eandersson_ | Having some weird behavior with keystoneauth1 and nova/compute. It's stuck at POST: https://keystone:35357/v3/auth/tokens for about 30 seconds | 00:11 |
---|---|---|
eandersson_ | only when creating the os image (downloading & creating) | 00:11 |
*** thorst has joined #openstack-keystone | 00:12 | |
*** thorst has quit IRC | 00:13 | |
dstanek | eandersson_: do you see any keystone logging? | 00:19 |
*** oomichi has quit IRC | 00:19 | |
eandersson_ | nothing out of the ordinary - I don't have debug logs enabled unfortunately | 00:19 |
eandersson_ | I don't think this is a keystone issue though | 00:20 |
eandersson_ | requests are all successful | 00:20 |
eandersson_ | I added some logging here (before/after) the self.session.request() | 00:21 |
eandersson_ | https://github.com/openstack/keystoneauth/blob/stable/mitaka/keystoneauth1/session.py#L503 | 00:21 |
dstanek | eandersson_: how do you know that it's that post that is slow? | 00:21 |
eandersson_ | http://paste.openstack.org/show/aKgvCZKBbhsdLv5oIMSc/ | 00:21 |
eandersson_ | That is the result | 00:21 |
eandersson_ | No other keystone calls are slow, and this happens while the image is downloaded from Glance, so I rather believe that it's some sort of threading issue. | 00:23 |
*** oomichi has joined #openstack-keystone | 00:23 | |
dstanek | eandersson_: it could be.. does the client use thread? i haven't looked into it that deeply | 00:25 |
eandersson_ | Yea - it's a threaded call | 00:25 |
eandersson_ | It's trying to create ports while creating/downloading the image. | 00:25 |
dstanek | eandersson_: you could look at the apache logs for keystone to see if that POST succeeds before the client logs it | 00:25 |
eandersson_ | Good idea | 00:26 |
*** lucasxu has joined #openstack-keystone | 00:26 | |
openstackgerrit | Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order https://review.openstack.org/437441 | 00:32 |
*** adrian_otto has quit IRC | 00:33 | |
dstanek | ok, back to messing with the tests again | 00:34 |
*** catintheroof has joined #openstack-keystone | 00:35 | |
*** thorst has joined #openstack-keystone | 00:43 | |
*** nkinder has joined #openstack-keystone | 00:45 | |
*** gyee has quit IRC | 00:47 | |
eandersson_ | dstanek: looks like keystone answers as expected, but for some reason keystoneauth/requests keeps blocking for 30s | 00:52 |
eandersson_ | and when neutron finally can make its call it's hitting the timeout that is currently set to 30s | 00:52 |
*** tovin07 has joined #openstack-keystone | 00:52 | |
*** jamielennox is now known as jamielennox|away | 00:54 | |
eandersson_ | It's such an odd issue... and for some reason the puppet module sets the requests timeout to 30s for neutron (but nowhere else?!) | 00:54 |
eandersson_ | https://github.com/openstack/puppet-nova/blob/master/manifests/network/neutron.pp#L21 | 00:54 |
dstanek | eandersson_: are you able to come up with a minimal command line example that i could debug? | 00:56 |
eandersson_ | Unfortunately not | 00:57 |
dstanek | it is only through puppet? | 00:58 |
eandersson_ | Nah - so this is happening when I am creating a VM with an image that is large (e.g. Windows image). | 00:58 |
dstanek | puppet and i are no longer on speaking terms | 00:58 |
eandersson_ | hah | 00:58 |
*** jamielennox|away is now known as jamielennox | 00:59 | |
dstanek | eandersson_: i'll play around in a little bit and see if i can replicate | 00:59 |
eandersson_ | Thanks - sorry know it's an odd one | 00:59 |
eandersson_ | Probably not related to Keystone, or at the very least it seems more likely to be a threading issue. | 01:00 |
dstanek | eandersson_: yeah, but it's got me interested :-) | 01:00 |
eandersson_ | https://github.com/openstack/nova/blob/stable/mitaka/nova/network/neutronv2/api.py#L256 | 01:01 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move user policies to DocumentedRuleDefault https://review.openstack.org/449240 | 01:01 |
eandersson_ | That is the api call that tries to make the two calls I posted earlier. | 01:02 |
*** thorst has quit IRC | 01:02 | |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move identity provider to DocumentedRuleDefault https://review.openstack.org/449275 | 01:02 |
eandersson_ | Which originates from this call https://github.com/openstack/nova/blob/stable/mitaka/nova/compute/manager.py#L1545 | 01:03 |
*** namnh has joined #openstack-keystone | 01:03 | |
*** liujiong has joined #openstack-keystone | 01:08 | |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move endpoint group to DocumentedRuleDefault https://review.openstack.org/449273 | 01:09 |
*** thorst has joined #openstack-keystone | 01:11 | |
*** thorst has quit IRC | 01:11 | |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move implied role policies to DocumentedRuleDefault https://review.openstack.org/449246 | 01:12 |
*** markvoelker has quit IRC | 01:13 | |
*** markvoelker has joined #openstack-keystone | 01:14 | |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move auth to DocumentedRuleDefault https://review.openstack.org/449336 | 01:14 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move policy association to DocumentedRuleDefault https://review.openstack.org/449344 | 01:19 |
*** knangia has quit IRC | 01:21 | |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move group policies to DocumentedRuleDefault https://review.openstack.org/449237 | 01:23 