Tuesday, 2017-03-07

*** _cjones_ has quit IRC		00:21
*** _cjones_ has joined #openstack-keystone		00:21
*** aasthad has quit IRC		00:22
*** _cjones_ has quit IRC		00:26
*** liujiong has joined #openstack-keystone		00:27
*** zsli has joined #openstack-keystone		00:42
*** zsli has quit IRC		00:42
*** Shunli has joined #openstack-keystone		00:42
*** agrebennikov has quit IRC		00:53
*** zsli_ has joined #openstack-keystone		01:01
*** namnh has joined #openstack-keystone		01:03
*** Shunli has quit IRC		01:04
*** zhurong has joined #openstack-keystone		01:05
*** thorst has joined #openstack-keystone		01:17
openstackgerrit	Merged openstack/keystone master: API-ref return code fix https://review.openstack.org/442034	01:17
*** guoshan has joined #openstack-keystone		01:17
*** thorst has quit IRC		01:18
*** thorst has joined #openstack-keystone		01:27
*** lucasxu has joined #openstack-keystone		01:28
*** edmondsw has joined #openstack-keystone		02:00
*** edmondsw has quit IRC		02:00
*** edmondsw has joined #openstack-keystone		02:00
*** zsli__ has joined #openstack-keystone		02:01
*** zsli_ has quit IRC		02:03
*** erlon has quit IRC		02:15
*** markvoelker has quit IRC		02:16
openstackgerrit	Adrian Turjak proposed openstack/keystone master: Make name fields a consistent size of 255 https://review.openstack.org/440941	02:21
*** MasterOfBugs has quit IRC		02:21
*** pramodrj07 has quit IRC		02:22
*** ngupta has joined #openstack-keystone		02:26
*** thorst has quit IRC		02:33
*** thorst has joined #openstack-keystone		02:33
*** thorst has quit IRC		02:38
*** guoshan has quit IRC		02:42
*** ayoung has left #openstack-keystone		02:46
*** oomichi has quit IRC		02:50
*** oomichi has joined #openstack-keystone		02:50
*** edmondsw has quit IRC		02:55
*** edmondsw has joined #openstack-keystone		02:56
*** edmondsw has quit IRC		03:01
*** lucasxu has quit IRC		03:15
*** guoshan has joined #openstack-keystone		03:15
*** lucasxu has joined #openstack-keystone		03:24
*** lucasxu has quit IRC		03:24
*** rderose has quit IRC		03:32
*** thorst has joined #openstack-keystone		03:34
*** links has joined #openstack-keystone		03:35
*** thorst has quit IRC		03:38
*** browne has quit IRC		03:40
*** thorst has joined #openstack-keystone		03:56
*** thorst has quit IRC		03:56
*** guoshan has quit IRC		04:02
*** markvoelker has joined #openstack-keystone		04:16
*** markvoelker has quit IRC		04:21
*** ngupta has quit IRC		04:36
*** ngupta has joined #openstack-keystone		04:37
*** nicolasbock has quit IRC		04:38
*** ngupta has quit IRC		04:41
*** thorst has joined #openstack-keystone		04:57
*** thorst has quit IRC		05:02
*** guoshan has joined #openstack-keystone		05:03
*** guoshan has quit IRC		05:08
openstackgerrit	Merged openstack/keystone master: Revise conf param in releasenotes https://review.openstack.org/440894	05:20
*** nizam037 has joined #openstack-keystone		05:37
*** rcernin has joined #openstack-keystone		05:39
*** Jack_I has joined #openstack-keystone		05:44
*** markvoelker has joined #openstack-keystone		05:46
*** adriant has quit IRC		05:50
*** markvoelker has quit IRC		05:50
*** zsli__ has quit IRC		05:58
*** thorst has joined #openstack-keystone		05:58
*** zsli__ has joined #openstack-keystone		05:59
*** thorst has quit IRC		06:03
*** guoshan has joined #openstack-keystone		06:03
*** guoshan has quit IRC		06:08
*** tovin07 is now known as tovin07_at_work		06:08
*** guoshan has joined #openstack-keystone		06:10
*** rcernin has quit IRC		06:13
*** gyee has quit IRC		06:26
*** markvoelker has joined #openstack-keystone		06:36
*** richm has quit IRC		06:42
*** namnh has quit IRC		06:48
*** markvoelker has quit IRC		06:49
*** lamt has joined #openstack-keystone		06:51
*** h5t4 has joined #openstack-keystone		06:52
*** jaosorior has joined #openstack-keystone		06:54
*** jaosorior has quit IRC		06:54
*** zsli__ has quit IRC		06:56
*** zsli__ has joined #openstack-keystone		06:57
*** thorst has joined #openstack-keystone		06:59
*** bigjools_ is now known as bigjools		07:02
*** bigjools has joined #openstack-keystone		07:03
*** thorst has quit IRC		07:04
*** lamt has quit IRC		07:06
*** zsli__ has quit IRC		07:08
*** jrist has quit IRC		07:10
*** jrist has joined #openstack-keystone		07:12
*** namnh has joined #openstack-keystone		07:35
*** jaosorior has joined #openstack-keystone		07:40
*** tesseract has joined #openstack-keystone		07:47
*** pcaruana has joined #openstack-keystone		07:50
*** rcernin has joined #openstack-keystone		07:55
*** arturb_ has joined #openstack-keystone		07:56
*** arturb has quit IRC		07:57
*** thorst has joined #openstack-keystone		08:00
*** thorst has quit IRC		08:04
*** zzzeek has quit IRC		09:00
*** thorst has joined #openstack-keystone		09:01
*** zzzeek has joined #openstack-keystone		09:01
*** thorst has quit IRC		09:05
*** liujiong_lj has joined #openstack-keystone		09:10
*** liujiong has quit IRC		09:11
*** pnavarro has joined #openstack-keystone		09:17
*** mvk has quit IRC		09:21
*** liujiong_lj is now known