Friday, 2016-05-27

*** sdake_ has joined #openstack-keystone [00:00]
jlk: okay, I'm getting an unauthorized [00:01]
jamielennox: but looking through i'm not exactly sure of where and why it's set [00:02]
david-lyle: jlk you likely don't have a role on the domain, or one that doesn't allow you to list domains or get a domain [00:02]
jlk: I do [00:02]
jlk: but tracing will show what's up [00:02]
*** sdake has quit IRC [00:02]
jlk: 2016-05-27 00:04:21.680 30991 DEBUG keystone.token.providers.common [req-c6b99462-aaac-4031-86aa-b7dd601cd892 5dae4b7c2b76439d8419bc0956fbcb00 - - default -] User 5dae4b7c2b76439d8419bc0956fbcb00 has no access to domain default _populate_roles /opt/openstack/current/keystone/local/lib/python2.7/site-packages/keystone/token/providers/common.py:454 [00:05]
jlk: well that's weird. [00:05]
jlk: well then. [00:09]
david-lyle: expired token? [00:11]
david-lyle: wrong file :( [00:11]
jlk: "_get_roles_for_user" is coming up empty I think [00:11]
jlk: in keystone [00:12]
jlk: and raising that error [00:12]
david-lyle: you need a project role and a domain role [00:12]
jlk: interesting... [00:12]
*** ddieterly is now known as ddieterly[away] [00:12]
david-lyle: it's a pain, but how it is [00:12]
jamielennox: project role and a domain role? [00:13]
david-lyle: yup [00:13]
david-lyle: or just a domain role [00:13]
*** dims has quit IRC [00:13]
david-lyle: to do identity operations such as listing domains [00:14]
jlk: yeah maybe we can switch to just applying roles at domain [00:14]
jamielennox: that's related to how django_o_a sets fetches tokens or a keystone thing? [00:14]
david-lyle: keystone [00:14]
david-lyle: admin on default domain == keystone v2 admin [00:14]
jlk: bingo. [00:15]
david-lyle: jlk: I have to run, if you run into more issues, feel free to PM me or leave a ping in one of the rooms. I'm unfortunately responsible for a lot of that in horizon. [00:17]
jlk: well that lets me see the Domains tab now [00:17]
jlk: david-lyle: just real quick, what's the purpose of the "domains" drop down box on the top nav bar? [00:17]
david-lyle: that's mostly just informative [00:18]
david-lyle: the project and region switcher live in there [00:18]
jlk: am I supposed to be able to select a different domain from there? [00:18]
david-lyle: but you can't switch domains without logging out [00:18]
jlk: or is that all through the "set domain context" in the Domains panel? [00:18]
david-lyle: set domain context is a filter [00:18]
*** itlinux has joined #openstack-keystone [00:18]
jlk: ah [00:18]
david-lyle: so you can set the domain context to a particular domain then see only users, groups, project in that domain [00:18]
jlk: I see [00:19]
david-lyle: it makes it less confusing to edit things [00:19]
david-lyle: then you can clear it back on the domains view [00:19]
jlk: so we add our "admin" user with keystone-manage bootstrap, which lets me set a user, password, project name, and role name [00:19]
jlk: but it doesn't seem to set the domain role, guess I have to do that separately [00:19]
*** browne has quit IRC [00:19]
david-lyle: not sure about the keystone-manage part [00:20]
david-lyle: I do it manually usually, but I'm sure there's a better way [00:20]
jlk: We can add automation for it, just getting a handle on it [00:20]
*** ddieterly[away] is now known as ddieterly [00:21]
david-lyle: ping me if you run into other stuff, got to run [00:21]
jlk: thanks! [00:22]
jamielennox: notmorgan, stevemar: have you seen this: https://review.openstack.org/#/c/289405/8/specs/newton/approved/discoverable-policy-cli.rst ? [00:23]
patchbot: jamielennox: patch 289405 - nova-specs - Adds Nova discoverable policy CLI spec [00:23]
jamielennox: and anyone particularly interested in policy ^ [00:24]
jlk: that's just fronting through the oslo.policy tools I thought [00:27]
jlk: but doing it through the API, which is nice, since consumers don't have access to policy files [00:28]
jamielennox: yep, i'm just not sure about nova deciding to go ahead and expose it like that because i haven't heard anyone talk about it from an oslo.policy/cross-project perspective [00:28]
jamielennox: discovering what you can do with a token has been a long running problem [00:28]
jamielennox: and not nova specific [00:28]
jlk: yeah, I was in two sessions at summit about this [00:29]
jlk: the nova one, and the cross project one [00:29]
jlk: maybe this is another case of "one project shows the way, other projects follow" [00:29]
*** markvoelker has joined #openstack-keystone [00:29]
jlk: just the first part of registering all the policy calls, that's pretty important across all projects. [00:29]
jamielennox: it was hoped it would be one of the wins of centralized policy but that doesn't seem to be on the table any more [00:30]
jlk: the idea of registering policy up with keystone somewhere in the catalog? [00:30]
jamielennox: the oslo.policy syntax sucks, annoying that is what's going to be displayed [00:31]
jamielennox: yea, that keystone would manage policy and then push it to other services [00:31]
*** lhcheng has quit IRC [00:32]
jlk: is that the on-disk policy that sucks, or otherwise? Because there is also work going to allow policy in YAML with comments and such [00:33]
*** markvoelker has quit IRC [00:36]
*** ddieterly is now known as ddieterly[away] [00:40]
*** browne has joined #openstack-keystone [00:46]
*** browne has quit IRC [00:46]
jamielennox: mostly i don't like the naming, without reading code there's no way to know that get_user_list is GET /v3/users [00:50]
jamielennox: i mean it's hopefully a little intuitive [00:50]
jamielennox: yaml would be better but not solve that problem [00:51]
jamielennox: i was kind of hoping jsonhome might have been a saviour here, but it seems like that's being abandoned [00:52]
*** ddieterly[away] is now known as ddieterly [00:54]
*** lhcheng has joined #openstack-keystone [00:56]
*** ChanServ sets mode: +v lhcheng [00:56]
*** dims has joined #openstack-keystone [00:56]
*** itlinux has quit IRC [00:57]
*** ddieterly is now known as ddieterly[away] [00:57]
*** lhcheng_ has joined #openstack-keystone [00:57]
*** diazjf has joined #openstack-keystone [00:58]
*** itlinux has joined #openstack-keystone [00:58]
*** rderose has joined #openstack-keystone [00:58]
*** lhcheng has quit IRC [01:00]
*** ddieterly[away] is now known as ddieterly [01:00]
*** diazjf1 has joined #openstack-keystone [01:02]
*** gyee has quit IRC [01:03]
*** itlinux has quit IRC [01:03]
*** diazjf has quit IRC [01:04]
openstackgerrit: Colleen Murphy proposed openstack/keystoneauth: Make the kerberos plugin loadable https://review.openstack.org/321814 [01:04]
