*** wanghao has joined #openstack-zaqar | 00:36 | |
wanghao | flwang: ping | 00:40 |
*** openstackgerrit has joined #openstack-zaqar | 01:17 | |
openstackgerrit | Ngo Quoc Cuong proposed openstack/zaqar master: Replace deprecated oslo.messaging.get_transport with get_notification_transport https://review.openstack.org/470071 | 01:17 |
openstackgerrit | wanghao proposed openstack/zaqar-specs master: Service Queue in Zaqar https://review.openstack.org/449433 | 01:50 |
flwang | wanghao: yep | 02:27 |
wanghao | flwang: Just let you know I have seen your discussion and also talked with wxy about service queue. | 02:28 |
wanghao | flwang: there is a poc patch | 02:28 |
wanghao | https://review.openstack.org/#/c/469343/ | 02:29 |
wanghao | flwang: use service token to post messages in other project's queue. | 02:29 |
wxy | Very simple, but effective i think | 02:29 |
wanghao | yep | 02:29 |
wanghao | so we can see if it's what we want. | 02:30 |
*** mpanetta has quit IRC | 02:30 | |
wanghao | BTW, since Zaqar can't support service.xxx name in queue. So I use service- prefix. | 02:30 |
*** mpanetta has joined #openstack-zaqar | 02:31 | |
wanghao | Spec has also been updated according to our discussion. | 02:31 |
wxy | I think we need searchlight guys to take a look at the spec since they need do some work for service token | 02:31 |
wanghao | yes, and also the new HTTP Header they should take in request. | 02:32 |
flwang | wxy: do you know how to generate a service token? | 02:32 |
flwang | i'd like to get a script to simulate sending notifications to zaqar as a service user | 02:33 |
wanghao | flwang: it like user token I think, just use tenant name is service and user name is like 'nova'. | 02:34 |
wanghao | I use them to generate the service token. | 02:34 |
wxy | Actually in keystone sight, there is no difference between service token and user token. It's called service token because the header is "X-Service-Token" | 02:35 |
wanghao | yes | 02:35 |
wxy | we need config Zaqar to let it know what token is service token | 02:36 |
wanghao | the process of authorization is same in keystone | 02:36 |
wxy | There are some config options in keystonemiddleware | 02:36 |
wanghao | wxy: no need, if you take the X-Service-Token in request, keystonemiddleware will set service token headers in request. | 02:37 |
wanghao | wxy: so just get them from request if they exist | 02:38 |
wxy | but it will check the role in token | 02:38 |
wxy | "Service " by default | 02:39 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/zaqar master: Updated from global requirements https://review.openstack.org/470149 | 02:39 |
wxy | The check is turned off by default | 02:40 |
flwang | i know what you said, i just want to figure out what the change searchlight need to do in their patch, see https://review.openstack.org/#/c/271958/2/searchlight/publisher/plugins/zaqar/zaqar_publisher.py | 02:41 |
wxy | https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_opts.py#L184-L196 | 02:42 |
wxy | Searchlight should pass "X-Service-Token" and "X-Service-Delegated-Project-ID" headers to Zaqar. Right? | 02:43 |
flwang | wxy: that's my question :D | 02:43 |
wanghao | flwang: they need to generate the service token by using their service credentials | 02:46 |
wxy | flwang: hah, I guess yes. Searchlight should provide that which project/tenant will receive the message. My concern here is whether it's possible. Can searchlight do it? | 02:46 |
wanghao | flwang: and also add a new HTTP header "X-Service-Delegated-Project-ID" | 02:46 |
wanghao | wxy: flwang: searchlight should know the user project ids which it will send the messages. | 02:47 |
wanghao | flwang: that's we didn't ensure, how it know those user projects? | 02:48 |
flwang | i don't think it's real problem, when searchlight got the notifications, see line 35 https://review.openstack.org/#/c/271958/2/searchlight/publisher/plugins/zaqar/zaqar_publisher.py | 02:48 |
flwang | or line 68 | 02:49 |
wxy | where the project_id come from? | 02:51 |
wxy | by the resource? | 02:52 |
flwang | see line 65 | 02:52 |
flwang | it's in the data | 02:52 |
wanghao | but the token is from line 33 | 02:53 |
wanghao | it seems not the user project token. | 02:53 |
*** mpanetta has quit IRC | 02:54 | |
*** mpanetta has joined #openstack-zaqar | 02:55 | |
flwang | that's what we need to change, right? | 02:55 |
flwang | you guys just asked where to get the project id | 02:55 |
wxy | yeah, I asked Kevin just now. The notification stored by Searchlight contains the resource's project_id. I think we can use it. | 02:58 |
*** wanghao has quit IRC | 02:59 | |
*** wanghao has joined #openstack-zaqar | 03:00 | |
wanghao | yes, and we also need to take service token in searchlight | 03:00 |