as liujiong		09:22
*** sigmavirus has quit IRC		09:23
*** belmoreira has joined #openstack-keystone		09:24
*** woodburn has quit IRC		09:25
*** woodburn has joined #openstack-keystone		09:25
*** sigmavirus has joined #openstack-keystone		09:30
*** sigmavirus is now known as Guest81350		09:30
*** d0ugal has quit IRC		09:32
*** d0ugal has joined #openstack-keystone		09:35
*** jaosorior is now known as jaosorior_brb		09:43
*** tovin07_at_work has quit IRC		09:46
*** d0ugal has quit IRC		09:48
*** d0ugal has joined #openstack-keystone		09:50
*** mvk has joined #openstack-keystone		09:52
*** thorst has joined #openstack-keystone		10:02
*** guoshan has quit IRC		10:05
*** links has quit IRC		10:05
*** thorst has quit IRC		10:06
*** markvoelker has joined #openstack-keystone		10:10
*** namnh_ has joined #openstack-keystone		10:10
*** namnh has quit IRC		10:13
*** namnh_ has quit IRC		10:16
*** links has joined #openstack-keystone		10:19
*** liujiong has quit IRC		10:20
*** mvk has quit IRC		10:28
*** openstackgerrit has quit IRC		10:33
*** links has quit IRC		10:39
*** mvk has joined #openstack-keystone		10:41
*** Guest6667 is now known as Guest6666		10:43
*** links has joined #openstack-keystone		10:55
*** thorst has joined #openstack-keystone		11:02
*** thorst has quit IRC		11:07
*** richm has joined #openstack-keystone		11:12
*** jaosorior_brb is now known as jaosorior		11:16
*** edmondsw has joined #openstack-keystone		11:19
*** nicolasbock has joined #openstack-keystone		11:21
*** edmondsw has quit IRC		11:23
*** markvoelker has quit IRC		11:50
*** thorst has joined #openstack-keystone		12:03
*** thorst has quit IRC		12:08
*** pnavarro has quit IRC		12:14
*** dgonzalez has quit IRC		12:22
*** markvoelker has joined #openstack-keystone		12:23
*** catintheroof has joined #openstack-keystone		12:24
*** thorst has joined #openstack-keystone		12:34
*** ngupta has joined #openstack-keystone		12:41
*** ngupta has quit IRC		12:41
*** ngupta has joined #openstack-keystone		12:42
*** erlon has joined #openstack-keystone		12:43
*** zhurong has quit IRC		12:45
*** dave-mccowan has joined #openstack-keystone		12:56
*** edmondsw has joined #openstack-keystone		13:00
*** chlong has joined #openstack-keystone		13:00
*** edmondsw has quit IRC		13:06
*** openstackgerrit has joined #openstack-keystone		13:07
openstackgerrit	Sean Dague proposed openstack/keystone-specs master: WIP: block diag quota scenarios https://review.openstack.org/441203	13:07
*** edmondsw has joined #openstack-keystone		13:08
*** edmondsw has quit IRC		13:12
*** edmondsw has joined #openstack-keystone		13:14
*** edmondsw has quit IRC		13:14
*** edmondsw has joined #openstack-keystone		13:15
openstackgerrit	Sean Dague proposed openstack/keystone-specs master: WIP: block diag quota scenarios https://review.openstack.org/441203	13:15
*** akrzos is now known as guest2		13:25
*** guest2 is now known as akrzos		13:25
edmondsw	jamielennox I could be wrong but I think the new API guidelines are suggesting some improper service catalog usage	13:34
edmondsw	you might want to take a look at the comment I dropped in https://review.openstack.org/#/c/421846/6	13:34
edmondsw	lbragstad ^	13:34
*** zhurong has joined #openstack-keystone		13:36
edmondsw	lbragstad I know you missed the first couple days at the PTG when the API WG was meeting, but they have a decidedly different stance on microversions than keystone is taking, so you might want to read over the rst with that in mind	13:38
*** spilla has joined #openstack-keystone		13:39
*** links has quit IRC		13:51
*** raildo has joined #openstack-keystone		13:52
*** pnavarro has joined #openstack-keystone		13:53
*** ngupta has quit IRC		14:02
*** ngupta has joined #openstack-keystone		14:03
*** ngupta has quit IRC		14:07
*** Guest81350 is now known as sigmavirus		14:08
*** sigmavirus has quit IRC		14:09
*** sigmavirus has joined #openstack-keystone		14:09
openstackgerrit	Sean Dague proposed openstack/keystone-specs master: WIP: block diag quota scenarios https://review.openstack.org/441203	14:09
*** venki has joined #openstack-keystone		14:09
venki	i'm getting "An error occurred authenticating. Please try again later."	14:10
venki	while logging in..	14:11
venki	i'm using http://paste.openstack.org/show/601761/ local.conf	14:12
venki	unable to login in dashboard	14:13
venki	these are my credentials	14:14
venki	http://paste.openstack.org/show/601770/	14:14
*** lamt has joined #openstack-keystone		14:14
venki	Also when i check the screen(key) service log, it shows this http://paste.openstack.org/show/601771/	14:15
openstackgerrit	Dolph Mathews proposed openstack/keystone master: Revert "Handle disk write failure when doing Fernet key rotation" https://review.openstack.org/442513	14:16
*** zhurong has quit IRC		14:16
lbragstad	edmondsw jamielennox --	14:17
lbragstad	edmondsw dave-mccowan s/--/__	14:18
edmondsw	lbragstad ?	14:18
openstackgerrit	Ian Cordasco proposed openstack/keystoneauth master: Allow new cassettes to be recorded via fixture https://review.openstack.org/442516	14:19
