openstackgerrit | Rick Aulino proposed openstack/searchlight: Standard error logging https://review.openstack.org/355689 | 01:51 |
---|---|---|
openstackgerrit | Rick Aulino proposed openstack/searchlight: Document the Searchlight architecture https://review.openstack.org/350336 | 02:39 |
*** alisha has joined #openstack-searchlight | 03:52 | |
*** GB21 has joined #openstack-searchlight | 04:01 | |
*** yingjun has quit IRC | 04:13 | |
*** yingjun has joined #openstack-searchlight | 04:13 | |
*** GB21 has quit IRC | 04:17 | |
*** yingjun has quit IRC | 04:18 | |
*** GB21 has joined #openstack-searchlight | 05:03 | |
*** yingjun has joined #openstack-searchlight | 05:23 | |
*** alisha has quit IRC | 05:46 | |
*** alisha has joined #openstack-searchlight | 06:08 | |
*** alisha has quit IRC | 06:13 | |
*** alisha has joined #openstack-searchlight | 06:43 | |
*** alisha has quit IRC | 06:51 | |
*** GB21 has quit IRC | 07:28 | |
*** GB21 has joined #openstack-searchlight | 07:50 | |
*** shu-mutou is now known as shu-mutou-AFK | 08:07 | |
*** yingjun has quit IRC | 08:11 | |
*** yingjun has joined #openstack-searchlight | 08:11 | |
*** yingjun has quit IRC | 08:16 | |
*** yingjun has joined #openstack-searchlight | 08:23 | |
*** GB21 has quit IRC | 09:18 | |
*** yingjun has quit IRC | 09:34 | |
*** GB21 has joined #openstack-searchlight | 09:51 | |
*** GB21 has quit IRC | 11:24 | |
*** GB21 has joined #openstack-searchlight | 11:29 | |
*** GB21 has quit IRC | 11:37 | |
*** matt-borland has joined #openstack-searchlight | 12:49 | |
*** itisha has quit IRC | 12:50 | |
*** yingjun has joined #openstack-searchlight | 13:47 | |
*** TravT has joined #openstack-searchlight | 13:47 | |
*** sjmc7 has joined #openstack-searchlight | 14:06 | |
*** yingjun has quit IRC | 14:12 | |
openstackgerrit | Matt Borland proposed openstack/searchlight-ui: Adding summary views for Searchlight resources https://review.openstack.org/350115 | 14:12 |
*** yingjun has joined #openstack-searchlight | 14:12 | |
*** yingjun has quit IRC | 14:17 | |
*** yingjun has joined #openstack-searchlight | 14:30 | |
*** yingjun has quit IRC | 14:35 | |
*** yingjun has joined #openstack-searchlight | 14:37 | |
*** tyr_ has joined #openstack-searchlight | 15:02 | |
*** lcastell has quit IRC | 15:03 | |
*** itisha has joined #openstack-searchlight | 15:09 | |
*** lcastell has joined #openstack-searchlight | 15:14 | |
openstackgerrit | Matt Borland proposed openstack/searchlight-ui: Adding summary views for Searchlight resources https://review.openstack.org/350115 | 16:02 |
*** yingjun has quit IRC | 16:22 | |
*** yingjun has joined #openstack-searchlight | 16:23 | |
*** alisha has joined #openstack-searchlight | 16:24 | |
*** yingjun has quit IRC | 16:27 | |
*** alisha has quit IRC | 16:35 | |
*** tyr_ has quit IRC | 16:56 | |
*** david-lyle_ has joined #openstack-searchlight | 17:09 | |
*** sjmc7 has quit IRC | 17:13 | |
*** david-lyle has quit IRC | 17:13 | |
*** david-lyle_ is now known as david-lyle | 17:13 | |
openstackgerrit | Matt Borland proposed openstack/searchlight-ui: Adding summary views for Searchlight resources https://review.openstack.org/350115 | 17:21 |
*** tyr_ has joined #openstack-searchlight | 17:50 | |
*** sjmc7 has joined #openstack-searchlight | 18:16 | |
openstackgerrit | Tyr Johanson proposed openstack/searchlight-ui: Toggle Live Search https://review.openstack.org/341638 | 18:17 |
openstackgerrit | Tyr Johanson proposed openstack/searchlight-ui: Poll "dirty" items on paused searches https://review.openstack.org/352650 | 18:18 |
openstackgerrit | Tyr Johanson proposed openstack/searchlight-ui: Show items in-transition https://review.openstack.org/353661 | 18:18 |
openstackgerrit | Tyr Johanson proposed openstack/searchlight-ui: Add a unique hit identifier to search results https://review.openstack.org/353777 | 18:18 |
openstackgerrit | Tyr Johanson proposed openstack/searchlight-ui: Toggle Live Search https://review.openstack.org/341638 | 18:19 |
