*** Raildo has quit IRC | 00:02 | |
*** samueldmq2 has joined #openstack-keystone | 00:03 | |
*** samueldmq2 has quit IRC | 00:03 | |
samueldmq | ayoung: hi, you around ? | 00:04 |
---|---|---|
samueldmq | ayoung: I suppose you saw the diagram in that wiki ? let me know what you think about tht approach :) | 00:05 |
samueldmq | ayoung: whether you agree or not, and why | 00:05 |
gyee | wtf's Oslo Guru Meditation? https://review.openstack.org/#/c/184172/ | 00:05 |
samueldmq | gyee: lol haha, I have no idea :) | 00:07 |
gyee | samueldmq, funny naming though | 00:08 |
samueldmq | gyee: ++ | 00:09 |
*** gyee has quit IRC | 00:27 | |
*** ankita_w_ has quit IRC | 00:30 | |
*** r-daneel has quit IRC | 00:34 | |
*** dims has joined #openstack-keystone | 00:39 | |
ayoung | samueldmq, yep, I'm here. WHere is the source for the diagram? | 00:45 |
*** dims has quit IRC | 00:47 | |
*** dims has joined #openstack-keystone | 00:47 | |
samueldmq | ayoung: http://www2.lsd.ufcg.edu.br/~samuel/dynamic-policies-workflow.diag | 00:49 |
samueldmq | ayoung: I thought I had sent it already | 00:49 |
*** spandhe has joined #openstack-keystone | 00:49 | |
ayoung | samueldmq, maybe you did...didn't see it. Thnaks | 00:49 |
samueldmq | ayoung: I saw there are some 'requests' from keystone to CMS, I think that is just formatting, you can understand the logic behind | 00:50 |
samueldmq | ayoung: I think the descriptuons there are pretty accurate, you'll understand how I see | 00:50 |
samueldmq | ayoung: let me know if you agree , etc :) | 00:50 |
ayoung | samueldmq, hold on. Let me go through it and I'll understand better | 00:50 |
samueldmq | ayoung: sure | 00:52 |
*** zzzeek has joined #openstack-keystone | 00:52 | |
*** zzzeek has quit IRC | 00:52 | |
*** openstack has joined #openstack-keystone | 00:54 | |
*** markvoelker has joined #openstack-keystone | 00:56 | |
*** diazjf has joined #openstack-keystone | 00:58 | |
ayoung | samueldmq, it looks pretty close. One technical issue you had was that a return call, say from nova to the user needs to be written as user <- nova; | 01:00 |
ayoung | samueldmq, I might break this up into threee diags | 01:00 |
*** ankita_wagh has joined #openstack-keystone | 01:01 | |
*** markvoelker has quit IRC | 01:02 | |
samueldmq | ayoung: what would be the three diags ? I'd be happy to break that up | 01:02 |
samueldmq | ayoung: glad to hear you like what is in there :) | 01:02 |
*** kfox1111 has quit IRC | 01:08 | |
*** bknudson has joined #openstack-keystone | 01:10 | |
*** ChanServ sets mode: +v bknudson | 01:10 | |
*** charlesw has joined #openstack-keystone | 01:11 | |
*** ncoghlan has joined #openstack-keystone | 01:11 | |
*** ccrouch has quit IRC | 01:14 | |
samueldmq | ayoung: ah got it, instead of nova -> user : user <- nova | 01:14 |
samueldmq | ayoung: ++ | 01:14 |
ayoung | samueldmq, yeah...the diag also expects that what ever you start with has a lifeline that lasts the whole diagram | 01:18 |
samueldmq | ayoung: that's why it's weird with lifelines | 01:20 |
samueldmq | ayoung: :) | 01:20 |
samueldmq | ayoung: otherwise you agree on that direction for Liberty? | 01:20 |
ayoung | samueldmq, its designed to show a single use case. The case where user and admin both ask things, but don't talk to each other is hard to represent | 01:20 |
samueldmq | ayoung: or do you have any other concertn ? etc | 01:20 |
ayoung | samueldmq, lets treat it as a good set of tools for guiding the discussion. It does not show everything | 01:21 |
*** dsirrine has quit IRC | 01:21 | |
samueldmq | ayoung: not sure I follow | 01:21 |
ayoung | samueldmq, let me do a touch more editing and put them into the Wiki | 01:21 |
ayoung | and I'll explain at that point | 01:22 |
samueldmq | ayoung: sure | 01:23 |
*** ankita_wagh has quit IRC | 01:29 | |
*** ankita_wagh has joined #openstack-keystone | 01:30 | |
*** woodster_ has quit IRC | 01:31 | |
ayoung | samueldmq, https://wiki.openstack.org/wiki/DynamicPolicies#Workflows_-_Liberty_Scope | 01:42 |
ayoung | the source for the diagrams are embedded in the files | 01:42 |
ayoung | if you click on the image, you should see the source | 01:42 |
ayoung | samueldmq, I don't think there is enough detail there yet. We need to discuss the relationship between the files shipped with Nova that are pre-exisitng on the system and the ones from dynamic policy. | 01:44 |
*** _cjones_ has quit IRC | 01:44 | |
openstackgerrit | Brant Knudson proposed openstack/keystone: Document policy target for operation https://review.openstack.org/168521 | 01:49 |
*** fangzhou has quit IRC | 01:49 | |
*** vilobhmm1 has quit IRC | 01:51 | |
*** markvoelker has joined #openstack-keystone | 01:57 | |
*** tsufiev has quit IRC | 02:01 | |
samueldmq | ayoung: you mean what I am called the Defaults and Custom policies? | 02:01 |
samueldmq | ayoung: Default is what is uploaded by the CMS at bootstrapping / when a service is updated | 02:01 |
samueldmq | ayoung: Custom is what the admin changed (a kind of diff) | 02:01 |
ayoung | samueldmq, drop the term default | 02:02 |
ayoung | I think it is confusing | 02:02 |
*** aix has quit IRC | 02:02 | |
samueldmq | ayoung: Base policy | 02:02 |
samueldmq | ? | 02:02 |
ayoung | there is the policy.json from the remote service git repos | 02:02 |
*** markvoelker has quit IRC | 02:02 | |
ayoung | the default policy was supposed to be the unified one...lets leave that out for now | 02:02 |
samueldmq | ayoung: ok, can I call it Base policy? or something like that ? | 02:05 |
samueldmq | ayoung: it should be the olicy.json shipped with the code | 02:05 |
samueldmq | ayoung: which is uploaded/updated to keystone | 02:05 |
ayoung | how about stock policy? | 02:05 |
*** tsufiev has joined #openstack-keystone | 02:06 | |
samueldmq | ayoung: and when the admin changes that, i.e, puts something in the custom (the diff) he receives warnings (what nova wants!!) | 02:06 |
ayoung | something like that, yeah | 02:06 |
samueldmq | ayoung: oh great :) | 02:06 |
*** davechen has joined #openstack-keystone | 02:07 | |
*** davechen1 has joined #openstack-keystone | 02:10 | |
*** davechen has quit IRC | 02:12 | |
openstackgerrit | Brant Knudson proposed openstack/keystone: Refactor extract function load_auth_method https://review.openstack.org/187004 | 02:15 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Use stevedore for auth drivers https://review.openstack.org/182102 | 02:15 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Update sample config file https://review.openstack.org/182138 | 02:15 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Short names for auth plugins https://review.openstack.org/182107 | 02:15 |
openstackgerrit | Brant Knudson proposed openstack/python-keystoneclient: Unit tests catch deprecated function usage https://review.openstack.org/189145 | 02:21 |
openstackgerrit | Brant Knudson proposed openstack/python-keystoneclient: Switch from deprecated isotime https://review.openstack.org/189147 | 02:21 |
samueldmq | ayoung: the split you made looks great, very clear | 02:23 |
samueldmq | ayoung: that single diagram was very big | 02:23 |
*** tobe has joined #openstack-keystone | 02:24 | |
openstackgerrit | Brant Knudson proposed openstack/keystone-specs: Add side-by-side comparison of v2 and v3 APIs https://review.openstack.org/187027 | 02:25 |
*** kiran-r has joined #openstack-keystone | 02:33 | |
davechen1 | dolphm: hi, | 02:34 |
davechen1 | dolphm: I saw your comment here: https://bugs.launchpad.net/keystone/+bug/1466116/comments/1 | 02:35 |
openstack | Launchpad bug 1466116 in Keystone "With using V3 cloud admin policy, domain admin cannot issue a token for the project in his domain" [Undecided,Incomplete] - Assigned to Dave Chen (wei-d-chen) | 02:35 |
davechen1 | dolphm: Do you mean we should set inherited = 1 then we that use will has access to the project? | 02:35 |
*** marzif has quit IRC | 02:36 | |
*** ankita_wagh has quit IRC | 02:39 | |
*** cburgess has quit IRC | 02:39 | |
*** diazjf has quit IRC | 02:40 | |
*** cburgess has joined #openstack-keystone | 02:44 | |
davechen1 | figure it out, just need enable os_inherit in the keystone.conf. :) | 02:45 |
*** vilobhmm has joined #openstack-keystone | 02:45 | |
*** spandhe has quit IRC | 02:45 | |
*** jamielennox is now known as jamielennox|away | 02:46 | |
*** jamielennox|away is now known as jamielennox | 02:53 | |
*** stevemar has joined #openstack-keystone | 03:01 | |
*** ChanServ sets mode: +v stevemar | 03:01 | |
*** wuhg has joined #openstack-keystone | 03:03 | |
*** cburgess has quit IRC | 03:04 | |
*** ankita_wagh has joined #openstack-keystone | 03:05 | |
*** cburgess has joined #openstack-keystone | 03:05 | |
*** dims has quit IRC | 03:06 | |
*** cburgess has quit IRC | 03:07 | |
*** cburgess has joined #openstack-keystone | 03:10 | |
*** richm has quit IRC | 03:18 | |
*** stevemar has quit IRC | 03:22 | |
*** rm_work has quit IRC | 03:25 | |
*** stevemar has joined #openstack-keystone | 03:26 | |
*** ChanServ sets mode: +v stevemar | 03:26 | |
*** rm_work|away has joined #openstack-keystone | 03:31 | |
*** rm_work|away is now known as rm_work | 03:31 | |
*** rm_work has joined #openstack-keystone | 03:31 | |
*** charlesw has quit IRC | 03:40 | |
*** browne has joined #openstack-keystone | 03:40 | |
*** kiran-r has quit IRC | 03:44 | |
*** markvoelker has joined #openstack-keystone | 03:46 | |
*** markvoelker has quit IRC | 03:51 | |
*** htruta_ has quit IRC | 03:55 | |
*** rm_you has joined #openstack-keystone | 04:37 | |
*** _cjones_ has joined #openstack-keystone | 04:45 | |
*** markvoelker has joined #openstack-keystone | 04:47 | |
*** _cjones_ has quit IRC | 04:49 | |
*** markvoelker has quit IRC | 04:51 | |
openstackgerrit | Merged openstack/keystone-specs: Add side-by-side comparison of v2 and v3 APIs https://review.openstack.org/187027 | 04:59 |
*** boris-42 has quit IRC | 05:12 | |
*** rm_you has quit IRC | 05:19 | |
*** ankita_wagh has quit IRC | 05:24 | |
*** vilobhmm has quit IRC | 05:28 | |
*** belmoreira has joined #openstack-keystone | 05:57 | |
*** kiran-r has joined #openstack-keystone | 06:02 | |
*** Kennan2 has joined #openstack-keystone | 06:07 | |
*** Kennan has quit IRC | 06:07 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/192983 | 06:09 |
*** stevemar has quit IRC | 06:10 | |
*** vilobhmm has joined #openstack-keystone | 06:15 | |
*** fangzhou has joined #openstack-keystone | 06:16 | |
*** ankita_wagh has joined #openstack-keystone | 06:18 | |
*** e0ne has joined #openstack-keystone | 06:25 | |
*** e0ne has quit IRC | 06:31 | |
*** ankita_wagh has quit IRC | 06:35 | |
*** markvoelker has joined #openstack-keystone | 06:36 | |
*** vilobhmm has quit IRC | 06:38 | |
*** vilobhmm has joined #openstack-keystone | 06:39 | |
*** markvoelker has quit IRC | 06:40 | |
*** vilobhmm has quit IRC | 06:46 | |
*** vilobhmm has joined #openstack-keystone | 06:49 | |
*** vilobhmm has quit IRC | 07:01 | |
*** henrynash has joined #openstack-keystone | 07:01 | |
*** ChanServ sets mode: +v henrynash | 07:01 | |
*** chlong has quit IRC | 07:06 | |
*** rlt_ has joined #openstack-keystone | 07:06 | |
*** ihrachyshka has joined #openstack-keystone | 07:17 | |
jamielennox | lifeless: my pycon-au proposal was always fairly generic, it's actually not that far off | 07:22 |
lifeless | jamielennox: sure, I know. | 07:27 |
lifeless | jamielennox: but that wouldn't be heckling you. And we do want it touched up please :) | 07:27 |
jamielennox | lifeless: yea, no worries - i sat down to do it thinking it was going to be a PITA, but it's not that bad | 07:28 |
*** ncoghlan has quit IRC | 07:36 | |
jamielennox | lifeless: done | 07:47 |
*** fangzhou_ has joined #openstack-keystone | 07:48 | |
*** browne has quit IRC | 07:49 | |
*** fangzhou has quit IRC | 07:49 | |
*** fangzhou_ is now known as fangzhou | 07:49 | |
lifeless | cool thanks | 07:58 |
*** jamielennox is now known as jamielennox|away | 08:00 | |
*** pnavarro has joined #openstack-keystone | 08:09 | |
*** boris-42 has joined #openstack-keystone | 08:17 | |
*** e0ne has joined #openstack-keystone | 08:18 | |
*** rushiagr_away is now known as rushiagr | 08:18 | |
*** markvoelker has joined #openstack-keystone | 08:25 | |
*** afazekas has joined #openstack-keystone | 08:25 | |
*** e0ne has quit IRC | 08:25 | |
*** markvoelker has quit IRC | 08:29 | |
*** aix has joined #openstack-keystone | 08:32 | |
*** henrynash has quit IRC | 08:45 | |
*** viktors has quit IRC | 09:03 | |
*** e0ne has joined #openstack-keystone | 09:28 | |
*** tobe has quit IRC | 09:28 | |
*** jasondotstar has joined #openstack-keystone | 09:41 | |
*** Kennan2 is now known as Kennan | 09:49 | |
*** e0ne is now known as e0ne_ | 09:52 | |
*** e0ne_ is now known as e0ne | 09:54 | |
openstackgerrit | Dave Chen proposed openstack/keystone: Remove redundant config https://review.openstack.org/193477 | 09:55 |
*** davechen1 has left #openstack-keystone | 09:56 | |
*** dims has joined #openstack-keystone | 10:09 | |
*** markvoelker has joined #openstack-keystone | 10:13 | |
*** markvoelker has quit IRC | 10:18 | |
*** fangzhou has quit IRC | 10:20 | |
*** fmarco76 has joined #openstack-keystone | 10:21 | |
*** fmarco76 has quit IRC | 10:21 | |
*** afazekas has quit IRC | 10:44 | |
*** fangzhou has joined #openstack-keystone | 10:45 | |
*** samueldmq has quit IRC | 10:51 | |
*** dims has quit IRC | 10:57 | |
*** vg_ has joined #openstack-keystone | 11:00 | |
vg_ | Hello Community folksd | 11:00 |
*** henrynash has joined #openstack-keystone | 11:00 | |
*** ChanServ sets mode: +v henrynash | 11:00 | |
vg_ | I need help with the Identity service policy assignments | 11:01 |
vg_ | I have a very specific ques. for that | 11:01 |
vg_ | https://ask.openstack.org/en/question/68616/openstack-policy-enforcement-for-custom-role-project_admin/ | 11:02 |
*** samuel has joined #openstack-keystone | 11:02 | |
marekd | vg_: i suggest waiting for ayoung | 11:02 |
marekd | he should be here soon | 11:02 |
*** samuel has quit IRC | 11:02 | |
marekd | he is the policy master | 11:03 |
marekd | as well as samuelmmq who apparently is not here now. | 11:03 |
*** samuel has joined #openstack-keystone | 11:03 | |
*** samuel has quit IRC | 11:03 | |
*** samueldmq has joined #openstack-keystone | 11:04 | |
*** wuhg has quit IRC | 11:04 | |
vg_ | thanks much <+marekd> I am eagerly waiting | 11:04 |
vg_ | <samuelmq> would you be able to help me on policy for keystone please | 11:05 |
samueldmq | morning | 11:05 |
marekd | samueldmq: vg_ has a question for ya | 11:05 |
vg_ | I posted it in ask ..https://ask.openstack.org/en/question/68616/openstack-policy-enforcement-for-custom-role-project_admin/ | 11:05 |
samueldmq | marekd: vg_ hi, sure | 11:05 |
*** dims has joined #openstack-keystone | 11:06 | |
samueldmq | vg_: I'll be glad if I can help | 11:06 |
vg_ | I am defining the custom role policies , but even after modifying it , my changes are not getting reflected | 11:06 |
vg_ | thanks <samueldmq> | 11:06 |
vg_ | i am here if you need more elaboration on the ques. or use case | 11:07 |