lbragstad	edmondsw s/--/++ ;)	14:19
dolphm	i'm curious if anyone can correct me if i'm wrong on proposing the revert for "Handle disk write failure when doing Fernet key rotation" https://review.openstack.org/442513 (lbragstad?)	14:22
openstackgerrit	Dolph Mathews proposed openstack/keystone master: Revert "Handle disk write failure when doing Fernet key rotation" https://review.openstack.org/442513	14:23
*** jaosorior has quit IRC		14:24
lbragstad	dolphm checking	14:27
*** lamt has quit IRC		14:32
*** rderose has joined #openstack-keystone		14:36
*** agrebennikov has joined #openstack-keystone		14:47
*** ngupta has joined #openstack-keystone		14:50
*** jaosorior has joined #openstack-keystone		14:51
*** nicolasbock has quit IRC		15:03
*** lamt has joined #openstack-keystone		15:03
*** pnavarro has quit IRC		15:06
*** pcaruana has quit IRC		15:09
*** lucasxu has joined #openstack-keystone		15:11
openstackgerrit	Dolph Mathews proposed openstack/keystone master: Test for fernet rotation recovery after disk full https://review.openstack.org/442554	15:18
*** pcaruana has joined #openstack-keystone		15:23
*** ravelar has joined #openstack-keystone		15:23
*** dgonzalez has joined #openstack-keystone		15:24
*** phalmos has joined #openstack-keystone		15:29
dstanek	dolphm: lol	15:30
dstanek	"if my server is on fire keystone should still validate tokens"	15:31
lbragstad	dstanek all the uptime	15:31
dolphm	dstanek: new project tag, zero-downtime-during-apocalypse	15:32
dolphm	as usual, testing will be the hard part	15:33
dstanek	we will service all requests until the hard driver melts away	15:35
dstanek	that would be a cool tag though...you should propose it	15:36
dstanek	dolphm: in all seriousness. can't rotate just delete the broken stage key it if fails to write content to it?	15:37
dstanek	i'm not sure what that "fix" does after a quick skim	15:37
knikolla	o/	15:39
*** phalmos has quit IRC		15:41
dolphm	dstanek: probably, but it could be loaded in the mean time	15:42
dolphm	dstanek: i'm tempted to try to simplify the patch	15:42
lbragstad	dolphm you had some comments on https://review.openstack.org/#/c/439400/	15:42
lbragstad	dolphm it looks like you made those comments before you abandon the revert, do they still apply?	15:43
*** phalmos has joined #openstack-keystone		15:43
dolphm	lbragstad: i'll amend which are applicable	15:44
lbragstad	dolphm ok - cool	15:44
lbragstad	dolphm just checking	15:44
dolphm	lbragstad: looks like just one comment was wrong	15:45
*** aasthad has joined #openstack-keystone		15:45
*** adrian_otto has joined #openstack-keystone		15:46
*** lamt has quit IRC		15:50
openstackgerrit	Gage Hugo proposed openstack/keystone-specs master: Remove pbr warnerrors in favor of sphinx check https://review.openstack.org/439914	15:52
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Add Policy Documentation https://review.openstack.org/435078	15:54
lbragstad	antwash ^	15:57
*** jdennis has joined #openstack-keystone		15:58
*** jdennis1 has quit IRC		15:58
*** lamt has joined #openstack-keystone		16:00
antwash	lbragstad : http://paste.openstack.org/show/601797/	16:03
lbragstad	antwash ah - yes	16:04
lbragstad	antwash i completely forgot about the multiple URLs	16:04
lbragstad	antwash let me spin another update	16:04
antwash	lbragstad : cool, other than that LGTM :)	16:05
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Add Policy Documentation https://review.openstack.org/435078	16:06
lbragstad	antwash better ^	16:06
antwash	lbragstad: ++	16:06
antwash	thanks lance	16:07
*** dave-mccowan has quit IRC		16:10
*** dave-mccowan has joined #openstack-keystone		16:11
*** chris_hultin\|AWA is now known as chris_hultin		16:17
*** belmoreira has quit IRC		16:22
*** adu has joined #openstack-keystone		16:24
*** pcaruana has quit IRC		16:26
*** chris_hultin is now known as chris_hultin\|AWA		16:26
sigmavirus	Hey all, I'm trying to use ksa's betamax fixture in a newish project and ran into some bugs that are fixed in https://review.openstack.org/#/c/442516/ and https://review.openstack.org/#/c/442536/ ... could some keystone folk review and if possible release those fixes?	16:29
*** rcernin has quit IRC		16:30
*** markvoelker has quit IRC		16:37
*** lucasxu has quit IRC		16:38
*** tesseract has quit IRC		16:38
openstackgerrit	Anthony Washington proposed openstack/keystone master: Policy in code (part 4) https://review.openstack.org/435755	16:39
*** lucasxu has joined #openstack-keystone		16:40
*** h5t4 has quit IRC		16:40
*** adu has left #openstack-keystone		16:47
*** nicolasbock has joined #openstack-keystone		16:52
*** chris_hultin\|AWA is now known as chris_hultin		16:57
*** ngupta has quit IRC		17:06
*** ngupta has joined #openstack-keystone		17:07
*** knangia has joined #openstack-keystone		17:09
*** ngupta has quit IRC		17:10
*** ngupta has joined #openstack-keystone		17:10
*** markvoelker has joined #openstack-keystone		17:12
*** agrebennikov has quit IRC		17:14
openstackgerrit	Anthony Washington proposed openstack/keystone master: Policy in code (part 4) https://review.openstack.org/435755	17:15
