Monday, 2017-03-20

jamielennox	notmorgan: if you're here i completely disagree on the api-keys	00:04
jamielennox	i have no problem calling them app-specific-passwords, i don't care about calling them secure bloby things	00:05
jamielennox	but i think sending the key to the service's api directly is a bad idea, and basically circumvents the token flow we've tried to make services do properly for the last few years	00:06
*** dave-mccowan has joined #openstack-keystone		00:14
*** catintheroof has joined #openstack-keystone		00:20
*** catintheroof has quit IRC		00:26
*** jamielennox is now known as jamielennox\|away		00:38
*** liujiong has joined #openstack-keystone		01:26
*** aojea has joined #openstack-keystone		01:40
*** aojea has quit IRC		01:45
*** markvoelker has joined #openstack-keystone		01:45
*** markvoelker has quit IRC		01:49
*** wangqun has joined #openstack-keystone		01:51
*** guoshan has joined #openstack-keystone		02:12
*** dave-mccowan has quit IRC		03:20
*** jamielennox\|away is now known as jamielennox		03:22
*** zhurong has joined #openstack-keystone		03:25
openstackgerrit	Merged openstack/oslo.policy master: Comment out the rule from generated sample-policy file https://review.openstack.org/447041	03:41
*** aojea has joined #openstack-keystone		03:42
*** aojea has quit IRC		03:46
*** guoshan has quit IRC		04:00
*** Dinesh_Bhor has joined #openstack-keystone		04:08
*** zhurong has quit IRC		04:16
*** links has joined #openstack-keystone		04:20
*** zhurong has joined #openstack-keystone		04:59
*** zhurong has quit IRC		05:14
*** aojea has joined #openstack-keystone		05:42
*** aojea has quit IRC		05:47
*** adriant has quit IRC		05:53
*** jaosorior has joined #openstack-keystone		06:04
openstackgerrit	Dinesh Bhor proposed openstack/python-keystoneclient master: Fix failing PY2 and PY3 gate jobs https://review.openstack.org/447377	06:17
*** aojea has joined #openstack-keystone		06:25
*** guoshan_ has joined #openstack-keystone		06:25
*** guoshan has joined #openstack-keystone		06:29
*** guoshan_ has quit IRC		06:29
*** guoshan has quit IRC		06:45
*** guoshan has joined #openstack-keystone		06:45
*** jaosorior has quit IRC		06:53
*** jaosorior has joined #openstack-keystone		06:55
*** jaosorior has quit IRC		07:14
*** jaosorior has joined #openstack-keystone		07:15
*** jaosorior has quit IRC		07:16
*** jaosorior has joined #openstack-keystone		07:19
openstackgerrit	Maciej Jozefczyk proposed openstack/keystonemiddleware master: Cross-region requests are not blocked by keystonemiddleware https://review.openstack.org/447396	07:24
*** voelzmo has joined #openstack-keystone		07:41
*** zhugaoxiao has quit IRC		07:57
*** zhugaoxiao has joined #openstack-keystone		07:58
*** tesseract has joined #openstack-keystone		07:58
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:00
*** pcaruana has joined #openstack-keystone		08:14
*** rdo has quit IRC		08:24
*** rdo has joined #openstack-keystone		08:26
openstackgerrit	Maciej Jozefczyk proposed openstack/keystonemiddleware master: Cross-region requests are not blocked by keystonemiddleware https://review.openstack.org/447396	08:34
openstackgerrit	Maciej Jozefczyk proposed openstack/keystonemiddleware master: Cross-region requests are not blocked by keystonemiddleware https://review.openstack.org/447396	08:53
*** openstackgerrit has quit IRC		09:02
*** wangqun has quit IRC		10:06
*** liujiong has quit IRC		10:09
*** nicolasbock has joined #openstack-keystone		10:12
*** openstackgerrit has joined #openstack-keystone		10:12
openstackgerrit	Stephen Finucane proposed openstack/oslo.policy master: Use Sphinx 1.5 warning-is-error https://review.openstack.org/446608	10:12
*** knangia has quit IRC		10:21
*** guoshan has quit IRC		10:27
*** dikonoor has joined #openstack-keystone		10:37
*** rmascena has joined #openstack-keystone		10:50
*** arturb has joined #openstack-keystone		10:50
*** dikonoor has quit IRC		10:51
*** ayoung has joined #openstack-keystone		11:05
*** zhurong has joined #openstack-keystone		11:17
*** pnavarro has joined #openstack-keystone		11:18
*** dikonoor has joined #openstack-keystone		11:24
*** zhurong has quit IRC		11:37
*** aojea has quit IRC		11:45
*** aojea has joined #openstack-keystone		11:46
*** dikonoor has quit IRC		11:48
*** aojea has quit IRC		11:50
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Speed up check_user_in_group for LDAP users https://review.openstack.org/447459	11:53
*** dikonoor has joined #openstack-keystone		11:58
*** ravelar has joined #openstack-keystone		12:00
*** dave-mccowan has joined #openstack-keystone		12:07
openstackgerrit	Richard Avelar proposed openstack/keystone master: Add group_members_are_ids to whitelisted options https://review.openstack.org/442048	12:09
*** edmondsw has joined #openstack-keystone		12:14
*** spilla has joined #openstack-keystone		12:25
*** aojea has joined #openstack-keystone		12:43
openstackgerrit	Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order https://review.openstack.org/437441	12:45
