Friday, 2017-03-03

[00:57] <openstackgerrit> Merged openstack/oslo.policy master: [Fix gate]Update test requirement  https://review.openstack.org/440314
[01:59] <openstackgerrit> Shan Guo proposed openstack/keystone master: Revise conf param in releasenotes  https://review.openstack.org/440894
[02:23] <adriant> rodrigods: https://blueprints.launchpad.net/keystone/+spec/name-field-consistency
[03:07] <openstackgerrit> OpenStack Proposal Bot proposed openstack/oslo.policy master: Updated from global requirements  https://review.openstack.org/440139
[06:15] <openstackgerrit> Merged openstack/oslo.policy master: Updated from global requirements  https://review.openstack.org/440139
[06:24] <openstackgerrit> Adrian Turjak proposed openstack/keystone master: Make name fields a consistent size of 255  https://review.openstack.org/440941
[06:34] <openstackgerrit> Adrian Turjak proposed openstack/keystone master: Make name fields a consistent size of 255  https://review.openstack.org/440941
[07:25] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata  https://review.openstack.org/439420
[13:01] <openstackgerrit> Sean Dague proposed openstack/keystone-specs master: WIP: early rough draft of unified limits  https://review.openstack.org/440815
[14:11] <lbragstad> o/
[14:19] <lbragstad> here's a stable backport review if anyone is interested - https://review.openstack.org/#/c/440918/1
[14:23] <openstackgerrit> Béla Vancsics proposed openstack/keystone master: Remove unused variable  https://review.openstack.org/439525
[14:46] <openstackgerrit> Béla Vancsics proposed openstack/keystone master: Remove unused variable  https://review.openstack.org/439525
[15:02] <lbragstad> cmurphy rodrigods o/
[15:02] <rodrigods> lbragstad, o/
[15:02] <lbragstad> rodrigods cmurphy i did some digging on your comments here - https://review.openstack.org/#/c/438896/2/keystone/tests/unit/common/test_database_conflicts.py,unified
[15:03] <lbragstad> I think I figured out why we litter our unit tests with try/excepts for that specific module
[15:03] <rodrigods> lbragstad, hmm
[15:03] <rodrigods> why? (i guess to look at the exception messages?)
[15:03] <lbragstad> rodrigods we want to be able to save the exception so that we can verify it contains a specific message, right?
[15:04] <lbragstad> that makes sense
[15:04] <lbragstad> and the original implementation of self.assertRaises should support that https://docs.python.org/2/library/unittest.html#unittest.TestCase.assertRaises
[15:04] <lbragstad> because you should be able to use it like a context manager
[15:04] <lbragstad> s/like/as/
[15:05] <lbragstad> which would be perfect for us because we'd be able to do this
[15:05] <rodrigods> right
[15:05] <lbragstad> http://cdn.pasteraw.com/h38srugqxbw69dw7flw63pqfwxjl3g6
[15:05] <lbragstad> but ^ that doesn't work because we use testtools, and testtools reimplemented the assertRaises implementation but didn't add the context manager support
[15:05] <lbragstad> https://github.com/testing-cabal/testtools/blob/master/testtools/testcase.py#L464-L487
[15:06] <rodrigods> :(
[15:06] <lbragstad> which leads to this failure - http://cdn.pasteraw.com/97zgb4zpyeqo436hj0de7fd6lx25zyb
[15:06] <lbragstad> #themoreyouknow
[15:06] <rodrigods> nice lbragstad
[15:06] <rodrigods> thanks for digging this up
[15:06] <lbragstad> rodrigods yeah - i was like "how is this *not* possible?!"
[15:07] <rodrigods> everything makes sense now
[15:07] <lbragstad> i also find it odd to have try/excepts in the tests
[15:07] <cmurphy> o/
[15:08] <cmurphy> that is amazing
[15:08] <lbragstad> cmurphy o/
[15:08] <lbragstad> cmurphy rodrigods and i were just discussing https://review.openstack.org/#/c/438896/2/keystone/tests/unit/common/test_database_conflicts.py,unified
[15:08] <lbragstad> cmurphy weird, right?