*** lucasxu has quit IRC		17:16
*** phalmos has quit IRC		17:16
*** phalmos has joined #openstack-keystone		17:25
*** henrynash has joined #openstack-keystone		17:25
*** Jack_V has joined #openstack-keystone		17:25
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Support new hashing algorithms for securely storing password hashes https://review.openstack.org/438701	17:26
*** agrebennikov has joined #openstack-keystone		17:27
*** Jack_V has quit IRC		17:28
notmorgan	sigmavirus: +2/+A on both	17:29
*** Jack_I has quit IRC		17:29
notmorgan	sigmavirus: now... you'll need to bug lbragstad to do a release.	17:29
*** Jack_I has joined #openstack-keystone		17:29
sigmavirus	notmorgan: y'all don't have a release CPL?	17:29
sigmavirus	=P	17:29
notmorgan	no idea who it is if we do	17:29
sigmavirus	Also, thank you notmorgan	17:29
* notmorgan stays out of release stuff.		17:29
*** MasterOfBugs has joined #openstack-keystone		17:30
*** pramodrj07 has joined #openstack-keystone		17:30
*** jaosorior has quit IRC		17:30
lbragstad	sigmavirus nice - i'll review thsoe	17:30
*** lucasxu has joined #openstack-keystone		17:31
notmorgan	lbragstad: thye were super straightforward and mordred already +2'd them. so +2/+A now :)	17:31
sigmavirus	It's nice that working on betamax is so easy =P	17:31
lbragstad	sigmavirus notmorgan yeah - we haven't released ksa in about 3 weeks, so doing a release for pike wouldn't be a bad idea	17:32
notmorgan	sigmavirus: lol. more that KSA as long as you're not doing insane things in the requests parts is only a minor headache vs a major headache (not the requests part, the ksa on top of requests part)	17:33
notmorgan	and betamax plugs in nicely	17:33
sigmavirus	notmorgan: we're not	17:33
sigmavirus	We just have a custom auth plugin because the project doesn't want to tie itself to keystone because it's supposed to be sort of under the cloud	17:34
sigmavirus	although interested parties what a keystone UI plugin so it needs keystone integration	17:34
notmorgan	sigmavirus: oh neat. so KSA is providing something useful outside of keystone?	17:34
sigmavirus	makes my life easier for just using ksa's Betamax fixture	17:34
sigmavirus	notmorgan: yes	17:34
notmorgan	i.. wow	17:34
notmorgan	that makes me happy	17:34
sigmavirus	the auth plugin for it is nice and simple	17:34
sigmavirus	Made my life easier in being able to implement the auth nonsense so we can always use ksa and have keystonemiddleware on the server was super easy to	17:35
sigmavirus	*too	17:35
notmorgan	i've long considered yanking parts of that out of KSA and seeing if we could release something more in line with requests as a generic thing	17:35
sigmavirus	notmorgan: I think it works well at the moment as is	17:35
notmorgan	not just for openstack that is.	17:35
sigmavirus	then again, I followed ksa development for a whlie when it started so I suspect it making sense to me is only due to that	17:35
notmorgan	eh, KSA would be a lot better if two things happened	17:36
* sigmavirus nods		17:36
sigmavirus	pydocstyle is starting to adopt Flake8 3.x's noqa syntax and now I'm pondering pulling that out into a tiny library	17:36
notmorgan	1) we didn't raise on non-200s	17:36
notmorgan	and 2) if we could have wedged more into the adapter (some limitations there) instead of needing to wrap all of requests into the session	17:36
*** henrynash has quit IRC		17:37
sigmavirus	oh, don't get me wrong, I'm not a fan of the "Adapter" in ksa	17:37
sigmavirus	but that's just me	17:37
notmorgan	i wish all of ksa was just a requests adapter	17:37
notmorgan	so "use requests, and mount adapter"	17:37
sigmavirus	Not sure that'd work as well	17:38
notmorgan	it wouldn't	17:38
sigmavirus	Requests does a lot at the session level	17:38
sigmavirus	and a lot of other stuff at the transport level	17:38
notmorgan	that is why we couldn't do it	17:38
sigmavirus	yeah	17:38
*** prashkre has joined #openstack-keystone		17:38
sigmavirus	https://github.com/openstack/python-cratonclient/blob/master/cratonclient/auth.py#L169 is what we're using ksa with (when not using keystone)	17:38
notmorgan	it still doesn't make me wish that was the interface we could have used.	17:38
notmorgan	yeah the more i think about it the more keystoneauth's interface lets us just in-line auth with simple plugins.	17:39
notmorgan	it does make some openstack-y assumptions, but not a ton.	17:39
notmorgan	glad it's helping you out :)	17:40
*** erhudy has joined #openstack-keystone		17:42
sigmavirus	Was told "Hop on this project and make it use keystone for auth when configured... oh and make the client sensible please"	17:42
notmorgan	heh	17:45
notmorgan	lbragstad: the schedule for this weeks meeting looks a lot like last weeks?	17:48
notmorgan	oh nope	17:48
lbragstad	notmorgan yeah - there were some carry over topics	17:48
notmorgan	was a stale etherpad	17:48