*** yuvalb has quit IRC		12:53
*** yuvalb has joined #openstack-keystone		12:54
*** catintheroof has joined #openstack-keystone		12:57
*** markvoelker has joined #openstack-keystone		13:01
*** lamt has joined #openstack-keystone		13:04
*** lamt has quit IRC		13:08
*** links has quit IRC		13:11
*** lamt has joined #openstack-keystone		13:12
*** lamt has quit IRC		13:16
*** lamt has joined #openstack-keystone		13:20
*** lamt has quit IRC		13:25
openstackgerrit	Richard Avelar proposed openstack/keystone master: Don't persist revocation events when deleting a role https://review.openstack.org/444424	13:27
*** erhudy has joined #openstack-keystone		13:34
lbragstad	dstanek jdennis any updates on this one here? https://review.openstack.org/#/c/422234/	13:38
*** guoshan has joined #openstack-keystone		13:39
jdennis	lbragstad: there doesn't appear to have been any activity since my last comment.	13:42
lbragstad	jdennis yeah - i was just catching up on the comments	13:43
*** clenimar has quit IRC		13:43
lbragstad	jdennis you didn't have an alternative patch somewhere did you? just curious because I found the snippets in the review helpful	13:43
jdennis	lbragstad: If I recall correctly Lance I just threw those snippets together in a little temp script	13:47
lbragstad	jdennis aha - cool, just double checking	13:47
*** lamt has joined #openstack-keystone		13:55
*** lamt has quit IRC		13:58
dstanek	lbragstad: no, waiting to see what we need to do there	13:58
*** guoshan has quit IRC		13:58
gagehugo	o/	13:59
*** prashkre has joined #openstack-keystone		14:00
lbragstad	dstanek gotcha - are we waiting on someone from webob?	14:00
*** lamt has joined #openstack-keystone		14:01
prashkre	lbragstad: Hi Lance. I have an issue with translation of messages. so while investigating found that https://github.com/openstack/keystone/blob/9a93c864a9201cffbd84b995ac7367e9aff5e147/keystone/common/wsgi.py#L790	14:02
prashkre	lbragstad: is calling on oslo_i18n module to translate messages, but oslo_i18n expecting message of type oslo_i18n._message.Message type to translate.	14:04
prashkre	so it simply bypassing translations.	14:04
lbragstad	prashkre o/	14:05
dikonoor	lbragstad: Hi..Do we know if keystone translations are working? From the code, it looks like it's getting skipped at the point prashkre has pointed out	14:05
lbragstad	dikonoor prashkre checking the code	14:05
*** knangia has joined #openstack-keystone		14:05
*** lamt has quit IRC		14:05
dstanek	lbragstad: i'll dig up my notes and update that review	14:06
*** guoshan has joined #openstack-keystone		14:06
lbragstad	dstanek i was reading through a few of the comments jdennis made	14:06
lbragstad	dstanek i thought about pushing a subsequent patch that addressed them - but I haven't made it that far yet ;)	14:07
lbragstad	dikonoor prashkre so this is the implementation of translate you're referencing - https://github.com/openstack/oslo.i18n/blob/master/oslo_i18n/_translate.py#L24-L49 ?	14:07
dikonoor	yeah]	14:07
prashkre	lbragstad: yes.	14:07
dstanek	prashkre: dikonoor: how is it being skipped?	14:08
dikonoor	and this is the check that fails >> https://github.com/openstack/oslo.i18n/blob/master/oslo_i18n/_translate.py#L45	14:08
prashkre	lbragstad: error messages we are passing are of unicode type and it is expecting oslo_i18n._message.Message type for translation.	14:09
dstanek	prashkre: you're saying that error.arg[0] isn't a message?	14:09
lbragstad	prashkre so https://github.com/openstack/oslo.i18n/blob/master/oslo_i18n/_translate.py#L45-L48 is never hit?	14:09
*** lamt has joined #openstack-keystone		14:09
lbragstad	if it isn't a message, it should be getting handled by the first if statement?	14:10
dikonoor	L45 is hit, L48 is not	14:10
lbragstad	_message.Message *	14:10
lbragstad	dikonoor what is the type of `error_message` here - https://github.com/openstack/keystone/blob/9a93c864a9201cffbd84b995ac7367e9aff5e147/keystone/common/wsgi.py#L789 ?	14:10
dstanek	lbragstad: i would expect that to be a message object based on how we create exceptions	14:11
dikonoor	it's of type unicode ..I think that's what L44 does >> # If the object to translate is not already translatable,	14:12
dikonoor	# let's first get its unicode representation	14:12
dikonoor	message = six.text_type(obj)	14:12
prashkre	lbragstad: it is unicode type	14:12
*** lamt has quit IRC		14:12
dstanek	dikonoor: is this in production or test?	14:12
lbragstad	i don't know if it's just me or not, but those two if/statements are confusing to understand right next to each other like that	14:12
dikonoor	test is where we found	14:12
lbragstad	because the first one get a unicode representation of the message if it's not already translated	14:13
dstanek	dikonoor: i don't think we translate in debug mode	14:13
lbragstad	gets*	14:13
dikonoor	dstanek: Could you elaborate whats the debug mode that you are referring to..?	14:14
dstanek	dikonoor: we don't translate during development - iirc	14:15