*** spzala has quit IRC [01:09]
*** spzala has joined #openstack-keystone [01:10]
*** spzala has quit IRC [01:14]
*** diazjf1 has quit IRC [01:34]
*** EinstCrazy has joined #openstack-keystone [01:41]
*** sdake has joined #openstack-keystone [01:45]
*** sdake_ has quit IRC [01:48]
*** amrith is now known as _amrith_ [01:51]
*** _amrith_ is now known as amrith [01:52]
*** spzala has joined #openstack-keystone [01:57]
*** itlinux has joined #openstack-keystone [01:59]
*** amrith is now known as _amrith_ [02:04]
*** itlinux has quit IRC [02:04]
*** _amrith_ is now known as amrith [02:06]
*** amrith is now known as _amrith_ [02:08]
*** nkinder has quit IRC [02:08]
*** _amrith_ is now known as amrith [02:09]
*** ddieterly is now known as ddieterly[away] [02:10]
*** amrith is now known as _amrith_ [02:11]
*** _amrith_ is now known as amrith [02:11]
jlk: jamielennox: ah. I think part of the work on Nova's side was to be way more descriptive about what the policy does. and even link to where the policy is used in the code itself. [02:12]
*** spzala has quit IRC [02:12]
*** sdake_ has joined #openstack-keystone [02:26]
*** amrith is now known as _amrith_ [02:27]
*** sdake has quit IRC [02:28]
*** _amrith_ is now known as amrith [02:29]
*** buhman has quit IRC [02:31]
*** rderose has quit IRC [02:32]
*** josdotso has quit IRC [02:36]
*** openstackgerrit has quit IRC [02:36]
*** hockeynut has quit IRC [02:36]
*** hockeynut has joined #openstack-keystone [02:37]
*** openstackgerrit has joined #openstack-keystone [02:42]
*** agrebennikov has quit IRC [02:42]
*** spzala has joined #openstack-keystone [02:43]
*** spzala has quit IRC [02:50]
*** openstackgerrit has quit IRC [02:56]
*** woodster_ has quit IRC [02:58]
-openstackstatus- NOTICE: Gerrit is going offline briefly to check possible filesystem corruption [03:01]
*** ChanServ changes topic to "Gerrit is going offline briefly to check possible filesystem corruption" [03:01]
*** jamielennox is now known as jamielennox|away [03:01]
*** hockeynut has quit IRC [03:04]
*** TxGVNN has joined #openstack-keystone [03:06]
*** sdake has joined #openstack-keystone [03:07]
*** hockeynut has joined #openstack-keystone [03:08]
*** ddieterly[away] has quit IRC [03:10]
*** sdake_ has quit IRC [03:11]
*** richm has quit IRC [03:12]
*** code-R has joined #openstack-keystone [03:16]
*** code-R_ has joined #openstack-keystone [03:17]
*** openstackgerrit has joined #openstack-keystone [03:18]
*** sheel has joined #openstack-keystone [03:19]
*** ChanServ changes topic to "Newton Deadlines: http://releases.openstack.org/newton/schedule.html | Keystone Midcycle RSVP: http://goo.gl/forms/NfFMpJe6MSCXSNhr2 (Hosted By Cisco, July 20-22, 170 W Tasman Dr, San Jose, CA 95134) | Keystone Midcycle wiki https://wiki.openstack.org/wiki/Sprints/KeystoneNewtonSprint" [03:20]
-openstackstatus- NOTICE: after a quick check, gerrit and its filesystem have been brought back online and should be working again [03:20]
*** code-R has quit IRC [03:21]
openstackgerrit: werner mendizabal proposed openstack/keystone: Support encryption of credentials in Keystone https://review.openstack.org/317169 [03:21]
*** iurygregory has quit IRC [03:22]
*** dave-mccowan has quit IRC [03:22]
*** mvk_ has joined #openstack-keystone [03:32]
*** mkrcmari__ has quit IRC [03:36]
*** code-R_ has quit IRC [03:44]
*** links has joined #openstack-keystone [03:46]
openstackgerrit: Colleen Murphy proposed openstack/keystoneauth: Make the kerberos plugin loadable https://review.openstack.org/321814 [03:48]
*** code-R has joined #openstack-keystone [03:48]
*** buhman has joined #openstack-keystone [03:52]
*** lhcheng has joined #openstack-keystone [03:58]
*** ChanServ sets mode: +v lhcheng [03:58]
*** lhcheng_ has quit IRC [03:58]
*** rbridgeman has joined #openstack-keystone [04:00]
*** fawadkhaliq has joined #openstack-keystone [04:04]
*** diazjf has joined #openstack-keystone [04:05]
*** diazjf has quit IRC [04:05]
*** fawadkhaliq has quit IRC [04:07]
*** sdake_ has joined #openstack-keystone [04:25]
*** code-R has quit IRC [04:26]
*** edtubill has joined #openstack-keystone [04:26]
*** edtubill has quit IRC [04:27]
*** sdake has quit IRC [04:27]
*** sdake has joined #openstack-keystone [04:31]
*** markvoelker has joined #openstack-keystone [04:32]
*** sdake_ has quit IRC [04:33]
*** markvoelker has quit IRC [04:37]
*** adu has joined #openstack-keystone [04:37]
*** itlinux has joined #openstack-keystone [04:45]
*** roxanaghe has joined #openstack-keystone [04:48]
*** itlinux has quit IRC [04:48]
*** jaosorior has joined #openstack-keystone [04:50]
*** code-R has joined #openstack-keystone [04:55]
*** flwang1 has quit IRC [04:56]
*** roxanaghe has quit IRC [05:14]
*** code-R has quit IRC [05:16]
*** adu has quit IRC [05:20]
*** cheran has quit IRC [05:24]
*** itlinux has joined #openstack-keystone [05:29]
*** lhcheng has quit IRC [05:31]
*** lhcheng has joined #openstack-keystone [05:34]
*** ChanServ sets mode: +v lhcheng [05:34]
*** lhcheng has quit IRC [05:38]
*** rbridgeman has quit IRC [05:41]
*** sdake_ has joined #openstack-keystone [05:53]
*** sdake_ has quit IRC [05:53]
*** sdake_ has joined #openstack-keystone [05:53]
*** sdake has quit IRC [05:56]
*** sdake_ has quit IRC [05:59]
*** rk4n has joined #openstack-keystone [06:00]
*** rcernin has joined #openstack-keystone [06:05]
*** rcernin has quit IRC [06:15]
*** rcernin has joined #openstack-keystone [06:20]
*** dancn has quit IRC [06:21]
*** markvoelker has joined #openstack-keystone [06:33]
*** markvoelker has quit IRC [06:38]
*** daemontool has joined #openstack-keystone [06:44]
*** code-R has joined #openstack-keystone [06:49]
*** itlinux has quit IRC [06:51]
*** dancn has joined #openstack-keystone [06:54]
*** code-R_ has joined #openstack-keystone [06:54]
*** code-R has quit IRC [06:57]
openstackgerrit: Kanika Singh proposed openstack/keystone: Add a condition for 'region' parameter https://review.openstack.org/304489 [07:02]
*** rha has quit IRC [07:04]
*** TxGVNN has quit IRC [07:05]
*** belmoreira has joined #openstack-keystone [07:06]
*** TxGVNN has joined #openstack-keystone [07:08]
*** frickler has quit IRC [07:10]
-openstackstatus- NOTICE: zuul required a restart due to network outages. If your change is not listed on http://status.openstack.org/zuul/ and is missing results, please issue a 'recheck'. [07:13]
*** code-R_ has quit IRC [07:19]
*** frickler has joined #openstack-keystone [07:31]
*** daemontool has quit IRC [07:32]
*** pnavarro has joined #openstack-keystone [07:34]
*** tesseract has joined #openstack-keystone [07:36]
*** zzzeek has quit IRC [08:00]
*** zzzeek has joined #openstack-keystone [08:00]
*** belmoreira has quit IRC [08:02]
*** afazekas|sick is now known as afazekas [08:03]
*** TxGVNN has quit IRC [08:12]
*** fhubik has joined #openstack-keystone [08:24]
openstackgerrit: Kanika Singh proposed openstack/keystone: Add a condition for 'region' parameter https://review.openstack.org/304489 [08:28]
*** dmk0202 has joined #openstack-keystone [08:46]
*** amrith is now known as _amrith_ [08:47]
openstackgerrit: henry-nash proposed openstack/keystone-specs: Document supported query option for list projects https://review.openstack.org/322010 [08:52]