openstackgerrit | Tyr Johanson proposed openstack/searchlight-ui: Poll "dirty" items on paused searches https://review.openstack.org/352650 | 18:19 |
openstackgerrit | Tyr Johanson proposed openstack/searchlight-ui: Show items in-transition https://review.openstack.org/353661 | 18:19 |
openstackgerrit | Merged openstack/searchlight-ui: Add translation support https://review.openstack.org/353070 | 18:48 |
openstackgerrit | Merged openstack/searchlight: Add nova server groups plugin https://review.openstack.org/334871 | 18:52 |
*** tyr__ has joined #openstack-searchlight | 19:21 | |
*** tyr_ has quit IRC | 19:22 | |
david-lyle | hey sjmc7 I finally submitted some feedback on policy, was OOO for a bit | 19:35 |
openstackgerrit | Rick Aulino proposed openstack/searchlight: Standard error logging https://review.openstack.org/355689 | 19:35 |
david-lyle | can discuss if I'm crazy or off base | 19:35 |
sjmc7 | i saw, thanks! i glanced over it, makes sense | 19:35 |
david-lyle | ok, I'm not sure if trying to extract rule values is the right path, wonder if just another composite rule for the actual check in searchlight (in the case of no policy) would be a better path | 19:36 |
sjmc7 | one sec while i parse the comment :) | 19:37 |
sjmc7 | it is possible to parse rules as long as they are as simple as “!” (i.e. not composite or references to other targets) | 19:38 |
RickA-HP | david-lyle: We do we need to do a separate check for the "!" rule? | 19:38 |
david-lyle | RickA-HP: well, if I read correctly, and I must admit I looked mostly at patch set 4 because gerrit sucks | 19:39 |
RickA-HP | Steve gets the blame for Gerrit sucking :) | 19:39 |
david-lyle | sjmc7 is building in logic to short-circuit policy file support by blocking all access in etc/policy.json by using ! | 19:40 |
sjmc7 | well, you could put whatever rule in | 19:40 |
sjmc7 | but yeah, that’d be the primary usage, or restricting to admins | 19:40 |
RickA-HP | Do you mean that in addition to a rule for a specific resource type, that all resource types can be blocked by a "!" rule? | 19:41 |
david-lyle | it seems to be serving two purposes IMO | 19:41 |
david-lyle | yes, even if say nova_policy.json is present | 19:41 |
david-lyle | could be I'm missing something | 19:42 |
sjmc7 | right. yes, if no policy file is there, it’s the only rule. if there is a policy file, it becomes the first rule evaluated before any in the policy file | 19:42 |
sjmc7 | where there is no policy file is where the question arises | 19:43 |
david-lyle | right which should take precedence | 19:43 |
sjmc7 | (or even where there is one but it doesn’t define a target) | 19:43 |
david-lyle | neutron sub-entities start to get interesting | 19:44 |
sjmc7 | right now things can only be overridden to be more restrictive, so you can’t use SL’s policy to be more permissive than nova’s | 19:44 |
david-lyle | for example with targets | 19:44 |
david-lyle | or more open, no? | 19:44 |
sjmc7 | no, it can’t be more open | 19:44 |
sjmc7 | the checks can only shortcut to deny access, not allow it | 19:44 |
david-lyle | right because the short-circuit is only negative | 19:44 |
sjmc7 | so a SL policy rule of “” is essentially a no-op, it won’t bypass nova's | 19:45 |
sjmc7 | yeah | 19:45 |
sjmc7 | yes, neutron’s subtypes are also unpleasant, although that starts to go to phase 2 - turning policy into RBAC filtering | 19:45 |
david-lyle | but if there are no policy files in place, does it fallback to the old mechanism in the plugin? | 19:46 |
david-lyle | maybe I'm over-thinking it | 19:46 |
david-lyle | or under-thinking it | 19:46 |
sjmc7 | if there’s no policy file we can either deny or allow | 19:46 |
sjmc7 | your question i guess was whether to make that configurable as policy? | 19:47 |
sjmc7 | like “has_nova_policy AND whatever_nova_says” | 19:48 |
* david-lyle looking again | 19:49 | |
sjmc7 | if you’ve configured to say “there is a nova policy file” and it isn’t there, the server won’t start | 19:49 |
sjmc7 | so it does fail safe in that regard | 19:49 |
david-lyle | ok | 19:50 |