[15:08] <cmurphy> very
[15:09] <lbragstad> cmurphy i was going to do a follow on patch to yours that cleaned a bunch of that up, but I guess I'll just settle for a FIXME explaining the reasoning behind it instead :)
[15:09] <cmurphy> haha
[15:30] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add in-code comment to clarify pattern in tests  https://review.openstack.org/441187
[15:30] <lbragstad> cc cmurphy rodrigods dstanek ^
[15:34] <dstanek> lbragstad: does a pasteraw live forever?
[15:44] <dolphm> dstanek: yes
[15:44] <dolphm> dstanek: until someone yells at me about cloud files usage, in which case, there are a lot of spam entries i can programmatically remove
[15:46] <dstanek> dolphm: nice
[15:46] <dstanek> i didn't know that it was a dolphm thing :-)
[15:54] <notmorgan> dstanek: ++ same
[15:55] <knikolla> o/
[15:59] <openstackgerrit> Kristi Nikolla proposed openstack/keystone master: Move driver loading inside of dict  https://review.openstack.org/440845
[16:01] <openstackgerrit> Kristi Nikolla proposed openstack/keystone master: Remove password_expires_ignore_user_ids  https://review.openstack.org/438208
[16:02] <openstackgerrit> Kristi Nikolla proposed openstack/keystone master: Remove password_expires_ignore_user_ids  https://review.openstack.org/438208
[16:16] <openstackgerrit> Sean Dague proposed openstack/keystone-specs master: WIP: block diag quota scenarios  https://review.openstack.org/441203
[16:19] <openstackgerrit> Merged openstack/keystone master: Stop reading local config dirs for domain-specific file config driver  https://review.openstack.org/436882
[16:22] <openstackgerrit> Anthony Washington proposed openstack/oslo.policy master: Add additional param to policy.RuleDefault  https://review.openstack.org/439070
[16:24] <ayoung> knikolla, so, something important that needs to be done is to fix the creation of admin-users in Tempest tests.  Right now, they are created in all different projects, but they need to be created in the admin project.
[16:25] <ayoung> that is why these patches fail: https://review.openstack.org/#/c/384148/  and https://review.openstack.org/#/c/257636/
[16:25] <openstackgerrit> Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order  https://review.openstack.org/437441
[16:26] <ayoung> Get a Tempest run that can pass those and we'll be able to close out those reviews, too
[16:27] <knikolla> ayoung: i see. alright, i'll look into it.
[16:27] <ayoung> knikolla, that would be awesome....
[16:45] <knikolla> ayoung: so basically the project here should be the admin one
[16:45] <knikolla> https://github.com/openstack/tempest/blob/master/tempest/common/dynamic_creds.py#L170
[16:46] <knikolla> hmmm… but then also the token used 'during' the test must be scoped to the admin one
[16:56] <openstackgerrit> Richard Avelar proposed openstack/keystone master: Minor cleanup from patch 429047  https://review.openstack.org/433636
[17:02] <ayoung> knikolla, maybe.  The term admin is loaded
[17:02] <ayoung> so some cases where you want a project specific admin, or a domain admin, should not be from the admin project, but from the project specified.  However, it might be sufficient to just change that point and get everything to pass.
[17:04] <knikolla> ayoung: i'll give it a try later today after pizza.
[17:04] <knikolla> wanna start an etherpad for future reference?
[17:05] <ayoung> knikolla, if necessary.  Only if we start getting that many details to track.  Otherwise, add them to the bug report for 968696
[17:06] <knikolla> sounds good.
[17:12] <notmorgan> ayoung: 968696 -> "Won't fix", "sorry this bug is just not something we consider important anymore..." /s
[17:12] <ayoung> notmorgan, reassigning it to you.
[17:12] <notmorgan> ayoung: i couldn't resist. that bug is sooooooooooo old, man it feels like it's just part of "keystone" these days. ;)
[17:12] <notmorgan> ayoung: yeah because reassigning it to me is going to get it done :P
[17:13] <ayoung> notmorgan, doesn't help that I was not really able to work on it for so long
[17:13] * notmorgan reassigns it to lbragstad
[17:13] <notmorgan> it's what the PTL is for, right?
[17:13] <notmorgan> ayoung: so... i think i could get us to signed requests... but endpoint filtering is the monkeywrench.
[17:13] <ayoung> notmorgan, how's that?
[17:14] <notmorgan> ayoung: endpoints can change depending on the token.
[17:14] <notmorgan> so catalog isn't static.
[17:14] <notmorgan> makes discovery near impossible.