*** jaosorior is now known as jaosorior_lunch [08:59]
*** flwang1 has joined #openstack-keystone [09:01]
*** rha has joined #openstack-keystone [09:01]
*** belmoreira has joined #openstack-keystone [09:03]
*** belmoreira has quit IRC [09:05]
openstackgerrit: Alvaro Lopez Garcia proposed openstack/keystoneauth: Let Oidc* auth plugins accept scope parameters as kwargs https://review.openstack.org/322027 [09:17]
*** daemontool has joined #openstack-keystone [09:18]
*** zzzeek has quit IRC [09:20]
openstackgerrit: Alvaro Lopez Garcia proposed openstack/keystoneauth: Let Oidc* auth plugins accept scope parameters as kwargs https://review.openstack.org/322027 [09:23]
*** belmoreira has joined #openstack-keystone [09:25]
*** code-R has joined #openstack-keystone [09:31]
*** code-R has quit IRC [09:40]
openstackgerrit: Kanika Singh proposed openstack/keystone: Add a condition for 'region' parameter https://review.openstack.org/304489 [09:43]
*** rk4n has quit IRC [09:52]
*** permalac has joined #openstack-keystone [09:54]
*** permalac has quit IRC [09:54]
*** permalac has joined #openstack-keystone [09:54]
*** permalac has quit IRC [09:55]
*** permalac has joined #openstack-keystone [09:55]
*** rk4n has joined #openstack-keystone [10:00]
*** EinstCrazy has quit IRC [10:07]
*** code-R has joined #openstack-keystone [10:08]
*** aloga has quit IRC [10:18]
*** aloga has joined #openstack-keystone [10:18]
*** jaosorior_lunch is now known as jaosorior [10:22]
*** code-R_ has joined #openstack-keystone [10:23]
*** code-R has quit IRC [10:26]
*** markvoelker has joined #openstack-keystone [10:34]
*** markvoelker has quit IRC [10:39]
sheel: henrynash: hi [10:41]
sheel: henrynash: I was looking into one patch, it's failing keystone-coverage-db tests... [10:41]
sheel: henrynash: could you give a brief idea about these tests..what they actually test? [10:41]
sheel: patch reference : https://review.openstack.org/#/c/304489/4 [10:42]
patchbot: sheel: patch 304489 - keystone - Add a condition for 'region' parameter [10:42]
*** openstackgerrit has quit IRC [10:47]
*** openstackgerrit has joined #openstack-keystone [10:48]
samueldmq: morning all [10:57]
samueldmq: OS-KDS has been a keystone thing in the past, but has been completely removed [10:58]
samueldmq: is this correct ? [10:58]
samueldmq: "Key Distribution Server (KDS) extension" [10:58]
yolanda: samueldmq, how can i get a new release cut of keystoneauth? [11:06]
*** _amrith_ is now known as amrith [11:13]
*** TxGVNN has joined #openstack-keystone [11:16]
openstackgerrit: Julien Danjou proposed openstack/keystone: Simplify & fix configuration file copy in setup.cfg https://review.openstack.org/322086 [11:19]
*** ddieterly has joined #openstack-keystone [11:22]
*** amakarov has joined #openstack-keystone [11:23]
*** henrynash has quit IRC [11:28]
openstackgerrit: Kanika Singh proposed openstack/keystone: Handling of 'region' parameter as None https://review.openstack.org/304489 [11:30]
samueldmq: yolanda: hi [11:30]
breton_: samueldmq: yes, that's correct [11:30]
samueldmq: yolanda: stevemar is the one who does it [11:30]
samueldmq: stevemar: yolanda would like to have a release cut of keystoneauth [11:30]
samueldmq: breton_: ++ thanks for confirming [11:30]
yolanda: thx [11:31]
*** openstackgerrit has quit IRC [11:47]
*** openstackgerrit has joined #openstack-keystone [11:48]
*** ddieterly is now known as ddieterly[away] [11:48]
*** daemontool has quit IRC [11:51]
*** daemontool has joined #openstack-keystone [11:51]
*** TxGVNN has quit IRC [11:54]
*** jaosorior has quit IRC [12:01]
*** jaosorior has joined #openstack-keystone [12:01]
*** yolanda has quit IRC [12:04]
*** yolanda has joined #openstack-keystone [12:06]
*** daemontool has quit IRC [12:08]
*** markvoelker has joined #openstack-keystone [12:08]
*** amrith is now known as _amrith_ [12:08]
*** daemontool has joined #openstack-keystone [12:08]
*** ddieterly[away] is now known as ddieterly [12:12]
*** henrynash has joined #openstack-keystone [12:12]
*** ChanServ sets mode: +v henrynash [12:12]
*** daemontool has quit IRC [12:18]
*** daemontool has joined #openstack-keystone [12:18]
*** dmellado is now known as dmellado|lunch [12:20]
*** dmellado|lunch is now known as dmellado [12:20]
*** itlinux has joined #openstack-keystone [12:22]
*** mkrcmari__ has joined #openstack-keystone [12:23]
openstackgerrit: Samuel de Medeiros Queiroz proposed openstack/keystone: Migrate identity /v3-ext docs from api-ref repo https://review.openstack.org/322131 [12:26]
*** mvk_ has quit IRC [12:26]
*** rk4n has quit IRC [12:26]
*** rk4n has joined #openstack-keystone [12:27]
openstackgerrit: Samuel de Medeiros Queiroz proposed openstack/keystone: Migrate identity /v3-ext docs from api-ref repo https://review.openstack.org/322131 [12:27]
*** mkrcmari__ has quit IRC [12:30]
*** mkrcmari__ has joined #openstack-keystone [12:30]
*** daemontool has quit IRC [12:31]
*** daemontool has joined #openstack-keystone [12:32]
*** rodrigods has quit IRC [12:34]
*** rodrigods has joined #openstack-keystone [12:34]
*** mkrcmari__ has quit IRC [12:40]
*** aurelien__ has joined #openstack-keystone [12:41]
*** yolanda has quit IRC [12:41]
*** daemontool has quit IRC [12:42]
*** daemontool has joined #openstack-keystone [12:42]
*** doug-fish has joined #openstack-keystone [12:43]
*** clenimar has joined #openstack-keystone [12:44]
*** itlinux has quit IRC [12:45]
*** itlinux has joined #openstack-keystone [12:47]
*** openstackgerrit has quit IRC [12:48]
*** openstackgerrit has joined #openstack-keystone [12:48]
*** yolanda has joined #openstack-keystone [12:48]
*** edmondsw has joined #openstack-keystone [12:49]
*** code-R_ has quit IRC [12:53]
*** code-R has joined #openstack-keystone [12:54]
*** ddieterly has quit IRC [13:04]
*** henrynash has quit IRC [13:05]
*** mkrcmari__ has joined #openstack-keystone [13:08]
*** henrynash has joined #openstack-keystone [13:09]
*** ChanServ sets mode: +v henrynash [13:09]
*** _amrith_ is now known as amrith [13:11]
*** dave-mccowan has joined #openstack-keystone [13:14]
openstackgerrit: henry-nash proposed openstack/keystone-specs: Document supported query option for list projects https://review.openstack.org/322010 [13:15]
*** iury_afk is now known as iurygregory [13:15]
*** henrynash has quit IRC [13:15]
openstackgerrit: Samuel de Medeiros Queiroz proposed openstack/keystone: Migrate identity /v2 docs from api-ref repo https://review.openstack.org/322173 [13:17]
*** henrynash has joined #openstack-keystone [13:18]
*** ChanServ sets mode: +v henrynash [13:18]
samueldmq: henrynash: shouldn't this be partial-bug ? ^ [13:20]
samueldmq: henrynash: this doesn't solve the issue with osc [13:20]
henrynash: samueldmq: yep, you are right…I only discovered the osc missing piece after I wrote the first draft of this! [13:21]
henrynash: I’ll amend [13:21]
openstackgerrit: henry-nash proposed openstack/keystone-specs: Document supported query option for list projects https://review.openstack.org/322010 [13:21]