*** afazekas has joined #openstack-keystone | 11:07 | |
samueldmq | vg_: reading your message in the ML (once I get some coffee) :) | 11:08 |
vg_ | thanks no worries... | 11:08 |
openstackgerrit | Merged openstack/keystone: Imported Translations from Transifex https://review.openstack.org/192983 | 11:10 |
samueldmq | vg_: on your third point in there .. when you say http://<openstack-server-ip>/identity/<project-id>/detail/ | 11:11 |
samueldmq | vg_: you're talking about horizon, right ? | 11:11 |
vg_ | yes | 11:11 |
samueldmq | vg_: k I got what you want | 11:13 |
samueldmq | vg_: users are not owned by projects | 11:13 |
samueldmq | vg_: so in project_id:%(target.project.id)s, this second part will evaluate to None, and the whole rule fails | 11:14 |
vg_ | ok | 11:14 |
samueldmq | vg_: so you can't perform any action contaning that check | 11:14 |
samueldmq | vg_: users are owned by domains | 11:15 |
samueldmq | vg_: I'd suggest you to allow the domain_admin to manage users instead, and then check domain scope | 11:15 |
samueldmq | vg_: so it should be something like : domain_id:%(target.domain.id)s, which means | 11:16 |
samueldmq | vg_: the scope in the token (the first domain_id) must be equal to the target (user) domain id | 11:17 |
samueldmq | vg_: adding role:domain_admin to that rule would mean that you allow, let's say, create_user for someone who has domain_admin role on a given domain and is trying to add users to the domain he/she admins | 11:18 |
samueldmq | vg_: is that clear so far ? | 11:18 |
*** e0ne is now known as e0ne_ | 11:19 | |
vg_ | yea , the domain part is clear to me that users should be maintained by domain | 11:20 |
vg_ | I am trying to map a rule , is it like this ? | 11:20 |
vg_ | "Tenant_Admin": "role:domain_admin or rule: domain_id:%(target.domain.id)s", | 11:20 |
vg_ | "identity:create_user": "rule:admin_required or rule:Tenant_Admin", | 11:20 |
samueldmq | vg_: makes sense, however Tenant_Admin could be called domain_admin :) | 11:20 |
samueldmq | vg_: so with this, you need a user with a domain scoped token | 11:21 |
samueldmq | vg_: (so the domain is in the token, its scope more specifically) | 11:22 |
samueldmq | vg_: however Horizon does not understand/use domain scoped tokens | 11:22 |
vg_ | yes...how would i show that up in Horizon dashboard | 11:23 |
vg_ | from the dashboard i fire up the API , which should be mapped to this rule for any user | 11:24 |
samueldmq | vg_: I am not sure we could have a workaround that works the same for Horizon | 11:25 |
samueldmq | henrynash: morning, you around ? ^ | 11:26 |
samueldmq | vg_: at very least you could specify just the role | 11:27 |
samueldmq | vg_: but in that case, one would be able to CRUD users in any domain (since we weren't doing scope checking) | 11:27 |
samueldmq | vg_: and having 'domain_admin' or 'user_admin' role in a project sounds weird | 11:28 |
henrynash | samueldmq: hi | 11:28 |
*** markvoelker has joined #openstack-keystone | 11:29 | |
*** e0ne_ has quit IRC | 11:29 | |
vg_ | so i have the project_admin role created and in my keystone policy,json file i just added a role "Domain_Admin": "role:project_admin or rule: domain_id:%(target.domain.id)s", | 11:30 |
samueldmq | henrynash: vg_ wants to create a domain_admin role which defines whether one can CRUD users or not | 11:30 |
vg_ | <samueldmq> yes both doesn't make sense | 11:30 |
vg_ | yes | 11:31 |
henrynash | ok, sur | 11:31 |
henrynash | sure | 11:31 |
samueldmq | henrynash: I told him rules on the user CRUD should look like 'role:domain_admin or rule: domain_id:%(target.domain.id)s' | 11:31 |
samueldmq | henrynash: however he wants to use that through Horizon, which does not understand domain scoped tokens | 11:31 |
samueldmq | henrynash: do you know any workaround that could provide similar behavior ? | 11:31 |
henrynash | samueldmq: I thought they started supporting domain tokens in Kilo, no? | 11:31 |
samueldmq | henrynash: I don't think so .. let me check | 11:32 |
henrynash | samueldmq: I though there was a patch to add that support…or so I heard | 11:32 |
vg_ | no even though their docs say it so , but I just stood up new kilo instance and it doesn't have that | 11:33 |
*** markvoelker has quit IRC | 11:34 | |
samueldmq | henrynash: so it doesn't, just confirmed in #horizon | 11:36 |
henrynash | samueldmq: ouch | 11:37 |
samueldmq | henrynash: what I suggested him is to create 'user_admin' and assign this in a project, where the user can get a token | 11:37 |
samueldmq | henrynash: and we could at very least check the project's domain id matches the domain where you're trying to create the usre | 11:38 |
henrynash | samueldmq: yes, I have seen that done before | 11:38 |
samueldmq | henrynash: I think that's the best we can do without domain scoped tokens | 11:38 |
henrynash | samueldmq: I’m stunned that this didn’t yet get into Horizon | 11:38 |
samueldmq | henrynash: and as far as I can tell, they don't intend to | 11:39 |
samueldmq | henrynash: should domain-as-a-project be solving this somehow ? maybe .. | 11:39 |
*** jasondotstar has quit IRC | 11:43 | |
henrynash | samueldmq: welll…that was the whole thing about have dual tokens! | 11:47 |
samueldmq | henrynash: we could even do that with a project scoped token .. for example | 11:49 |
samueldmq | henrynash: 'role:domain_admin and project_id:%(target.domain.id)s' | 11:50 |
samueldmq | henrynash: if the project has is_domain=True, project_id:%(target.domain.id)s should match pretty fine :) | 11:51 |
vg_ | <samueldmq> so you suggest that i create new user with name "user_admin" assign it to project and then you are trying to get a token for this user (which we can get by simple curl call ) and then you want to check the domain of the project and match the domain_id? | 11:51 |
samueldmq | vg_: first, one of your requirements is to managing users thorugh Horizon, right? | 11:52 |
*** boris-42 has quit IRC | 11:52 | |
vg_ | yes | 11:52 |
samueldmq | vg_: I suggest you to create a role called 'user_admin' (which can be assigned to a user on a given project) | 11:53 |
samueldmq | vg_: and yes, your last sentence is fine : 'check the domain of the project and match the domain_id' | 11:53 |
henrynash | samueldmq: interesting idea.... | 11:55 |
samueldmq | vg_: however not sure we can do this with our current policy capabilities (the way we define the roles)... | 11:55 |
samueldmq | vg_: I am not sure you can define something like : project.domain_id:%(target.domain.id)s | 11:56 |
vg_ | nopes I don't think project.domain_id would work | 11:57 |
samueldmq | vg_: since that first part is what comes from the token, and we have only the project_id in there | 11:57 |
samueldmq | vg_: and if you don't put any constraint on the scope, one with that role would be able to create users everywhere | 11:58 |
samueldmq | henrynash: yes that makes sense, it is a good idea, isn't it ? :) | 11:58 |
samueldmq | henrynash: keep that in mind and mull a bit on that, it may work pretty fine | 11:58 |
henrynash | samueldmq: you’re a genious | 11:59 |
henrynash | and a genius | 11:59 |
samueldmq | vg_: henrynash haha not that much :-) | 11:59 |
*** pc_m has joined #openstack-keystone | 11:59 | |
samueldmq | vg_: oops .. for you I wanted to say ... without scope checking , we're falling in bug #968696 | 11:59 |
openstack | bug 968696 in Keystone ""admin"-ness not properly scoped" [High,Confirmed] https://launchpad.net/bugs/968696 - Assigned to Adam Young (ayoung) | 11:59 |
samueldmq | ayoung: cc ^ bug "9 6 8 6 9 6" :-) | 12:00 |
vg_ | i am not happy they missed the major functionality to have Horizon have this feature....it should be there asap | 12:00 |
vg_ | yes , i was just about to mention that | 12:00 |
samueldmq | vg_: well there are alternatives way to solve that issue, one is as I just mentioned with henrynash | 12:00 |
samueldmq | vg_: we are moving very well towards those directions in this cycle | 12:01 |
*** bknudson has quit IRC | 12:01 | |
samueldmq | vg_: we're working towards : v3 compability everywhere (v3 defines domains) + dynamic policies | 12:01 |
samueldmq | vg_: where we will providing a much better way to define policies, with role inheritance, etc | 12:02 |
samueldmq | vg_: and policy changes would occur via api, instead of requiring you to be using an out-of-band mechanism to update policy (the policy.json file) | 12:02 |
*** markvoelker has joined #openstack-keystone | 12:05 | |
samueldmq | henrynash: this way we could even kill domain-scoped tokens, well, at least this is an idea to be considered | 12:07 |
samueldmq | morganfainberg, raildo, htruta cc ^ | 12:08 |
*** e0ne has joined #openstack-keystone | 12:08 | |
*** radez_g0n3 is now known as radez | 12:09 | |
openstackgerrit | henry-nash proposed openstack/keystone: Relax newly imposed sql driver restriction for domain config https://review.openstack.org/191976 | 12:09 |
samueldmq | henrynash: and dynamic policies is moving ... ayoung and I had an agreement yesterday on the scope for L, we had some diagrams, roadmap at https://wiki.openstack.org/wiki/DynamicPolicies | 12:10 |
samueldmq | henrynash: make sure to check it out once you have some time :) | 12:10 |
henrynash | samueldmq: well, we’d need to add the is_domain to the token…or support a “lookip” via the poliy rule | 12:11 |
samueldmq | henrynash: to make sure someone has role 'domain_admin' in the domain with id X instead of in the project with id X ? | 12:13 |
samueldmq | henrynash: we woudln't need if we unified assignments, which may have other implications thought | 12:13 |
samueldmq | though* | 12:13 |
henrynash | samuelmq: a (say) user create have just a domain ID (which will be the same as the project ID acting as the domain)….but for it to check that this project ID really is a domain, you’d want the is_domain to be in the token | 12:16 |
samueldmq | henrynash: sure, unless we had a kind of dual-scoped token, which could be implemented by just unifying the assignments | 12:17 |
samueldmq | henrynash: and providing the scope in the token as 'project' anyway | 12:17 |
samueldmq | henrynash: I think the guys here who are working with reseller are considering this possibility | 12:18 |
henrynash | samueldmq: that’s what I’m saying….we only have project scoped tokens, we just always include the is_domain=True/False maybe in every token….then it’s up the the poly rule to refer to it | 12:18 |
henrynash | samueldmq: I *think* this woud work :-) | 12:19 |
henrynash | samueldmq: to you want to write this up…or I’m happy to (and will credit you with the idea) | 12:21 |
htruta | morganfainberg has strongly rejected the is_domain on the token request | 12:22 |
htruta | samueldmq, henrynash ^ | 12:22 |
henrynash | htruta: this isn’t in the request, it’s in the token that gets generated | 12:23 |
henrynash | htruta: morganfainberg & I have just agreed to disagree, but I respect his call to not do this on the request. | 12:23 |
henrynash | htruta: the token contents are different however….we’ll see later if he also has an issue with ths | 12:24 |
samueldmq | henrynash: I think we don't even need to put that in the token, if unifying assignments isn't an issue | 12:24 |
henrynash | samueldmq: that’s the bit I don’t follow…where does the polciy rule get is_domain from? | 12:25 |
samueldmq | henrynash: so if you request a project scoped token, and that has user_admin role, you should be able to manage users, making checks on the domain_id i nhte policy | 12:25 |
samueldmq | henrynash: that's whether we unify assignments or not, if we unify, you have a single entity (a project) that represents both the domain and the porject side | 12:25 |
*** bknudson has joined #openstack-keystone | 12:25 | |
*** ChanServ sets mode: +v bknudson | 12:25 | |
htruta | we discussed that yesterday, and morganfainberg gave us two options | 12:26 |
htruta | 1 - do not allow getting project scoped token to is_domain projects (at least not in liberty) | 12:26 |
*** fangzhou has quit IRC | 12:26 | |
htruta | 2 - kill domain scoped tokens | 12:26 |
henrynash | samueldmq: not sure how that works….you do need in policy rules to make domain special somehow, or someone can make their own project special | 12:27 |
samueldmq | henrynash: that'd be aligned with 2. above (as htruta said) | 12:27 |
samueldmq | henrynash: oh wait | 12:27 |
henrynash | I’m all for killing domain tokens | 12:27 |
samueldmq | henrynash: when you check 'project_id:%(target.domain.id)s' | 12:28 |
samueldmq | henrynash: in let's say, create_user | 12:28 |
henrynash | samueldmq: we just look in the user entity | 12:28 |
henrynash | samueldmq: “target” here is a user entity | 12:29 |
samueldmq | henrynash: you indeed check that project_id is a domain , in the create_user in the controller, it will validate target.domain.id as a valid domain | 12:29 |
henrynash | samueldmq; yep…which is why I said it eitehr needs to be in the token | 12:29 |
samueldmq | henrynash: it already validates domains in the controller level | 12:30 |
henrynash | samueldmq: or we add some kind of lookup to teh policy support (which I don’t like) | 12:30 |
samueldmq | henrynash: where a domain is expected to be provided | 12:30 |
samueldmq | henrynash: controller/manager level | 12:30 |
henrynash | samueldmq: I guess that’s true…..hmmm…but not sure if I like the split checks | 12:31 |
henrynash | samueldmq: it would be hard to know what you are limiting when writinga policy rule without knowing the code…. | 12:32 |
samueldmq | henrynash: we already have that today, yes I agree that's a kinf of hacking | 12:32 |
samueldmq | henrynash: that is not very explicit/clear in the policy definition | 12:32 |
samueldmq | henrynash: but for sure an idea to be considered :) | 12:32 |
henrynash | samueldmq: Ok, let me take a crack at a quick blueprint for this! | 12:33 |
samueldmq | htruta: henrynash is 100% for killing domain scoped tokens ;) | 12:33 |
samueldmq | henrynash: nice, htruta and guys here will consider this as well, they are the right guys to be synchronizign with | 12:34 |
samueldmq | thanks | 12:34 |
henrynash | samueldmq: good ideas, guys | 12:35 |
samueldmq | ayoung: I am updating that sequence diagrams to start with the right numbers (some of them start with action 14, etc) | 12:36 |
samueldmq | ayoung: let me know when you're available so we can talk more about details on that thing | 12:36 |
samueldmq | ayoung: and I am planning to start missing specs today, at least to have a first version | 12:37 |
ayoung | samueldmq, ok, so question: what happens to the stock policy when a dynamic policy is fetched? | 12:37 |
samueldmq | ayoung: since we've agreed on that workflow, let's define the specs, to have something very nicely defined by the end of next week | 12:37 |
samueldmq | ayoung: how does keystone generate the dynamic policy based on the stock policy ? | 12:38 |
ayoung | samueldmq, I think the two things we need up front are the Keystone API changes and the ability to fetch the policy from Auth token middleware | 12:38 |
ayoung | lets put that question aside | 12:38 |