[17:15] <notmorgan> if we didn't have endpoint filtering (the thing we implemented, not the "hey only show me nova" query string)
[17:15] <notmorgan> the catalog could be static. then if you needed discovery, ask for catalog
[17:15] <ayoung> if only we had a spec for that
[17:15] <ayoung> oh wait...I wrote one years ago
[17:15] <notmorgan> ksm could pass off the signed request to keystone and keystone could do normal validation.
[17:15] <notmorgan> no not for this bit.
[17:16] <notmorgan> this is eliminating the need for tokens for user->nova for example.
[17:16] <openstackgerrit> Kristi Nikolla proposed openstack/keystone master: Move driver loading inside of dict  https://review.openstack.org/440845
[17:16] <notmorgan> it just eliminates the secret going on the wire.
[17:16] <ayoung> signed requests have nothing to do with the service catalog.  Don't sign the token
[17:16] <notmorgan> no, sign (HMAC) the actual request to nova
[17:16] <notmorgan> don't send a token
[17:16] <ayoung> user has a key, signs the request, nova validates, not catalog
[17:16] <notmorgan> catalog is just discovery specific
[17:16] <notmorgan> if you don't know where nova is
[17:17] <notmorgan> you have to ask keystone
[17:17] <ayoung> yeah, send HMAC in a header, no token
[17:17] <ayoung> separate request for that
[17:17] <notmorgan> AND that data can change depending on your scope
[17:17] <notmorgan> the catalog is not static. it is scope-specific... so... ugh
[17:17] <ayoung> user still requests a token, just doesn't send it to nova
[17:17] <notmorgan> also services have scope in their urls :(
[17:17] <ayoung> or...requests something like a token
[17:18] <ayoung> just requests catalog as a signed request!
[17:18] <notmorgan> heh
[17:18] <ayoung> seriously
[17:18] <notmorgan> possible, just still icky and sad.
[17:18] <notmorgan> i am so sad the catalog isn't static
[17:18] <notmorgan> it should be
[17:18] <ayoung> user requests catalog as a signed request, scoped to project.  Holds on to that data as long as they plan
[17:18] <ayoung> Should be a DNS lookup
[17:18] <notmorgan> that too
[17:19] <notmorgan> but again, static data
[17:19] <notmorgan> not "if i look up this thing i get different data back because my scope is different)
[17:19] <notmorgan> s/\(/"
[17:19] <ayoung> what's the worst that can happen?  User sends request to a valid Nova server that they should not have sent it to?
[17:19] <notmorgan> well the issue is catalogs encode scope data in the catalog itself
[17:20] <ayoung> Oh.  Yeah.  That.
[17:20] <notmorgan> https://nova/{project_id}/....
[17:20] <notmorgan> and we don't actually generate a catalog w/o a token
[17:20] <ayoung> but if you sent it to the wrong end point, wouldn't nova just summarily reject it?
[17:20] <notmorgan> nope
[17:20] <notmorgan> it's security through obscurity
[17:20] <ayoung> Joy
[17:21] <ayoung> rapture
[17:21] <notmorgan> so we could work around it by doing a signed request to keystone that says gimme catalog
[17:22] <notmorgan> but we could totally get there now.
[17:22] <notmorgan> we have positioned things in a way that would just-work(tm)
[17:22] <notmorgan> if we wanted to do it
[17:22] <notmorgan> though KSM would need to store a nonce to avoid replay attacks
[17:23] <ayoung> notmorgan, short time out, I think, instead of nonce
[17:23] <notmorgan> but that could just be leaned on in cache + time-window for the request to limit exposure (since HMAC(endpoint, time, nonce, request-data, secret-id), secret-id
[17:23] <ayoung> yeah, that
[17:23] <notmorgan> i'd add a nonce, whether or not we do anything with it just for future proofing and make it so ksm *can* cache it and eliminate replay attacks
[17:24] <ayoung> What about Horizon?
[17:24] <notmorgan> initially, horizon would stay with tokens
[17:24] <notmorgan> but i bet with javascript we could create the signed request in the browser and not pass that secret to the server
[17:25] <ayoung> Oh, I like that
[17:25] <notmorgan> now the downside.