notmorgan	it was identical... then i saw my browser say "disconnected"	17:48
notmorgan	sooo yeah	17:48
*** david-lyle_ has joined #openstack-keystone		17:52
*** david-lyle has quit IRC		17:54
*** david-lyle_ is now known as david-lyle		17:55
*** links has joined #openstack-keystone		18:01
*** david-lyle has quit IRC		18:04
*** david-lyle has joined #openstack-keystone		18:05
*** _cjones_ has joined #openstack-keystone		18:06
*** _cjones_ has quit IRC		18:15
*** _cjones_ has joined #openstack-keystone		18:20
*** david-lyle has quit IRC		18:23
*** david-lyle has joined #openstack-keystone		18:25
*** phalmos has quit IRC		18:27
*** raildo has quit IRC		18:29
*** david-lyle has quit IRC		18:29
*** raildo has joined #openstack-keystone		18:35
*** david-lyle has joined #openstack-keystone		18:36
*** mvk has quit IRC		18:36
*** phalmos has joined #openstack-keystone		18:44
*** h5t4 has joined #openstack-keystone		18:45
*** arunkant has quit IRC		18:45
openstackgerrit	Merged openstack/keystoneauth master: Allow new cassettes to be recorded via fixture https://review.openstack.org/442516	18:49
*** ngupta has quit IRC		18:53
*** ngupta has joined #openstack-keystone		18:53
*** ngupta has quit IRC		18:55
*** ngupta has joined #openstack-keystone		18:55
*** ayoung has joined #openstack-keystone		19:00
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Remove policy default spec https://review.openstack.org/442686	19:01
lbragstad	cc ayoung ^	19:03
notmorgan	lbragstad: +2/+A already	19:03
notmorgan	because meeting convo	19:03
lbragstad	notmorgan awesome - thanks	19:03
lbragstad	wfm	19:04
ayoung	+2A	19:04
*** david-lyle has quit IRC		19:04
lbragstad	gagehugo knikolla i've updated https://etherpad.openstack.org/p/keystone-weekly-meeting with next week's agenda I have you two up first	19:06
*** david-lyle has joined #openstack-keystone		19:06
lbragstad	gagehugo knikolla if you don't have anything by next week, that's totally fine.. I just want to make sure you have dedicated time to ask for help or reviews if you need them	19:06
gagehugo	lbragstad: sounds good, thanks	19:07
lbragstad	gagehugo no problem - let me know if there's anything else you need	19:07
*** mvk has joined #openstack-keystone		19:07
gagehugo	will do	19:08
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add in-code comment to clarify pattern in tests https://review.openstack.org/441187	19:10
openstackgerrit	Merged openstack/keystone-specs master: Remove policy default spec https://review.openstack.org/442686	19:44
sigmavirus	lbragstad: you haven't started the release process for ksa, right?	19:55
lbragstad	sigmavirus https://review.openstack.org/#/c/442536/ hasn't merged yet - so i haven't proposed a new release yet	19:55
lbragstad	sigmavirus you need something else included?	19:56
sigmavirus	i think I have another bug	19:56
sigmavirus	=/	19:56
sigmavirus	I need to figure that out first =)	19:56
lbragstad	\o/	19:56
lbragstad	sigmavirus ok	19:56
*** lucasxu has quit IRC		19:57
knikolla	lbragstad: ack	20:02
*** lucasxu has joined #openstack-keystone		20:04
*** links has quit IRC		20:09
lbragstad	if anyone is looking for some quick reviews - these should be trivial	20:12
lbragstad	https://review.openstack.org/#/c/439194/	20:12
lbragstad	https://review.openstack.org/#/c/439208/	20:12
lbragstad	https://review.openstack.org/#/c/439205/	20:12
lbragstad	https://review.openstack.org/#/c/435078/	20:13
*** simondodsley has joined #openstack-keystone		20:13
*** ayoung has quit IRC		20:16
*** agrebennikov has quit IRC		20:17
*** agrebennikov has joined #openstack-keystone		20:18
lbragstad	this looks ready to go - https://review.openstack.org/#/c/435609	20:25
*** _cjones_ has quit IRC		20:27
*** phalmos has quit IRC		20:37
*** pnavarro has joined #openstack-keystone		20:38
openstackgerrit	Merged openstack/keystone-specs master: Remove the fernet key store spec from backlog https://review.openstack.org/439194	20:38
openstackgerrit	Merged openstack/keystone-specs master: Remove centralized policies fetch cache spec https://review.openstack.org/439208	20:39
openstackgerrit	Merged openstack/keystone-specs master: Clarify bits of the alembic backlogged spec https://review.openstack.org/439205	20:39
spilla	lbragstad: think this is good to close? talked to stevemar a while back but we didn't reach a conclusion https://bugs.launchpad.net/keystone/+bug/1645910	20:40
openstack	Launchpad bug 1645910 in OpenStack Identity (keystone) "Trust creation for SSO users fails in assert_user_enabled" [Medium,In progress] - Assigned to Samuel Pilla (samuel.pilla)	20:40
lbragstad	spilla checking	20:41
*** h5t4 has quit IRC		20:41
lbragstad	spilla ah - yeah.. that would make sense with all federated users now having a domain_id	20:42
lbragstad	spilla I can update	20:42
spilla	lbragstad okay, thanks! :)	20:42
*** raildo has quit IRC		20:45
*** prashkre has quit IRC		20:55
*** jaugustine has joined #openstack-keystone		20:58
*** Jack_I has quit IRC		21:02
lbragstad	ravelar so what was the deal with https://review.openstack.org/#/c/427018/5 ?	21:03