wanghao | we just need to know user project (get from resource's project_id) and Service token (get from searchlight's service credentials?) | 03:02 |
wanghao | we don't care about the X-Auth-Token, it just be valid is ok | 03:03 |
*** wanghao_ has joined #openstack-zaqar | 03:04 | |
wxy | +1 | 03:06 |
flwang | i will contact with zhang lei to let him know what's going on and it would be nice if he can try the PoC code | 03:07 |
*** wanghao has quit IRC | 03:08 | |
wanghao_ | flwang: sure thanks | 03:09 |
wanghao_ | wxy: BTW, about the role in token, I agree with you that we should open it. | 03:10 |
wanghao_ | wxy: to make sure the role in service token is 'service' | 03:10 |
wxy | wanghao_: :) | 03:10 |
wxy | flwang: cool. | 03:11 |
flwang | i'm reviewing the poc patch | 03:12 |
flwang | so if we can get the X-SERVICE-PROJECT-NAME, that means there is a service token? don't we need to just check if there is a service token? | 03:13 |
wxy | Yes, the X-SERVICE-PROJECT-NAME is generated by keystonemiddleware after the service token is checked. | 03:17 |
wanghao_ | X-SERVICE-PROJECT-NAME is set by keystonemiddleware if there is X-Service-Token in request. So it means there is a service token | 03:18 |
wanghao_ | :) | 03:19 |
wanghao_ | flwang: and we check the Service-Project-Name to ensure the token came from 'Service' project | 03:20 |
wanghao_ | flwang: to avoid some exception case | 03:20 |
flwang | wanghao_: cool | 03:26 |
wanghao_ | :) | 03:27 |
flwang | wanghao_: as for this feature, can we add an option as that operator can turn off it? | 03:32 |
flwang | and personally, i prefer to use 'service.' instead of 'service-' as the prefix? wxy, concern? | 03:32 |
wxy | can "service." be analysised analysed in url? | 03:36 |
wxy | can "service." be analysed in url? | 03:36 |
flwang | wxy: why not? | 03:43 |
wxy | paste.openstack.org/show/611266 | 03:51 |
wxy | flwang: at least we can't at this moment. | 03:52 |
flwang | ah, right | 03:53 |
*** lhx__ has joined #openstack-zaqar | 04:22 | |
openstackgerrit | Merged openstack/zaqar master: Updated from global requirements https://review.openstack.org/470149 | 04:39 |
wanghao_ | flwang: we can add the option to turn off it. | 04:40 |
wanghao_ | flwang: and as wxy said we can't support it now, maybe need some changes, I'll check it later. | 04:41 |
*** lhx__ has quit IRC | 04:43 | |
*** rcernin has joined #openstack-zaqar | 05:26 | |
*** wanghao_ has quit IRC | 05:40 | |
*** wanghao has joined #openstack-zaqar | 05:41 | |
openstackgerrit | wangxiyuan proposed openstack/zaqar master: Remove usage of parameter enforce_type https://review.openstack.org/469405 | 06:05 |
*** lhx__ has joined #openstack-zaqar | 06:38 | |
*** lhx__ has quit IRC | 06:42 | |
*** lhx__ has joined #openstack-zaqar | 06:43 | |
*** lhx__ has quit IRC | 06:45 | |
*** lhx__ has joined #openstack-zaqar | 06:46 | |
*** tesseract has joined #openstack-zaqar | 07:04 | |
openstackgerrit | wanghao proposed openstack/zaqar master: [POC]Service Queue In Zaqar https://review.openstack.org/469343 | 07:12 |
openstackgerrit | wanghao proposed openstack/zaqar-specs master: Service Queue in Zaqar https://review.openstack.org/449433 | 07:20 |
openstackgerrit | Van Hung Pham proposed openstack/zaqar master: Optimize the link address https://review.openstack.org/470187 | 07:48 |
openstackgerrit | Merged openstack/zaqar master: Remove usage of parameter enforce_type https://review.openstack.org/469405 | 08:09 |
openstackgerrit | wanghao proposed openstack/python-zaqarclient master: Fix the inconsistent command format in openstackclient https://review.openstack.org/470201 | 08:33 |
*** flwang has quit IRC | 09:00 | |
*** lhx__ has quit IRC | 09:07 | |
*** lhx__ has joined #openstack-zaqar | 09:07 | |
*** wanghao has quit IRC | 09:11 | |
*** wanghao has joined #openstack-zaqar | 09:25 | |
*** wanghao has quit IRC | 09:36 | |
*** flwang has joined #openstack-zaqar | 10:15 | |
*** lhx__ has quit IRC | 12:40 | |
*** mpanetta has quit IRC | 14:11 | |
*** mpanetta has joined #openstack-zaqar | 14:12 | |
*** mpanetta has quit IRC | 14:55 | |
*** mpanetta has joined #openstack-zaqar | 14:55 | |
*** mpanetta has quit IRC | 14:56 | |
*** mpanetta has joined #openstack-zaqar | 14:56 | |
*** rcernin has quit IRC | 15:05 | |
*** tesseract has quit IRC | 16:00 | |
*** pcaruana has quit IRC | 16:16 | |
*** harlowja has quit IRC | 17:28 | |
*** harlowja has joined #openstack-zaqar | 20:04 | |
*** rcernin has joined #openstack-zaqar | 20:12 | |
*** kgriffs_alt has joined #openstack-zaqar | 22:34 | |
*** andreaf has quit IRC | 22:35 | |
*** rcernin has quit IRC | 22:39 | |
*** david_cu has quit IRC | 22:40 | |
*** andreaf has joined #openstack-zaqar | 22:40 | |
*** kgriffs has quit IRC | 22:40 | |
*** kgriffs_alt is now known as kgriffs | 22:40 |