Saturday, 2015-05-30

woodster_kfox1111: rm_work should be on containers as well, but policy is not cascaded to secrets underneath00:09
kfox1111hmm... so when I create the heat resource for acl, I need to recurse and handle all the secrets too... fun. :/ Ok.00:10
kfox1111would it make sense to support it as a param to the container acl? Would it just end up being a single db update that way?00:11
kfox1111IE, add this one user to the acl, and all secrets?00:12
woodster_kfox1111: yeah the problem is that secrets can exist in multiple containers00:12
kfox1111hmm.... then there's the reference counting issue....00:12
kfox1111hmm... but its unknownable outside of barbican.00:12
kfox1111so its gota be fixed there. :/00:12
woodster_kfox1111: containers are for loose grouping of secrets00:13
kfox1111I know. but If I need to create a template that takes in a container, and makes all the secrets available to the vm to use,00:14
kfox1111then I need to acl the container, and all the secrets.00:14
kfox1111if there's more then one container, that shares a secret, that could get ugly.00:14
kfox1111hmmm... difficult issue.00:15
woodster_kfox1111: well individual secret policy rules the day so just because in container doesn't mean you can retrieve it00:15
woodster_kfox1111: miguelgrinberg in #openstack-api was curious about the user add/remove race condition use case in Heat that a PATCH would be good for...he's concerned it adds complexity00:17
kfox1111I mean from the heat resource managing the acl's standpoint. It might get very racy since it doesn't have the whole view of things. :/00:17
woodster_kfox1111: yeah that seems like a design issue to me though...seems only one Heat engine should setup a VM at a time?00:18
kfox1111heat can run engines on multiple hosts for scaling. they are unaware of each other.00:46
kfox1111otherwise heat would be really really slow on a huge cloud. :/00:46
