Wednesday, 2015-01-28

« Tuesday, 2015-01-27 Index Thursday, 2015-01-29 »
*** wendar_ has joined #storyboard05:39
*** wendar has quit IRC05:40
*** mrmartin has joined #storyboard06:07
*** jtomasek has joined #storyboard07:14
*** jcoufal has joined #storyboard07:23
*** alexismonville has joined #storyboard07:26
*** alexismonville has quit IRC07:35
*** coolsvap|afk is now known as coolsvap07:37
*** alexismonville has joined #storyboard07:38
*** jeblair has quit IRC08:09
*** jeblair has joined #storyboard08:11
*** alexismonville has quit IRC08:15
*** alexismonville1 has joined #storyboard08:15
*** mrmartin has quit IRC08:41
*** MaxV has joined #storyboard08:49
*** CTtpollard has joined #storyboard09:12
*** Piet has quit IRC09:29
*** ssam2 has joined #storyboard09:40
*** mase_x200 has joined #storyboard10:09
*** mase_x200 has quit IRC10:13
*** jedimike has joined #storyboard10:15
*** openstackgerrit has quit IRC10:50
*** openstackgerrit has joined #storyboard10:50
*** mrmartin has joined #storyboard12:00
openstackgerritAleksey Ripinen proposed openstack-infra/storyboard: Added branches to storyboard  https://review.openstack.org/15044712:02
*** mase_x200 has joined #storyboard12:04
yolandahere, spec for integration tests: https://review.openstack.org/15074312:21
yolandahappy to get feedback! as much as possible :)12:21
openstackgerritAleksey Ripinen proposed openstack-infra/storyboard: Added branches to storyboard  https://review.openstack.org/15044712:51
*** CTtpollard has quit IRC13:20
*** CTtpollard has joined #storyboard13:22
openstackgerritAleksey Ripinen proposed openstack-infra/storyboard: Added branches to storyboard  https://review.openstack.org/15044713:27
*** mase_x200 has quit IRC13:35
*** mase_x200 has joined #storyboard13:39
yolandaNikitaKonovalov, i saw your comments, i think it needs to be fixed in both areas13:44
yolandafirst, if the backend is sending date_created, date_updated, it needs to accept that if they come back13:44
yolandaand in the frontend, we need to ensure that we don't send crap, of course13:44
NikitaKonovalovyolanda: so if a client is sending create_at=null or created_at=<something_wrong>, what should a server do?13:49
NikitaKonovalovand if it is sending created_at=<time_that_it_has_from_a_server> what is the reason to send it back to the server?13:51
yolandaclient is just sending what it gets from server, so it gets a data that it supposes that it's from the model, and just sent it back untouched13:52
yolandain our case, frontend is not sending only the updated fields, but all13:52
*** mase_x200 has quit IRC13:53
yolandai think that accepting them from the backend is fine, because it sends it, but not update that, because they don't belong to the model really13:53
yolandagenerally i think that everything that is sent from the server, should be accepted back, but not using that if not declared in the model13:54
yolandaa different thing should be if the frontend sends a new field, not declared in any way or not expected, this should cause an erro13:54
*** CTtpollard has quit IRC13:57
*** CTtpollard has joined #storyboard13:58
openstackgerritAleksey Ripinen proposed openstack-infra/storyboard: Added branches to storyboard  https://review.openstack.org/15044714:08
*** mattfarina has joined #storyboard14:21
*** MaxV has quit IRC15:03
*** jcoufal_ has joined #storyboard15:27
*** jcoufal has quit IRC15:30
*** MaxV has joined #storyboard15:31
*** MaxV has quit IRC15:43
*** MaxV has joined #storyboard15:43
*** reed has joined #storyboard16:06
rcarrillocruzfolks16:39
rcarrillocruzyou getting this exception when running storyboard-worker-daemon:16:40
rcarrillocruz"ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option"16:40
rcarrillocruzwanted to double-check before opening a story16:40
*** coolsvap is now known as coolsvap|afk16:45
*** jtomasek has quit IRC16:56
mrmartinre17:00
*** yolanda has quit IRC17:03
*** yolanda has joined #storyboard17:04
*** yolanda has quit IRC17:04
*** yolanda has joined #storyboard17:05
*** wendar_ is now known as wendar17:09
*** MaxV has quit IRC17:46
*** MaxV has joined #storyboard17:47
yolandahi rcarrillocruz, haven't tested that recently17:49
yolandasorry17:49
*** MaxV has quit IRC17:51
mrmartinyolanda, a quick question maybe you know, what is the proper way of alembic usage, if I want to create a new revision?17:59
yolandahi mrmartin18:01
yolandaso we have the storyboard/db/migrations folder18:01
mrmartinyeap18:02
yolandathere is that directory inside storyboard/db/migration/alembic_migrations/versions/18:02
yolandaso you create a new entry there, checking the oldest one18:02
yolandai think that with aripinen changes we are on 03518:02
yolandathen you just create a upgrade method and a downgrade method, something like that18:03