dikonoor	dstanek : I have keystone running inside httpd ..I see there are .mo files with translated messages generated..So I'd have expected trnalsation to work	14:16
*** lamt has joined #openstack-keystone		14:17
dikonoor	dstanek: Does the translation work for you?	14:19
dstanek	i'm also not sure if we translate messages over the API or just for logging	14:20
dstanek	dikonoor: looking how	14:20
dikonoor	ok	14:20
*** lamt has quit IRC		14:21
*** lamt has joined #openstack-keystone		14:23
*** lamt has quit IRC		14:24
*** agrebennikov has joined #openstack-keystone		14:25
dstanek	lbragstad: dikonoor: prashkre: i'm going to guess that they are not working for exceptions	14:32
dikonoor	dstanek: DO you think so because of the unicode type problem that prashkre was talking about?	14:32
dstanek	dikonoor: that's what is happening, but the question is why.... i think is is because https://github.com/openstack/keystone/blob/9a93c864a9201cffbd84b995ac7367e9aff5e147/keystone/server/wsgi.py#L25 needs to come before keystone.exception is imported	14:33
dstanek	lbragstad: i'm not sure why the default is not set to lazy. you'd think that everyone has similar import time issues	14:35
lbragstad	dstanek right - interesting	14:40
dstanek	dikonoor: prashkre: trying moving that above the keystone imports and see if it works	14:41
prashkre	dstanek: sure will try and let you know.	14:42
*** dikonoor has quit IRC		14:45
prashkre	dstanek: yes. it worked.	14:45
prashkre	dstanek: able to see translated messages.	14:46
*** lamt has joined #openstack-keystone		14:46
dstanek	prashkre: nice	14:46
lbragstad	prashkre dstanek sounds like we need to open a bug then?	14:46
ravelar	lbragstad we still use project_id and domain_id revocation for revoke_by_audit_chain_id right? https://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L255-L266	14:46
lbragstad	ravelar well - it doesn't look like it's used much - http://cdn.pasteraw.com/cx16u0vsn3kzak54qhvkklfpgg90141	14:48
lbragstad	ravelar revoke_chain defaults to False and is only set to True in tests	14:48
lbragstad	ravelar so it could be a behavior that we test for but don't actually expose	14:49
ravelar	lbragstad http://paste.openstack.org/show/603435/?	14:49
prashkre	dstanek: lbragstad: I will open a bug on translate messages issue.	14:49
ravelar	http://paste.openstack.org/show/603435/	14:49
ravelar	?	14:49
ravelar	sorry I put them together lol	14:49
lbragstad	prashkre awesome - thanks	14:49
dstanek	prashkre: thanks!	14:49
ravelar	lbragstad I see	14:50
lbragstad	ravelar another thing that we can do is run coverage on it and see if that's even tested	14:50
lbragstad	it looks like it is, but I don't think we can actually hit that branch of code through an API (i.e. a user can't dictate that behavior)	14:50
lbragstad	at least from what i can tell	14:50
lbragstad	which might be a good thing if we decide we want to prune it	14:51
ravelar	lbragstad, so when do we ever even revoke an audit_chian	14:51
ravelar	chain*	14:51
ravelar	other than the tests	14:51
*** lamt has quit IRC		14:54
lbragstad	ravelar that's a good question, we also have https://github.com/openstack/keystone/blob/9a93c864a9201cffbd84b995ac7367e9aff5e147/keystone/conf/token.py#L114-L124	14:55
lbragstad	ravelar which has some logic that is intertwined with the revocation API	14:55
*** lamt has joined #openstack-keystone		14:56
*** aselius has joined #openstack-keystone		14:57
*** lamt has quit IRC		14:57
*** jlopezgu has joined #openstack-keystone		15:00
*** pnavarro has quit IRC		15:01
*** chris_hultin\|AWA is now known as chris_hultin		15:02
*** lamt has joined #openstack-keystone		15:05
openstackgerrit	Richard Avelar proposed openstack/keystone master: Remove extra duplicate 'be' in description https://review.openstack.org/447536	15:05
*** rderose has joined #openstack-keystone		15:06
*** lamt has quit IRC		15:06
*** phalmos has joined #openstack-keystone		15:10
lbragstad	ravelar here is a list of all revoke_api usage I can see (excluding tests) http://cdn.pasteraw.com/lzkbprwec17bc5t15ldtc6vt4mxghax	15:15
*** pnavarro has joined #openstack-keystone		15:16
*** jamielennox has quit IRC		15:17
ravelar	lbragstad yeah, I figured the most that is happening has to be in providers so I am looking at the functions that use them and tracing up to the parent ones	15:17
lbragstad	ravelar these might not be needed anymore https://github.com/openstack/keystone/blob/9a93c864a9201cffbd84b995ac7367e9aff5e147/keystone/assignment/core.py#L221-L222 and https://github.com/openstack/keystone/blob/9a93c864a9201cffbd84b995ac7367e9aff5e147/keystone/assignment/core.py#L281	15:17
ravelar	lbragstad ahh another one, nice catch ha	15:18
lbragstad	ravelar i removed them, running tests now	15:20
*** richm has joined #openstack-keystone		15:22
*** lamt has joined #openstack-keystone		15:22
*** lamt has quit IRC		15:23
*** guoshan has quit IRC		15:24
openstackgerrit	Richard Avelar proposed openstack/keystone master: Don't persist rev event when deleting access token https://review.openstack.org/447549	15:26