samueldmq | ayoung: so keystone stores 1) stock policy and 2) custom policy (a kind of diff for what the admin has customized) | 12:38 |
ayoung | we can deal with that later, here is what I am thinking | 12:38 |
samueldmq | ayoung: so it gets stock policy for that endpoint, and overrides with what is in the custom policy | 12:39 |
ayoung | 1. There is always a stock policy on the server, so that it can run even if Keystone has nothing for it | 12:39 |
ayoung | we need that as a migration strategy if nothing else | 12:39 |
samueldmq | ayoung: if the CMS has not uploaded a stock policy for an endpoint | 12:39 |
samueldmq | ayoung: we fall bakc, and do not apply the dynamic policy mechanism | 12:39 |
samueldmq | ayoung: the admin ccan't even customize, since there is nothing to be based on | 12:40 |
ayoung | At start up, or upon first user request, the service requests a policy from keystone. Let's say keystone has something for it. Where does it go? Same directory as the stock policy? are they additive? | 12:40 |
*** woodster_ has joined #openstack-keystone | 12:40 | |
samueldmq | ayoung: the CMS is expected to be uploading the policy which is shipped with the code as the stock policy | 12:41 |
ayoung | Or, do we say it is all or nothing; either we use the stock policy, or we use the dynamic policy, not both together | 12:41 |
ayoung | so, one thing we could do is this | 12:41 |
*** raildo has joined #openstack-keystone | 12:41 | |
samueldmq | ayoung: so at very last, it would be overwriting it with itself | 12:41 |
ayoung | upon start up, create a cache dir. copy the stock policy into cache. Then, upon fetch, we wipe out the cache | 12:41 |
*** jasondotstar has joined #openstack-keystone | 12:43 | |
ayoung | samueldmq, so upon starting Nova, it could try to post its stock policy to Keystone | 12:44 |
ayoung | and then we need to merge. How do we determine if the stock policy is new or not? I'm thinking SHA256 and Keystone tracks all the uploaded policy files. | 12:45 |
*** dims has quit IRC | 12:46 | |
ayoung | samueldmq, when doing the certs for PKI, we had decided to wait until first request to fetch certs, as we did not want to rqure that the keystone server was up in order to start Nova. We'll have the same concern here, too | 12:46 |
*** dims has joined #openstack-keystone | 12:46 | |
openstackgerrit | henry-nash proposed openstack/keystone: Relax newly imposed sql driver restriction for domain config https://review.openstack.org/191976 | 12:47 |
samueldmq | ayoung: let me see if I understand | 12:48 |
samueldmq | ayoung: you propose to have middleware uploading stock policy to keytone, instead of having the cms ? | 12:48 |
samueldmq | ayoung: I think the idea on having the dynamic policy created based on the stock + what the amdin has customized is the key | 12:49 |
samueldmq | ayoung: since when a service upgrades, cms only needs to update stock policy on keystone | 12:50 |
samueldmq | ayoung: stcok policy can be associated to url, region or service, where we find hierarchically for a stock poliyc of a given endpoint | 12:50 |
raildo | henrynash, ping, I totally agree with kill domain tokens, but I understand the other side, so imo, now in Liberty we can stay with don't allow getting project scoped token to is_domain-True, and in M we can discuss a better solution for that issue. What do you think? | 12:59 |
samueldmq | raildo: so the option 5 ? | 13:00 |
raildo | samueldmq, unfortunately :( | 13:00 |
samueldmq | raildo: I think that may be a wise choice, since we introduce domain hierarchies, and have more time to think how to do it the best we can | 13:00 |
samueldmq | raildo: not against having is-domain or any other option, but we would have more time to think about, as you said | 13:01 |
samueldmq | raildo: I am with you on this point o/ | 13:01 |
openstackgerrit | henry-nash proposed openstack/keystone: Relax newly imposed sql driver restriction for domain config https://review.openstack.org/191976 | 13:01 |
henrynash | raildo: let’s see…I’ll push for L !! | 13:01 |
raildo | henrynash, haha | 13:02 |
raildo | henrynash, so, what we have to do to convince the other guys? | 13:02 |
samueldmq | henrynash: that's something great, however we can't do that when cores are 50% for and 50% against doing it now :) | 13:03 |
samueldmq | raildo: ++ | 13:03 |
henrynash | raildo: my argument is….this (unless there’s a gremlin we haven’t thought of) will fix Horizon and everyone’s issuson domain tokens. We won’t kill them yet (you can still ask for one), but by inluding is_domain=True in the token it lets us write policy files that don’t need domain tokens | 13:04 |
samueldmq | ayoung: do what I said above make sense ? | 13:05 |
samueldmq | ayoung: that's related to the default policy thing, if no policy is specified for an endpoint | 13:05 |
*** HenryG has quit IRC | 13:05 | |
*** HenryG has joined #openstack-keystone | 13:05 | |
samueldmq | ayoung: in that case, I believe we should step-back, and let the old mechanism in place (i.e do not touch /etc/nova/policy.json) | 13:06 |
ayoung | samueldmq, it can be either CMS or Nova itself, depending. CMS is probably better workflow, less surprise | 13:06 |
*** HenryG has quit IRC | 13:06 | |
samueldmq | ayoung: nova uploading would be thorugh something like /policy API | 13:06 |
samueldmq | ayoung: but nothing says we cna't go for that in M if we decide | 13:06 |
ayoung | so, when policy is fetched from Keystone, it will remove whatever is in the cache. | 13:06 |
samueldmq | ayoung: CMS is better for now | 13:07 |
ayoung | we start by populating the cache from stock | 13:07 |
*** HenryG has joined #openstack-keystone | 13:07 | |
samueldmq | ayoung: exactly, it would be overwritting /etc/nova/policy.json | 13:07 |
ayoung | that *can* happen at startup | 13:07 |
raildo | henrynash, in the other way, we age kind of mix project and domain admin and this can be a mess... that is the main argument to doesn't kill domains tokens now. | 13:07 |
samueldmq | ayoung: since stock on keystone is the same as that initially | 13:07 |
ayoung | samueldmq, OK, I think we should create a sequence diagrams with the cache, and show the relationship between Auth token, the cache, Nova, and oslo.policy | 13:08 |
raildo | henrynash, I want to do this, but I don't want to have 90% of core team hates me hahahaha | 13:08 |
samueldmq | ayoung: ++ do you want to do so or can I grab that ? | 13:09 |
vg_ | <samueldmq> <+ayong> <HenryG> sorry i went for long meeting in here , can anyone of you please address this question here as well as to what we discussed above - https://ask.openstack.org/en/question/68616/openstack-policy-enforcement-for-custom-role-project_admin/ | 13:09 |
ayoung | samueldmq, take a first swipe at it, please | 13:09 |
samueldmq | ayoung: I am available to do so, but I am ok if you want to | 13:09 |
henrynash | raildo: that’s ok, 45% can hate you, and the other 45% can hate me….the it’s less than 505 each | 13:09 |
samueldmq | ayoung: sure! | 13:09 |
vg_ | I will anyway try that policy changes as suggested | 13:09 |
henrynash | (50% each) | 13:09 |
ayoung | samueldmq, if you want to start with one of the existing diagrams, that may make sense, too | 13:09 |
dstanek | ah, boy. talking hierarchies again | 13:09 |
ayoung | or do it as a stand alone, either way | 13:09 |
samueldmq | ayoung: that's exactly what I was thinking | 13:10 |
samueldmq | ayoung: that's something that exists, but will contain more details | 13:10 |
samueldmq | ayoung: ok will look what could be better | 13:11 |
samueldmq | dstanek: that's part of the fun here :-) | 13:11 |
marekd | boy, how do i run any osc command with existing token ? | 13:16 |
*** richm has joined #openstack-keystone | 13:16 | |
marekd | OS_TOKEN=token openstack --os-auth-type v3token server list is correct? | 13:16 |
dstanek | henrynash: i had a good discussion with htruta last night and i think i managed to confuse myself. | 13:16 |
henrynash | dstanek: join the clud | 13:17 |
henrynash | club | 13:17 |
marekd | dstanek: what was it about ? | 13:17 |
htruta | dstanek: lol | 13:17 |
htruta | is that a good thing? | 13:17 |
dstanek | htruta: no | 13:17 |
dstanek | A<is_domain=True> is a domain obviously, but is also a project that is a child of that domain. Still blows my mind. | 13:18 |
marekd | heh, what happens when you remove this project? | 13:19 |
dstanek | marekd: you can't physically because it's the same database record | 13:19 |
*** vg_ has quit IRC | 13:20 | |
marekd | dstanek: but logically you want it to appear in your project list. | 13:20 |
marekd | or you don't ? | 13:20 |
htruta | dstanek: it is a project. but it's not a child. | 13:20 |
dstanek | marekd: if it holds resources like other projects (compute, etc) it would have to | 13:20 |
htruta | it is a suoer-powerful project | 13:20 |
htruta | super* | 13:20 |
dstanek | htruta: but logically it acts as a child | 13:20 |
dstanek | it i told you i had a project named A that was part of a domain A, would you know if it's is_domain=True? | 13:24 |
dstanek | or like schrodinger's cat is it both until you check the box? | 13:25 |
*** dguerri` is now known as dguerri | 13:26 | |
samueldmq | ayoung: would you be ok with adding those diagrams to the main wiki page itself | 13:27 |
samueldmq | ayoung: so we don't need to open a new page to see the diagrams | 13:27 |
htruta | dstanek: hah. you would have to be clearer. if you say that it's part of a domain, I'd say that it's is_domain=false | 13:27 |
htruta | otherwise, it'll b both | 13:28 |
dstanek | htruta: i'm not worried about the way to get tokens, i'm worried about how to explain what is actually happening | 13:30 |
openstackgerrit | henry-nash proposed openstack/keystone-specs: Add is_domain to tokens for projects acting as a domain https://review.openstack.org/193543 | 13:31 |
openstackgerrit | henry-nash proposed openstack/keystone-specs: Add is_domain to tokens for projects acting as a domain https://review.openstack.org/193543 | 13:32 |
*** HT_sergio has joined #openstack-keystone | 13:33 | |
samueldmq | henrynash: "identity:create_user": "rule:admin_required and project_id:%(user.domain_id)s and is_domain:True" :-) | 13:33 |
dstanek | henrynash: what is the actual difference between having a domain scoped token and a project scoped token with is_domain=True? | 13:34 |
*** kiran-r has quit IRC | 13:34 | |
htruta | dstanek: you just need to say that you have powerful projects that hold users and regular projects that, as it works today, don't | 13:34 |
henrynash | dstanek: nothing (in theory)… | 13:34 |
*** charlesw has joined #openstack-keystone | 13:35 | |
henrynash | dtsanek: it’s just that you don’t need to understand domain tokens in order to get the later | 13:35 |
dstanek | htruta: but now you have siblings with the same name! so confusing | 13:35 |
henrynash | dtsanek: so (for instance), Horizon would just *work* | 13:35 |
dstanek | henrynash: they'd have to change horizon to know enough about the domain concept to know when to ask for an is_domain=True though, right? | 13:36 |
samueldmq | dstanek: unless we merge assignments and make the token work for both domain + project sides | 13:37 |
samueldmq | dstanek: but I am nt sure about the implications of merging assignments, just seeing the possibility | 13:37 |
dstanek | samueldmq: i don't get that. to get around the ambiguity we've created they would have to know to ask for an is_domain=True token at least some of the time, but i would guess all of the time | 13:39 |
*** dguerri is now known as dguerri` | 13:40 | |
samueldmq | dstanek: requesting a token on a project which has is_domain -> True would always return a token with is_domain = True, meaning you could act as a domain orproject with that token | 13:42 |
samueldmq | dstanek: kind of dual scoped token, that was being proposed by the guys here | 13:42 |
dstanek | samueldmq: but you'll have to specify is_domain=True in the token request because of the ambiguity | 13:42 |
samueldmq | dstanek: k I got your point, you don't want a token to act as both project and domain | 13:44 |
samueldmq | ayoung: btw, talking to morganfainberg a few days ago, he suggested to make the policy fetch in its own middleware | 13:44 |
dstanek | samueldmq: ++ | 13:44 |
samueldmq | ayoung: i.e, a separate filter from auth_tokne | 13:44 |
ayoung | samueldmq, nope | 13:44 |
ayoung | samueldmq, it is going to go along with gyee_ 's code for endpoint binding | 13:44 |
ayoung | he's going to need it , too | 13:44 |
*** dguerri` is now known as dguerri | 13:45 | |
samueldmq | ayoung: I'd be for splitting both :( | 13:45 |
samueldmq | ayoung: auth_token should be only about tokens | 13:45 |
ayoung | so, since he insisted that gyee_ 's goes into ATM, policy fetch goes there too. We can't do a check before a fetch | 13:45 |
samueldmq | ayoung: auth_TOKEN :( | 13:45 |
samueldmq | ayoung: who said we couldn't put the policy filter on top of auth_token | 13:46 |
samueldmq | ayoung: instead of running after it ? | 13:46 |
samueldmq | :-) | 13:46 |
samueldmq | ayoung: that's an independent task | 13:46 |
ayoung | its all Keystone work | 13:47 |
*** henrynash has quit IRC | 13:47 | |
ayoung | making each service update pipelines is no more viable for Policy fetch than for endpoint binding | 13:47 |
marekd | rodrigods: FYI, i am playing with our k2k auth plugin and it happens to work | 13:47 |
samueldmq | ayoung: k if you guys want me to write that on auth_token, I will hapilly do that | 13:47 |
samueldmq | ayoung: I really don't want to struggle on that point | 13:48 |
marekd | i have small problems with scoping the token, but i think this might actually be a problem with server. | 13:48 |
samueldmq | ayoung: already ahving enough fun with the roadmap/scope ;) | 13:48 |
samueldmq | ayoung: oh that's a great point, so it'd require services updating their pipelines .. | 13:48 |
*** henrynash has joined #openstack-keystone | 13:48 | |
*** ChanServ sets mode: +v henrynash | 13:48 | |
*** dims is now known as dimsum__ | 13:57 | |
*** jdennis has quit IRC | 14:00 | |
*** morgan has quit IRC | 14:02 | |
*** morgan has joined #openstack-keystone | 14:03 | |
*** morgan is now known as Guest93126 | 14:03 | |
*** pballand has quit IRC | 14:04 | |
*** f13o has joined #openstack-keystone | 14:05 | |
*** morganfainberg is now known as morgan-devserver | 14:06 | |
*** morgan-devserver is now known as CaptainMorgan | 14:08 | |
*** ihrachyshka has quit IRC | 14:09 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 14:12 | |
*** stevemar has joined #openstack-keystone | 14:24 | |
*** ChanServ sets mode: +v stevemar | 14:24 | |
CaptainMorgan | ayoung: samueldmq: fwiw, the policy fetch and cache is going to be the hard part. Especially with multiple worker processes (mod_wsgi). This is cache coherency...it is not easy to do right. | 14:25 |
ayoung | CaptainMorgan, Is that Army Captain or Navy Captain? | 14:27 |
CaptainMorgan | Pirate captain | 14:27 |
ayoung | So...Navy | 14:27 |
*** r-daneel has joined #openstack-keystone | 14:27 | |
CaptainMorgan | Rum running pirate captain. :P | 14:27 |