sjmc7 | where there is no service file defined, that’s where we need to decide allow or reject | 19:51 |
sjmc7 | i guess that could be a setting | 19:51 |
sjmc7 | if in doubt, more settings :) | 19:52 |
david-lyle | it may be fine | 19:56 |
david-lyle | I forget about the policy fallback in the plugin | 19:56 |
david-lyle | so the "" is really just not making it more restrictive | 19:57 |
sjmc7 | yeah, the “” means “do whatever is configured by service policy file”, where it not being configured is treated as allow | 19:59 |
sjmc7 | this also won’t replace the ‘default’ RBAC | 19:59 |
david-lyle | sjmc7: I'll change my feedback then | 20:08 |
sjmc7 | i just added reply comments | 20:08 |
david-lyle | ok | 20:08 |
sjmc7 | the policy stuff is a bit weird. that admin_or_owner thing, particularly | 20:08 |
sjmc7 | if all you’re doing is listing servers, it evaluates to “are you some kind of admin or is this a tenant-scoped token" | 20:09 |
david-lyle | how does this work for true plugins then? | 20:09 |
sjmc7 | true plugins as in out of tree? | 20:09 |
david-lyle | that the resource type isn't registered in the default policy.json | 20:09 |
david-lyle | yeah | 20:09 |
david-lyle | just bops along | 20:09 |
sjmc7 | the default policy.json should just be a suggestion, same as horizon | 20:09 |
david-lyle | I guess | 20:09 |
sjmc7 | yeah, if the default is to allow it’ll allow it | 20:09 |
sjmc7 | if you’re deploying anything i’d expect you not to use the default settings files | 20:10 |
david-lyle | WFM | 20:10 |
sjmc7 | incidentally, on this note - was there ever any thought in horizon to multi-region setups where the region policy files aren’t the same for a service? | 20:10 |
sjmc7 | say nova in one of them doesn’t allow resize, migrate etc | 20:10 |
david-lyle | don't you bring this back on me :P | 20:11 |
sjmc7 | it’s kismet i spent an hour yesterday updating all our horizon policy files | 20:11 |
david-lyle | no, I must admit that case isn't covered | 20:12 |
david-lyle | unless you rerouted to particular horizon servers | 20:12 |
sjmc7 | yeah. it’s a bit of an edge case | 20:12 |
sjmc7 | every time i say that it happens a week later | 20:13 |
david-lyle | hehe | 20:13 |
david-lyle | that's because your PMs monitoring these rooms trolling for sadistic ideas | 20:14 |
sjmc7 | :) | 20:14 |
*** TravT has quit IRC | 20:19 | |
*** TravT has joined #openstack-searchlight | 20:22 | |
openstackgerrit | Rick Aulino proposed openstack/searchlight: Document the Searchlight architecture https://review.openstack.org/350336 | 21:38 |
*** matt-borland has quit IRC | 21:51 | |
openstackgerrit | Tyr Johanson proposed openstack/searchlight-ui: Add a unique hit identifier to search results https://review.openstack.org/353777 | 21:51 |
openstackgerrit | Tyr Johanson proposed openstack/searchlight-ui: Poll "dirty" items on paused searches https://review.openstack.org/352650 | 21:53 |
openstackgerrit | Tyr Johanson proposed openstack/searchlight-ui: Show items in-transition https://review.openstack.org/353661 | 21:54 |
openstackgerrit | Merged openstack/searchlight-ui: Adding summary views for Searchlight resources https://review.openstack.org/350115 | 21:58 |
openstackgerrit | Rick Aulino proposed openstack/searchlight: Standard error logging https://review.openstack.org/355689 | 22:39 |
openstackgerrit | Rick Aulino proposed openstack/searchlight: Fix security group rule update defect https://review.openstack.org/355689 | 22:41 |
*** sjmc7 has quit IRC | 22:48 | |
openstackgerrit | Merged openstack/searchlight-ui: Add a unique hit identifier to search results https://review.openstack.org/353777 | 23:30 |
*** tyr__ has quit IRC | 23:30 | |
openstackgerrit | Travis Tripp proposed openstack/searchlight-ui: Toggle Live Search https://review.openstack.org/341638 | 23:37 |
*** yingjun has joined #openstack-searchlight | 23:47 | |
*** shu-mutou-AFK is now known as shu-mutou | 23:48 | |
openstackgerrit | Merged openstack/searchlight-ui: Toggle Live Search https://review.openstack.org/341638 | 23:54 |