lbragstad	dstanek about the py35 things we were talking about over the weekend, is that something we should just open a bug for?	15:29
lbragstad	dstanek if it only needs a couple testing bits, a spec might be a little heavy handed	15:29
openstackgerrit	Anthony Washington proposed openstack/oslo.policy master: oslopolicy-sample-generator description support https://review.openstack.org/443330	15:30
*** phalmos has quit IRC		15:30
notmorgan	lbragstad: audit_chain revokes were explicitly for the case of needing to kill all tokens that were subject to rescopes. It wasn't widely used except, perhaps, in a password change case?	15:32
notmorgan	or initially	15:32
lbragstad	cc ravelar ^	15:32
*** chlong has joined #openstack-keystone		15:33
lbragstad	notmorgan and that revokes based on the token's audit_id attribute, correct?	15:33
lbragstad	at least that's how i think it worked the last i checked	15:33
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Support new hashing algorithms for securely storing password hashes https://review.openstack.org/438701	15:34
notmorgan	it is intended to	15:34
notmorgan	so audit id is (audit_id, chain_audit_id)	15:35
*** lamt has joined #openstack-keystone		15:35
ravelar	notmorgan lbragstad ahh thanks! I was looking for what the history behind it was since now it looks like it isn't really used anywhere	15:35
notmorgan	if you revoke the chain, we look at the chain id, and if it doesn't exist we look at audit_id	15:35
notmorgan	the reason for audit_id to include a chain is so you can see the rescopes	15:35
notmorgan	and track a token to a specific auth	15:35
notmorgan	it doesn't show the direct parent, just the original auth's token_id	15:36
notmorgan	s/token_id/audit_id/	15:36
notmorgan	the idea is we should be able to revoke any/all tokens for a given auth	15:36
notmorgan	we shouldn't remove that functionality unless we're really dropping all revoke(s).	15:36
lbragstad	notmorgan i don't think we're going to do that	15:43
lbragstad	notmorgan i think we should start by pruning the unused revocation events from the implementation the best we can	15:43
lbragstad	http://cdn.pasteraw.com/mea0t4buhgnkwnggok2k81md5g7jsmj for example	15:43
lbragstad	^ passes tests for me locally	15:43
lbragstad	cc ravelar	15:43
ravelar	lbragstad nice	15:44
ravelar	lbragstad that is on top of https://review.openstack.org/#/c/444424/ right?	15:44
*** lamt has quit IRC		15:44
lbragstad	ravelar no - i just did that one off of master	15:45
*** jaosorior has quit IRC		15:45
ravelar	lbragstad ahh right, I saw assignment and role and thought we were talking about that patch	15:46
ravelar	cool, looks like your patch from awhile back does alot of this already now	15:47
lbragstad	ravelar nope - just started looking at places in keystone where we use the revocation API	15:47
*** lamt has joined #openstack-keystone		15:47
openstackgerrit	Gage Hugo proposed openstack/keystone-specs master: Add Project tags https://review.openstack.org/431785	15:49
*** lamt has quit IRC		15:50
*** links has joined #openstack-keystone		15:51
ravelar	lbragstad the best part is most of the revocation unit tests already cover the change by testing that the API returns the expected information or by checking the token no longer contains revoked info	15:51
*** lamt has joined #openstack-keystone		15:52
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove unnecessary revocation events https://review.openstack.org/447562	15:54
lbragstad	ravelar ^	15:54
lbragstad	ravelar feel free to steal that	15:54
*** links has quit IRC		15:55
*** links has joined #openstack-keystone		15:56
*** voelzmo has quit IRC		15:56
Tahvok	Can you run the bootstrap commands multiple times? Is it idempotent?	15:57
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove revocation API dependency from resource API https://review.openstack.org/447564	15:57
lbragstad	Tahvok yes - it should be	15:57
lbragstad	Tahvok we had a bug opened that we fixed in ocata and backported to both newton and mitaka https://bugs.launchpad.net/keystone/+bug/1647800	15:59
openstack	Launchpad bug 1647800 in OpenStack Identity (keystone) newton "keystone-manage bootstrap isn't completely idempotent" [High,Fix released] - Assigned to Lance Bragstad (lbragstad)	15:59
*** jaosorior has joined #openstack-keystone		15:59
Tahvok	Wait.. It was available in Mitaka as well?	16:00
Tahvok	Funny as it was not mentioned in ubuntu install guide	16:00
Tahvok	Doesn't matter as we're moving to Ocata now..	16:01
*** Aqsa has joined #openstack-keystone		16:02
lbragstad	Tahvok was bootstrap not idempotent for you?	16:02
lbragstad	Tahvok or did you notice an unexpected behavior?	16:03
*** voelzmo has joined #openstack-keystone		16:03
Tahvok	lbragstad: I didn't try. I just askend..	16:05
Tahvok	asked*	16:05
*** links has quit IRC		16:05
ravelar	lbragstad will do!	16:06
lbragstad	Tahvok sounds good	16:06
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove revocation API dependency from identity API https://review.openstack.org/447573	16:07