[17:25] <notmorgan> the BIG downside
[17:25] <notmorgan> you can't cache the validation
[17:25] <ayoung> I'm totally OK with that
[17:25] <notmorgan> the signed request validation
[17:26] <notmorgan> the way we get around nova->glance on your behalf is ksm gets a token from keystone and just sticks it in x-auth-token when talking to nova
[17:26] <notmorgan> we've separated concerns between user->service and service->service
[17:26] <notmorgan> we can work on making service->service better w/o breaking the user story then.
[17:26] <ayoung> only validate signed requests at the edges, not between Nova and Glance
[17:26] <notmorgan> but we can make the user experience better/more secure
[17:26] <ayoung> that is done like a service token
[17:26] <notmorgan> ayoung: ideally i would do that
[17:27] <notmorgan> but just as a bootstrap so less code change/churn in projects, pass a token in
[17:27] <notmorgan> make it a query-param to begin with and not the default behavior
[17:27] <ayoung> pseudotoken
[17:27] <notmorgan> and when (sigh) we microversion beyond it's need it is dropped
[17:27] <notmorgan> basically. yes
[17:28] <notmorgan> we could also require that token to only work w/ a service token
[17:28] <notmorgan> (somehow)
[17:28] <ayoung> unified delegation type thing
[17:28] <notmorgan> but in short, we split the concerns this way between user interactions and service interactions
[17:29] <notmorgan> and we eliminate the hell that is bearer tokens on the wire from/through an untrusted network
[17:29] <ayoung> body of a Fernet token, not signed by symkey, just returns "this is what you would get if this were a signed token"  coupled with "token from service user"
[17:29] <ayoung> it's why I wanted tokens with a single role in them
[17:29] <notmorgan> you'd still need a token that glance would get the data for/from.
[17:29] <notmorgan> but...
[17:29] <notmorgan> again... iterative work
[17:29] <notmorgan> fix the user->service thing
[17:29] <ayoung> pseudotoken
[17:30] <notmorgan> then fix service->service
[17:30] <ayoung> wouldn't have to go to Keystone to get it issued, Nova could generate and pass along
[17:30] <notmorgan> sure.
[17:30] <ayoung> wouldn't be signed,
[17:30] <notmorgan> ksm would just need to trust nova on the other end
[17:30] <notmorgan> i wrote that up and people hated it because "OMG NOVA CAN DO ANYTHING THEN"
[17:30] <notmorgan> "KEYSTONE MUST VALIDATE"
[17:31] <notmorgan> heck, i even wrote up a bit of code in lua to make ksm go away in the process.
[17:31] <ayoung> well, we could always force Nova to pass along the original signed request, if we're paranoid
[17:31] <notmorgan> so haproxy could do all the work at the edge
[17:31] <notmorgan> and nova/cinder/glance/etc could just trust each other
[17:32] <ayoung> and then force a rule that said "if user asks Nova to do X in project P, Nova can ask glance to do Y in Project P"
[17:32] <notmorgan> i had it all working too, was a pretty cool setup
[17:32] <ayoung> it's things like this that make me happy to be focused on Kubevirt these days...
[17:32] <notmorgan> no one was interested because "keystone mostly just works"
[17:33] * notmorgan shrugs
[17:57] <openstackgerrit> Sean Dague proposed openstack/keystone-specs master: WIP: block diag quota scenarios  https://review.openstack.org/441203
[18:00] <openstackgerrit> Sean Dague proposed openstack/keystone-specs master: WIP: block diag quota scenarios  https://review.openstack.org/441203
[18:09] <openstackgerrit> Sean Dague proposed openstack/keystone-specs master: WIP: block diag quota scenarios  https://review.openstack.org/441203
[18:33] <AJaeger> jamielennox: looking at tox.ini and your note about warnerrors: You can now use "warning-is-error" in the build_sphinx section. See https://review.openstack.org/441273 for a sample change...
[18:37] <gagehugo> AJaeger: https://review.openstack.org/#/c/439674/
[18:38] <gagehugo> AJaeger: has the upper-constraint for sphinx been changed to >= 1.5?
[18:38] <AJaeger> gagehugo: it has!
[18:38] <AJaeger> gagehugo: 12 hours ago ;)
[18:39] <gagehugo> AJaeger: cool! I'll update the patch set then
[18:39] <AJaeger> gagehugo: thanks for tackling this
[18:40] <gagehugo> :)
[18:50] <robcresswell> Okay, question: If you're requesting an unscoped token in a single domain model, you still have to supply a domain name as part of the request right? Keystone will error rather than fall back to a default?