CaptainMorgan | Sure. | 14:28 |
samueldmq | CaptainMorgan: haha | 14:28 |
samueldmq | CaptainMorgan: don't we solve a similar problem with certificates (or something else) ? | 14:28 |
*** archers has joined #openstack-keystone | 14:29 | |
*** stevemar is now known as stevedoor | 14:29 | |
CaptainMorgan | samueldmq: sortof we store them to disk and load them every time. | 14:29 |
CaptainMorgan | Policy is harder because they change more often. And almost no one uses pki tokens. | 14:29 |
samueldmq | CaptainMorgan: and yes, finally we are in agreement, I am working on a couple of new diagrams and will pin g you later to get you view | 14:30 |
CaptainMorgan | We also don't refectory certs | 14:30 |
CaptainMorgan | Refetch* | 14:30 |
CaptainMorgan | Unless the cache on disk is removed. | 14:30 |
CaptainMorgan | Now imagine running multiple nova api behind ha proxy on separate machines. | 14:31 |
samueldmq | CaptainMorgan: let me understand the issue | 14:31 |
CaptainMorgan | Then cache coherency becomes a real headache, as all the policies need to be in sync. | 14:31 |
samueldmq | CaptainMorgan: separate machines mean differetn URLs, right? | 14:31 |
*** josecastroleon has quit IRC | 14:31 | |
CaptainMorgan | You can't have some workers for an endpoint with different policy files. | 14:31 |
samueldmq | CaptainMorgan: or is the proxy URL the endpoint URL, | 14:32 |
breton | what's the problem with cache coherence if we use multiple memcaches? | 14:32 |
CaptainMorgan | No, you can have separate machines behind ha proxy meaning same url | 14:32 |
samueldmq | CaptainMorgan: HMMM ;; so updating policy should be an atomic operation through different machines | 14:32 |
CaptainMorgan | breton: forcing the use of memcache is one option. | 14:32 |
breton | CaptainMorgan: s/memcache/redis/ | 14:32 |
CaptainMorgan | samueldmq: it has to be atomic for all api processes for a given endpoint. | 14:33 |
CaptainMorgan | This is a hard problem. It always will be a hard problem. | 14:33 |
samueldmq | CaptainMorgan: great sentence, captain | 14:33 |
* samueldmq is going to have lunch, back in a bit | 14:33 | |
CaptainMorgan | breton: sure that is an option, it likely means we will see a slow adoption of dynamic policy. I'm not opposed to it though. | 14:34 |
breton | hm, ok. | 14:34 |
*** jasondotstar has quit IRC | 14:35 | |
samueldmq | CaptainMorgan: if policy was stored into db prior to policy.json file, this problem should be solved | 14:35 |
CaptainMorgan | Doesn't matter how you cut it, it is adding either a lot of developer overhead or a lot of operator overhead. | 14:35 |
CaptainMorgan | samueldmq: how? | 14:35 |
samueldmq | CaptainMorgan: I mean, db coherency/replication would take care of the hard part for us | 14:35 |
CaptainMorgan | How? You can't wave hands and say db solves it :P | 14:35 |
* samueldmq waves hands | 14:36 | |
breton | also, /me hit all the caveats of per-domain config and openldap and using v3 in juno | 14:36 |
samueldmq | CaptainMorgan: services would need to store their policies into their dbs | 14:36 |
samueldmq | CaptainMorgan: this solves, but not sure this is the best soltuion/can be adopted | 14:36 |
CaptainMorgan | samueldmq: unlikely to fly. The services own their dbs. Keystone owns the policy and fetcher. | 14:36 |
CaptainMorgan | Also the db then has to be queried on every request for policy updates. | 14:37 |
breton | there is not enough docs about domains | 14:37 |
samueldmq | CaptainMorgan: ok | 14:37 |
*** jasondotstar has joined #openstack-keystone | 14:37 | |
samueldmq | CaptainMorgan: tell me ... | 14:37 |
CaptainMorgan | breton: you should bug henrynash about that too. | 14:37 |
samueldmq | CaptainMorgan: how to admins update a policy when they have multiple machines representing a single endpoint ? | 14:37 |
samueldmq | CaptainMorgan: how to they update N policies atomically ? we should solve this similarly | 14:38 |
CaptainMorgan | samueldmq: they use cms and restart the endpoint sorry have a small window of an outage. | 14:38 |
CaptainMorgan | With auto updates across nodes and processes you have less control of when this happens. | 14:38 |
CaptainMorgan | A lot less control. | 14:39 |
samueldmq | CaptainMorgan: that's an interesting challenge, captain, I will mull on it a bit more | 14:40 |
* samueldmq 's gonna have lunch | 14:40 | |
*** charlesw has quit IRC | 14:43 | |
*** dguerri is now known as dguerri` | 14:44 | |
samueldmq | CaptainMorgan: each process behind the proxy has its own middleware, right ? | 14:45 |
*** charlesw has joined #openstack-keystone | 14:45 | |
samueldmq | CaptainMorgan: so each middleware is in charge of fetching/updating the cache of the policy for its service | 14:47 |
samueldmq | CaptainMorgan: so updating isn't an issue, but the time window between middlwares updating their policies | 14:47 |
samueldmq | CaptainMorgan: is that right ? | 14:47 |
*** dvorak is now known as clayton | 14:49 | |
*** archers has quit IRC | 14:50 | |
*** dguerri` is now known as dguerri | 14:50 | |
*** spandhe has joined #openstack-keystone | 14:51 | |
*** f13o has quit IRC | 14:53 | |
dstanek | anyone have any thoughts on this: https://bugs.launchpad.net/keystone/+bug/1466893 | 14:53 |
openstack | Launchpad bug 1466893 in Keystone "Keystone wsgi will not start after upgrade on neutron grenade jobs some times" [Critical,New] | 14:53 |
*** f13o has joined #openstack-keystone | 14:54 | |
stevedoor | dstanek, don't use neutron | 14:56 |
bknudson | dstanek: is the first error "Target WSGI script '/var/www/keystone/admin' cannot be loaded as Python module." causing the next error? | 14:56 |
bknudson | or is it really one error message? | 14:56 |
samueldmq | henrynash: @david-lyle | samueldmq: there is a set of patches to support domain-scoped tokens, but they have not merge yet | 14:56 |
samueldmq | henrynash: @david-lyle | https://review.openstack.org/#/c/141153/ and https://review.openstack.org/#/c/148082/ | 14:57 |
stevedoor | maybe it's the monkey patching? | 14:57 |
bknudson | I wonder what /var/www/keystone/admin looks like ... if it's normal or not? | 14:57 |
dstanek | bknudson: it's the kilo version | 14:57 |
bknudson | you can look at it? | 14:58 |
dstanek | no, but i asked sdague | 14:58 |
*** diazjf has joined #openstack-keystone | 14:58 | |
charlesw | Hi folks, we have a swift cluster using keystone PKI token to authN. The token expiration time is 8h. In swift's keystone middleware config, the default revocation_cache_time is 10 (seconds), and token_cache_time is 300 (s). Sometimes we saw in swift proxy-server.error log: WARNING:swift:Fetch revocation list failed, fallback to online validation WARNING:swift:Authorization failed for... | 14:58 |
charlesw | ...token. Seems like the service user's token becomes invalid quickly even though exp time is 8h. We see 401 errors frequently when fetching revocation_list from keystone server which cause re-authentication for the service user to retry to fetch revocation_list. We also see GET / call to keystone server right after the re-authentication. Keystone server uses memcached to store revocation... | 14:58 |
charlesw | ...list. Any clues? | 14:58 |
charlesw | 14:58 | |
*** Ephur has joined #openstack-keystone | 14:59 | |
dstanek | bknudson: i think that "could not be loaded" is part of the exception below it | 14:59 |
bknudson | dstanek: it looks like the startup worked in several cases but then one of them fails | 15:00 |
bknudson | there's lots of "Deprecated: direct import of driver is deprecated as of Liberty in favor of entrypoints and may be removed in N." so it's running the new code already | 15:01 |
*** charlesw_ has joined #openstack-keystone | 15:01 | |
dstanek | yeah, i don't quite get it | 15:01 |
marekd | rodrigods: ping. | 15:01 |
dstanek | it's kilo wsgi running against master code | 15:01 |
rodrigods | marekd, hi | 15:01 |
bknudson | dstanek: http://logs.openstack.org/19/193519/2/check/check-grenade-dsvm-neutron/e0a1dbe/logs/apache/keystone.txt.gz#_2015-06-19_13_35_48_117594 | 15:01 |
dstanek | it seems like configure() is called twice, but i can't see how that could be | 15:02 |
bknudson | here's another similar failure | 15:02 |
bknudson | but it's not configure, it's can't import ec2. | 15:02 |
*** rushiagr is now known as rushiagr_away | 15:02 | |
dstanek | that's interesting - missing deps? | 15:02 |
marekd | stevedoor: rodrigods: do you agree that after we scope federated token, the groups should also be present in user['OS-FEDERATION']['group_ids'] ? | 15:02 |
*** zzzeek has joined #openstack-keystone | 15:03 | |
stevedoor | marekd, isn't that what we do now? | 15:03 |
bknudson | dstanek: it doesn't look like it's really on startup. Apache just starts a new worker whenever it feels like it. | 15:03 |
*** charlesw has quit IRC | 15:03 | |
*** charlesw_ is now known as charlesw | 15:03 | |
marekd | stevedoor: i just need confirmation... | 15:04 |
marekd | because i also think we do that. | 15:04 |
*** browne has joined #openstack-keystone | 15:04 | |
stevedoor | marekd, https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L533-L566 | 15:05 |
stevedoor | y we do | 15:05 |
rodrigods | marekd, yep, but just not sure if they are already there too | 15:05 |
stevedoor | marekd, we do it for unscoped only i think | 15:05 |
marekd | stevedoor: https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L558-L566we don't.... | 15:05 |
bknudson | dstanek: keystone is started with L code at around 13:33:16 and this failure occurs at 13:35:56 | 15:05 |
marekd | stevedoor: if we scope the project the groups are not added, just roles. | 15:06 |
stevedoor | wait... | 15:06 |
rodrigods | marekd, stevedoor maybe a bit confusing displaying groups that don't have role_assignment in the project/domain of the token scope? | 15:06 |
bknudson | dstanek: it's like maybe mod_wsgi isn't cleaning up after itself properly | 15:06 |
openstackgerrit | Alexander Makarov proposed openstack/keystone-specs: Unified delegation spec https://review.openstack.org/189816 | 15:06 |
stevedoor | marekd, right, after a scoping its just the roles | 15:06 |
bknudson | dstanek: one obvious workaround is to catch the exception | 15:06 |
marekd | stevedoor: which basically means you cannot rescope from existing token... ? | 15:07 |
stevedoor | marekd, explain that more please | 15:08 |
*** belmoreira has quit IRC | 15:08 | |
openstackgerrit | Alexander Makarov proposed openstack/keystone-specs: Unified delegation spec https://review.openstack.org/189816 | 15:08 |
*** amakarov_away is now known as amakarov | 15:09 | |
marekd | stevedoor: wait, once I have a normal token, and a user exists in the backend, how does he rescope the token (to different project). Is it even possible? | 15:09 |
marekd | stevedoor: actually i don't understand why would we even put roles in OS-FEDERATION ? | 15:09 |
marekd | rodrigods: ^^ | 15:10 |
marekd | in the token['user'][OS-FEDERATION'] | 15:10 |
dstanek | bknudson: i guess it would be possible to get a dirty process from apache, but that seems unlikely | 15:10 |
stevedoor | marekd, we don't put roles in user.os-federation, we put it at the top level | 15:11 |
dstanek | bknudson: according to sdague then happens mostly on neutron jobs and ever then it isn't all of the time | 15:11 |
dstanek | so why is neutron different? | 15:11 |
*** henrynash has quit IRC | 15:11 | |
marekd | stevedoor: ah, ok | 15:11 |
dstanek | charlesw: so you are seeing your service user's tokens expiring too quickly? | 15:12 |
stevedoor | marekd, i'm not sure the user can rescope the token? | 15:12 |
marekd | stevedoor: stevedoor you are right, my bad. | 15:12 |
marekd | stevedoor: shall we put groups in the scoped tokens too ? | 15:13 |
charlesw | @dstanek: yes. It's strange. Swift client's token seems fine though. | 15:13 |
dstanek | charlesw: is there something in the revocation list maybe saying that it was invalidated? | 15:14 |
*** jsavak has joined #openstack-keystone | 15:14 | |
pc_m | stevedoor: hi. Do you have time for some questions? morganfainberg pointed me your way. | 15:15 |
rodrigods | marekd, I'm worried about the semantics of having groups in a scoped token (groups that don't have role assignment in the token scope) | 15:15 |
marekd | rodrigods: it's about your identity | 15:15 |
marekd | rodrigods: it's all you get ,as an ephemeral user. | 15:16 |
bknudson | dstanek: neutron jobs might drive more token creation | 15:16 |
bknudson | more communication with keystone | 15:16 |
bknudson | and more concurrency | 15:16 |
rodrigods | marekd, but the identity in a scoped token is a "targeted" identity IMHO | 15:16 |
david8hu | samueldmq, ayoung, CaptainMorgan, The sequence diagram step 8 from the wiki calls for overriding of default policy with custom policy. Is there a plan to provide an API to indicate default verses custom policy? I assume not, so it should be a policy orverriding a previous policy already in the db. The previous policy does not need to be the default policy that originally shiped with each service. It could a policy tha | 15:16 |
david8hu | t already overriden the default policy, and service simply overrides it with an update. | 15:16 |
marekd | rodrigods: can we rescope scoped token today? | 15:17 |
dstanek | bknudson: in your example i'm wondering what sys.module['keystoneclient'] actually is | 15:17 |
rodrigods | marekd, I believe we can | 15:17 |
*** Zanatoz has joined #openstack-keystone | 15:17 | |
bknudson | dstanek: example? | 15:17 |
stevedoor | pc_m, whats up | 15:18 |
pc_m | stevedoor: I'm doing some researching/investigating and would like to know if/how to support the scenario I have. | 15:19 |
charlesw | @dstanek, the revocation list fetching failed with 401 error. Could it be the service user's token is revoked? It has to re-authN and re-fetch the revocation list. | 15:20 |
stevedoor | pc_m, what's your scenario look like? | 15:20 |
*** jlibosva has joined #openstack-keystone | 15:20 | |
bknudson | dstanek: https://bugzilla.redhat.com/show_bug.cgi?id=677735#c14 ? | 15:20 |
openstack | bugzilla.redhat.com bug 677735 in z_other "Pulp process becomes unresponsive after a few days" [High,Closed: currentrelease] - Assigned to jslagle | 15:20 |
bknudson | that's pretty old | 15:21 |
pc_m | stevedoor: Essentially an AWS Direct Connect scenario, where user Joe, wants to give Sally (someone external to OpenStack) authorization to perform some Neutron commands, like add a subset/network, set a GW IP, etc. | 15:21 |
jlibosva | hi, we have issue on gate in grenade job with Neutron. I'm not very familiar with keystone logs, is there anybody willing to help me to understand? | 15:21 |
dstanek | bknudson: well, it python thinks that keystoneclient.contrib.ec2 doens't exist maybe in got the wrong module in the import pth or something | 15:21 |
pc_m | morganfainberg suggested OAuth1.1. Would that work? | 15:22 |
dstanek | jlibosva: that's probably the issue we are talking about now | 15:22 |
bknudson | dstanek: oh, y, I didn't notice it was keystoneclient and not keystone | 15:22 |