lbragstad	ravelar steal ^ that one, too	16:07
lbragstad	:)	16:07
*** phalmos has joined #openstack-keystone		16:09
lbragstad	ravelar here is my updated list of places that use the revoke_api - http://cdn.pasteraw.com/3azvey1zwdo5qyxwojeki9mip9hxfth	16:10
*** lamt has quit IRC		16:13
*** lamt has joined #openstack-keystone		16:14
*** tesseract has quit IRC		16:15
*** Aqsa has quit IRC		16:16
*** jamielennox has joined #openstack-keystone		16:19
*** lamt has quit IRC		16:19
*** jamielennox is now known as jamielennox\|away		16:21
openstackgerrit	Richard Avelar proposed openstack/keystone master: Don't persist rev event when deleting access token https://review.openstack.org/447549	16:23
*** pcaruana has quit IRC		16:27
*** lamt has joined #openstack-keystone		16:29
*** ravelar has quit IRC		16:34
*** lamt has quit IRC		16:40
*** lamt has joined #openstack-keystone		16:41
*** lamt has quit IRC		16:43
prashkre	lbragstad: dstanek: created bug https://bugs.launchpad.net/keystone/+bug/1674415 for translation of messages.	16:46
openstack	Launchpad bug 1674415 in OpenStack Identity (keystone) "keystone exception messages are not translating when locale is set" [Undecided,New]	16:46
*** voelzmo has quit IRC		16:47
*** voelzmo has joined #openstack-keystone		16:47
*** lamt has joined #openstack-keystone		16:48
*** MasterOfBugs has joined #openstack-keystone		16:49
*** ravelar has joined #openstack-keystone		16:49
Tahvok	According to the Ocata doc: https://docs.openstack.org/ocata/install-guide-ubuntu/keystone-verify.html	16:49
*** lamt has quit IRC		16:49
*** jaosorior has quit IRC		16:50
Tahvok	It says to remove the admin_token_auth from the keystone-paste.ini file. However, as I'm using the bootstrap mechanism, I don't need it in the first place (am I right?). So why it's in the config in the first place?	16:50
notmorgan	Tahvok: to prevent breaking people	16:52
Tahvok	You mean people who upgrade to Ocata? But they would use their old config anyway.	16:52
notmorgan	Tahvok: it comes down to folks who do upgrades, we need to telegraph the removals waaaay in advance, especially what is a "default" configuration that many folks do minor changes to (such as a the paste-ini)	16:52
*** jaosorior has joined #openstack-keystone		16:52
notmorgan	we're removing the actual class that the paste-ini would load. some people deploy paste-ini with config management (i.e. ansible)	16:53
notmorgan	so we throw a warning to ensure they know to remove it from the paste-ini.	16:53
notmorgan	you don't need it if you use bootstrap	16:53
notmorgan	but if we were to just drop the class, and the same paste-ini is used, keystone breaks and can't load at all	16:53
Tahvok	I'm not asking to remove the class	16:54
Tahvok	I'm asking to remove the configuration	16:54
notmorgan	right, but we're telling people we are removing the class	16:54
notmorgan	you are 100% a-ok removing it in the config	16:54
Tahvok	And it's completely fine if it won't be in the config, for people who upgrade - as they will use their workig configuration anyway..	16:55
notmorgan	it is in the config because people break when we change things there, unless we do it sloooooowly	16:55
Tahvok	Currently, as I see it, it only confuses new users. This config that comes from the Ocata package doesn't help anyone - not new users, as they need to remove it, not upgrading users, as they don't use it at all.	16:56
notmorgan	we don't do packaging	16:56
notmorgan	ftr	16:56
Tahvok	notmorgan: it's part of Ocata's branch: https://github.com/openstack/keystone/blob/stable/ocata/etc/keystone-paste.ini	16:57
notmorgan	right	16:58
notmorgan	we could not change octata's paste-ini realistically	16:58
notmorgan	the mechanism ubuntu is saying to use for setup is an old old old one	16:58
notmorgan	in pike we have removed it	16:58
notmorgan	it's one of those lag behind the times.	16:58
Tahvok	not for Ocata	16:58
notmorgan	ok, lets back up	16:59
Tahvok	Ubuntu is using bootstrap in ocata: https://docs.openstack.org/ocata/install-guide-ubuntu/keystone-install.html	16:59
notmorgan	1) it's out of pike	16:59
notmorgan	2) we can't change ocata	16:59
Tahvok	I see it's been removed for future release, so maybe less important now..	16:59
notmorgan	3) people didn't actually remove and still rely on the non-bootstrap form for setup so we're taking more aggressive action, it just takes time to do	16:59
notmorgan	yeah	17:00
notmorgan	it was something we couldn't "fix" for ocata, i see what you're asking now	17:00
Tahvok	I just bringed my thought that it was confusing new users..	17:00
notmorgan	but past ocata we can :)	17:00
notmorgan	and we have	17:00
notmorgan	in Pike it isn't in paste-ini by default, and i think it is Q where we remove it completely	17:00
Tahvok	Yes, and thanks for that!	17:00
notmorgan	and no longer even keep the class	17:00
*** voelzmo has quit IRC		17:01
notmorgan	the functionality is still there, which we will remove, but we can't until some deployment tools are fixed (triple-o being the big one)	17:01
