*** redrobot2 is now known as redrobot | 05:58 | |
mor3s | timburke_, what will be the issue if we proceed with updating ring files if gz file is in obsolete state (assuming previous changes either reweight or addition of new drives)? | 05:59 |
---|---|---|
reid_g | Got keystone working with swift | 17:25 |
reid_g | I'm a bit confused as to why | 17:25 |
reid_g | I deleted my swift user from keystone and recreated it. | 17:26 |
DHE | didn't give the swift user the right permissions? | 17:28 |
reid_g | Originally I created it as openstack create --domain MyNonDefaultDomain --password-prompt swift; openstack role add --project myproject --user swift MyCustomRole | 17:30 |
reid_g | Today I did openstack project create --domain default --description "Service Project" service; openstack user create --domain default --password-prompt swift; openstack role add --project service --user swift admin | 17:31 |
reid_g | Does swift user need to be in a project called service and have admin role to function? | 17:32 |
reid_g | or does it just need admin role? | 17:32 |
timburke_ | reid_g, this was for the service user, used to validate the tokens swift receives? i think it'll depend on how keystone's configured... there's probably a way to get it working with non-default domain and non-default role, but idk myself | 17:36 |
reid_g | I think so. It is the user that is specified under authtoken (do you need authtoken with keystone or is that just to be able to use a token instead of user/pw?) | 17:38 |
timburke_ | is this for Swift api access, or S3 api? | 17:41 |
reid_g | It was for swift api | 17:42 |
timburke_ | so the request flow looks like this: client auths with keystone (most commonly, with username/password, but there are other ways), gets a token. client sends token when it talks to swift; swift passes the token to keystone to find out (1) whether it's valid and (2) assuming it is, what roles are associated with it | 17:45 |
timburke_ | the user specified in the authtoken section is the one that's validating tokens; to my knowledge the most common setup is like you've done now, to give it a role of "admin" in a "service" project | 17:46 |
reid_g | Makes sense. Maybe the project doesn't matter so much as the admin role. | 17:49 |
reid_g | Is authtoken required to use keystone? | 17:54 |
reid_g | I guess it would be, otherwise how would swift know that you are allowed to access it. | 17:55 |
timburke_ | yes -- authtoken (owned by keystone) is responsible for talking to keystone and populating the WSGI env with role info, then keystoneauth (owned by swift) is responsible for comparing those roles against its operator_roles and reseller_admin_roles (as well as per-container ACLs) and deciding whether to allow or deny a particular request | 17:58 |
timburke_ | s3token is kind of the authtoken-equivalent for s3api users | 17:59 |
timburke_ | i've thought about exposing a new middleware that would wrap up authtoken, s3token, and keystoneauth so you could be assured that they were in the correct order and only have to define a single service user to be used by both authtoken and s3token... but haven't had the time/inclination to actually try to implement it | 18:02 |
reid_g | Yeah it's probably not that big of a gain | 18:05 |
reid_g | now to get s3 working and then I can do my testing | 18:11 |
reid_g | Looks like it is working as well | 18:28 |
reid_g | exciting | 18:28 |
reid_g | first cluster I set up from scratch | 18:29 |
DHE | re auth: administrative access is required to the Swift user for Keystone to be willing to decode arbitrary tokens for swift. Swift takes a user's token and shows it to Keystone to see the token's project, role(s), and when it expires for authentication | 19:26 |
reid_g | Makes sense | 20:37 |
timburke__ | #startmeeting swift | 21:00 |
opendevmeet | Meeting started Wed Nov 3 21:00:02 2021 UTC and is due to finish in 60 minutes. The chair is timburke__. Information about MeetBot at http://wiki.debian.org/MeetBot. | 21:00 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 21:00 |