lbragstad	cc dstanek rderose ^	21:03
dstanek	ravelar: so while technically that's correct. the fact responses can differ so wildly may be a sign of a problem	21:03
lbragstad	we're adding attributes to the api in specific cases, but I don't think that qualifies as breaking the api	21:04
ravelar	dstanek differ wildly?	21:04
ravelar	dstanek just need clarification cause its a single attribute so I am confused	21:05
rderose	yeah, it's pretty consistent	21:05
ravelar	its always added	21:05
rderose	there is only a difference between list and get	21:05
dstanek	i mean different between deployments	21:05
ravelar	There are only two possible outcomes. The user either had federated objects, so federated now has a list of those objects	21:06
ravelar	or there weren't any, in which case federated is an empty list	21:06
*** ngupta_ has joined #openstack-keystone		21:06
dstanek	ok, let's come at it from this angle. are we doing to add an ldap list?	21:07
lbragstad	dstanek adding an 'ldap' list to the user entity that contains ldap information?	21:07
rderose	for ldap/local list we are not returning a federated object	21:08
rderose	only for get	21:08
ravelar	yeah I am thinking about it like lbragstad so again confused	21:08
rderose	lbragstad: ?	21:08
dstanek	lbragstad: yes	21:09
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth master: Updated from global requirements https://review.openstack.org/439317	21:09
*** ngupta has quit IRC		21:10
dstanek	it's too late now since it's published. i think we just need to be more careful abeout adding things to the api like that	21:10
*** ngupta_ has quit IRC		21:11
lbragstad	rderose so with ravelar's work, we are adding a 'federated' section to the user reference, dstanek was asking if we were planning on doing the same for 'ldap'	21:11
dstanek	also do we a have the ability to have multiple federated objects?	21:12
rderose	dstanek: yes	21:12
rderose	the federated object is a list	21:12
rderose	lbragstad: yes, so if you are identity backend is ldap, the federated object would be included for a get api call	21:13
dstanek	rderose: with ldap information?	21:13
rderose	dstanek: the user object would be pulled from the ldap driver, so yes	21:14
rderose	dstanek: we just tack on the federated part	21:14
dstanek	what does the ldap object look like?	21:14
rderose	dstanek: which because we don't support account linking, the federated object would be an empty list	21:14
rderose	dstanek: it look the same as it does today, except it would have an extra federated attribute	21:15
lbragstad	we include it but we don't populate it	21:15
rderose	lbragstad: we call the shadow backend, so if there is federated data we'll populate it	21:15
ravelar	we simply don't populate the federated attribute to display back to the user that there isn't any federated objects associated with the user	21:15
rderose	but again, not possible without accounting linking	21:16
dstanek	rderose: no, i mean in the same way that we tack on an extra thing for federated attributes will we do that for ldap attributes?	21:16
rderose	dstanek: no, it's not the same. we essentially call the backend driver in core to get the ldap user and then tack on the federated object	21:17
lbragstad	but we hardcode it so that it's empty	21:17
rderose	lbragstad: no, not hardcoding	21:17
dstanek	that's partly my point. i'm disappointed that it's different	21:17
rderose	dstanek: how is it different	21:18
dstanek	we have embeded a key for a very spedific type of user in the user object	21:19
dstanek	i don't see the advantage of doing that	21:19
rderose	dstanek: no, that's not the case	21:19
rderose	dstanek: unless I'm misunderstanding you	21:20
rderose	lbragstad: https://review.openstack.org/#/c/426449/31/keystone/identity/core.py	21:20
dstanek	rderose: what is the advantage of putting it in the user over using federation specific api?	21:20
rderose	lbragstad: line 995	21:20
rderose	lbragstad: nothing hardcoded	21:21
lbragstad	rderose right - ok	21:21
lbragstad	rderose but that will only be populated for federated cases because it's relying on the shadow user api	21:21
rderose	dstanek: account linking, it's federated attributes can be thought of as user attributes	21:22
rderose	lbragstad: any federated attributes that were created for that user	21:22
rderose	lbragstad: so when you create a user, you can add the federated object	21:23
lbragstad	yep	21:23
rderose	dstanek: and I think the rationale is that a federated user is a user	21:23
dstanek	rderose: i see if differently. if you want to know about federated attributes i'd have a different place for you to go	21:24
rderose	dstanek: yeah, that was ayoung original thought I think, but not what we described in the spec	21:24
*** phalmos has joined #openstack-keystone		21:24
rderose	dstanek: https://github.com/openstack/keystone-specs/blob/master/specs/keystone/pike/support-federated-attr.rst	21:25
dstanek	rderose: i with i had paid more attention to that spec :-( we need to be careful when adding stuff to the existing objects.	21:25