*** ayoung has joined #openstack-keystone [13:22]
*** ChanServ sets mode: +v ayoung [13:22]
samueldmq: henrynash: thanks [13:22]
*** richm has joined #openstack-keystone [13:25]
*** aurelien__ has quit IRC [13:26]
*** aurelien__ has joined #openstack-keystone [13:27]
*** ddieterly has joined #openstack-keystone [13:29]
*** bknudson has left #openstack-keystone [13:33]
*** itlinux has quit IRC [13:33]
*** aurelien__ has quit IRC [13:34]
*** aurelien__ has joined #openstack-keystone [13:34]
edmondsw: bknudson, ayoung looking for a second +2 on this backport to mitaka: https://review.openstack.org/#/c/321812/ [13:35]
patchbot: edmondsw: patch 321812 - keystone (stable/mitaka) - Honor ldap_filter on filtered user list [13:35]
*** bknudson has joined #openstack-keystone [13:36]
*** ChanServ sets mode: +v bknudson [13:36]
openstackgerrit: Mikhail Nikolaenko proposed openstack/keystone: Added app for policy enforcement https://review.openstack.org/317529 [13:37]
*** ayoung has quit IRC [13:40]
*** henrynash has quit IRC [13:41]
openstackgerrit: Merged openstack/keystone-specs: Document supported query option for list projects https://review.openstack.org/322010 [13:44]
*** aurelien__ has quit IRC [13:47]
*** zzzeek has joined #openstack-keystone [13:48]
*** daemontool has quit IRC [13:48]
*** zzzeek has quit IRC [13:49]
*** zzzeek has joined #openstack-keystone [13:49]
*** mfisch has quit IRC [13:49]
*** daemontool has joined #openstack-keystone [13:49]
*** rk4n_ has joined #openstack-keystone [13:50]
*** rk4n has quit IRC [13:52]
*** jaugustine has joined #openstack-keystone [14:02]
*** johnthetubaguy_ has joined #openstack-keystone [14:02]
*** darosale has joined #openstack-keystone [14:02]
*** daemontool has quit IRC [14:03]
*** daemontool has joined #openstack-keystone [14:04]
*** johnthetubaguy has quit IRC [14:04]
*** johnthetubaguy_ is now known as johnthetubaguy [14:05]
*** aurelien__ has joined #openstack-keystone [14:09]
*** tonytan4ever has joined #openstack-keystone [14:13]
*** ddieterly is now known as ddieterly[away] [14:16]
*** openstackgerrit has quit IRC [14:18]
*** openstackgerrit has joined #openstack-keystone [14:18]
knikolla: when doing federation, why does the 302 redirect after shibboleth point to <hostip>:5000 instead of <hostip>:5000/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/saml2/auth ? [14:20]
*** rderose has joined #openstack-keystone [14:21]
*** spzala has joined #openstack-keystone [14:23]
*** jaugustine has quit IRC [14:24]
*** raddaoui has joined #openstack-keystone [14:25]
knikolla: rodrigods: ^^ [14:26]
*** code-R has quit IRC [14:26]
*** woodster_ has joined #openstack-keystone [14:29]
*** wxy has quit IRC [14:30]
*** aurelien__ has quit IRC [14:30]
*** jaosorior has quit IRC [14:34]
*** ddieterly[away] is now known as ddieterly [14:34]
*** dmk0202 has quit IRC [14:35]
*** henrynash has joined #openstack-keystone [14:37]
*** ChanServ sets mode: +v henrynash [14:37]
samueldmq: bknudson: hi, you around ? I'd like to get your view on an issue I am facing while migrating v2 docs from api-ref [14:39]
bknudson: samueldmq: I am around. [14:39]
bknudson: just get it working and we can clean it up [14:39]
bknudson: eventually we should have everything in 1 place. [14:40]
samueldmq: bknudson: yes, and the issue is to get it working [14:40]
samueldmq: bknudson: we define API doc as : ".. rest_method::  GET /v2.0/tenants" [14:40]
*** TxGVNN has joined #openstack-keystone [14:40]
samueldmq: bknudson: and the docs emit a warning (treated as error) if you define the same rest method twice [14:40]
*** amrith is now known as _amrith_ [14:41]
samueldmq: bknudson: and that happens in v2 because we define the (usual) v2.0 and v2.0 admin [14:41]
samueldmq: and some APIs like /v2.0/tenants are described in both [14:41]
bknudson: yes, they work differently depending on if you use public or admin [14:41]
samueldmq: bknudson: I was thinking about appending adding path alias to them... does that look correct? [14:42]
*** nkinder has joined #openstack-keystone [14:42]
samueldmq: s/appending adding/appending [14:42]
bknudson: I don't know what a path alias is [14:42]
bknudson: like identity/ and identity_v2_admin/ ? [14:43]
samueldmq: bknudson: yes [14:43]
bknudson: I'm fine with that [14:43]
samueldmq: bknudson: cool, that way the tool won't take them as repeated definitions [14:43]
samueldmq: bknudson: I have patches that finish migrating v3 and one that migrate /v2 [14:44]
samueldmq: bknudson: I am working on the last one to migrate v2-admin and v2-ext [14:44]
samueldmq: thanks [14:44]
*** _amrith_ is now known as amrith [14:44]
bknudson: these will all have to be consolidated [14:44]
samueldmq: bknudson: when specifying "/identity_v2_admin", is the version still needed ? [14:49]
samueldmq: bknudson: like '/identity_v2_admin/v2.0/tenants' [14:49]
bknudson: samueldmq: yes, identity_v2_admin/v3 works too [14:50]
bknudson: but the only reason there's an identity_v2_admin is because of v2 [14:50]
*** phalmos has joined #openstack-keystone [14:51]
samueldmq: bknudson: kk identity_v2_admin/v3 looks weird, looks like identity_admin/[ [14:51]
samueldmq: identity_admin/[v2.0|v3] makes more sense; but anyways [14:52]
*** belmoreira has quit IRC [14:52]
*** timcline has joined #openstack-keystone [14:52]
bknudson: use whatever you want in the doc [14:53]
bknudson: just say it's whatever endpoint is hosting the admin api [14:53]
*** ayoung has joined #openstack-keystone [14:54]
*** ChanServ sets mode: +v ayoung [14:54]
*** fhubik has quit IRC [14:59]
*** mou has joined #openstack-keystone [15:00]
*** jistr is now known as jistr|call [15:01]
*** tesseract has quit IRC [15:11]
*** arunkant has quit IRC [15:14]
*** amrith is now known as _amrith_ [15:17]
*** rbridgeman has joined #openstack-keystone [15:19]
*** EinstCrazy has joined #openstack-keystone [15:19]
*** _amrith_ is now known as amrith [15:19]
*** darosale has quit IRC [15:20]
*** KevinE has joined #openstack-keystone [15:20]
*** rcernin has quit IRC [15:24]
*** jistr|call is now known as jistr [15:25]
*** rk4n has joined #openstack-keystone [15:29]
*** links has quit IRC [15:29]
*** rk4n has quit IRC [15:29]
*** rk4n has joined #openstack-keystone [15:30]
*** rk4n_ has quit IRC [15:30]
*** pnavarro has quit IRC [15:33]
rodrigods: knikolla, because mod_shib points back to keystone [15:35]
rodrigods: it doesn't know keystone's specific endpoint to treat that idp [15:35]
knikolla: rodrigods: understood. wasted some hours debugging tempest before figuring out that they've recently moved to urllib3 for requests. and it automatically followed the redirect to the :5000/ [15:37]
KevinE: How do you tie a bug to a proposed change? [15:37]
dstanek: KevinE: the proposed change you tag the bug in the commit message [15:38]
KevinE: dstanek: how do you change your commit message again? Yes I'm that bad lol [15:40]