notmorgan	we've specifically been asked to maintain the admin-token-thing until they are fixed (it's actuvely being worked on)	17:01
Tahvok	I just ansible modules will keep up with the changes.. Currently you can't really authenticate normally with them to keystone api v3	17:01
Tahvok	I just hope*	17:02
notmorgan	you can't? aren't ansible modules based on shade?	17:02
notmorgan	if so, shade absolutely can auth and work with v3.	17:02
notmorgan	mordred: ^ cc	17:02
Tahvok	notmorgan: they are. But apparently there are bugs in shade	17:02
* notmorgan blinks.		17:02
notmorgan	i've used shade with v3, fwiw	17:03
Tahvok	I know that. I'm speaking of the old mechanism, with admin token	17:03
notmorgan	oh yeah, admin token can't work with v3	17:03
Tahvok	It can.. You just need to work around it	17:03
notmorgan	it basically wasn't useful for anything except setting up a user	17:03
Tahvok	You need to specify env variable to use v3: OS_IDENTITY_API_VERSION: "3"	17:04
notmorgan	"can" and "work correctly and in a usable way" are two different things ;)	17:04
notmorgan	admin-token barely worked with v2 :P	17:04
Tahvok	Well, it was usable..	17:04
Tahvok	I'm just glad that admin token is finally gone..	17:04
notmorgan	well, it isn't "gone gone" but it is definitely not the way we test/run/do much of anything	17:04
notmorgan	and the default behavior is it is disabled/	17:05
Tahvok	And hooorrayy to that	17:05
Tahvok	Bootstrap is working really great for me	17:06
notmorgan	good to hear!	17:06
notmorgan	:)	17:06
Tahvok	lbragstad: and it appears to be actually idempotent	17:06
notmorgan	yeah we had some bugs on bootstrap for that	17:06
notmorgan	but it was a goal to make it idempotent	17:06
lbragstad	Tahvok awesome!	17:08
Tahvok	lbragstad: https://lh3.googleusercontent.com/-COhJs-KaiUE/WNAB0fbNJSI/AAAAAAAABWs/md2HXNIR1coOeoUAnKNFUvA3CrB0BqIQQCL0B/h182/2017-03-20.png	17:09
openstackgerrit	Anthony Washington proposed openstack/keystone master: Minor cleanup for 435609 https://review.openstack.org/447606	17:11
openstackgerrit	Anthony Washington proposed openstack/keystone master: Minor clean up for 435751 https://review.openstack.org/447607	17:12
*** rmascena_ has joined #openstack-keystone		17:16
*** rmascena has quit IRC		17:17
*** agrebennikov has quit IRC		17:23
*** rmascena_ is now known as rmascena		17:25
*** agrebennikov has joined #openstack-keystone		17:31
*** jaosorior has quit IRC		17:35
*** chlong has quit IRC		17:42
*** masber has quit IRC		17:43
*** masber has joined #openstack-keystone		17:46
*** ravelar has quit IRC		17:50
*** ravelar has joined #openstack-keystone		18:01
*** masber has quit IRC		18:05
*** chris_hultin is now known as chris_hultin\|AWA		18:07
*** catintheroof has quit IRC		18:08
*** catintheroof has joined #openstack-keystone		18:08
openstackgerrit	Richard Avelar proposed openstack/keystone master: Policy in code https://review.openstack.org/435609	18:12
*** prashkre has quit IRC		18:14
*** adrian_otto has joined #openstack-keystone		18:17
*** browne has joined #openstack-keystone		18:21
knikolla	o/	18:22
*** jamielennox\|away is now known as jamielennox		18:24
lbragstad	gagehugo couple last questions/comments about my tags discussion with edleafe https://review.openstack.org/#/c/431785/12/specs/keystone/pike/project-tags.rst	18:36
lbragstad	cc notmorgan rodrigods ^	18:37
rodrigods	lbragstad, cool, will take a look later today	18:41
*** gus has quit IRC		18:41
*** gus has joined #openstack-keystone		18:45
gagehugo	lbragstad: got a meeting in a few but I'll take a look	18:49
*** david-lyle_ has joined #openstack-keystone		18:52
*** david-lyle has quit IRC		18:52
*** david-lyle_ is now known as david-lyle		18:53
*** lamt has joined #openstack-keystone		18:55
*** masber has joined #openstack-keystone		18:58
*** lamt has quit IRC		18:59
*** lamt has joined #openstack-keystone		19:03
*** Aqsa has joined #openstack-keystone		19:03
*** lamt has quit IRC		19:11
notmorgan	lbragstad: i just replied to one of your comments/question	19:12
notmorgan	s	19:12
lbragstad	notmorgan cool - thanks	19:13
*** chris_hultin\|AWA is now known as chris_hultin		19:17
*** masber has quit IRC		19:17
*** gyee has joined #openstack-keystone		19:20
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Support new hashing algorithms for securely storing password hashes https://review.openstack.org/438701	19:21
*** aojea has quit IRC		19:22
*** aojea has joined #openstack-keystone		19:22
*** lamt has joined #openstack-keystone		19:24
*** aojea has quit IRC		19:27
*** lamt has quit IRC		19:33
*** adrian_otto has quit IRC		19:34
openstackgerrit	Rob Crittenden proposed openstack/keystone master: Include the requested URL in authentication errors https://review.openstack.org/446720	19:43
*** masber has joined #openstack-keystone		19:50
*** voelzmo has joined #openstack-keystone		19:51
*** voelzmo has quit IRC		19:56
*** lamt has joined #openstack-keystone		20:00
*** lamt has quit IRC		20:04
*** masber has quit IRC		20:13
gagehugo	lbragstad: interesting, thanks for clarifying with edleafe	20:14