pc_m | stevedoor: We don't want to give Sally, Joe's auth credentials. | 15:22 |
jlibosva | dstanek: can you give me tl;dr? | 15:22 |
jlibosva | I just joined channel | 15:22 |
stevedoor | pc_m, and you dont want to give sally her own credentials? | 15:23 |
dstanek | jlibosva: we are looking into https://bugs.launchpad.net/keystone/+bug/1466893 | 15:23 |
openstack | Launchpad bug 1466485 in Keystone "duplicate for #1466893 keystone fails with: ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option" [Critical,Confirmed] | 15:23 |
jlibosva | dstanek: thanks! | 15:23 |
jlibosva | dstanek: yep, thats it! :) | 15:23 |
bknudson | dstanek: the documentation for mod_wsgi doesn't expire confidence: https://modwsgi.readthedocs.org/en/master/#status | 15:23 |
pc_m | stevedoor: Not sure. Sally would be an Internet Provider, for example. | 15:23 |
bknudson | https://modwsgi.readthedocs.org/en/master/_images/dead-parrot.jpg | 15:23 |
stevedoor | pc_m, then i think the oauth module is what you want | 15:23 |
pc_m | stevedoor: I did see a link from morganfeinberg on OAuth, some questions for you on that... | 15:24 |
stevedoor | pc_m, it essentially enables an openstack user to delegate a role on a project to an external party | 15:24 |
pc_m | stevedoor: Yeah, that is what I'm looking for. | 15:24 |
stevedoor | pc_m, sure (leaving for lunch in ~ 15 minutes) - but fire away | 15:24 |
pc_m | stevedoor: I'll try to be quick... | 15:25 |
stevedoor | pc_m, meh, there's always email :) | 15:25 |
pc_m | stevedoor: What release supports OAuth? | 15:25 |
stevedoor | oh it's been there for a while, grizzly/havana? | 15:25 |
pc_m | stevedoor: I can do that, can you PM me your email? | 15:25 |
stevedoor | done | 15:26 |
*** pballand has joined #openstack-keystone | 15:26 | |
pc_m | stevedoor: thanks! Let me shoot you an email. | 15:26 |
*** jasondotstar has quit IRC | 15:26 | |
stevedoor | pc_m, cool cool | 15:26 |
bknudson | dstanek: I guess they switched to https://bugs.launchpad.net/grenade/+bug/1466485 | 15:26 |
openstack | Launchpad bug 1466485 in Keystone "keystone fails with: ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option" [Critical,Confirmed] | 15:26 |
dstanek | bknudson: yeah, i mentioned in -qa this morning that the bug was already reported | 15:27 |
*** jasondotstar has joined #openstack-keystone | 15:28 | |
dstanek | bknudson: the example you found was using ksc 1.3.1 which i'm assuming has that module | 15:29 |
*** edmondsw has joined #openstack-keystone | 15:30 | |
*** vilobhmm has joined #openstack-keystone | 15:31 | |
bknudson | dstanek: it just randomly switches from one version of ksc to another? | 15:31 |
dstanek | do you see it using a different version? | 15:32 |
bknudson | or does apache report that error if it's been running for a while and an exception escapes? | 15:32 |
*** pnavarro has quit IRC | 15:32 | |
bknudson | dstanek: I don't see it using a different version, but why is the error reported only once and not every time? | 15:32 |
*** browne has quit IRC | 15:33 | |
bknudson | or does apache only report the error on startup? | 15:33 |
dstanek | not sure. i would expect apache to report that for each process | 15:34 |
bknudson | dstanek: !!! -- http://logs.openstack.org/66/185066/3/check/check-grenade-dsvm-neutron/45d8663/logs/apache/keystone.txt.gz#_2015-06-18_09_08_31_715671 | 15:35 |
bknudson | ?? | 15:35 |
bknudson | this is just random | 15:35 |
bknudson | I guess it's back to eventlet since mod_wsgi is such a turd | 15:35 |
dstanek | whoa...something is getting seriously messed up | 15:36 |
bknudson | maybe there's some docs that indicate we're doing something totally wrong | 15:36 |
stevedoor | bknudson, from oslo_utils import excutils | 15:36 |
*** jsavak has quit IRC | 15:37 | |
stevedoor | maybe it's a library issue? | 15:37 |
*** Lactem has joined #openstack-keystone | 15:37 | |
Lactem | Hey @dolphm. | 15:37 |
dstanek | stevedoor: probably not in all of the libs | 15:37 |
*** jsavak has joined #openstack-keystone | 15:38 | |
*** _cjones_ has joined #openstack-keystone | 15:38 | |
dstanek | bknudson: could there be some stevedore recursion in there? | 15:38 |
bknudson | dstanek: why would it only happen once and not every time? | 15:39 |
dstanek | the line before the error indicates that something is loading by the full class path, but the traceback show stevedore loading stuff | 15:39 |
* bknudson thought dstanek was going to fix all this dependency stuff. | 15:40 | |
*** vilobhmm has quit IRC | 15:40 | |
dstanek | i don't think this is a dependency issue :-P | 15:40 |
dstanek | and you guys keep slowing down my patches! | 15:41 |
bknudson | I guess we could add a LOG.debug so we know what driver is being loaded. | 15:43 |
Lactem | Is dolphm around at this time of day usually? | 15:44 |
dstanek | Lactem: sometimes | 15:44 |
dstanek | Lactem: need help? | 15:44 |
bknudson | I'm going to keep trolling through the mod_wsgi docs in case it says we're doing something wrong. | 15:46 |
dstanek | bknudson: i'll add some debugs to maybe help us catch the issue | 15:46 |
bknudson | dstanek: a log in httpd/keystone.py saying that it's calling "application = wsgi_server.initialize_application(name)" would help, too | 15:47 |
*** kfox1111 has joined #openstack-keystone | 15:47 | |
bknudson | in case it's getting called multiple times in the same process | 15:47 |
bknudson | because that's something that we wouldn't be expecting | 15:47 |
dstanek | bknudson: that would have to be back ported to kilo | 15:48 |
bknudson | dstanek: maybe... but the logs where it fails are in L | 15:48 |
openstackgerrit | ayoung proposed openstack/keystone-specs: certmonger https://review.openstack.org/134099 | 15:48 |
dstanek | bknudson: it's L version of keystone but the wsgi script installed from kilo | 15:48 |
bknudson | whaaa? | 15:49 |
bknudson | there's no diff in that file for L -> k | 15:49 |
bknudson | it changed from J in K | 15:50 |
bknudson | http://git.openstack.org/cgit/openstack/keystone/tree/httpd/keystone.py?h=stable%2Fkilo | 15:50 |
bknudson | it's only 1 line of code, so not the most complicated | 15:50 |
*** marzif has joined #openstack-keystone | 15:50 | |
bknudson | I'm not sure if you can call log function in httpd/keystone.py since logging wouldn't be configured yet | 15:51 |
*** kiran-r has joined #openstack-keystone | 15:51 | |
*** marzif has quit IRC | 15:51 | |
dstanek | bknudson: that i'm not sure about. but we would have to backport - not saying that's hard, just that it has to be done | 15:51 |
Lactem | dstanek: Kind of. We were going to pick up from yesterday. | 15:52 |
dstanek | Lactem: what troubles are you running into? | 15:52 |
*** marzif has joined #openstack-keystone | 15:52 | |
Lactem | I'm not really sure what he was saying. https://bugs.launchpad.net/keystone/+bug/1098564 http://pastebin.com/D16WXLEV | 15:55 |
openstack | Launchpad bug 1098564 in Keystone "Cannot delete a service or endpoint" [Low,Incomplete] | 15:55 |
Lactem | He told me to use keystone catalog and give him the output. It's in the pastebin. | 15:56 |
CaptainMorgan | charlesw: what version of middleware are you running? My guess is 1.0.0 | 15:56 |
CaptainMorgan | charlesw: that version has issues and Ubuntu and other distributions have not updated. | 15:56 |
dstanek | Lactem: are you seeing the log statements when you run the tests? | 15:56 |
bknudson | dstanek: have you heard of mod_wsgi express? https://pypi.python.org/pypi/mod_wsgi | 15:56 |
Lactem | I don't think so. He said neither of them are there. | 15:57 |
*** charlesw_ has joined #openstack-keystone | 15:57 | |
bknudson | I don't have mod_wsgi express installed on my system for some reason. | 15:57 |
dstanek | bknudson: nope, but that's kinda neat | 15:58 |
CaptainMorgan | samueldmq: each process has its own middleware running (instance). So all of them in an Apache group...or behind a single ha proxy must have policy updated at the same time. | 15:58 |
*** jlibosva has quit IRC | 15:58 | |
dstanek | Lactem: i think he was giving you hints on where to debug | 15:58 |
*** belmoreira has joined #openstack-keystone | 15:58 | |
bknudson | dstanek: looks like it just stands up a private apache instance. | 15:58 |
*** marzif has quit IRC | 15:58 | |
dstanek | that's a cool idea for testing | 15:59 |
CaptainMorgan | samueldmq: or some requests can break erroneously (or succeed). Basically the entire group of processes behind an endpoint url must be updated atomically | 15:59 |
*** charlesw has quit IRC | 15:59 | |
bknudson | I think I'd rather use a lighter-weight container.. nginx or something | 15:59 |
*** charlesw_ is now known as charlesw | 15:59 | |
CaptainMorgan | david8hu: not sure. | 15:59 |
dstanek | i prefer nginx -> gunicorn -> application | 15:59 |
CaptainMorgan | dstanek: I like uwsgi these days | 16:00 |
bknudson | we should do that | 16:00 |
bknudson | rather than mess around with apache | 16:00 |
CaptainMorgan | bknudson: for? | 16:00 |
dstanek | bknudson: we still have to support apache for federation afaik | 16:01 |
*** RichardRaseley has joined #openstack-keystone | 16:01 | |
dstanek | apache giveth and apache sucketh | 16:01 |
CaptainMorgan | Apache has a better set of modules | 16:01 |
bknudson | apache -> gunicorn | 16:01 |
bknudson | forward the headers | 16:01 |
CaptainMorgan | bknudson: don't know how well that works. But Apache supports uwsgi pretty well | 16:01 |
dstanek | that's easy enough, but i'm not sure how that plays with the other modules | 16:01 |
CaptainMorgan | Haven't tried unicorn with Apache | 16:02 |
*** vilobhmm has joined #openstack-keystone | 16:02 | |
bknudson | it's just reverse proxy | 16:02 |
CaptainMorgan | I also am generally not a fan of gunicorn. But that is a separate concern | 16:02 |
*** RichardRaseley has quit IRC | 16:03 | |
*** RichardRaseley has joined #openstack-keystone | 16:03 | |
*** RichardRaseley has quit IRC | 16:03 | |
CaptainMorgan | Personal bias. | 16:03 |
CaptainMorgan | No real reason not to use it here. | 16:04 |
bknudson | must have been attacked by a unicorn | 16:04 |
CaptainMorgan | Nah, just a pain in the ass in the past with lots of weird crashes | 16:04 |
CaptainMorgan | Like I said, strictly a personal bias. | 16:04 |
*** RichardRaseley has joined #openstack-keystone | 16:04 | |
bknudson | that's what we're seeing with keystone in apache mod_wsgi | 16:04 |
CaptainMorgan | mod_wsgi has very tightly controlled requirements | 16:05 |
CaptainMorgan | And none of these will easily show when we break | 16:05 |
CaptainMorgan | When something goes wrong the errors and traces are not intuitive unless you're already past the wsgi loading | 16:06 |
CaptainMorgan | It's always been that way, always will be. | 16:06 |
CaptainMorgan | And you can't call log from the keystone.py file. | 16:07 |
bknudson | that's a real downer. | 16:07 |
CaptainMorgan | That error looks like a bad library ^^^ btw. | 16:08 |
CaptainMorgan | The one that sparked this convo | 16:08 |
dstanek | CaptainMorgan: which library? seems arbitrary | 16:08 |
bknudson | we've seen errors from oslo.config, keystoneclient, and oslo.utils | 16:09 |
CaptainMorgan | dstanek: not sure. But also re,ember these wsgi wrappers will occasionally spawn a new worker and kill old workers. So if it has worked for a while and then suddenly breaks, I look at "what did you install between now and then" | 16:09 |
openstackgerrit | David Stanek proposed openstack/keystone: Adds some debugging statements https://review.openstack.org/193619 | 16:09 |
CaptainMorgan | Whenever an install of a lib is done that could affect Apache/wsgi a restart is needed. | 16:09 |
dstanek | bknudson: i was thinking something like that. what other logging would be useful? | 16:10 |
bknudson | maybe it's worth checking the grenade logs and see if it's installing stuff. | 16:10 |
*** e0ne has quit IRC | 16:10 | |
bknudson | odd but possible. | 16:10 |
dstanek | well, maybe not so odd | 16:10 |
dstanek | it's upgrading keystone from K->L | 16:11 |
CaptainMorgan | Ok so this is likely oslo_utils | 16:11 |
dstanek | maybe the error happens before it restarts apache | 16:11 |
CaptainMorgan | The oslo config error is because you hit an error before. | 16:11 |
CaptainMorgan | And the conf object already has things loaded. | 16:11 |
samueldmq | CaptainMorgan: k so as each process has its own middleware, they will all be updated with the new policy, for sure | 16:12 |
CaptainMorgan | So reregistering opts causes subsequent errors. | 16:12 |
samueldmq | CaptainMorgan: the concern is that they all need to be atomic | 16:12 |
bknudson | stupid global variables! | 16:12 |
dstanek | so an apache worker restarts during the keystone upgrade and the deps would be all out of whack | 16:12 |
CaptainMorgan | samueldmq: yes they need to be atomic across all of them. | 16:12 |
samueldmq | CaptainMorgan: and what windows we could consider them as being atomic .. | 16:12 |
bknudson | that does make some sense. apache would discard the application | 16:12 |
CaptainMorgan | dstanek: yep. Possibly. | 16:12 |
bknudson | and in both cases they happened in pairs. | 16:13 |
CaptainMorgan | bknudson: yep. Ignore the oslo_config error it's a red herring here | 16:13 |
bknudson | not sure what we'd do about it? | 16:13 |
samueldmq | CaptainMorgan: sure, they would be updated in the first incoming request where timeout has been reached .. | 16:13 |
bknudson | catch the exception in initializing and reset somehow? | 16:13 |
*** ankita_wagh has joined #openstack-keystone | 16:13 | |
bknudson | there might be all sorts of global state that's messed up. | 16:14 |
bknudson | drivers half-loaded | 16:14 |
CaptainMorgan | bknudson: this isn't something you can reset out of. | 16:14 |
CaptainMorgan | This is a broken workflow in grenade | 16:14 |
samueldmq | CaptainMorgan: but if timeouts may be reached in different timings in different processes .. or we shouldn't consider this | 16:14 |
bknudson | maybe just need to restart apache again at end of upgrading | 16:14 |
*** gyee has joined #openstack-keystone | 16:14 | |
*** ChanServ sets mode: +v gyee | 16:14 | |
bknudson | if that's not happening already | 16:14 |
samueldmq | CaptainMorgan: (I am assuming you can talk about this subject at the same time as well :)) | 16:14 |
CaptainMorgan | You cannot live upgrade keystone or mod_wsgi - it needs a restart. | 16:15 |
CaptainMorgan | samueldmq: that is the issue of cache coherency. You need all the processes to update at the same time. Not at different times. The timeout must be synchronized | 16:15 |
bknudson | ok, time to check out grenade | 16:15 |
CaptainMorgan | samueldmq: this *is* the hardest part of this update for policy. And honestly why I think the central policy stuff cannot make it this cycle at this point. Scaffolding for it will happen. Centralization and consumption from keystone likely won't | 16:16 |
bknudson | http://git.openstack.org/cgit/openstack-dev/grenade/tree/projects -- doesn't bode well | 16:16 |
bknudson | keystone is first in the list | 16:16 |
