Il 06/03/2018 11:13, Ronny Aasen ha scritto:
On 06. mars 2018 10:26, Max Cuttins wrote:
Il 05/03/2018 20:17, Gregory Farnum ha scritto:

You're not wrong, and indeed that's why I pushed back on the latest attempt to make deleting pools even more cumbersome.

But having a "trash" concept is also pretty weird. If admins can override it to just immediately delete the data (if they need the space), how is that different from just being another hoop to jump through? If we want to give the data owners a chance to undo, how do we identify and notify *them* rather than the admin running the command? But if admins can't override the trash and delete immediately, what do we do for things like testing and proofs of concept where large-scale data creates and deletes are to be expected?

I'm talking about my experience:

  * Data Owner are a little bit in their LA LA LAND, and think that they
    can safely delete some of their data without losses.
  * Data Owner should think that their pool have been really deleted
  * Data Owner should not been akwnoledge about the existance of the
  * So Data Owner ask to restore from backup (but instead we'll use
    easily the trash).

Said so, we also have to think that:

  * Administrator is always GOD, so he need to be in the possibility to
    override if needed whenever he needs.
  * However Administrator should just put in status delete without
    override this behaviour if there is not need to do so.
  * Override should be allowed only with many cumbersome telling you

I don't like that the software can limit administrators to do his job... in the end Administrator'll always find its way to do what he want (it's the root). Of course I like the feature to push the Admin to follow the right behaviour.

some sort of active/inactive toggle both on RBD images, pools, buckets and filesystems trees is nice to allow admins to perform scream tests.

"data owner requests deletion - admin disables pool(kicks all clients) - data owner screams - admin reactivates"

sounds much better then the last step beeing admin checking if the backups are good.,..

i try to do something similar by renaming pools to be deleted but that is not allways the same as inactive.

I like the name "scream test"... it really look like that! :)

ceph-users mailing list

Reply via email to