yolandahttps://review.openstack.org/#/c/150447/6/storyboard/db/migration/alembic_migrations/versions/035_branch_id_in_tasks.py18:03
krotscheckrcarrillocruz: I haven’t looked at that in a while, I usually run the subscriber directly in a debugger.18:03
mrmartinso it means, that I need to write this source code manually?18:04
krotscheckmrmartin: Yep.18:04
*** ssam2 has quit IRC18:07
nibalizerhey everybody we're using storyboard for an infra sprint right now18:11
yolandakrotscheck, we' ve been talking with NikitaKonovalov about the validation problem, what's your opinion here?18:11
krotscheckI’m composing right now18:11
nibalizerand im really impressed at how easy it is to do mappings of people to subtasks18:11
krotscheckIn the review.18:11
nibalizer+118:11
krotschecknibalizer: It’s tabbing all the way down :)18:13
yolandanibalizer, storyboard rocks :)18:13
nibalizerrocks my socks!18:13
nibalizeroh wait i can tab on this thing?18:13
* nibalizer has been point/click like a pleb18:13
*** jedimike has quit IRC18:14
*** openstackgerrit has quit IRC18:14
*** openstackgerrit has joined #storyboard18:14
krotschecknibalizer: Yep, though there’s some questions on whether that’s going to stick around in its current form.18:14
yolandai also love the tab feature18:15
krotscheckyolanda: Long story short- why are we trying to fix something that ain’t broke with more complicated code?18:15
yolandaand you talk about? validations?18:15
*** SotK has quit IRC18:16
krotscheckyolanda: Yep.18:16
yolandaso i think it's healthy to do validations, to prevent malicious code18:16
yolandaif someone is trying to manipulate fields, update something not allowed, etc18:16
krotscheckyolanda: To explicitly filter out fields for various requests is silly18:16
*** jcoufal_ has quit IRC18:17
krotscheckAnd a lot of effort.18:17
yolandakrotscheck, so you would just skip validation of fields?18:17
krotscheckThat’s not what I’m saying.18:18
yolandawe could think that in the reverse way then... if we are interested that some fields cannot be updated for certain roles, have a validation rule for that18:18
krotscheckNot allowing created_at on a PUT or POST request just because it’s technically not a thing we don’t allow users to update is what I think is silly18:18
NikitaKonovalovok, so looks like the soluion is that db-managed fields are passed in a PUT or POST the api should ignore them silently18:18
NikitaKonovalovif something like creator_id or even id is send and it does not match existing -> 400 error18:19
krotscheckI agree that using the json schema to enforce a certain set of fields and types is really useful.18:19
krotscheckRight.18:19
krotscheckWith the exception that some fields are server owned.18:19
krotscheckUNLESS we want to go 100% RESTful18:20
krotscheckIn which case there’s a lot more work we need to do :)18:20
NikitaKonovalovI guess we are not following standards that closely :)18:20
yolandadate_created, updated, are server owned, we don't have to update them if they are passed by the client18:20
krotscheckNikitaKonovalov: We’re really not :)18:20
krotscheckI’m not opposed to being 100% RESTful mind you.18:23
krotscheckBut if that’s what we’re going to do, we need to get everyone on board.18:23
NikitaKonovalovso I guess the plan is that JsonSchema will continue validating the fields and enforce that request has what is should have18:23
krotscheckFor now, yes.18:24
NikitaKonovalovand one more layer should check if the server-managed fields are passed in the request they should be checked18:24
NikitaKonovalovto match the existing in the model18:24
yolandaNikitaKonovalov, krotscheck, either that or just ignore the ones that are server managed?18:25
yolandado we want to waste resources in validating that the server managed fields matches from backend and frontend?18:26
NikitaKonovalovI need to check what happens when the wrong id is send in the body18:26
krotscheckyolanda: Is not wasting resources a premature optimization?18:26
NikitaKonovalovif sqlalchemy tries to change that, that's a problem18:27
krotscheckNikitaKonovalov: I added a test for that, it appears that our API overrides that.18:27
*** Piet has joined #storyboard18:27
krotscheckWhen we do entity_update(id, stuff), it seems to handle that propelry18:27
yolandakrotscheck, it means an extra database access to check if date_created, date_updated, are sent different by the frontend, and why, if we are just going to ignore them?18:27
krotscheckyolanda: If we were handling our database sessions on a per-request basis rather than a per-query basis, that wouldn’t be a problem.18:28
NikitaKonovalovyep I've actually found that line https://github.com/openstack-infra/storyboard/blame/master/storyboard/db/api/base.py#L28418:29
krotscheckOh neat18:29