samueldmq | CaptainMorgan: k got it, that must be in the spec as well ;) | 16:17 |
CaptainMorgan | bknudson: grenade makes the assumption that pip install does 100% the right thing. | 16:17 |
CaptainMorgan | bknudson: so likely something has stomped on keystone's deps somehow. Also mod_wsgi the way we have it configured doesn't load the worker until the first request. | 16:18 |
CaptainMorgan | So Apache might restart fine and explode down the line | 16:18 |
bknudson | not loading the worker until the request what made me think we'd be safe | 16:18 |
dstanek | it looks like grenade shuts down keystone, does the upgrade and then restarts it | 16:18 |
bknudson | since it wouldn't make requests until grenade is all done? | 16:18 |
CaptainMorgan | bknudson: it may make some requests before. Requests will trickle in as services are started | 16:19 |
bknudson | although maybe it does make requests during upgrade... checking service catalog | 16:19 |
CaptainMorgan | Due to middleware, etc catalog. | 16:19 |
*** spandhe has quit IRC | 16:19 | |
Lactem | dstanek: I thought he was saying that this bug might not require code changes / it's not really a bug. | 16:19 |
* CaptainMorgan is on a mobile device, so just talking about the stuff I know - not actually debugging it atm. | 16:19 | |
dstanek | Lactem: i read that as him giving hints for where you can look to see if that's the case | 16:20 |
*** kiran-r has quit IRC | 16:21 | |
dstanek | i don't understand where the grenade pip-freeze.txt comes from | 16:22 |
dstanek | log clearly show upgrade installs ksk 1.6.0 http://logs.openstack.org/66/185066/3/check/check-grenade-dsvm-neutron/45d8663/logs/grenade.sh.txt.gz#_2015-06-18_09_05_35_228 | 16:23 |
dstanek | pip-freeze.txt says 1.3.1 http://logs.openstack.org/66/185066/3/check/check-grenade-dsvm-neutron/45d8663/logs/pip-freeze.txt.gz | 16:23 |
CaptainMorgan | Awesome. | 16:23 |
CaptainMorgan | :( | 16:23 |
CaptainMorgan | Well when was pip-freeze run. Pre or post upgrade. | 16:24 |
CaptainMorgan | That might be a pre upgrade. | 16:24 |
*** RichardRaseley has quit IRC | 16:24 | |
CaptainMorgan | From devstack | 16:24 |
bknudson | devstack got support for running services in venv... seems like that would help? | 16:25 |
CaptainMorgan | bknudson: venv and mod_wsgi might have some oddities... Might. | 16:25 |
dolphm | bknudson: lbragstad: \o/ checking out the token provider manager w/ stevedore patch... https://review.openstack.org/#/c/166543/17/keystone/token/provider.py,unified | 16:25 |
lbragstad | bknudson: I have a question | 16:25 |
CaptainMorgan | But other services in venv - yes. | 16:25 |
lbragstad | bknudson: ^ what dolphm said | 16:25 |
*** RichardRaseley has joined #openstack-keystone | 16:26 | |
dolphm | bknudson: lbragstad: does the driver namespace restrict 3rd parties from providing entry points into custom drivers? | 16:26 |
CaptainMorgan | dolphm: no, you can place a driver in any namespace via entry points. | 16:26 |
lbragstad | dolphm: bknudson *if* the only thing I plan on doing is extending the BaseProvider https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L459 | 16:26 |
dolphm | CaptainMorgan: that's what i thought, but ... what does the driver_namespace do then? | 16:27 |
CaptainMorgan | The idea is you are looking in that namespace for the short name | 16:27 |
CaptainMorgan | So if someone calls a module for neutron "password" it is t found for keystone | 16:27 |
CaptainMorgan | For example. | 16:27 |
dolphm | so the third party package would specify a keystone.token.provider entrypoint as well? https://github.com/openstack/keystone/blob/master/setup.cfg#L110-L111 | 16:28 |
CaptainMorgan | Yep | 16:28 |
dolphm | oh ok | 16:28 |
dolphm | easy enough | 16:28 |
lbragstad | jsut as an entrypoint | 16:28 |
lbragstad | hmm | 16:28 |
CaptainMorgan | Yeah, it's meant to make it easy :) | 16:28 |
*** raildo has quit IRC | 16:29 | |
CaptainMorgan | Now... I have no idea what happens if someone specifies a driver name already used | 16:29 |
*** dguerri is now known as dguerri` | 16:29 | |
dolphm | CaptainMorgan: like, provides another 'uuid' entrypoint? | 16:30 |
*** raildo has joined #openstack-keystone | 16:30 | |
dolphm | i'd hope that setuptools or something would puke early | 16:31 |
*** RichardRaseley has quit IRC | 16:31 | |
*** RichardRaseley has joined #openstack-keystone | 16:31 | |
*** RichardRaseley has quit IRC | 16:32 | |
*** kiran-r has joined #openstack-keystone | 16:32 | |
dstanek | dolphm: i believe it does is you dupe the name | 16:32 |
CaptainMorgan | dolphm: i hope so too, but i haven't tried it | 16:33 |
dolphm | maybe not let you install that package at all? :D | 16:33 |
dolphm | that'd be like installing two packages with the same name | 16:33 |
dolphm | into site-packages | 16:33 |
*** jsavak has quit IRC | 16:33 | |
lbragstad | CaptainMorgan: dolphm so that seemed to work (i.e. it didn't puke) | 16:34 |
CaptainMorgan | New way to troll people:, provide conflicting entry points in some common used library | 16:34 |
*** BrAsS_mOnKeY has quit IRC | 16:34 | |
dolphm | lbragstad: sweet | 16:34 |
CaptainMorgan | Make lots of people cry | 16:34 |
CaptainMorgan | ??? | 16:34 |
CaptainMorgan | Profit | 16:34 |
CaptainMorgan | *shiftyeyes* | 16:35 |
Lactem | Hi dolphm. | 16:35 |
dolphm | Lactem: o/ | 16:36 |
Lactem | \o | 16:36 |
*** ChanServ sets mode: +o CaptainMorgan | 16:37 | |
CaptainMorgan | o/ | 16:37 |
CaptainMorgan | \o | 16:37 |
CaptainMorgan | \o/ | 16:37 |
*** rm_work is now known as rm_work|away | 16:37 | |
*** diazjf has quit IRC | 16:38 | |
CaptainMorgan | (>^_^)> | 16:38 |
dstanek | hi fives all around! o/\o | 16:38 |
CaptainMorgan | (╯°□°)╯︵ ┻━┻ | 16:39 |
*** edmondsw has quit IRC | 16:39 | |
samueldmq | haha Friday is fun | 16:40 |
*** diazjf has joined #openstack-keystone | 16:40 | |
Lactem | Sorry to have another problem... I'm trying tools/with_venv.sh bin/keystone-all and getting an error message similar to https://bugs.launchpad.net/mos/+bug/1397518 (ImportError: No module named oslo). | 16:40 |
openstack | Launchpad bug 1397518 in Mirantis OpenStack "python-oslo.concurrency requires python-retrying" [Critical,Fix committed] - Assigned to Max Yatsenko (myatsenko) | 16:40 |
dstanek | see that's PTL rage! going from fun hi fives to flipping tables | 16:40 |
samueldmq | dstanek: hehe | 16:41 |
*** browne has joined #openstack-keystone | 16:42 | |
Lactem | Yeah there's no oslo for me. Is there a link to install it or does it not work like that? | 16:44 |
samueldmq | david8hu: hi, sorry for the late answer | 16:44 |
samueldmq | david8hu: yes a deployer can configure its CMS to upload an already customized policy where is expected to be the default (we're now calling it stock policy) | 16:44 |
*** dguerri` is now known as dguerri | 16:45 | |
samueldmq | david8hu: however he won't be following the documented behavior :) | 16:45 |
samueldmq | david8hu: so that will be taken as the truth, even if he's lying to us | 16:45 |
*** dguerri is now known as dguerri` | 16:46 | |
samueldmq | david8hu: in the future, if we provided a /policy API in each service, this could be solved, but we aren't goign to that directiom | 16:46 |
dstanek | Lactem: i would expect the venv created by with_venv to have it installed. how did you check to see if it's installed? | 16:46 |
samueldmq | david8hu: at least for now, we can revisit that later .. I think it's a suggestion from nova gusy | 16:46 |
samueldmq | david8hu: guys* | 16:46 |
*** jsavak has joined #openstack-keystone | 16:48 | |
dolphm | Lactem: uhh, i don't use tools/with_venv.sh myself... have you used tox to run tests? | 16:49 |
samueldmq | Auth | 16:49 |
*** f13o has quit IRC | 16:49 | |
Lactem | No sorry I'm not familiar with tox. | 16:49 |
Lactem | I'm trying to re-set it up following http://docs.openstack.org/developer/keystone/developing.html and the tutorial directly before that. @dolphm | 16:50 |
dstanek | tox will allow you to run the unit tests | 16:51 |
*** ankita_wagh has quit IRC | 16:51 | |
Lactem | I'm still trying to do this setup. | 16:51 |
Lactem | I think I may have skipped these steps yesterday, so my testing might not be accurate. | 16:51 |
dstanek | you don't need the setup to run the unit tests | 16:51 |
dolphm | Lactem: which branch are you working with, master? | 16:51 |
Lactem | Yes. | 16:51 |
Lactem | http://docs.openstack.org/developer/keystone/setup.html So you're saying I can skip that page? | 16:52 |
dolphm | Lactem: we should maybe update those docs with what we *actually* do nowadays | 16:52 |
Lactem | That would be a good idea. :P | 16:53 |
dolphm | Lactem: can you `pip install tox` ? | 16:53 |
dstanek | if you have a checkout then run 'tox -e py27' to run the unit tests | 16:53 |
Lactem | Okay. | 16:53 |
*** BrAsS_mOnKeY has joined #openstack-keystone | 16:53 | |
dolphm | Lactem: they're not entirely innaccurate, just maybe not today's best practices | 16:53 |
*** rm_work|away is now known as rm_work | 16:53 | |
dstanek | there may be system libraries that need to be installed | 16:53 |
Lactem | I should be in sudo su stack, correct? | 16:53 |
dolphm | oh, this is devstack! | 16:53 |
Lactem | Yes. | 16:53 |
Lactem | I was told to use devstack. | 16:54 |
dolphm | that's fair | 16:54 |
*** thedodd has joined #openstack-keystone | 16:54 | |
dolphm | i'm also an outcast because i raaaarely use devstack | 16:54 |
dolphm | outcast/outlier | 16:54 |
Lactem | Oh. | 16:54 |
Lactem | What do you use and is it easier? | 16:54 |
dstanek | Lactem: devstack already setups up a working instance of keystone - this is the way i usually develop | 16:54 |
dolphm | dstanek: i was going to suggest `tox -e py27` and then `.tox/py27/bin/keystone-all` .. | 16:54 |
dstanek | dolphm: yep, exactly | 16:55 |
Lactem | I actually did that before and it got stuck for a while. I just exited. | 16:55 |
dstanek | Lactem: i don't think it gets too much easier than devstack for starting out | 16:55 |
Lactem | py27 installdeps: -r/opt/stack/keystone/requirements.txt, -r/opt/stack/keystone/test-requirements.txt | 16:55 |
Lactem | It was stuck on that. | 16:55 |
*** raildo has quit IRC | 16:55 | |
dstanek | can your VM talk to the outside world? | 16:56 |
Lactem | Probably? | 16:56 |
dolphm | ping -c 1 google.com ? | 16:56 |
Lactem | I mean I can put stuff on Google Drive and have the VM download from there if that's what you mean. | 16:56 |
*** raildo has joined #openstack-keystone | 16:56 | |
Lactem | Yeah the ping works just fine. | 16:56 |
dstanek | try running tox again then | 16:57 |
dolphm | after running `tox -e py27` successfully, then `source .tox/py27/bin/activate` will get you into a python 2.7 virtualenv containing just keystone | 16:57 |
Lactem | Is tox -e py27 supposed to take a really long time? | 16:57 |
dolphm | Lactem: it runs thousands of tests | 16:58 |
*** bradjones has quit IRC | 16:58 | |
dstanek | yes, a good amount of time | 16:58 |
dolphm | Lactem: and installs lots of packages right off the bat. but it should give you decent feedback once the tests start | 16:58 |
Lactem | It keeps getting stuck on the second line. I'll just wait a while. | 16:58 |
dolphm | Lactem: it's probably downloading all of pypi | 16:58 |
dstanek | Lactem: how long to you normally wait? | 16:58 |
*** bradjones has joined #openstack-keystone | 16:58 | |
*** bradjones has quit IRC | 16:58 | |
*** bradjones has joined #openstack-keystone | 16:58 | |
dolphm | Lactem: (exagerration) it's downloading all the packages specified by requirements.txt and test-requirements.txt | 16:59 |
dolphm | Lactem: stuck on "py27 installdeps" ? | 17:00 |
Lactem | It's moving on now. | 17:00 |
*** RichardRaseley has joined #openstack-keystone | 17:03 | |
*** belmoreira has quit IRC | 17:03 | |
samueldmq | ayoung: I am updating the diagrams by putting more details | 17:06 |
samueldmq | ayoung: see the first I just updated, and let me know if it looks good | 17:06 |
samueldmq | ayoung: http://tinyurl.com/p5f9ljx | 17:06 |
*** bradjones has quit IRC | 17:11 | |
*** bradjones has joined #openstack-keystone | 17:12 | |
*** bradjones has quit IRC | 17:12 | |
*** bradjones has joined #openstack-keystone | 17:12 | |
Lactem | dolphm: It's all done with py27. | 17:15 |
Lactem | Now I do source .tox/py27/bin/activate? | 17:15 |
dolphm | Lactem: yeah, try that | 17:15 |
Lactem | Done. | 17:15 |
Lactem | (py27)stack@Ubuntu64:~/keystone$ | 17:16 |
Lactem | Now I'm in that. | 17:16 |
dolphm | Lactem: can you run `keystone-all` directly? | 17:16 |
Lactem | tools/with_venv.sh bin/keystone-all Like that, right? | 17:16 |
Lactem | That still gives me the problem with "No module named oslo found." | 17:17 |
dolphm | Lactem: no, just `keystone-all` directly | 17:17 |
dolphm | Lactem: you should be in a virtualenv (py27) where keystone is installed | 17:17 |
Lactem | Yes. | 17:18 |
Lactem | I don't see any keystone-all in ls. | 17:18 |
dolphm | Lactem: keystone-all would be in .tox/py27/bin | 17:18 |
Lactem | I'm in /opt/stack/keystone | 17:18 |
Lactem | . | 17:18 |
Lactem | (py27)stack@Ubuntu64:~/keystone$ pwd | 17:18 |
dolphm | but .tox/py27/bin should already be in your path | 17:18 |
*** ankita_wagh has joined #openstack-keystone | 17:19 | |
Lactem | (py27)stack@Ubuntu64:~/keystone$ pwd | 17:19 |
*** ankita_wagh has quit IRC | 17:19 | |
Lactem | shows: /opt/stack/keystone | 17:19 |
*** ankita_wagh has joined #openstack-keystone | 17:19 | |
*** spandhe has joined #openstack-keystone | 17:19 | |
dolphm | Lactem: what does `which keystone-all` show? | 17:20 |
Lactem | shows: /opt/stack/keystone/.tox/py27/bin/keystone-all | 17:20 |
Lactem | Looks good, right? | 17:20 |
dolphm | Lactem: so keystone-all is already available, and you don't have to use tools/with_venv.sh because you're already in a venv containing keystone | 17:20 |
dolphm | Lactem: yep! just run `keystone-all` now, and you should see it startup | 17:21 |
Lactem | http://pastebin.com/RmTuFyyx | 17:21 |
Lactem | That's my traceback. | 17:21 |
Lactem | (from keystone-all) | 17:21 |
dolphm | keystone==2014.2.4.dev5 ?! | 17:22 |
*** ankita_wagh has quit IRC | 17:22 | |
dolphm | dstanek: any ideas? ^ | 17:22 |
*** ankita_wagh has joined #openstack-keystone | 17:22 | |
Lactem | I may have screwed up the setup and missed a step or something? | 17:22 |
*** jsavak has quit IRC | 17:23 | |
*** jsavak has joined #openstack-keystone | 17:23 | |
dolphm | Lactem: tox should take care of all the setup for you | 17:23 |
dolphm | Lactem: tox -e py27 ran successfully, right? | 17:24 |
dolphm | Lactem: tests passed at the end, etc | 17:24 |
Lactem | I think it was failing before or something. I used sudo tox -e py27. Is that bad? | 17:24 |
Lactem | It worked, though: py27: commands succeeded | 17:24 |
Lactem | congratulations :) | 17:24 |
dolphm | Lactem: oh, don't use sudo | 17:25 |
Lactem | Should I redo it without sudo? I don't see how that would change anything since it was successful. | 17:25 |
dolphm | Lactem: to recover, i'd do sudo rm -rf /opt/stack/keystone/.tox/ | 17:25 |
dolphm | Lactem: and then just `tox -e py27` | 17:25 |