dstanek	we need to have good usecases behind api changes	21:26
rderose	dstanek: sure	21:27
rderose	dstanek: and I think we do for this	21:27
dstanek	ugg...i really don't like the unique_id filter since that isn't really a part of the user	21:28
rderose	dstanek: already merged	21:28
rderose	it's part of the federated object for that user	21:28
dstanek	we don't IMO. there is nothing in that spec that couldn't be solved in federation specific apis	21:28
rderose	dstanek: that was alternative in the spec	21:29
dstanek	this is where i think terminology matters. it is not a part of the user at all it is part of a specify profile.	21:29
rderose	dstanek: to me it's more intuitive as part of the user api	21:29
dstanek	there is a user which has user things. then there is a federated user that has federation things. along with a remote user that has remote user things.	21:30
dstanek	rderose: but it isn't actually a part of the user. if i don't use federation what is my unique_id?	21:30
rderose	dstanek: no users are returned	21:31
dstanek	rderose: no, if i don't use federation what is my unique id?	21:31
rderose	dstanek: if you don't use federation then you won't create any users with a federated object	21:31
rderose	and the federated object would be an empty list	21:32
dstanek	the answer i was looking for is that i don't have a unique id	21:32
dstanek	which is correct right?	21:32
rderose	indicating that the user doesn't any federated attributes	21:32
*** ayoung has joined #openstack-keystone		21:32
dstanek	that asymmetry is what i don't like	21:33
*** ayoung has quit IRC		21:34
openstackgerrit	Merged openstack/keystoneauth master: Allow users to specify a serializer easily https://review.openstack.org/442536	21:36
*** ayoung has joined #openstack-keystone		21:37
rderose	dstanek: I sort of see your point, but again, to me the user api is a natural place for this. whether creating a local user or a federated user, I should be able to use the user api.	21:37
rderose	dstanek: and the spec was approved	21:38
dstanek	yes, unfortunately that's true	21:39
rderose	:)	21:39
dstanek	that's what i said earlier. we can't do much about it now, but we should learn from it and make sure we're more deliberate next time	21:39
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth master: Updated from global requirements https://review.openstack.org/439317	21:39
dstanek	the warning though is that people may call us on it and ask us why	21:40
rderose	dstanek: I don't know much more deliberate I could have been in that spec	21:40
rderose	its'	21:40
rderose	*it clearly shows as being part of the user object	21:40
dstanek	that's not what i mean. every api change should go through some extra scrutiny.	21:41
*** frontrunner has joined #openstack-keystone		21:41
rderose	dstanek: ok	21:41
dstanek	i mean 'we should be more deliberate in our api design' - otherwise we will end up needing microversions	21:41
rderose	dstanek: agree	21:42
rderose	lbragstad: this is how you would do account linking with an ldap user:	21:42
rderose	PUT /v3/users/{id}	21:42
rderose	{	21:42
rderose	"federated": {	21:42
rderose	"idp_id": "1789d1",	21:42
rderose	"protocols": [	21:42
rderose	{	21:42
rderose	"protocol_id": "saml2",	21:42
rderose	"unique_id": "jdoe"	21:42
rderose	}	21:42
rderose	]	21:42
rderose	}	21:42
rderose	}	21:42
dstanek	rderose: this is what paste is for :-)	21:42
rderose	:) sorry	21:43
dstanek	put or patch?	21:43
rderose	dstanek: ah, patch	21:43
dstanek	or you could have POSTed/PUTed (depending on desired semantics) to OS-FEDERATION/user/{id}	21:45
*** MasterOfBugs has quit IRC		21:47
*** pramodrj07 has quit IRC		21:47
*** MasterOfBugs has joined #openstack-keystone		21:47
*** pramodrj07 has joined #openstack-keystone		21:47
*** gyee has joined #openstack-keystone		21:47
lbragstad	rderose would the protocol id be saml2 for account linking ldap users?	21:52
*** dave-mcc_ has joined #openstack-keystone		21:53
dstanek	lbragstad: i don't think you can link ldap users	21:54
*** dave-mccowan has quit IRC		21:54
rderose	lbragstad: could be	21:54
dstanek	when i asked about that earlier the answer hinted that we could link a federated project to an ldap user	21:55
rderose	dstanek: you can add a federated object to a user	21:56
rderose	dstanek: that is what I was indicating in the snippet above	21:58
rderose	lbragstad: the client defines the protocol when creating the idp, so it doesn't have to be saml2	22:02
*** lucasxu has quit IRC		22:02
*** lucasxu has joined #openstack-keystone		22:03
rderose	lbragstad: and we validate that the idp and protocol exist for write API calls	22:03
*** dave-mcc_ has quit IRC		22:03
dstanek	rderose: i think lbragstad is asking how you add an ldap profile	22:06
dstanek	i have a sql user and i want to have them login through ldap and have them tied together	22:07
rderose	lbragstad dstanek: ah, right. we don't have a way to do that.	22:07