* rodrigods knows this feeling [15:40]
dstanek: KevinE: if you 'git commit --amend' it'll let you edit it [15:40]
KevinE: rodrigods: we in this cloud together friend haha [15:40]
dstanek: KevinE: no worries. everybody has to learn sometime. we [15:40]
dstanek: we're pretty friendly here :-) [15:40]
KevinE: dstanek: thanks!! [15:40]
rodrigods: KevinE, :) [15:41]
*** d34dh0r53 is now known as h0m3r [15:41]
*** roxanaghe has joined #openstack-keystone [15:41]
dstanek: KevinE: here is an example https://review.openstack.org/#/c/214287/ [15:41]
patchbot: dstanek: patch 214287 - keystone - Adds warning when no domain configs were uploaded [15:41]
KevinE: ahh great. However I tried to edit my commit message and it wasn't my commit message, it was someone else's.. [15:42]
dstanek: KevinE: checkout the 'Including external references' section here: https://wiki.openstack.org/wiki/GitCommitMessages [15:42]
dstanek: KevinE: git amending will change on last commit on the branch you are on [15:42]
*** ddieterly is now known as ddieterly[away] [15:43]
dstanek: KevinE: you could 'git review -d ####' if nothing else to pull down your change [15:43]
*** sigmavirus24 is now known as m3du5a [15:43]
*** h0m3r is now known as d34dh0r53 [15:43]
*** m3du5a is now known as sigmavirus24 [15:44]
*** ddieterly[away] is now known as ddieterly [15:45]
KevinE: dstanek: okay I amended it, now another git review -R? [15:46]
*** pgbridge has joined #openstack-keystone [15:47]
dstanek: KevinE: just 'git review' would be fine - no reason to avoid the rebase in this case [15:47]
openstackgerrit: Kevin Esensoy proposed openstack/python-keystoneclient: OS_INTERFACE ignored when determining endpoint_type https://review.openstack.org/321809 [15:47]
KevinE: whelp hey there gerrit [15:48]
openstackgerrit: Ron De Rose proposed openstack/keystone: WIP - PCI-DSS Change password requirements https://review.openstack.org/320156 [15:48]
KevinE: kind of annoying that Jenkins has to re-check your stuff for just a commit change [15:48]
KevinE: commit message change * [15:48]
*** itlinux has joined #openstack-keystone [15:52]
*** KevinE has quit IRC [15:56]
*** KevinE has joined #openstack-keystone [15:56]
*** dave-mccowan has quit IRC [15:57]
*** ddieterly is now known as ddieterly[away] [15:57]
dstanek: KevinE: yes. i think it helps when things change under your patch [15:58]
openstackgerrit: Samuel de Medeiros Queiroz proposed openstack/keystone: Migrate identity /v2-admin docs from api-ref repo https://review.openstack.org/322247 [15:58]
*** spzala has quit IRC [15:58]
KevinE: dstanek: you're saying you like it? [15:59]
dstanek: KevinE: no, i'm indifferent. i don't think it happens all the time though [16:00]
KevinE: dstanek: For our Liberty installation, this is absolutely mandatory for anything that touches keystone, even though it shouldn't matter to most other people [16:00]
KevinE: dstanek: I had a hell of a time getting to this though because like, no not EVERYONE's keystone is broken right now lol [16:01]
KevinE: How do you get people to review a change? Is it like a magical "they will come" type thing or? [16:02]
*** mkrcmari__ has quit IRC16:04
notmorganKevinE: is this also affecting keystoneauth? https://github.com/openstack/keystoneauth/blob/80b58cc2f2aa73e2d3fc88ef2e27fa3db6ed0025/keystoneauth1/access/service_catalog.py most of the code dealiung with sessions and catalog etc is all deprecated in keystoneclient16:04
*** lhcheng has joined #openstack-keystone16:04
*** ChanServ sets mode: +v lhcheng16:04
notmorganKevinE: keep in mind the CLI from keystoneclient is deprecated for a long time, (and removed in 3.0.0) - does this affect modern openstackclients as well?16:05
notmorganKevinE: (which implies keystoneauth being affected).16:06
samueldmqKevinE: dstanek: commit messages may include Depends-On :)16:06
*** code-R has joined #openstack-keystone16:06
notmorganKevinE: also... does that answer your question on people looking at code? ;)16:06
KevinEI don't believe so, but I'm not sure how I could check it anyways. I'm 110% noob assigned a big boy project haha16:06
*** itlinux has quit IRC16:06
notmorganKevinE: no worries then :)16:06
KevinEyes oh magic reviewer man16:06
notmorganKevinE: so what version of keystoneclient are you using and i assume you're doing16:07
notmorgan"keystone XXXX" command ?16:07
KevinEnotmorgan: I'm lost what?16:07
notmorganwhen you see this error16:07
notmorganwhat command are you typing? or where is the error appearing16:07
*** pece has joined #openstack-keystone16:08
KevinEnotmorgan: I do a rally keystone user-create-and-delete just for testing purposes, but it's present for every single keystone task16:08
notmorganok16:08
*** aurelien__ has joined #openstack-keystone16:08
dstanekKevinE: reviewers are like wizards. we show up at just the right time (for us)16:09
notmorganhmmm. wonder what rally is using under the hood there.16:10
notmorgandstanek: i'm going to guess this is something we'll need to look at for keystoneauth as well16:11
notmorgani'm looking at the keystoneauth code.16:12
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Migrate identity /v3-ext docs from api-ref repo  https://review.openstack.org/32213116:12
KevinEnotmorgan: you're just suggesting that my code could extend, rather than it being incorrect.. correct?16:12
notmorganKevinE: right. your code likely needs to go in the new common auth library vs just in keystoneclient16:12
notmorganKevinE: we're trying to remove all the session/catalog/discovery code from keystoneclient and keep it isolated in our common auth library (most everything is using now)16:14
notmorganKevinE: it doesn't look like your code is inherantly wrong... Where do you see OS_INTERFACE as a ENV var documented?16:15
bknudsonour libraries shouldn't be magically changing their behavior based on env vars. It should be up to the application to setup the library.16:15
notmorganbknudson: this is something that should be passed in via OSC16:15
notmorganbknudson: honestly16:16
notmorganbknudson: the fact that KSC does magic in both places because of historical mixing of CRUD, CLi, and SESSION is another issue16:16
notmorganbknudson: and/or this should be coming from RALLY.16:16
notmorganbknudson: maybe it belongs in OCC which iirc does things like reading ENVs16:17
notmorgan?16:17
bknudsonyes, rally should be configuring keystoneclient correctly (assuming keystoneclient can be configured for this... if that's the problem then make keystoneclient configurable)16:17
notmorganbknudson: also, i think modern rally doesn't use KSC anymore.16:17
notmorganoh, wow, wait a sec. this is V2-isms.16:18
notmorganbecause it's assuming public vs admin split.16:18
*** ddieterly[away] is now known as ddieterly16:19
KevinEfyi I'm here but I have no clue what y'all are talking about :)16:19
notmorganKevinE: no worries, we're def off in the weeds looking at details around this.16:19