Lactem | Thanks. This will take a while. I'll tell you what happens. | 17:26 |
dolphm | Lactem: but i have no idea what the consequences of running tox as a superuser would be -- does your regular user even have permission to utilize the resulting environment correctly? i'd guess not | 17:26 |
Lactem | Yeah it failed. | 17:27 |
dolphm | Lactem: tox -e py27 did? | 17:27 |
Lactem | Yep. No perms. That's why I did sudo before probably. | 17:27 |
Lactem | ${PYTHON:-python} -m subunit.run discover -t ./ ./keystone/tests --list | 17:27 |
Lactem | (13, 'Permission denied') | 17:27 |
dolphm | Lactem: there's no other error feedback? | 17:27 |
dolphm | Lactem: (lesson: be super skeptical before you prefix anything with sudo in the future!) | 17:28 |
Lactem | http://pastebin.com/03kZPaBd | 17:28 |
Lactem | Okay. | 17:28 |
*** diegows has joined #openstack-keystone | 17:29 | |
dolphm | Lactem: i'm trying to think through what would have been created without useable permissions that's not in .tox/ .... | 17:29 |
Lactem | Those were my errors. | 17:29 |
Lactem | Okay. | 17:29 |
dolphm | Lactem: considering we live in a VM-happy world, how long would it take you to blow away your devstack VM and create a new one? :) | 17:30 |
dolphm | Lactem: why problem solve when you can start from a known good state? :P | 17:31 |
*** HT_sergio has quit IRC | 17:31 | |
dolphm | Lactem: what does `ls -la $HOME/.pip_download_cache` look like? | 17:32 |
Lactem | ls: cannot access /opt/stack/.pip_download_cache: No such file or directory | 17:32 |
Lactem | I could restart. It would probably take about an hour. | 17:33 |
dolphm | or maybe ls -la $PIP_DOWNLOAD_CACHE | 17:33 |
Lactem | http://pastebin.com/ULvaB8eF | 17:33 |
dolphm | Lactem: ooh, there we go (that's your keystone dir, btw) | 17:34 |
dolphm | Lactem: delete everything there owned by root | 17:34 |
samueldmq | CaptainMorgan: what if we defined a small timeout for policies, and cache would be checked on keystone against a hash | 17:34 |
dolphm | Lactem: `rm -rf keystone.egg-info .testrepository .venv` | 17:34 |
Lactem | I know how to delete. :P | 17:34 |
samueldmq | CaptainMorgan: I mean, each policy has its hash, and when the small timeout expires, we check policy validity against keystone using that hash | 17:35 |
dolphm | Lactem: i'm not saying you don't :) | 17:35 |
*** tqtran has joined #openstack-keystone | 17:35 | |
dolphm | Lactem: it was likely hte .testrepository that your normal user couldn't touch | 17:35 |
Lactem | Alright done. | 17:35 |
samueldmq | CaptainMorgan: I think that's the same issue as tokens, where we want to stop revoking and set timeouts that make more sense | 17:35 |
dolphm | Lactem: so, try `tox -e py27` once more | 17:36 |
*** diazjf has quit IRC | 17:36 | |
CaptainMorgan | samueldmq: you will end up with some requests failing or succeeding incorrectly and you don't have control of the windows like you do with a cms deploy | 17:36 |
Lactem | http://pastebin.com/UxxYzJCG | 17:36 |
Lactem | I think this is because I deleted those directories and it needs those. | 17:37 |
CaptainMorgan | You can't hope for the best here, this is one we need to actually solve correctly, short timeouts are not viable on their own. | 17:37 |
samueldmq | CaptainMorgan: do you have any direction on a good approach to solve this ? | 17:37 |
samueldmq | CaptainMorgan: so my mind could start thinking on that direction | 17:38 |
CaptainMorgan | Not this week I don't | 17:38 |
CaptainMorgan | :P | 17:38 |
samueldmq | CaptainMorgan: tell your mind to find something next week, so I can put in the spec | 17:38 |
CaptainMorgan | There are a lot of pitfalls around this. | 17:38 |
*** e0ne has joined #openstack-keystone | 17:38 | |
CaptainMorgan | I can throw ideas out but it doesn't mean they are good. | 17:38 |
samueldmq | CaptainMorgan: go ahead :) | 17:39 |
samueldmq | CaptainMorgan: you have been touched this issue more times than me, I am sure | 17:39 |
dolphm | Lactem: try `tox -r -e py27` | 17:39 |
dolphm | Lactem: which will rebuild .tox/py27/ | 17:39 |
samueldmq | CaptainMorgan: (I've never had this in practice) | 17:39 |
CaptainMorgan | This is something we likely need to defer until the mid cycle for, unfortunately. Without a whiteboard and more than irc (mumble won't help here either) I can design a solution. | 17:40 |
samueldmq | CaptainMorgan: ok so sounds like I plan | 17:40 |
CaptainMorgan | I've dealt with this before. It just plain is hard to do. | 17:40 |
samueldmq | CaptainMorgan: we implement the simple solution (where incoherency is accepted by timeout slice of time) | 17:40 |
samueldmq | CaptainMorgan: and we define something better in the midcycle | 17:41 |
CaptainMorgan | Let me be clear, we can't ask anyone to deploy it with out solve this. | 17:41 |
CaptainMorgan | It is better to tell them to use cms and not centralize it because they have control of the windows of potential outages. | 17:42 |
samueldmq | CaptainMorgan: k so I will make sure we have the first implementation before midcycle (I've a demo already) | 17:42 |
samueldmq | CaptainMorgan: so we have the rest of the cycle to improve it, so more chacnes to get it done | 17:42 |
* CaptainMorgan would rather see focus on the other changes needed tbh | 17:42 | |
Lactem | dolphm: I'm going to take a break while this runs and be back in maybe 10 minutes. | 17:42 |
samueldmq | CaptainMorgan: dealing with microversions in oslo.policy ? | 17:42 |
CaptainMorgan | That is a huge one | 17:43 |
samueldmq | CaptainMorgan: sure, but we need to define the scope (already did with ayoung) I am just putting more details | 17:43 |
samueldmq | CaptainMorgan: before asking you to take a look | 17:43 |
CaptainMorgan | And the way that gets dealt with could change how we do centralization. | 17:43 |
samueldmq | CaptainMorgan: ok I need to investigate that, and see how we'll be addressing it | 17:43 |
CaptainMorgan | Because if we centralize policy and then to deal with microversions we have to redesign the centralization... A lot of throw away work. | 17:44 |
CaptainMorgan | Cache coherency of the policy within an endpoint is the last piece otherwise you're really at risk of redesigning the caching. | 17:45 |
*** amakarov is now known as amakarov_away | 17:45 | |
CaptainMorgan | The saying: I have one problem, and I use caching to solve it. Now I have two problems. | 17:45 |
CaptainMorgan | It isn't far off. | 17:45 |
CaptainMorgan | Caching is always hard to do correctly. | 17:46 |
samueldmq | CaptainMorgan: the biggest benefit of centralizing is the APIs we provide to define better policies, which should be orthogonal to dealing with microversions | 17:46 |
samueldmq | CaptainMorgan: not sure, I need to visit that subject deeply | 17:46 |
CaptainMorgan | samueldmq: just expect you're going to have to throw away the centralization and redesign it if you treat it as orthogonal. | 17:47 |
CaptainMorgan | If it wasn't a distributed system, it would be a lot easier. | 17:47 |
samueldmq | CaptainMorgan: maybe, as I said, I am not sure, need to understand deeply how we're going to deal with microversions | 17:47 |
ayoung | CaptainMorgan, Are you suggesting we never cache data from Keystone? | 17:48 |
CaptainMorgan | ayoung: I'm saying address the issues around dealing with the policy variances at the endpoint, then design caching around that. | 17:48 |
CaptainMorgan | ayoung: don't design centralization and caching then try and wedge in the other work, because there is a significant risk you'll need to redesign the caching | 17:48 |
ayoung | CaptainMorgan, so you think we should drop centralizing the policy? You seem to have been implying that lately without outright saying it | 17:49 |
CaptainMorgan | No. Just focus on making sure all the other bits are in order before centralizing | 17:50 |
samueldmq | CaptainMorgan: ok, we're finishing the first bit you asked : roadmap + scope for L | 17:51 |
samueldmq | CaptainMorgan: I will study that microversion stuff and then have somehting in the roadmap, with priority | 17:52 |
CaptainMorgan | E.g. How are microversions in the ApIS handled, the base line policy work (if any is needed), then how you source policy and ensure all processes (potentially across physically different services) pick up the policy at once. | 17:52 |
samueldmq | ayoung: makes sense? ^ | 17:52 |
CaptainMorgan | Just ensuring you aren't designing a system that no one can use because cms deployment give control over when potential outages/inconsistent policy responses happen. | 17:52 |
CaptainMorgan | Or wasting a lot of effort on designing a caching system for this that doesn't work for the use-case. | 17:53 |
*** marzif has joined #openstack-keystone | 17:53 | |
samueldmq | ayoung: I want to update the diagrams, but https://wiki.openstack.org/wiki/File:Dynamic-policies-install.png | 17:54 |
CaptainMorgan | If you want to invert this, order go for it, but I'm betting there will be a lot of redesign along the way - and a lot of throw away code. | 17:54 |
samueldmq | ayoung: says me 'You cannot overwrite this file.' | 17:54 |
* CaptainMorgan is really pointing out the traps here having been down this road 4 or 5 times in previous projects / companies. | 17:56 | |
*** jasondotstar has quit IRC | 17:56 | |
samueldmq | CaptainMorgan: k I will study this next week, and see how it fits better in our planned roadmap/scope | 17:56 |
samueldmq | :) | 17:56 |
CaptainMorgan | Ayoung: Notice I'm not -1 or -2 any of this. | 17:56 |
bknudson | dolphm: the driver_namespace matches the string in setup.cfg http://git.openstack.org/cgit/openstack/keystone/tree/setup.cfg#n110 | 17:56 |
CaptainMorgan | ayoung: I'm really just trying to save you headaches down the line / total rewrites :( | 17:57 |
bknudson | if you have your own driver you'll have to call it something different than the existing ones | 17:57 |
dolphm | bknudson: thanks, i think we got it straighted out! the config lbragstad was running was not as i thought, so i was lead to believe the implementation was behaving oddly | 17:57 |
bknudson | so if I wanted to have my own token provider I'd call it bknudsons_driver or something. | 17:57 |
openstackgerrit | Eric Brown proposed openstack/keystone: Add missing keystone-manage commands to doc https://review.openstack.org/193663 | 17:58 |
Lactem | dolphm: tox works | 17:59 |
*** jdennis has joined #openstack-keystone | 17:59 | |
*** jasondotstar has joined #openstack-keystone | 17:59 | |
*** jasondot_ has joined #openstack-keystone | 17:59 | |
ayoung | CaptainMorgan, doesn't really seem to matter, Sean has checked out of the conversation, and without him, driving microversions, I don't think we are going anywhere. | 18:01 |
dolphm | Lactem: try running keystone again! | 18:03 |
*** ninag has joined #openstack-keystone | 18:04 | |
Lactem | Type keystone-all? | 18:04 |
dolphm | Lactem: if you're in the .tox/py27 venv already, yes | 18:04 |
Lactem | It says (py27) in front of my command thing, so I assume I am. Here goes... | 18:04 |
*** jith_ has quit IRC | 18:05 | |
*** Rockyg has joined #openstack-keystone | 18:05 | |
Lactem | http://pastebin.com/f0vjyzSS | 18:05 |
Lactem | :( | 18:05 |
*** diazjf has joined #openstack-keystone | 18:07 | |
dolphm | Lactem: what is your `git log -n 1` ? | 18:08 |
Lactem | @dolphm | 18:08 |
Lactem | sry | 18:08 |
Lactem | http://pastebin.com/6m810cPB | 18:09 |
Lactem | This should be up-to-date. I just made this VM yesterday afternoon. | 18:09 |
*** arunkant has quit IRC | 18:10 | |
*** jasondotstar has quit IRC | 18:10 | |
Lactem | dolphm: Wouldn't installing "The 'requests!=2.4.0,<=2.2.1,>=2.1.0' distribution" fix it? | 18:14 |
dolphm | Lactem: possibly, but you'll likely just run into another, similar issue. i'm trying to reproduce now. | 18:16 |
dolphm | Lactem: if you created this VM yesterday, why is the latest commit 2 weeks old? | 18:17 |
CaptainMorgan | ayoung: ill see what i can do.about wrangling sean back into the convo | 18:17 |
dolphm | Lactem: oh sorry, that's a merge | 18:17 |
Lactem | I'm using vagrant and devstack by the way. | 18:17 |
dolphm | Lactem: i'm running this now from the same commit SHA as you: `tox -r -e py27 ; n source .tox/py27/bin/activate ; keystone-all` | 18:18 |
*** marzif has quit IRC | 18:18 | |
Lactem | Umm. | 18:18 |
Lactem | I never did the source. | 18:18 |
Lactem | Could that be the problem? | 18:18 |
samueldmq | CaptainMorgan: sure, talking to him is the next step to see things in nova side, once we've agreed internally on that wiki :) | 18:19 |
Lactem | I went straight from tox -r -e py27 to keystone-all. | 18:19 |
samueldmq | CaptainMorgan: and yes, please get him back into the convo | 18:19 |
dolphm | Lactem: this is stable/juno! 2014.2.4 | 18:19 |
dolphm | that explains the weird version string earlier; you're not even close to master | 18:19 |
Lactem | Why would that be? | 18:20 |
Lactem | Do I need to run git clone? | 18:20 |
Lactem | I thought it automatically did that when vagrant first set this all up. | 18:20 |
dolphm | Lactem: did you install devstack yourself? | 18:20 |
Lactem | Yeah. | 18:20 |
Lactem | Well I think so. | 18:20 |
Lactem | I got a virtual box. | 18:20 |
dolphm | Lactem: did you follow these instructions? http://docs.openstack.org/developer/devstack/ | 18:21 |
Lactem | No. | 18:21 |
Lactem | I don't see anything with vagrant in there. I'm using vagrant. | 18:21 |
*** rlt_ has quit IRC | 18:23 | |
bknudson | dstanek: stevedoor: I marked https://bugs.launchpad.net/grenade/+bug/1466485 as incomplete for keystone based on what we've seen. | 18:23 |
openstack | Launchpad bug 1466485 in Keystone "keystone fails with: ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option" [Critical,Incomplete] | 18:23 |
Lactem | I can try following that tutorial now, but I think I would have to re-make my machine. | 18:23 |
Lactem | I'm hoping to avoid doing that again. | 18:23 |
bknudson | cattle not pets! | 18:23 |
dolphm | Lactem: have a link to where you got the vagrant init from? | 18:24 |
dolphm | bknudson: even if he nukes it, he'll be back to square one with a stable/juno devstack box .. | 18:24 |
bknudson | you do need to check out the right branch of devstack | 18:25 |
Lactem | I was given a vagrant.tgz and a box. | 18:25 |
Lactem | It's a private download in Google Drive. | 18:26 |
*** HT_sergio has joined #openstack-keystone | 18:27 | |
Lactem | http://pastebin.com/RU3ie9ve That's what I had. | 18:27 |
dolphm | bknudson: is it possible to switch and restack gracefully? | 18:27 |
Lactem | For me I can use vagrant suspend and then vagrant up again to restart, but that's not technically a restart I guess. I believe there's vagrant restart, but I've never tried it. | 18:28 |
bknudson | dolphm: I don't switch around to really old devstacks ever. I keep a separate vm. | 18:28 |
dolphm | Lactem: i find it odd that they stuck you with juno | 18:28 |
bknudson | it might work | 18:28 |
Lactem | I'm sure I can switch. | 18:28 |
Lactem | Is it the vagrant or the box that I need to change? | 18:29 |
*** kiran-r has quit IRC | 18:29 | |
bknudson | git checkout master in devstack and ./stack | 18:29 |