*** dave-mcc_ has joined #openstack-keystone		20:15
gagehugo	lbragstad: so is the consensus that we should focus on limiting via # per request rather than # per project? (as like you said, maintaining a large list almost limits itself)	20:15
*** rakhmerov has quit IRC		20:15
*** rakhmerov__ has joined #openstack-keystone		20:15
*** kencjohnston_ has joined #openstack-keystone		20:15
*** knangia_ has joined #openstack-keystone		20:15
gagehugo	you can change the entire list by the # limit, but add more if you wish?	20:16
lbragstad	gagehugo i tend to lean that way - because it's less validation for us to do and it provides a faster implementing without having to calculate existing tags	20:16
lbragstad	but i am still waiting to hear what others say about that specific approach	20:16
*** waj334_ has joined #openstack-keystone		20:16
lbragstad	gagehugo if you do PUT /v3/projects/{project_id}/tags and supply a list ['foo', 'bar', 'baz'] those will be the tags for that project	20:17
*** adrian_otto has joined #openstack-keystone		20:17
gagehugo	lbragstad: if we follow the WG spec, yes	20:17
gagehugo	also I am fine with that implementation, it would be nice to avoid having to validate every single call multiple times	20:17
gagehugo	for tags	20:18
lbragstad	gagehugo if you make a subsequent call with PUT /v3/projects/{project_id}/tags ['foo', 'bar', 'baz', 'qux'] then entire list is rewritten	20:18
gagehugo	yea	20:18
lbragstad	but I can also do PUT /v3/projects/{project_id}/tags/foo, PUT /v3/projects/{project_id}/tags/bar, PUT /v3/projects/{project_id}/tags/baz, PUT /v3/projects/{project_id}/tags/qux	20:18
*** Aurelgad1o has joined #openstack-keystone		20:19
gagehugo	yea	20:20
*** aloga_ has joined #openstack-keystone		20:21
*** DuncanT_ has joined #openstack-keystone		20:22
*** jmccrory_ has joined #openstack-keystone		20:22
lbragstad	so - the possibility for things to get out of hand is there	20:22
*** John341_ has joined #openstack-keystone		20:22
lbragstad	if a user exceeds the total number of tags we allow to be modified in a single PUT request	20:22
*** Tahvok_ has joined #openstack-keystone		20:23
*** aojea has joined #openstack-keystone		20:23
*** bauruine_ has joined #openstack-keystone		20:24
*** lunarlamp has joined #openstack-keystone		20:24
gagehugo	for that case, looking at nova they return a 403 for instance tags, but neutron returns a 400 for network tags	20:24
*** markd_ has joined #openstack-keystone		20:26
gagehugo	if it exceeds the total number allowed in a single request when doing a PUT request	20:27
*** aojea has quit IRC		20:28
*** knangia has quit IRC		20:29
*** dave-mccowan has quit IRC		20:29
*** mvk has quit IRC		20:29
*** bauruine has quit IRC		20:29
*** DuncanT has quit IRC		20:29
*** Aurelgadjo has quit IRC		20:29
*** waj334 has quit IRC		20:29
*** aloga has quit IRC		20:29
*** mdavidson has quit IRC		20:29
*** jmccrory has quit IRC		20:29
*** John341 has quit IRC		20:29
*** kencjohnston has quit IRC		20:29
*** mariusv has quit IRC		20:29
*** Tahvok has quit IRC		20:29
*** Tahvok_ is now known as Tahvok		20:29
*** jmccrory_ is now known as jmccrory		20:29
*** lunarlamp is now known as mariusv		20:29
*** knangia_ is now known as knangia		20:29
*** waj334_ is now known as waj334		20:29
*** mvk has joined #openstack-keystone		20:29
lbragstad	gagehugo the guidelines say that we should return a 400 Bad Request if the number of tags in the request exceeds the limit, right?	20:30
gagehugo	lbragstad yeah	20:31
gagehugo	which seems right imo	20:31
*** DuncanT_ is now known as DuncanT		20:32
*** dave-mcc_ is now known as dave-mccowan		20:33
lbragstad	jamielennox does this make sense? https://bugs.launchpad.net/keystonemiddleware/+bug/1672696	20:37
openstack	Launchpad bug 1672696 in keystonemiddleware "Cross-region requests are not blocked by keystonemiddleware" [Undecided,New] - Assigned to Maciej Jozefczyk (maciej.jozefczyk)	20:37
*** ravelar has quit IRC		20:40
jamielennox	lbragstad: umm, IMO not really	20:41
*** pnavarro has quit IRC		20:42
lbragstad	jamielennox you can setup services to be per region,	20:42
jamielennox	there's no way for keystonemiddleware to know what region it's in, and what region it was contacted in	20:42
jamielennox	it's just receiving requests	20:42
lbragstad	jamielennox yeah - we also don't scope tokens to regions in anyway	20:42
jamielennox	there's things like keystone is looked up in catalog, and we should probably have a region config for that	20:43
jamielennox	but no-one's ever cared	20:43
jamielennox	but there's no real way to say that this token should only be available in this region	20:43
*** adriant has joined #openstack-keystone		20:44
knikolla	does any service so far make use of x-service-token to restrict api calls?	20:46
notmorgan	lbragstad: I am.against leveraging the catalog to block access	20:47
jamielennox	knikolla: not really as yet, there is some needed work on oslo.policy and such to make some rules that can make this possibl e	20:48