*** code-R_ has joined #openstack-keystone16:19
notmorganKevinE: in summary, you're not wrong, this is an issue. it is a bit more involved than it appears at face value.16:20
*** amrith is now known as _amrith_16:20
KevinEnotmorgan: Awesome, this is the first time in 2 weeks of trying to fix this that someone saw a problem I was trying to fix <316:20
notmorganKevinE: the code may need to go into a different place/project, but being able to do what you're describing in the bug is correct behavior.16:20
KevinEnotmorgan: I'd be happy to test it against our env16:20
notmorganKevinE: and we'll do what we can to help you get it in the right place16:20
KevinEnotmorgan: when it comes to that *16:21
notmorganwhat version of openstack are you running?16:21
notmorganout of curiosity16:21
*** code-R has quit IRC16:22
*** gagehugo has joined #openstack-keystone16:22
KevinEI think we have 1 Icehouse and 1 Liberty? and I think Liberty is the one in question16:23
notmorganok16:23
notmorgancool.16:23
dstanekno/b 2716:24
dstanekgrabbing some lunch and then some keystone reviews! what an exciting day ahead of me16:25
notmorgandstanek: hehe16:25
notmorgandstanek: i am going to grab breakfast and keep working on making nodepool py3 compat! *fun*16:25
openstackgerritRon De Rose proposed openstack/keystone: WIP - PCI-DSS Change password requirements  https://review.openstack.org/32015616:26
zzzeeknotmorgan: do you have any insight on what's going to happen when someone has dogpile.core installed as a namespace package and they now install the bundled version of both ?16:26
notmorganzzzeek: hhm  ok so this is the oslo namespace issue. whichever is installed last wins. - i need to check something16:28
zzzeeknotmorgan: yup, and in oslo we changed all the names to oslo_foo16:28
notmorganzzzeek:  i think the way we need to do this... is16:29
notmorganzzzeek: dogpile.core needs a new release with nothing in the package except a requires on dogpile.cache.16:29
zzzeeknotmorgan: if we need to do full blown oslo, then i sort of know what's involved (and it sucks)16:29
zzzeeknotmorgan: hmmmmmm16:29
notmorganzzzeek: if we can cross depend, dogpile.cache depends on new dogpile.core with nothing in it16:29
notmorganelse...16:29
notmorganwe release this new merged lib as "dogpile"16:30
*** atiwari has joined #openstack-keystone16:30
notmorganand make dogpile.cache and dogpile.core "empty" projects that depend on dogpile16:30
zzzeeknotmorgan: oh so "from dogpile import foo, bar"16:30
notmorganin requirements.txt16:30
*** atiwari has quit IRC16:30
notmorgani wouldn't do any importing16:30
notmorgancan python packages cross depend? aka XXX depends on YYY and YYY depends on XXX?16:31
notmorganor does that just explode the dep solver?16:31
zzzeeknotmorgan: i doubt that works16:31
notmorganbecause that would make this easy.16:31
notmorganzzzeek: hm.16:32
zzzeeknotmorgan: assumption #1 im making is, nobody has "dogpile.core" in their deps16:32
notmorgani am ok with that assumption.16:32
notmorganOH! wait i know16:33
*** diazjf has joined #openstack-keystone16:33
notmorganno wait nvm16:33
notmorganok so i think this is what we do:16:33
*** pushkaru has joined #openstack-keystone16:33
notmorgandogpile.core gets to be an empty python package with a requirements.txt that says dogpile.cache>=<new release with merged things>16:33
notmorganand dogpile.cache is the merged thing.16:34
notmorganyou know... i have an idea16:34
*** spzala has joined #openstack-keystone16:34
*** diazjf has quit IRC16:35
zzzeekbut then it installs dogpile.cache, which overwrites dogpile.core, then it puts dogpile.core in there and overwrites it as blank..this highly depends on which install tool is used16:35
zzzeekif you are installing as .eggs or whatnot16:35
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Migrate identity /v2-admin docs from api-ref repo  https://review.openstack.org/32224716:35
notmorganzzzeek: i *think* we can blacklist older dogpile.core in dogpile.cache. even if core depends on cache?16:35
notmorganzzzeek: so.. the easiest solution16:36
notmorganzzzeek: simply release the new dogpile.cache as "dogpile"16:36
notmorganon pypi/egg/whatever16:36
notmorganand make new dogpile.cache and new dogpile.core depend on it.16:36
notmorganwith empty packages and just requirements16:36
notmorganif someone goes out of their way to install old dogpile.cache/core on top of dogpile they're really stretching16:37
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Migrate identity /v2-admin docs from api-ref repo  https://review.openstack.org/32224716:37
zzzeeknotmorgan: but doesnt that mean just to install dogpile.cache, it ends up installing two packages16:37
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Migrate identity /v2-admin docs from api-ref repo  https://review.openstack.org/32224716:37
notmorganonly if you use dogpile.cache as the installer (this is for the upgrade case)16:38
zzzeeknotmorgan: we could just do total name change here.  dogpile-cache.  no more dots.  we're done16:38
notmorganzzzeek: true.16:38
notmorganzzzeek: or dogpile_cache :P16:38
notmorganor whatever.16:38
zzzeekwell for pypi package name arent dashes a little more legit than underscores16:38
notmorganright16:38
notmorganpersonally, i think we should just release it as "dogpile"16:38
*** spzala has quit IRC16:39
zzzeeknotmorgan: sure, but there is still the dotted issue16:39
*** EinstCrazy has quit IRC16:39
notmorganhold on looking at something.16:39
notmorganugh. i wish python's dep solver had a clean "conflicts-with" construct16:40
notmorganzzzeek: so, lets say we release this as dogpile 1.016:41
notmorganzzzeek: and we release dogpile.cache 1.0, and dogpile.core 1.0 [argument sake, numbers don't matter]16:41
*** aurelien__ has quit IRC16:41
notmorgandogpile.cache and core are just empty (no code)16:41
notmorgandogpile depends on dogpile.core/cache >=1.016:41
notmorganugh. we break people who do quiet upgrades16:42
notmorgannvm16:42
KevinEnotmorgan: I guess I should put this here: https://review.openstack.org/#/c/320056/ this may be interesting, as this was my other fix I proposed, but was unable to figure out16:42
patchbotKevinE: patch 320056 - rally - Tie endpoint_type to interface16:42
notmorganKevinE: that is possibly it16:42
notmorganzzzeek: ok, we need to use a new namespace. dogpile-cache and dogpile_cache are *probably* the most correct.16:43
KevinEnotmorgan: but we couldn't figure out what was going on, so we debugged here: https://review.openstack.org/#/c/320118/16:43
patchbotKevinE: patch 320118 - rally - [DO NOT MERGE] Disable osresources.py (ABANDONED)16:43
KevinEnotmorgan: for when you get your coffee ;)16:43
notmorganzzzeek: boo.16:43
zzzeeknotmorgan: oslo did all this w/o changing the package names16:43
notmorganzzzeek: we can keep dogpile.cache package name fwiw, that isn't too hard.16:44
zzzeeknotmorgan: they provide an oslo_foo and oslo.foo module inside of foo16:44
