kota_ | hello | 23:01 |
---|---|---|
lyrrad | Hi. | 23:01 |
chsc | hi | 23:01 |
alpha_ori | hello! | 23:02 |
kota_ | Could we start? | 23:03 |
alpha_ori | Do we have an agenda? | 23:04 |
*** bill_az has joined #swift3 | 23:04 | |
kota_ | yup | 23:04 |
kota_ | #link https://wiki.openstack.org/wiki/Meetings/swift3 | 23:05 |
bill_az | Hi - sorry I'm late! | 23:05 |
kota_ | bill_az: no worries | 23:05 |
kota_ | just started now | 23:05 |
chsc | I also have looked into some of the s3 acl test failures. Either we could touch on that now, or discuss that separately. | 23:05 |
kota_ | chsc: ok | 23:06 |
kota_ | chsc: you get a room. | 23:06 |
chsc | Ok. Should we start with that or put it towards the end? | 23:07 |
kota_ | chsc: I'd like to hear that at first :) | 23:07 |
kota_ | please | 23:08 |
chsc | ok. First is bug 1488623. swift3 does not validate a grantee, you can just put arbitrary names. | 23:08 |
openstack | bug 1488623 in Swift3 "swift3 fails to validate grantee in acl" [Undecided,New] https://launchpad.net/bugs/1488623 | 23:08 |
chsc | I opened the bug since i thought that this could be addressed, but could not find an easy way. | 23:08 |
chsc | Would it be possible to query auth if a certain user name exists? | 23:09 |
chsc | If not, i can cancel the bug again. | 23:09 |
chsc | Second is 1488646. swift3 seems to implicitly grant FULL_CONTROL to the owner, instead of WRITE_ACP. | 23:10 |
chsc | I tried a simple patch to fix that, but that broke unit tests. I can look closer at that, but in the end it is also a minor issue. | 23:10 |
chsc | (WRITE_ACP means you can grant yourself FULL_CONTROL anyway) | 23:10 |
chsc | Then there are some test failures due to s3-tests using unauthenticated requests. | 23:11 |
chsc | e.g. in s3tests.functional.test_s3:test_object_copy_canned_acl | 23:11 |
chsc | changing that to authenticated requests makes the test pass | 23:11 |
chsc | Last item is that s3tests.functional.test_s3:test_bucket_header_acl_grants and s3tests.functional.test_s3:test_object_header_acl_grants fail for me and could be fixed with a simple patch: | 23:12 |
chsc | --- a/s3tests/functional/test_s3.py | 23:12 |
chsc | +++ b/s3tests/functional/test_s3.py | 23:12 |
chsc | @@ -73,8 +73,8 @@ def check_grants(got, want): | 23:12 |
chsc | in any order. | 23:12 |
chsc | """ | 23:12 |
chsc | eq(len(got), len(want)) | 23:12 |
chsc | - got = sorted(got, key=operator.attrgetter('id')) | 23:12 |
chsc | - want = sorted(want, key=operator.itemgetter('id')) | 23:12 |
chsc | + got = sorted(got, key=operator.attrgetter('id', 'permission')) | 23:12 |
chsc | + want = sorted(want, key=operator.itemgetter('id', 'permission')) | 23:12 |
chsc | for g, w in zip(got, want): | 23:12 |
chsc | w = dict(w) | 23:12 |
chsc | eq(g.permission, w.pop('permission')) | 23:12 |
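Review bot: in check_grants the key tuple ('id', 'permission') is now spelled out twice, once for attrgetter on got and once for itemgetter on want, and the comparison loop only lines up if both lists are sorted on the same fields; define the field tuple once and pass it to both calls so the two cannot drift. The tie-break also only makes the order deterministic while (id, permission) is unique per grant, so grants that match on both but differ in another field still depend on input order; worth stating in the docstring next to "in any order".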
chsc | It would be useful if someone could verify that. | 23:12 |
timburke | on bug 1488646 (and patch 227035), i think we need to differentiate between the default ACL set on bucket creation, and the implicit permissions present even if you attempt to remove all ACLs | 23:13 |
patchbot | timburke: https://review.openstack.org/#/c/227035/ - Grant correct implicit permissions to owner | 23:13 |
openstack | bug 1488646 in Swift3 "swift3 does not enforce missing write permission for owner on bucket" [Undecided,New] https://launchpad.net/bugs/1488646 | 23:13 |
chsc | yes | 23:13 |
chsc | I can take another look at that. | 23:14 |
kota_ | thanks, tim | 23:15 |
chsc | Other thoughts on these acl tests? If not, then we can probably move on. | 23:15 |
kota_ | the first one might be possible to solve I think. | 23:15 |
kota_ | currently we have a way to collect the user is there or not by authentication. | 23:16 |
kota_ | i.e. send backend swift auth request | 23:16 |
kota_ | i guess, it absolutely fail because no roles but | 23:17 |
kota_ | if there is the user, we could get the account name from swift. | 23:17 |
chsc | Ok. Would that be similar to the auth requests sent with the information from the Authorization header? | 23:18 |
kota_ | for implementation, use pure swift request format from swift3 | 23:18 |
kota_ | like...wait | 23:19 |
kota_ | https://github.com/stackforge/swift3/blob/master/swift3/request.py#L488-L489 | 23:20 |
kota_ | I cannot point out the implementation immediately | 23:20 |
chsc | Ok. I can also take a closer look there. | 23:21 |
kota_ | you should look at the auth mechanism also tempauth or auth_token | 23:21 |
chsc | ok | 23:22 |
kota_ | that will translate account name in the path like s/account:account/AUTH_account/ | 23:22 |
chsc | ok | 23:22 |
kota_ | And I'll take a look at the last thing in the next 2 weeks. | 23:23 |
chsc | thank you | 23:23 |
timburke | what if you have multiple auth systems (say, both keystone and tempauth), and you want to allow users of either to use swift3? we might be able to change the auth systems so that whoever is first adds some flag to the wsgi environment to say "hey, i know someone by that name, but the creds don't seem right" (and let the last one still send up the decisive 401) | 23:23 |
kota_ | chsc: thanks for bringing up them, here. | 23:23 |
kota_ | timburke: nice thought | 23:24 |
chsc | I am not sure what to do about the unauthenticated request failures. | 23:25 |
chsc | We could patch a fork of s3-tests to avoid these, but then we have to maintain that fork. | 23:25 |
lyrrad | I thought we were planning on using a known failures file to keep track of tests that we know won’t pass. | 23:26 |
kota_ | yeah, that is one of today's agenda i suppose. | 23:26 |
lyrrad | That’s a feature of the s3compat script. | 23:27 |
kota_ | ok, let's move on to that. | 23:27 |
lyrrad | So, I released the scripts last week though I haven't received any feedback yet. Let me know if anyone else needs access. | 23:27 |
kota_ | lyrrad invited me to contribute s3compat team, thanks. | 23:27 |
chsc | Access works, i just have not had the time to test the scripts. | 23:28 |
kota_ | but sorry I didn't take a time to look at because I was crazy busy for Swift and Prep for tokyo summit :\ | 23:28 |
timburke | i figured you were a bit busy. thanks for approving those two patches despite the craziness! | 23:29 |
kota_ | timburke: :) | 23:30 |
kota_ | lyrrad: could you paste the s3compat link? | 23:30 |
lyrrad | I’ve also been working on classifying the tests manually for the report, but I haven’t released that patch yet. | 23:31 |
lyrrad | https://github.com/swiftstack/s3compat | 23:31 |
kota_ | ok | 23:31 |
kota_ | nice, thanks | 23:31 |
lyrrad | I think you need to be invited to access it. | 23:31 |
kota_ | oh, yeah, I belong to the team, already. | 23:31 |
lyrrad | Let me know your Git username if you need an invitation. | 23:32 |
lyrrad | Kota: Did you get a chance to look at the security patch I sent you? | 23:34 |
kota_ | ah | 23:34 |
kota_ | I still don't have the permission to look at | 23:34 |
kota_ | even though I logged in launchpad | 23:34 |
lyrrad | Weird. I sent you all the details in an email. | 23:35 |
kota_ | which organization the security issue is open? | 23:36 |
kota_ | in lp | 23:37 |
kota_ | yup, I already got your E-mail, anyways, I'll look at the E-mail. | 23:37 |
lyrrad | I just tried adding you to it. Maybe you can see it now. | 23:38 |
kota_ | timburke: How do you think of that? I guess you got same E-mail in c.c. | 23:38 |
*** hrou has joined #swift3 | 23:38 | |
timburke | seems legit. replay attacks are possible | 23:40 |
timburke | (though only if the client was doing dumb things originally) | 23:40 |
kota_ | ok, feel like to set priority high or critical even though I cannot access lp :/ | 23:42 |
lyrrad | I thought I just added you to the bug as a subscriber. Tim is able to see it now. | 23:42 |
lyrrad | This could happen with valid client requests, as described at the end of the second to last paragraph of the bug description | 23:44 |
kota_ | I got! thanks | 23:44 |
kota_ | for security issue, we should discuss in lp private page in detail. | 23:45 |
kota_ | I'll ack in today's work. | 23:45 |
kota_ | ok, let's move on... which? | 23:46 |
kota_ | I guess we still have a couple of items | 23:47 |
kota_ | versioning and packaging. | 23:47 |
kota_ | timburke, alpha_ori: is there some updates for versioning stuff? | 23:48 |
alpha_ori | kota_: not at the present time. We're looking at how to move symlink forward. | 23:49 |
kota_ | k | 23:50 |
kota_ | thanks for the information, alpha_ori | 23:50 |
kota_ | and last item is packaging. | 23:50 |
kota_ | this one is brought from me. | 23:51 |
kota_ | so currently swift3 doesn't follow the openstack release cycle | 23:51 |
kota_ | but someone want to follow to support that. | 23:52 |
kota_ | tbh, I don't mind we don't bump the version so frequently. | 23:53 |
bill_az | swift doesn't follow openstack release cycle either :-) | 23:53 |
kota_ | bill_az: exactly :-) | 23:53 |
bill_az | I think it is better to not be locked in to 2 times / year - make a release when it makes the most sense | 23:54 |
notmyname | that's not fair ;-) | 23:54 |
notmyname | we do. we just also release more often | 23:54 |
kota_ | notmyname! | 23:54 |
timburke | doesn't matter too much for us (swiftstack); we tend to build our own packages off of master anyway | 23:54 |
notmyname | many other openstack projects are also moving to be more swift-like in their releases | 23:54 |
kota_ | make sense | 23:55 |
bill_az | kota: is someone asking that we move to openstack release cycle? | 23:55 |
kota_ | no, just my question | 23:56 |
bill_az | better to stay flexible IMO | 23:56 |
kota_ | but originally it brings up to me by request for bumping to v1.8 2 months ago. | 23:56 |
kota_ | someone wants to version tag for making distribution. | 23:57 |
bill_az | it makes sense to bump version when there is new features - like your acl enhancements | 23:58 |
kota_ | If possible, I want to bring up again to consider bumping after solving the recent security issue we have. | 23:58 |
kota_ | bill_az: yup, but we still have tons of work for acls, maybe :/ | 23:59 |