NikitaKonovalovso id will always be correct18:30
NikitaKonovalovthat however does not apply to author_id of a comment or creator_id of a story18:30
krotscheckIs that a DB hook?18:31
yolandaso you both are in favour of double checking all server owned fields rather than just ignoring them? what's the benefit?18:31
NikitaKonovalovkrotscheck: that's entity_update18:31
NikitaKonovalovyolanda: ignoring means there should be a declaration of what should be ignored for each model18:33
NikitaKonovalovand the reques should be checked against that every time18:33
yolandacannot we have a general "server owned" rule?18:33
yolandabtw, you will need to have that declaration if you want to check if they are different, and raise a 400 ...18:34
NikitaKonovalovyolanda: there is a similar rule of public_fileds, which was actually added for User model to keep things like email from public access18:40
NikitaKonovalovwe could have server_managed_fields for models that need them18:40
NikitaKonovalovand check requests with a hook18:41
yolandawell, thinking on your point of view, i can see the advantage that if we check for date_created, date_updated and they are different, it means that someone is trying to attack18:41
yolandaas it's manipulating the json18:41
NikitaKonovalovor trying to steel a coment by changing its author18:42
yolandain that case you raise a validation error and don't allow the update of anything, i can see an advantge there :)18:43
NikitaKonovalovignoring is simple solution here. there is no need to fetch an object for comparison18:43
yolandaok so i'm fine with your proposal18:44
krotscheckI’d say ignore them. if we check for date_updated and it doesn’t match, it could just be that someone else modified the resource in a different API request.18:52
NikitaKonovalovkrotscheck: good point18:53
NikitaKonovalovI guess we'll agree to ignore the fields which should be managed by server only. And all these fields should be declared in a model class (or may be wsme model class) and cleaned out from request with a hook18:54
krotscheckOr, in truly restful fasion, we could throw a 409 conflict and make the client handle the diff.18:54
*** MaxV has joined #storyboard18:57
yolandakrotscheck, -1 for that :)19:00
yolandaeither ignoring or raise validation error has pros and cons19:01
yolandaif we ignore we may be missing attacks, if we raise validation error we may be invalidating proper requests as you point19:01
*** MaxV has quit IRC19:01
*** peristeri has joined #storyboard19:13
peristeriwhat is the tox arguments needed to run the test locally?19:16
*** yolanda has quit IRC19:17
*** yolanda has joined #storyboard19:17
*** yolanda has quit IRC19:18
*** yolanda has joined #storyboard19:22
*** yolanda has quit IRC19:22
*** yolanda has joined #storyboard19:23
*** yolanda has quit IRC19:24
*** yolanda has joined #storyboard19:26
*** yolanda has quit IRC19:27
*** yolanda has joined #storyboard19:28
*** yolanda has quit IRC19:29
openstackgerritMerged openstack-infra/storyboard-webclient: Parse event_info into JSON.  https://review.openstack.org/14912620:10
openstackgerritMichael Krotscheck proposed openstack-infra/storyboard: subscription_helper now supports timeline_events  https://review.openstack.org/15017020:22
openstackgerritMichael Krotscheck proposed openstack-infra/storyboard: Singularized resource names.  https://review.openstack.org/15016920:22
krotscheckzaro: You had a comment here, without much of a suggested solution. Could you go into details on what you meant? https://review.openstack.org/#/c/147734/2/storyboard/plugin/email/factory.py20:34
*** alexismonville1 has quit IRC20:39
*** Piet has quit IRC20:49
*** petefotheringham has joined #storyboard20:53
*** SotK has joined #storyboard21:18
*** SotK has quit IRC21:20
*** SotK has joined #storyboard21:26
*** mrmartin has quit IRC21:30
*** Piet has joined #storyboard21:31
*** yolanda has joined #storyboard21:44
*** mattfarina has quit IRC22:03
*** peristeri has quit IRC22:36
*** openstackgerrit has quit IRC23:06
*** openstackgerrit has joined #storyboard23:06
zarokrotscheck: replied in the review.23:21
krotscheckzaro: Gotcha.23:31
krotscheckzaro: That’s what I figured.23:31
krotscheckIn other news. SEriously, I can monkeypatch python?23:31
krotscheckSomething about that seems wrong.23:32
zarodoesn't that apply to any oop language?23:33
krotscheckzaro: You can’t monkeypatch java at runtime I think.23:34
krotscheckzaro: As in, I can’t go in and say java.lang.Integer = MyOwnImplementation23:34
krotscheck(I think)23:34
* krotscheck may be wrong.23:34
zaroohh maybe not the basic types, so not int, but i'm pretty sure you can for Integer23:36
*** Piet has quit IRC23:38
« Tuesday, 2015-01-27 Index Thursday, 2015-01-29 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!