zzzeeknotmorgan: right and it just has dogpile_cache, dogpile_core, and dogpile.cache internally, right16:44
notmorganzzzeek: yeah i think we're doing the oslo_thing.16:44
notmorganyep.16:44
notmorganor well we don't even need dogpile_core, it could be dogpile_cache.core16:45
zzzeekdoh16:45
zzzeeknotmorgan: how about this.  assumption #2.  everyone uses pip to install16:45
notmorganbut yeah in either case.16:45
notmorganLOL16:45
zzzeekno more "python setup.py install"16:45
notmorgani am good with that16:45
zzzeekb.c. thats when setuptools gets in there and does crazy egg shit16:46
KevinEI third this movement16:46
zzzeeki mean, obviously that will still work, but just if you have an existing install, that'll break16:46
notmorgani assume that people will either use pip *or* distro packages16:46
notmorganand distropackages are going to be magic compared to this16:46
zzzeeknotmorgan: so we just make sure this works w/ pip.   we can even have setup.py require a minimum version of pip16:47
*** can8dnSix has joined #openstack-keystone16:47
notmorganso i think dogpile_cache.cache and dogpile_cache.core works fine, (and dogpile.cache -> dogpile_cache.cache). and then dogpile.core can depend on dogpile_cache and dogpile.core -> dogpile_cache.core16:47
notmorganzzzeek: and pip does all the work for you16:48
notmorganzzzeek: in either case.16:48
notmorganyou get some wonkyness still with the namespace if people do eggs.16:48
zzzeeknotmorgan: i was thinking of just brute forcing this.  just leave it as dogpile.cache16:48
notmorganbut thats going to be mostly edge-case.16:48
notmorganoh16:48
notmorgansure.16:48
zzzeekif you're doing pip16:48
notmorganhmmm16:48
zzzeekdo people run pip in some way that it makes .egg files?16:48
notmorgandon't think so.16:49
notmorganso dogpile.cache wins, owns the namespace16:50
notmorganand leave dogpile.core to ... bitrot?16:50
zzzeeknotmorgan: i just need to see what happens if, someone has dogpile.core installed already, and i say "import dogpile.core"16:51
notmorganor release new dogpile.core that simply says "install dogpile.cache <new version>"16:51
zzzeeknotmorgan: i think pip w/ namespace packages puts them in the same directory doesnt it16:51
notmorganuhm...16:51
notmorganas long as you don't use -e16:51
* notmorgan checks this16:51
*** sdake has joined #openstack-keystone16:52
*** spzala has joined #openstack-keystone16:52
zzzeekbrb16:53
*** rk4n has quit IRC16:55
notmorganzzzeek: ok so if dogpile.cache (new) is installed over dogpile.core16:55
notmorganyou get the new dogpile.cache files.16:55
*** agrebennikov has joined #openstack-keystone16:55
notmorganuninstalling old dogpile.core seems to not break dogpile.cache16:56
notmorgan(interestingly)16:56
notmorganoh nvm it does16:56
*** spzala has quit IRC16:57
notmorganand installing dogpile.core after new dogpile.cache breaks things16:57
openstackgerritRon De Rose proposed openstack/keystone: WIP - PCI-DSS Change password requirements  https://review.openstack.org/32015616:59
*** rk4n has joined #openstack-keystone17:00
*** rk4n_ has joined #openstack-keystone17:01
samueldmqreading the existing api-ref docs, I assume OS-KSCATALOG, OS-KSS3 and OS-KSVALIDATE are things that existed in keystone somewhen17:04
samueldmqbut have been removed sometime (long time?) ago17:04
*** spzala has joined #openstack-keystone17:04
samueldmqnotmorgan: ^ you can confirm that ?17:05
notmorganuhm17:05
notmorganyeah possibly?17:05
notmorganpredates me afaik17:05
*** rk4n has quit IRC17:05
notmorgancactus?17:05
*** gyee has joined #openstack-keystone17:05
*** ChanServ sets mode: +v gyee17:05
samueldmqnotmorgan: nice, I can't find them in the code; that means they have gone17:06
samueldmqnotmorgan: just want to check they've been there somewhen :)17:06
samueldmqnotmorgan: cactus => long time ago17:06
notmorganoh no looks like keystone first released in essex17:07
notmorganapril 201217:07
samueldmqanyway, that can give us an idea of how updated identity api-ref docs are17:07
samueldmq:-)17:07
samueldmqnotmorgan: thanks17:08
notmorganoh no thats just WADL things17:08
notmorgannot headers17:08
notmorganresponse examples17:08
notmorganhttps://github.com/openstack/api-site/tree/master/api-ref/src/wadls/identity-api/src/v2.0/samples17:08
*** code-R_ has quit IRC17:08
*** spzala has quit IRC17:09
*** tonytan4ever has quit IRC17:10
henrynashayoung: hi….you objected to the copying of the sql driver for testing purposes in https://review.openstack.org/#/c/305315/ - this was discussed at the irc meeting on Tuesday, with the general view that this was a necessary evil. Are you OK with it, given that discussion?17:12
patchbothenrynash: patch 305315 - keystone - Create V9 driver for identity backend17:12
ayounghenrynash, not really17:13
ayoungit pretty much sucks17:13
henrynashayoung: so what’s the alternative?17:13
henrynashayoung: (and it only such for the 2 deprecated releases, since we delete the code then)17:13
ayounghenrynash, I won't hold it up...but think long and hard if there is a better approach, I'm sure there is17:14
ayounghenrynash, gotta meeting now17:14
henrynashayoung: ok, thx17:14
notmorganhenrynash: if we want to drop the whole versioned backends thing i'm fine with it.17:16
henrynashnotmorgan: :-)17:16
*** clenimar has quit IRC17:17
*** rk4n has joined #openstack-keystone17:17
openstackgerritRoxana Gherle proposed openstack/keystone: Return 404 instead of 401 for tokens w/o roles  https://review.openstack.org/32228017:17
notmorganhenrynash: but eh *shrug*17:17
*** gyee has quit IRC17:18
*** ayoung has quit IRC17:20
*** rk4n_ has quit IRC17:20
*** gyee has joined #openstack-keystone17:20
*** ChanServ sets mode: +v gyee17:20
KevinEnotmorgan: Jenkins just gave me a +1 !17:21
notmorganKevinE: ok so you found the other place or that was on the keystoneclient one?17:22
notmorganKevinE: sorry i'm being pulled a little bit all over.:P17:22
*** code-R has joined #openstack-keystone17:22
*** pushkaru has quit IRC17:23
*** henrynash has quit IRC17:23
KevinEnotmorgan: no problem lol. That's just the original python-keystoneclient one. As far as the second 2 that I sent you, I just will not be able to see anything, that's just for your viewing pleasure when you get a chance to look into it17:23
*** code-R has quit IRC17:23
amakarovrderose, hi!17:23
*** code-R has joined #openstack-keystone17:23
notmorganKevinE: ah ok.17:24
rderoseamakarov: hey17:24
KevinEbrb17:24
amakarovrderose, I've thought about account locking - I have to admit that the best way to do that is store unsuccessful attempts in KVS17:24
amakarovrderose, sql will be a bad choice17:25
rderoseamakarov: why?17:25
amakarovrderose, imagine db load if we will log unsuccessful attempts17:26
amakarovduring brute force attack17:26
notmorganamakarov: i'm going to -2 anything that tries to re-introduce "KVS" backends.17:26
notmorganamakarov: as an FYI.17:27
rderose:)17:27
amakarovnotmorgan, I know that17:27
notmorgan;)17:27
