| *** kei-ichi has joined #openstack-swift | 00:43 | |
| notmyname | merry christmasa | 01:07 |
|---|---|---|
| notmyname | viks__: re account undeletes, you will like https://review.openstack.org/#/c/507808/ (and I'd like to see it land sometime soon) | 01:09 |
| patchbot | patch 507808 - swift - Add ability to undelete an account. - 19 patch sets | 01:09 |
| openstackgerrit | Kazuhiro MIYAHARA proposed openstack/swift master: Enable to configure object-expirer in object-server.conf https://review.openstack.org/601950 | 02:41 |
| *** psachin has joined #openstack-swift | 02:51 | |
| viks__ | notmyname: ok... thank you | 04:22 |
| openstackgerrit | Kazuhiro MIYAHARA proposed openstack/swift master: Enable to configure object-expirer in object-server.conf https://review.openstack.org/601950 | 04:29 |
| openstackgerrit | Kazuhiro MIYAHARA proposed openstack/swift master: Enable to configure object-expirer in object-server.conf https://review.openstack.org/601950 | 04:52 |
| openstackgerrit | Kazuhiro MIYAHARA proposed openstack/swift master: Add object-expirer new mode to execute tasks from general task queue https://review.openstack.org/517389 | 05:32 |
| *** galaxyblr has joined #openstack-swift | 06:18 | |
| openstackgerrit | Kazuhiro MIYAHARA proposed openstack/swift master: Add object-expirer new mode to execute tasks from general task queue https://review.openstack.org/517389 | 06:30 |
| viks__ | DHE: notmyname : I have an `admin` user which has reseller admin role on the default domain. So with domain scoped token, i can access containers and object of all the projects in that domain. I can delete objects and containers of any projects in the default domain. But if i try to issue `DELETE` for account as you have mentioned, it gives the following response: | 06:36 |
| viks__ | i.e. `curl -g -i -X DELETE -H "X-Auth-Token: $TOKEN" "https://<HOSTNAME/IP>/v1/$PROJECT_ID"` | 06:36 |
| viks__ | ``` | 06:36 |
| viks__ | HTTP/1.1 405 Method Not Allowed | 06:36 |
| viks__ | Content-Length: 91 | 06:36 |
| viks__ | Content-Type: text/html; charset=UTF-8 | 06:36 |
| viks__ | Allow: HEAD, GET, POST, OPTIONS | 06:36 |
| viks__ | X-Trans-Id: tx828f868473d145a3bbd58-005c231a07 | 06:36 |
| viks__ | X-Openstack-Request-Id: tx828f868473d145a3bbd58-005c231a07 | 06:36 |
| viks__ | Date: Wed, 26 Dec 2018 06:04:55 GMT | 06:36 |
| viks__ | <html><h1>Method Not Allowed</h1><p>The method is not allowed for this resource.</p></html> | 06:36 |
| viks__ | ``` | 06:36 |
| *** galaxyblr has quit IRC | 07:24 | |
| openstackgerrit | Kazuhiro MIYAHARA proposed openstack/swift master: Add object-expirer new mode to execute tasks from general task queue https://review.openstack.org/517389 | 07:44 |
| *** e0ne has joined #openstack-swift | 07:48 | |
| openstackgerrit | Kazuhiro MIYAHARA proposed openstack/swift master: Add object-expirer new mode to execute tasks from general task queue https://review.openstack.org/517389 | 07:54 |
| *** gkadam has joined #openstack-swift | 13:02 | |
| *** psachin has quit IRC | 13:17 | |
| *** gkadam_ has joined #openstack-swift | 14:24 | |
| *** gkadam has quit IRC | 14:26 | |
| *** gkadam_ is now known as gkadam-afk | 14:51 | |
| *** gkadam-afk is now known as gkadam | 15:23 | |
| *** mvkr has quit IRC | 15:41 | |
| *** mvkr has joined #openstack-swift | 16:01 | |
| *** e0ne has quit IRC | 16:11 | |
| *** gkadam has quit IRC | 17:06 | |
| *** brimestone has joined #openstack-swift | 19:06 | |
| *** brimestone has left #openstack-swift | 19:07 | |
| *** baojg has quit IRC | 19:08 | |
| timburke | so what do we think about https://github.com/openstack/swift/blob/2.20.0/swift/common/middleware/s3api/s3api.py#L272-L310 ? as things currently stand, conf['__file__'] is *never* set, so the whole thing is a no-op... i'm kind of inclined to just rip it out, as i've had troubles with it in the past where filters (or even the app) aren't named how swift3/s3api expects... | 20:06 |
| timburke | if we *were* to keep something like that, i'd much rather use get_swift_info and make sure all appropriate middlewares register themselves... i should double check, but i'm pretty sure registering goes in pipeline order, right to left, so you could even make inferences about whether things make sense or not that way... | 20:10 |
| timburke | long-term, we'd probably want to do something like we did for encryption, where we roll up a few different middlewares just to reduce the opportunities for misconfiguration. like, have a keystone meta-middleware that rolls up keystoneauth, authtoken, and s3token and keeps them all in the correct order | 20:15 |
| timburke | this also reminds me of torgomatic's https://review.openstack.org/#/c/504472/ ... | 20:26 |
| patchbot | patch 504472 - swift - Shorten typical proxy pipeline. - 4 patch sets | 20:26 |
| notmyname | viks__: you need to check that "allow_account_management" is set to true in the proxy config. in many cases, operators will keep that turned off (the default) for public-facing proxies and turn it on on a special internal proxy server. that way, even if a token or creds were to leak, it will still not be able to create or delete accounts | 23:01 |
| timburke | notmyname: you reminded me of https://bugs.launchpad.net/swift/+bug/1740326 | 23:12 |
| openstack | Launchpad bug 1740326 in OpenStack Object Storage (swift) "tempauth: Account ACLs allow users to delete their own accounts" [Undecided,New] | 23:12 |
| timburke | though i'm pretty certain that it requires allow_account_management=true | 23:12 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!