rderose	lbragstad dstanek: and I'm sure there would be a big demand for something like that	22:08
dstanek	rderose: that's part of why i think we need a larger 'account linking' method and deprecate the one that went in this cycle	22:08
rderose	maybe	22:09
rderose	but this would allow for a common use case of linking a user to their federated profile	22:09
dstanek	have two different ways to do the same thing?	22:10
rderose	we may never need to support linking sql to ldap	22:10
dstanek	rderose: the fact that it wasn't a part of the design considerations is problematic though	22:11
dstanek	this is why i commented that we special cased federated users	22:11
*** pnavarro has quit IRC		22:11
rderose	dstanek: I wasn't trying to solve account linking. but that being said, the data model can certainly support this type of account linking	22:11
*** spilla has quit IRC		22:11
dstanek	rderose: you were though right at least part of it	22:12
rderose	dstanek: the user response object would just need to change in order to support sql to ldap	22:12
dstanek	rderose: exactly! moar cruft is what i am afriad of	22:12
*** thorst has quit IRC		22:12
rderose	dstanek: with sql to ldap, what is the user name; if enable in sql but disabled in ldap...	22:14
rderose	dstanek: and again, I'm not sure we'd ever need/want to support that	22:15
rderose	dstanek: I think the harder question is what if I have a federated user and a local user and conflicting roles	22:15
rderose	dstanek: that's what I think we will need to solve with account linking	22:16
rderose	dstanek: and which user ID are we going to now use...	22:16
dstanek	rderose: any as long as the original ones are still valid	22:17
rderose	dstanek: true	22:19
dstanek	rderose: was there a requirement from somewhere to allow operators to add federated profiles to existing users?	22:21
*** adriant has joined #openstack-keystone		22:22
rderose	dstanek: it was part of the spec, but it didn't come from an operator	22:23
dstanek	rderose: was anyone asking for it?	22:23
rderose	dstanek: no	22:24
dstanek	that may be the first thing to do for specs. see if we have a business driven usecase. we have a lot of 'it would be cool if's in keystone	22:25
rderose	dstanek: well, this was part of our effort to make federation a first class citizen	22:26
rderose	dstanek: but agree in general	22:27
rderose	there definitely was feedback around how do I make concrete role assignments if my federated user doesn't exist yet, because they haven't authenticated	22:28
rderose	and from a API perspective, I think it would an odd experience to not allow you to create federated objects for existing users	22:30
rderose	*would be an	22:30
*** lucasxu has quit IRC		22:36
dstanek	rderose: we should probably follow up and see if they'll use it and give us feedback	22:37
rderose	dstanek: yeah, we should	22:39
*** lucasxu has joined #openstack-keystone		22:40
*** catintheroof has quit IRC		22:41
*** catintheroof has joined #openstack-keystone		22:42
*** catintheroof has quit IRC		22:47
*** henrynash has joined #openstack-keystone		22:55
*** henrynash has quit IRC		23:01
openstackgerrit	Anthony Washington proposed openstack/keystone master: Policy in code https://review.openstack.org/435609	23:02
*** erlon has quit IRC		23:05
*** phalmos has quit IRC		23:10
*** lucasxu has quit IRC		23:12
*** edmondsw has quit IRC		23:16
*** lamt has quit IRC		23:23
*** rvba has quit IRC		23:24
*** rvba has joined #openstack-keystone		23:25
*** rvba has quit IRC		23:25
*** rvba has joined #openstack-keystone		23:25
notmorgan	rderose: enabled/disabled is simple.	23:30
notmorgan	rderose: Enabled/Disabled in SQL is an override regardless of other settings.	23:30
notmorgan	redrobot: LDAP is used to check enabled/disabled if SQL is enabled (default). - only in the case of multiple account linkings (such as OIDC)	23:30
notmorgan	rderose: ^ not redrobot	23:30
* redrobot pokes head in		23:31
*** jaugustine has quit IRC		23:31
notmorgan	redrobot: sorry ;)	23:31
*** catintheroof has joined #openstack-keystone		23:32
notmorgan	rderose: so basically (SQL if > 1 link) OR (SQL if not LDAP)	23:32
notmorgan	rderose: we could rely on LDAP in the case of LDAP + Federated	23:32
*** rvba has quit IRC		23:32
notmorgan	rderose: so revised --- SQL unless LDAP "Remote" exists. If LDAP "remote" then LDAP. Federated relies on LDAP or SQL for "enabled"	23:33
notmorgan	?	23:33
*** rvba has joined #openstack-keystone		23:39
*** rvba has quit IRC		23:39
*** rvba has joined #openstack-keystone		23:39
*** chris_hultin is now known as chris_hultin\|AWA		23:40
*** ravelar has quit IRC		23:40
*** thorst has joined #openstack-keystone		23:45
adriant	notmorgan, Hey, been meaning to update you on MFA things in keystoneauth. I've been looking at it. I'm hoping to dedicate a few days to it later this month.	23:46
*** adrian_otto has quit IRC		23:52
*** edmondsw has joined #openstack-keystone		23:52
*** thorst has joined #openstack-keystone		23:55
*** edmondsw has quit IRC		23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!