 | I'm thinking about the services we're currently supporting | 17:08 |
david-lyle | nova being one of them | 17:09 |
david-lyle | unless that has changed recently | 17:09 |
david-lyle | but yes, it should be all policy driven so finer grained roles are actually possible | 17:09 |
david-lyle | It's a dream of mine | 17:11 |
* sigmavirus24 bets that ayoung has opinions too | 17:12 | |
sigmavirus24 | Glance is super lazy | 17:12 |
sigmavirus24 | Our policy enforcement is a bit underwhelming actually | 17:12 |
sigmavirus24 | We have very high level policy rules | 17:12 |
sigmavirus24 | I kind of want to keep those but allow for finer-grained policy rules too | 17:12 |
david-lyle | but glance is really doing two separate things | 17:13 |
david-lyle | which is fine | 17:13 |
david-lyle | the second isn't really handled by the policy engine | 17:13 |
* sigmavirus24 nods | 17:13 | |
TravT | i think you guys are right with devstack and what images searchlight user could see in glance | 17:14 |
TravT | when I did manual setup, i did add the admin role | 17:14 |
TravT | even added to documentation: | 17:14 |
TravT | https://review.openstack.org/#/c/211047/7/doc/source/authentication.rst | 17:15 |
TravT | bottom of file | 17:15 |
TravT | but devstack doesn't set that role. | 17:15 |
david-lyle | there you go | 17:15 |
sigmavirus24 | So lakshmi's patch can be ... changed to do that maybe? | 17:16 |
* sigmavirus24 is concerned about differences in devstack and reality :/ | 17:16 | |
david-lyle | you can certainly make a role assignment in devstack | 17:17 |
TravT | yes, it can. i will try out... but my question is, is that enough. | 17:17 |
david-lyle | for v2.0 yes | 17:17 |
TravT | david-lyle, is the service project already added to the default domain? | 17:18 |
david-lyle | have to check | 17:18 |
david-lyle | but that should be the intent | 17:18 |
david-lyle | you could create a separate domain, but then trusts are involved | 17:19 |
TravT | i don't think glance has any domain knowledge yet, though | 17:19 |
david-lyle | which is much more complicated, but ultimately maybe more correct | 17:19 |
david-lyle | TravT: doesn't have to | 17:19 |
david-lyle | project scoped token is understood by keystone | 17:20 |
david-lyle | v2.0 or v3 | 17:20 |
david-lyle | unless glance is trying to parse the token | 17:20 |
TravT | david-lyle: do you want to update that patch accordingly? | 17:20 |
david-lyle | sure, I'll take a crack | 17:21 |
TravT | ok, cool. | 17:21 |
david-lyle | I think trusts is an idea for another day, but maybe the correct one | 17:21 |
david-lyle | we'll go simple first | 17:21 |
david-lyle | but not so simple as admin/admin | 17:21 |
TravT | sounds good to me. i appreciate the extra eyes on it. | 17:22 |
david-lyle | I have a love/hate relationship with identity :) | 17:24 |
TravT | i'd call it more of an addiction. | 17:24 |
david-lyle | I can't quit you identity | 17:25 |
* david-lyle will actually work on the code now | 17:25 | |
sjmc7 | hi folks | 17:32 |
david-lyle | done being a good team member sjmc7? | 17:33 |
sjmc7 | toe the line! | 17:35 |
david-lyle | shape up | 17:35 |
sjmc7 | being remote i have to catch up on 2 months of watercooler talk every time i visit the office | 17:35 |
david-lyle | the watercooler digest | 17:36 |
*** TravT_ has joined #openstack-searchlight | 18:16 | |
*** TravT has quit IRC | 18:18 | |
*** TravT_ is now known as TravT | 19:11 | |
*** asahlin has quit IRC | 19:28 | |
*** asahlin has joined #openstack-searchlight | 19:30 | |
*** TravT has quit IRC | 20:28 | |
*** TravT has joined #openstack-searchlight | 20:30 | |
*** TravT has quit IRC | 20:47 | |
*** TravT has joined #openstack-searchlight | 20:48 | |
*** TravT has quit IRC | 20:54 | |
*** TravT has joined #openstack-searchlight | 21:00 | |
*** TravT_ has joined #openstack-searchlight | 21:20 | |
*** TravT has quit IRC | 21:21 | |
*** sigmavirus24 is now known as sigmavirus24_awa | 21:38 | |
TravT_ | FYI elastic search install for fresh install in devstack is broken: https://bugs.launchpad.net/devstack/+bug/1484182 with fix https://review.openstack.org/#/c/212092/ | 21:44 |
openstack | Launchpad bug 1484182 in devstack "elasticsearch install broken" [Undecided,In progress] - Assigned to gordon chung (chungg) | 21:44 |
*** TravT_ is now known as TravT | 21:44 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 21:54 | |
openstackgerrit | David Lyle proposed openstack/searchlight: Fix for Authentication not Happening https://review.openstack.org/211047 | 22:25 |
openstackgerrit | David Lyle proposed openstack/searchlight: DevStack: Keystone V3 Service/Endpoint Creation https://review.openstack.org/197885 | 22:29 |
openstackgerrit | Travis Tripp proposed openstack/searchlight: Fix for Authentication not Happening https://review.openstack.org/211047 | 23:08 |
*** sigmavirus24 is now known as sigmavirus24_awa | 23:18 | |
openstackgerrit | Travis Tripp proposed openstack/searchlight: Fix for Authentication not Happening https://review.openstack.org/211047 | 23:47 |