*** tqtran has joined #openstack-keystone17:27
bknudsoninsert a rate limiter17:27
notmorganbknudson: known pattern.17:27
rderoseamakarov: hmm...17:28
amakarovnotmorgan, so I think I'll have to do a pluggable sql backend17:28
*** ddieterly is now known as ddieterly[away]17:28
amakarovnotmorgan, considering kvs as a customization ;)17:28
rderoseamakarov: pluggable?17:28
notmorganamakarov: don't expect kvs support upstream though - thats all.17:28
amakarovrderose, it's the most obvious way now17:29
notmorganit also depends on how you're tracking failures.17:29
amakarovnotmorgan, I will not introduce kvs in keystone, of course17:29
notmorganfwiw, KVS is going to suffer from a ton of similar problems that SQL will17:29
amakarovnotmorgan, it should be a log-shaped table with inserts17:30
rderoseamakarov: we can manage db load for unsuccessful attempts, just truncate every so often17:30
notmorganamakarov: correct17:30
samueldmqnotmorgan: there is docs too https://github.com/openstack/api-site/tree/master/api-ref/src/wadls/identity-api/src/v2.0/wadl17:30
amakarovrderose, ++ as an option17:30
notmorganamakarov: KVS is a bad pattern where queries of lots of related things need to be grouped together because of housekeeping/locking overhead17:31
amakarovrderose, notmorgan and yet another bit of ... to the fan: account locking opens up MANY opportunities for attacker: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks#Locking_Accounts17:32
notmorganamakarov: this is an argument for API keys and/or signed requests17:32
amakarovnotmorgan, ++17:32
notmorganamakarov: if you're authing with passwords and support locking of accounts you're doing it wrong (for public RESTful API things)17:33
amakarovnotmorgan, totally agree and I will personally recommend requesting customer to disable this :)17:33
amakarovlocking, I mean17:34
bknudsonI think it's funny that account lockout applies to every user except superuser.17:34
notmorganbknudson: hehe17:34
amakarovbknudson, it's even more funny: I wasn't ask about admin exception ;)17:35
*** ayoung has joined #openstack-keystone17:35
*** ChanServ sets mode: +v ayoung17:35
amakarovs/ask/asked/17:35
*** spzala has joined #openstack-keystone17:36
amakarovnotmorgan, so what's your suggestion? store attempts in sql?17:37
notmorganamakarov: not sure. probably, but you can structure it in a more sane way - i also think moving towards an api-key or whatever thing so username/password is only used for managing api-keys would be needed.17:39
*** rk4n has quit IRC17:39
amakarovnotmorgan, well, I'll start with something and we shall see what will it come to.17:41
*** rk4n has joined #openstack-keystone17:42
*** amakarov is now known as amakarov_away17:45
*** rk4n has quit IRC17:46
*** roxanaghe has quit IRC17:46
*** roxanaghe has joined #openstack-keystone17:48
*** links has joined #openstack-keystone17:49
*** sdake_ has joined #openstack-keystone17:52
*** sdake has quit IRC17:55
*** julim has quit IRC17:56
*** mou has quit IRC18:03
*** TxGVNN has quit IRC18:03
*** sdake_ is now known as sdake18:06
stevemarnotmorgan: clean backport: https://review.openstack.org/#/c/321812/18:07
patchbotstevemar: patch 321812 - keystone (stable/mitaka) - Honor ldap_filter on filtered user list18:07
notmorgannice18:07
rodrigodsstevemar, notmorgan make it voting? https://review.openstack.org/#/c/321890/18:08
patchbotrodrigods: patch 321890 - openstack-infra/project-config - Make keystone functional tests job voting18:08
rodrigodsthink it needs a +1 from stevemar18:09
rodrigodsthanks stevemar18:09
dstanekstevemar, stevemar!18:10
stevemarrodrigods: np ;)18:10
stevemardstanek: :O :O18:10
notmorganrodrigods: yes.18:10
*** links has quit IRC18:10
*** gagehugo has quit IRC18:14
*** spzala has quit IRC18:17
*** spzala has joined #openstack-keystone18:18
*** rderose has quit IRC18:18
*** spzala_ has joined #openstack-keystone18:20
*** spzala has quit IRC18:22
openstackgerritRodrigo Duarte proposed openstack/keystone: Add protocols integration tests  https://review.openstack.org/30750818:23
openstackgerritRodrigo Duarte proposed openstack/keystone: Add mapping rules integration tests  https://review.openstack.org/30544418:23
openstackgerritRodrigo Duarte proposed openstack/keystone: Add service providers integration tests  https://review.openstack.org/30350218:23
*** spzala_ has quit IRC18:25
*** georgem1 has joined #openstack-keystone18:25
*** ddieterly[away] has quit IRC18:28
*** rderose has joined #openstack-keystone18:28
openstackgerritMerged openstack/keystone: Add the validation rules when create token  https://review.openstack.org/31589418:34
*** code-R has quit IRC18:41
*** roxanaghe has quit IRC18:44
*** pradk has joined #openstack-keystone18:46
*** spzala has joined #openstack-keystone18:46
*** spzala has quit IRC18:46
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Migrate identity /v2 docs from api-ref repo  https://review.openstack.org/32217318:49
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Migrate identity /v3-ext docs from api-ref repo  https://review.openstack.org/32213118:50
*** code-R has joined #openstack-keystone18:51
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Migrate identity /v2-admin docs from api-ref repo  https://review.openstack.org/32224718:51
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Migrate identity /v2-ext docs from api-ref repo  https://review.openstack.org/32230118:52
*** ayoung has quit IRC19:03
*** ayoung has joined #openstack-keystone19:03
*** ChanServ sets mode: +v ayoung19:03
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Migrate identity /v2-ext docs from api-ref repo  https://review.openstack.org/32230119:08
*** sdake_ has joined #openstack-keystone19:09
samueldmqok; we should have enough to migrate the docs from api-ref19:09
*** itlinux has joined #openstack-keystone19:09
samueldmq:)19:09
*** sdake has quit IRC19:10
notmorgansamueldmq: uhm. sure?19:14
notmorgansamueldmq: i dunno what the plan on that is19:14
notmorgantbh19:14
*** ddieterly has joined #openstack-keystone19:17
*** rderose has quit IRC19:17
*** sdake has joined #openstack-keystone19:18
*** daemontool has quit IRC19:18
*** sdake_ has quit IRC19:19
knikollaanybody wants me to review anything while waiting for stack.sh ?19:20
*** itlinux has quit IRC19:22
KevinEhttps://review.openstack.org/#/c/321809/ maybe19:22
patchbotKevinE: patch 321809 - python-keystoneclient - OS_INTERFACE ignored when determining endpoint_type19:22
KevinEThere's a debate whether this should go here or in keystoneauth19:23
*** nkinder has quit IRC19:23
samueldmqnotmorgan: there is an effort to migrate api-ref docs from /api-ref repo to projects repo19:30
samueldmqnotmorgan: I volunteered to do the work for keystone19:30
notmorgansamueldmq: ahh19:30
*** ddieterly has quit IRC19:31
*** openstack has joined #openstack-keystone21:42
*** gordc has quit IRC21:46
*** code-R has joined #openstack-keystone21:47
*** amrith is now known as _amrith_21:53