*** jdennis has quit IRC | 18:29 | |
bknudson | probably want to ./unstack first | 18:29 |
Lactem | Okay so I made a new folder and used git clone (like in that tutorial). There's no ./stack there. | 18:30 |
dolphm | Lactem: the vagrant image must have contained either devstack pre-installed at stable/juno, or came configured to install stable/juno | 18:30 |
bknudson | stack.sh | 18:30 |
bknudson | it's in devstack directory | 18:30 |
Lactem | Wait no there is. | 18:30 |
Lactem | Sorry I misspelled it. | 18:30 |
dolphm | Lactem: you shouldn't need to clone devstack again | 18:30 |
Lactem | I don't ever remember typing git clone <link> for devstack. | 18:31 |
dolphm | that was probably part of the vagrant image | 18:31 |
bknudson | there might be an option to tell it to re-clone all the repos | 18:31 |
bknudson | otherwise you'll have to go through all your repos and check them out to master, too | 18:31 |
dolphm | if you had, then you would have had to go out of your way to use a 7 month old release! | 18:31 |
bknudson | they're in /opt/stack/* | 18:31 |
dolphm | bknudson: well that's no fun | 18:31 |
dolphm | bknudson: surely there's something in an rc file? | 18:32 |
bknudson | I've got a script that updates all the repos ;) | 18:32 |
*** jasondotstar has joined #openstack-keystone | 18:32 | |
Lactem | So I should vagrant up again and run an update script that's in /opt/stack? | 18:32 |
*** jsavak has quit IRC | 18:33 | |
*** jsavak has joined #openstack-keystone | 18:33 | |
bknudson | looks like the option is RECLONE in localrc | 18:33 |
openstackgerrit | Raildo Mascena de Sousa Filho proposed openstack/keystone-specs: Token request after Reseller https://review.openstack.org/192495 | 18:34 |
raildo | CaptainMorgan, dstanek, gyee ^ | 18:36 |
Lactem | What's the name of the update script? There are just all of the project folders in /opt/stack. | 18:36 |
bknudson | actually, looks like you can just delete all the dirs in /opt/stack, then devstack should reclone | 18:38 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Document policy target for operation https://review.openstack.org/168521 | 18:38 |
*** diegows has quit IRC | 18:39 | |
Lactem | So what's the link to clone all of the projects? | 18:39 |
Lactem | Or do I need to clone each one individually? | 18:39 |
bknudson | run ./stack.sh and that will clone | 18:39 |
*** stevedoor has quit IRC | 18:40 | |
Lactem | I don't see any stack.sh anymore, though. | 18:41 |
Lactem | Oh okay the one in /home/stack/devstack. | 18:41 |
Lactem | Okay I'll do it. I'm pretty sure that's what it did automatically to install the outdated stuff last time, though. | 18:42 |
samueldmq | CaptainMorgan: ayoung I just updated the wiki https://wiki.openstack.org/wiki/DynamicPolicies | 18:42 |
samueldmq | CaptainMorgan: ayoung activity diagrams are very detailed now, Roadmap is defined and Liberty scope is set (and agreed with ayoung for now) | 18:43 |
dolphm | bknudson: where is stackrc / whatever specifies the branches everything should use? | 18:45 |
Lactem | I'll just let this stack.sh run. ttyl | 18:45 |
dolphm | bknudson: or is that just built into devstack's stable/juno branch? | 18:45 |
bknudson | dolphm: if you check out devstack stable/juno it will use stable/juno for the repos | 18:46 |
dolphm | bknudson: cool | 18:48 |
dolphm | Lactem: ^ | 18:48 |
Lactem | Yeah I think it's just going to re-install the same stuff that was already installed. | 18:49 |
Lactem | How do I check out a different version? | 18:49 |
ayoung | samueldmq, I'll look in a bit | 18:49 |
samueldmq | ayoung: sure, great! | 18:50 |
*** diegows has joined #openstack-keystone | 18:51 | |
*** diegows has quit IRC | 18:52 | |
*** jasondotstar has quit IRC | 19:01 | |
charlesw | CaptainMorgan, dstanek and folks: my token expiring before expiration time happens in keystone middleware frequently. I'm using keystone middleware 1.5 on ubuntu trusty. The token is not in revocation list. Any clues? | 19:05 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Sanitize passwords in debug log on user create https://review.openstack.org/193695 | 19:19 |
*** bradjones has quit IRC | 19:20 | |
*** bradjones has joined #openstack-keystone | 19:22 | |
*** bradjones has quit IRC | 19:22 | |
*** bradjones has joined #openstack-keystone | 19:22 | |
*** ninag has quit IRC | 19:25 | |
dolphm | bknudson: thanks ^ | 19:25 |
bknudson | I should be able to create a test. | 19:25 |
bknudson | actually, I'm surprised dolphm doesn't have a test already. | 19:26 |
dolphm | bknudson: ;) | 19:26 |
dolphm | bknudson: speaking of: https://review.openstack.org/#/c/192782/ i didn't +A because i wrote the test coverage | 19:27 |
dolphm | and we're all at rackspace, i suppose | 19:27 |
bknudson | dolphm: I did get to that one when I was reviewing a couple days ago. | 19:27 |
*** csoukup has joined #openstack-keystone | 19:29 | |
bknudson | I meant I didn't get to that one | 19:33 |
bknudson | there were too many other old reviews that had a +2 | 19:33 |
*** rdo has quit IRC | 19:35 | |
bknudson | This test is going to be awesome | 19:36 |
*** ihrachyshka has joined #openstack-keystone | 19:36 | |
bknudson | hint: https://github.com/testing-cabal/fixtures/blob/master/fixtures/_fixtures/logger.py#L65 | 19:37 |
*** rdo has joined #openstack-keystone | 19:37 | |
*** jasondotstar has joined #openstack-keystone | 19:37 | |
*** jasondotstar has quit IRC | 19:38 | |
*** pc_m has quit IRC | 19:38 | |
*** jsavak has quit IRC | 19:39 | |
*** jsavak has joined #openstack-keystone | 19:39 | |
openstackgerrit | Brant Knudson proposed openstack/keystone: Sanitize passwords in debug log on user create https://review.openstack.org/193695 | 19:42 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Add test showing password logged https://review.openstack.org/193703 | 19:42 |
*** HT_sergio has quit IRC | 19:44 | |
*** jasondotstar has joined #openstack-keystone | 19:46 | |
*** jasondotstar has quit IRC | 19:47 | |
*** marzif has joined #openstack-keystone | 19:49 | |
*** jsavak has quit IRC | 19:50 | |
*** jasondotstar has joined #openstack-keystone | 19:54 | |
Lactem | dolphm:./stack.sh had some errors at the end, but it appears to have finished. | 19:57 |
*** belmoreira has joined #openstack-keystone | 19:57 | |
david8hu | samueldmq, ayoung, One of my teamates is going to help out on dynamic policy as well. I do not see her on IRC at the moment. We now have one additional help :) | 19:57 |
*** boris-42 has joined #openstack-keystone | 20:04 | |
*** stevemar has joined #openstack-keystone | 20:07 | |
*** ChanServ sets mode: +v stevemar | 20:07 | |
Lactem | dolphm: Okay I'm just doing vagrant destroy and vagrant up again. It's going to take a while. | 20:08 |
*** gabriel-bezerra has quit IRC | 20:11 | |
*** e0ne has quit IRC | 20:11 | |
openstackgerrit | Fernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations https://review.openstack.org/192850 | 20:12 |
stevemar | diazjf, \o/ | 20:13 |
stevemar | diazjf, i'll review it soon! it's open in a chrome tab.... just reviewing other stuff atm :) | 20:14 |
*** dan is now known as Guest87808 | 20:14 | |
*** marzif has quit IRC | 20:14 | |
*** dan_ has joined #openstack-keystone | 20:14 | |
*** belmoreira has quit IRC | 20:14 | |
*** dan_ is now known as Guest96299 | 20:14 | |
*** roxanaghe has joined #openstack-keystone | 20:15 | |
dolphm | Lactem: does intel want you to do any development against master? | 20:17 |
*** gabriel-bezerra has joined #openstack-keystone | 20:19 | |
openstackgerrit | Brant Knudson proposed openstack/keystone: Mask passwords in debug log on user password operations https://review.openstack.org/193695 | 20:22 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Add test showing password logged https://review.openstack.org/193703 | 20:22 |
*** HT_sergio has joined #openstack-keystone | 20:24 | |
*** roxanaghe has quit IRC | 20:24 | |
Lactem | dolphm: The goal is to successfully submit some patches. | 20:27 |
Lactem | That's why I'm working on that easy bug. It might not even need a patch. idk | 20:27 |
*** ankita_w_ has joined #openstack-keystone | 20:28 | |
*** marzif has joined #openstack-keystone | 20:30 | |
*** ankita_wagh has quit IRC | 20:32 | |
*** ankita_wagh has joined #openstack-keystone | 20:34 | |
diazjf | stevemar thanks | 20:36 |
diazjf | just running into some issues with validation | 20:36 |
*** ankita_w_ has quit IRC | 20:37 | |
diazjf | posted them on the patch | 20:37 |
stevemar | diazjf, run `tox -e docs` to check for validation before submitting ;) | 20:37 |
diazjf | nice thanks | 20:37 |
diazjf | meant json validation using cli :-/ | 20:37 |
*** jasondotstar has quit IRC | 20:37 | |
*** marzif has quit IRC | 20:38 | |
*** CaptainMorgan is now known as morgan | 20:41 | |
*** ankita_wagh has quit IRC | 20:41 | |
*** ankita_wagh has joined #openstack-keystone | 20:42 | |
morgan | stevemar: thanks for taking with the person this morning about oauth | 20:44 |
stevemar | morgan, np, have to reply still :P | 20:45 |
morgan | Right | 20:45 |
samueldmq | david8hu: that's great, thanks! glad to hear :) | 20:47 |
*** ihrachyshka has quit IRC | 20:47 | |
*** iurygregory has quit IRC | 20:51 | |
*** marzif has joined #openstack-keystone | 20:51 | |
*** raildo has quit IRC | 20:53 | |
dolphm | Lactem: you definitely want to get onto master then | 20:56 |
dolphm | Lactem: we won't accept patches to older branches unless they're backports from master, or there's a *really* good reason they can't go into master first | 20:57 |
*** marzif has quit IRC | 21:00 | |
openstackgerrit | Eric Brown proposed openstack/keystone: Add missing keystone-manage commands to doc https://review.openstack.org/193663 | 21:02 |
Lactem | I don't know why it wouldn't be on master by default. | 21:03 |
openstackgerrit | Fernando Diaz proposed openstack/keystone: Adding Documentation for Mapping Combinations https://review.openstack.org/192850 | 21:05 |
Lactem | dolphm: Any ideas on how I would make it use master branch? It looks like it's getting everything from the most recent git branch. | 21:06 |
*** rushiagr_away is now known as rushiagr | 21:08 | |
openstackgerrit | Eric Brown proposed openstack/keystone: Add missing keystone-manage commands to doc https://review.openstack.org/193663 | 21:10 |
dstanek | Lactem: 'git checkout master' will make your working copy use the master branch - what branch are you on? | 21:10 |
*** radez is now known as radez_g0n3 | 21:14 | |
*** charlesw has quit IRC | 21:15 | |
*** bradjones has quit IRC | 21:20 | |
Lactem | It says I'm already on master. | 21:22 |
Lactem | @ dstanek | 21:22 |
*** bradjones has joined #openstack-keystone | 21:22 | |
*** bradjones has quit IRC | 21:22 | |
*** bradjones has joined #openstack-keystone | 21:22 | |
Lactem | How can I check the version? | 21:22 |
dstanek | that's good then. what made you think that you were not? | 21:23 |
Lactem | Dolph said my version is juno or something like that. It's from 2014. | 21:23 |
Lactem | Wait which directory do I git checkout master from? | 21:23 |
Lactem | In keystone it says it's up to date with master. | 21:24 |
dstanek | you can run the checkout from anywhere in your local copy of the code | 21:25 |
*** htruta_ has joined #openstack-keystone | 21:25 | |
*** diazjf has quit IRC | 21:27 | |
*** HT_sergio has quit IRC | 21:29 | |
*** tqtran is now known as tqtran_afk | 21:29 | |
*** Rockyg has quit IRC | 21:30 | |
*** gabriel-bezerra has quit IRC | 21:34 | |
*** csoukup has quit IRC | 21:35 | |
openstackgerrit | Brant Knudson proposed openstack/keystone: Switch to oslo.service https://review.openstack.org/193732 | 21:37 |
bknudson | +6, -1118 | 21:37 |
bknudson | ^ that's how it should be. | 21:37 |
*** tqtran_afk is now known as tqtran | 21:38 | |
openstackgerrit | Brant Knudson proposed openstack/keystone: Switch to oslo.service https://review.openstack.org/193732 | 21:48 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Remove unused requirements https://review.openstack.org/193734 | 21:48 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Switch to oslo.service https://review.openstack.org/193732 | 21:49 |
*** stevemar has quit IRC | 21:52 | |
bknudson | this is weird -- requirements update breaks keystone -- https://review.openstack.org/#/c/190405/7 | 21:56 |
*** HT_sergio has joined #openstack-keystone | 21:58 | |
*** marzif has joined #openstack-keystone | 21:58 | |
*** rushiagr is now known as rushiagr_away | 22:01 | |
*** ankita_wagh has quit IRC | 22:02 | |
*** pballand has quit IRC | 22:06 | |
*** marzif has quit IRC | 22:10 | |
*** henriquetruta has joined #openstack-keystone | 22:11 | |
*** ankita_wagh has joined #openstack-keystone | 22:13 | |
openstackgerrit | Brant Knudson proposed openstack/keystone: Updated from global requirements https://review.openstack.org/190405 | 22:13 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Don't try to drop FK constraints for sqlite https://review.openstack.org/193741 | 22:13 |
*** RichardRaseley has quit IRC | 22:14 | |
*** htruta_ has quit IRC | 22:15 | |
*** ankita_wagh has quit IRC | 22:16 | |
*** dimsum__ has quit IRC | 22:19 | |
*** dimsum__ has joined #openstack-keystone | 22:20 | |
openstackgerrit | Brant Knudson proposed openstack/keystone: Don't try to drop FK constraints for sqlite https://review.openstack.org/193741 | 22:23 |
openstackgerrit | Brant Knudson proposed openstack/keystone: Updated from global requirements https://review.openstack.org/190405 | 22:23 |
*** HT_sergio has quit IRC | 22:26 | |
*** Lactem has quit IRC | 22:30 | |
*** bknudson has quit IRC | 22:30 | |
*** jasondot_ has quit IRC | 22:32 | |
*** dimsum__ has quit IRC | 22:32 | |
*** marzif has joined #openstack-keystone | 22:33 | |
*** david8hu has quit IRC | 22:37 | |
*** gyee has quit IRC | 22:39 | |
*** browne has quit IRC | 22:42 | |
*** henrynash has joined #openstack-keystone | 22:51 | |
*** ChanServ sets mode: +v henrynash | 22:51 | |
*** zzzeek has quit IRC | 22:58 | |
*** zzzeek has joined #openstack-keystone | 23:01 | |
*** ankita_wagh has joined #openstack-keystone | 23:03 | |
*** bigjools has quit IRC | 23:05 | |
*** zigo has quit IRC | 23:05 | |
*** marzif has quit IRC | 23:06 | |
*** zigo has joined #openstack-keystone | 23:07 | |
*** bigjools has joined #openstack-keystone | 23:08 | |
*** thedodd has quit IRC | 23:08 | |
*** zzzeek has quit IRC | 23:15 | |
*** henriquetruta has quit IRC | 23:20 | |
*** telemonster has quit IRC | 23:22 | |
*** telemonster has joined #openstack-keystone | 23:22 | |
*** vilobhmm has quit IRC | 23:23 | |
*** arif-ali has quit IRC | 23:26 | |
*** arif-ali has joined #openstack-keystone | 23:29 | |
*** HT_sergio has joined #openstack-keystone | 23:30 | |
*** henriquetruta has joined #openstack-keystone | 23:33 | |
*** henriquetruta has quit IRC | 23:39 | |
*** hogepodge has quit IRC | 23:45 | |
*** hemna_ has joined #openstack-keystone | 23:52 | |
*** browne has joined #openstack-keystone | 23:52 | |
*** hemna has quit IRC | 23:53 |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!