jamielennox	which i would love some help with as i don't have much time to be in it atm	20:48
jamielennox	:)	20:48
knikolla	jamielennox: yep, i ran a codesearch and the only thing i found is a nova patch to make nova start using it when nova makes the calls.	20:50
knikolla	that broke some things i'm doing with k2k	20:50
jamielennox	knikolla: they do that for the token expiration stuff, which is good, but we need somethings in for example nova's policy that say this function can only be called with a service token	20:51
jamielennox	knikolla: broke k2k? how?	20:51
knikolla	jamielennox: i maintain a proxy that routes calls between openstack services in separate deployments using k2k for auth.	20:51
lbragstad	notmorgan that makes sense - if they wanted to limit the expose of services in specific regions that would have to be done by associating a region to the service, no?	20:51
notmorgan	not sure how that would work either, but... I mean, sure?	20:52
jamielennox	lbragstad: right, it's not a problem to use a token across regions, it just means you need to have things configured correctly	20:52
knikolla	jamielennox: and i only have mappings for users, as i don't want services to be admins in different clouds. so service token doesn't validate.	20:53
notmorgan	jamielennox: they want the opposite, to filter out things and not have it auth, I think?	20:53
lbragstad	jamielennox notmorgan i think that's how i understood it?	20:53
*** aojea has joined #openstack-keystone		20:54
jamielennox	yea, i'm not sure what taht would mean, we'd need to basically do endpoint filtering to make sure the endpoint that ksm thinks it is is somewhere in the catalog	20:54
jamielennox	and we rejected that concept when gyee wanted it	20:54
jamielennox	knikolla: you're doing k2k for service users?	20:55
jamielennox	service-token is really only something that is going to be relevant to the cloud that it's on	20:55
jamielennox	i don't see (atm) nova talking to a glance in a differnet cloud	20:56
knikolla	jamielennox: no, i don't need to for now. services use the user's token for communication between them.	20:56
knikolla	jamielennox: with a proxy it can. it can even boot from images and attach volumes in ceph from stuff in other clouds.	20:57
knikolla	but if the attaching a volume flow requires a service token, i'll have to figure something out.	20:58
*** david_cu has joined #openstack-keystone		21:00
*** sebie01 has joined #openstack-keystone		21:06
*** chris_hultin is now known as chris_hultin\|AWA		21:11
*** aojea has quit IRC		21:11
*** aojea has joined #openstack-keystone		21:12
*** aojea has quit IRC		21:16
openstackgerrit	Anthony Washington proposed openstack/oslo.policy master: oslopolicy-sample-generator description support https://review.openstack.org/443330	21:17
mordred	Tahvok: if you hit shade bugs that block you from getting things done, please let me know (or feel free to spam the #openstack-shade channel) - there's always a billion things to balance on any given day, but we try to respond to user problems as quickly as we can	21:23
*** aojea has joined #openstack-keystone		21:25
* lbragstad dangles https://review.openstack.org/#/c/443330/ in front of everyone to go review		21:26
* mordred hands lbragstad a pie		21:30
*** spilla has quit IRC		21:31
lbragstad	antwash one final comment on https://review.openstack.org/#/c/443330/ that we can address separately - but if you tack it onto the existing review that'd be fine, too	21:32
antwash	awe yeah, cool -- I add a release note about the DocumentedDefaultRule	21:33
antwash	s/I/I will	21:34
*** sebie01 has quit IRC		21:52
openstackgerrit	Lance Bragstad proposed openstack/keystone master: define Response charset https://review.openstack.org/447712	21:59
*** dave-mccowan has quit IRC		22:12
*** aojea has quit IRC		22:19
*** aojea has joined #openstack-keystone		22:20
*** aojea has quit IRC		22:24
*** edmondsw has quit IRC		22:26
openstackgerrit	Merged openstack/keystone master: Remove extra duplicate 'be' in description https://review.openstack.org/447536	22:26
*** ravelar has joined #openstack-keystone		22:28
*** masber has joined #openstack-keystone		22:45
*** donu7 has joined #openstack-keystone		22:55
donu7	Hello, is this channel appropriate for keystone related troubleshooting ?	22:55
*** phalmos has quit IRC		22:58
*** aselius has quit IRC		23:00
*** rmascena has quit IRC		23:04
*** lespaul has joined #openstack-keystone		23:07
lespaul	Hello. I'm using Keystone with Swift. When reloading the Proxy server, I'm getting a Keystone plugin password not found. Any ideas what could be causing this? http://paste.openstack.org/show/603519/	23:12
*** catintheroof has quit IRC		23:13
*** masber has quit IRC		23:32
*** jamielennox is now known as jamielennox\|away		23:36
*** jamielennox\|away is now known as jamielennox		23:40
*** gyee_ has joined #openstack-keystone		23:41
*** gyee has quit IRC		23:43
*** dave-mccowan has joined #openstack-keystone		23:44

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!