[18:50] <robcresswell> I'm just poking the auth model with a stick to try and get some proper understanding
[18:53] <knikolla> robcresswell: yes. domain is required in v3 even in a single-domain model. you'll get back 400.
[18:54] <knikolla> robcresswell: unless you use user_id.
[18:56] <knikolla> http://paste.openstack.org/show/601366/
[18:58] <robcresswell> knikolla: Gotcha. Good to know.
[18:59] <robcresswell> What's the reason for not using the default domain if none is supplied? I was just curious, since an outside service has to have knowledge of the Keystone config to log in, right?
[19:00] <robcresswell> Either by assuming 'Default' or having a setting like Horizon does.
[19:02] <knikolla> I don't know the historical reason for that. I guess the less assumptions about the user and automagic the better. v2 does default to 'Default' domain since it doesn't support domains.
[19:03] <robcresswell> knikolla: Well, that comes down to the implicit vs explicit argument which applies to programming everywhere
[19:04] <robcresswell> It's just one of those slightly strange things IMO that the user has to know the name of the domain, even if there is only one
[19:04] <robcresswell> But then, it means less ambiguity for the keystone folk to debug
[19:05] <knikolla> robcresswell: true.
[19:05] <openstackgerrit> Sujitha proposed openstack/oslo.policy master: Allow multiline descriptions for RuleDefaults  https://review.openstack.org/441342
[19:22] <openstackgerrit> David Stanek proposed openstack/keystone-specs master: WIP: block diag quota scenarios  https://review.openstack.org/441203
[19:30] <dstanek> robcresswell: explicit is better than implicit
[19:31] <robcresswell> dstanek: Well, that's that debate solved then. I'll alert the internet :)
[19:31] <dstanek> robcresswell: don't worry the important people (Python programmers) already know
[19:32] <robcresswell> :(
[19:32] <dstanek> it's rule #2
[19:33] <robcresswell> ah yes
[19:33] <dstanek> my favorite command to give out is 'python -m this'
[19:34] <robcresswell> :o
[19:35] <robcresswell> Didn't know about that
[19:36] <robcresswell> I wonder how many apps out there have hardcoded a fallback to "Default" as the domain
[19:37] <robcresswell> bleurgh, I just said "apps"
[19:37] <robcresswell> programs*
[19:38] <knikolla> ayoung: arghhh… the tempest option is for admin_project_name, so i have to mock the list_projects api call in a lot of the tempest unit tests to get the project_id and do the assignment
[19:54] <openstackgerrit> Gage Hugo proposed openstack/keystoneauth master: Remove pbr warnerrors in favor of sphinx check  https://review.openstack.org/439797
[20:07] <openstackgerrit> Gage Hugo proposed openstack/keystone master: Remove pbr warnerrors in favor of sphinx check  https://review.openstack.org/439674
[20:15] <openstackgerrit> Gage Hugo proposed openstack/keystone-specs master: Remove pbr warnerrors in favor of sphinx check  https://review.openstack.org/439914
[20:15] <openstackgerrit> Sujitha proposed openstack/oslo.policy master: Allow multiline descriptions for RuleDefaults  https://review.openstack.org/441342
[20:22] <openstackgerrit> Gage Hugo proposed openstack/keystonemiddleware master: Added "warning-is-error" sphinx check for docs  https://review.openstack.org/439819
[20:39] <openstackgerrit> Merged openstack/pycadf master: Updated from global requirements  https://review.openstack.org/440451
[20:49] <openstackgerrit> Gage Hugo proposed openstack/python-keystoneclient master: Remove pbr warnerrors in favor of sphinx check  https://review.openstack.org/441468
[20:51] <openstackgerrit> Gage Hugo proposed openstack/keystone master: Change is_admin_project to False by default  https://review.openstack.org/438035
[20:53] <knikolla> rodrigods: feedback appreciated on this https://review.openstack.org/#/c/441469
[21:27] <openstackgerrit> Merged openstack/keystone master: Fix duplicate handling for user-specified IDs  https://review.openstack.org/438896
[22:50] <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone master: Updated from global requirements  https://review.openstack.org/439219
[23:05] <openstackgerrit> Merged openstack/keystone master: Remove password_expires_ignore_user_ids  https://review.openstack.org/438208