opendevmeet | The meeting name has been set to 'swift' | 21:00 |
timburke__ | who's here for the swift meeting? | 21:00 |
kota | o/ | 21:00 |
acoles | o/ | 21:00 |
mattoliver | o/ | 21:01 |
timburke__ | as usual, the agenda's at | 21:02 |
timburke__ | #link https://wiki.openstack.org/wiki/Meetings/Swift | 21:02 |
timburke__ | just a couple things to talk about | 21:02 |
timburke__ | #topic request tracing | 21:02 |
timburke__ | mattoliver, i saw you pushed up some more patches, how's it going? | 21:02 |
mattoliver | Ok, I'm following up from ptg. The newest patchset removes a bunch of the initial cruft that's not really needed now that it has open tracing support. | 21:03 |
mattoliver | I have more on my laptop to push up, more clean up | 21:04 |
timburke__ | 👍 cool | 21:04 |
mattoliver | And working on creating spans in make requests | 21:04 |
timburke__ | anything needed beyond more review? | 21:04 |
mattoliver | And so it logs on timeout, ie when we don't get a response | 21:04 |
timburke__ | sounds great | 21:05 |
acoles | nice | 21:05 |
mattoliver | So can now see timed out requests (like kota suggested) but only added it to one place ATM. | 21:05 |
kota | excellent! | 21:06 |
mattoliver | Annoyingly we have a few different code paths to make requests. | 21:06 |
mattoliver | Will push another revision up today, then if everyone likes the progress will squash it down into one patch | 21:06 |
timburke__ | 👍 | 21:07 |
timburke__ | next up | 21:07 |
timburke__ | # PTG action item progress | 21:07 |
mattoliver | Umm.. oops, I mean.. making good progress :p | 21:08 |
timburke__ | i went ahead and abandoned a bunch of patches, mostly on old feature branches | 21:08 |
timburke__ | (sorry for any email noise) | 21:08 |
timburke__ | we merged the patch to drop a bunch of logging translations from the proxy-server | 21:09 |
timburke__ | (thanks acoles!) | 21:09 |
acoles | I volunteered to tackle the backend servers but no progress yet | 21:10 |
timburke__ | and it sounds like seongsoocho is on the road to being able to translate docs | 21:10 |
mattoliver | Nice | 21:11 |
timburke__ | the only action item that actually has an established deadline is the interop feedback -- unfortunately, i still haven't responded on that yet | 21:11 |
timburke__ | i'll aim to do that this week | 21:11 |
mattoliver | I had a long weekend, so haven't had as much time this week. Will create some etherpads and start filling them in regarding bug squash and defaults. | 21:12 |
timburke__ | no worries! thanks mattoliver | 21:12 |
timburke__ | does anyone else have ptg action item progress to report? | 21:13 |
zaitcev | I don't even remember what I promised at PTG. It feels like so long ago now. | 21:14 |
timburke__ | zaitcev, fwiw, i tried to capture ptg action items in the meeting agenda | 21:17 |
timburke__ | if there's anything i've forgotten, feel free to add it ;-) | 21:17 |
timburke__ | i'll keep them around and check in every so often. i expect it probably won't be weekly, but it seemed like we *did* manage to make some progress on things, so i figured we may as well highlight that | 21:18 |
timburke__ | that's all i've got | 21:18 |
timburke__ | #topic open discussion | 21:19 |
timburke__ | anything else we ought to bring up this week? | 21:19 |
timburke__ | all right -- let's make it a short meeting then :-) | 21:21 |
mattoliver | kk :) | 21:21 |
timburke__ | thank you all for coming, and thank you for working on swift! | 21:21 |
timburke__ | #endmeeting | 21:21 |
opendevmeet | Meeting ended Wed Nov 3 21:21:50 2021 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 21:21 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/swift/2021/swift.2021-11-03-21.00.html | 21:21 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/swift/2021/swift.2021-11-03-21.00.txt | 21:21 |
opendevmeet | Log: https://meetings.opendev.org/meetings/swift/2021/swift.2021-11-03-21.00.log.html | 21:21 |