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move region policies to DocumentedRuleDefault https://review.openstack.org/449213 | 01:24 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move trust to DocumentedRuleDefault https://review.openstack.org/449278 | 01:24 |
*** timburke has quit IRC | 01:25 | |
*** AndyWojo has quit IRC | 01:25 | |
*** hugokuo has quit IRC | 01:25 | |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move role policies to DocumentedRuleDefault https://review.openstack.org/449251 | 01:25 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move token revocation to DocumentedRuleDefault https://review.openstack.org/449255 | 01:27 |
*** AndyWojo has joined #openstack-keystone | 01:27 | |
*** timburke has joined #openstack-keystone | 01:28 | |
*** knangia has joined #openstack-keystone | 01:28 | |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move credential policies to DocumentedRuleDefault https://review.openstack.org/449233 | 01:28 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move ec2 credential policies to DocumentedRuleDefault https://review.openstack.org/449235 | 01:28 |
*** hugokuo has joined #openstack-keystone | 01:28 | |
*** tovin07 has quit IRC | 01:28 | |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move mapping to DocumentedRuleDefault https://review.openstack.org/449341 | 01:29 |
*** tovin07 has joined #openstack-keystone | 01:29 | |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move protocol to DocumentedRuleDefault https://review.openstack.org/449345 | 01:30 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move service provider to DocumentedRuleDefault https://review.openstack.org/449347 | 01:32 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move consumer to DocumentedRuleDefault https://review.openstack.org/449269 | 01:32 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move project endpoint to DocumentedRuleDefault https://review.openstack.org/449276 | 01:33 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move role assignment to DocumentedRuleDefault https://review.openstack.org/449253 | 01:33 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move grant policies to DocumentedRuleDefault https://review.openstack.org/449244 | 01:33 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move service policies to DocumentedRuleDefault https://review.openstack.org/449214 | 01:33 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move domain policies to DocumentedRuleDefault https://review.openstack.org/449234 | 01:34 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move project policies to DocumentedRuleDefault https://review.openstack.org/449238 | 01:34 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move endpoint policies to DocumentedRuleDefault https://review.openstack.org/449212 | 01:35 |
*** catintheroof has quit IRC | 01:41 | |
*** markvoelker has quit IRC | 01:42 | |
*** markvoelker has joined #openstack-keystone | 01:44 | |
*** zhurong has joined #openstack-keystone | 01:53 | |
*** nkinder has quit IRC | 01:53 | |
*** agrebennikov has joined #openstack-keystone | 01:56 | |
*** nicolasbock has quit IRC | 02:00 | |
openstackgerrit | zhichao zhu proposed openstack/keystone master: Fix some reST field lists in docstrings https://review.openstack.org/449892 | 02:03 |
*** agrebennikov has quit IRC | 02:06 | |
*** agrebennikov has joined #openstack-keystone | 02:07 | |
*** thorst has joined #openstack-keystone | 02:12 | |
*** Shunli has joined #openstack-keystone | 02:14 | |
*** thorst has quit IRC | 02:17 | |
*** ravelar has quit IRC | 02:18 | |
*** oomichi has quit IRC | 02:28 | |
*** oomichi has joined #openstack-keystone | 02:32 | |
*** agrebennikov has quit IRC | 02:36 | |
*** oomichi has quit IRC | 02:39 | |
*** oomichi has joined #openstack-keystone | 02:42 | |
*** markvoelker has quit IRC | 02:54 | |
*** markvoelker has joined #openstack-keystone | 02:54 | |
openstackgerrit | zhichao zhu proposed openstack/keystone master: Fix some reST field lists in docstrings https://review.openstack.org/449892 | 03:05 |
*** thorst has joined #openstack-keystone | 03:13 | |
*** aojea has joined #openstack-keystone | 03:13 | |
*** aojea has quit IRC | 03:18 | |
*** rderose has quit IRC | 03:27 | |
*** thorst has quit IRC | 03:33 | |
*** lxnch has joined #openstack-keystone | 03:33 | |
*** links has joined #openstack-keystone | 03:36 | |
*** lxnch has quit IRC | 03:39 | |
*** lxnch has joined #openstack-keystone | 03:39 | |
*** prashkre has joined #openstack-keystone | 03:42 | |
*** tovin07 has quit IRC | 03:53 | |
*** zhurong has quit IRC | 03:57 | |
*** jamielennox is now known as jamielennox|away | 04:09 | |
*** prashkre has quit IRC | 04:19 | |
*** prashkre has joined #openstack-keystone | 04:19 | |
*** markvoelker has quit IRC | 04:21 | |
*** markvoelker has joined #openstack-keystone | 04:23 | |
*** prashkre has quit IRC | 04:29 | |
*** thorst has joined #openstack-keystone | 04:30 | |
*** dikonoor has joined #openstack-keystone | 04:30 | |
*** jamielennox|away is now known as jamielennox | 04:30 | |
*** thorst has quit IRC | 04:34 | |
*** MarkMielke has quit IRC | 04:35 | |
*** lucasxu has quit IRC | 04:35 | |
*** nkinder has joined #openstack-keystone | 04:35 | |
*** lucasxu has joined #openstack-keystone | 04:41 | |
*** dikonoor has quit IRC | 04:42 | |
*** dikonoor has joined #openstack-keystone | 04:43 | |
*** lucasxu has quit IRC | 04:51 | |
*** zhurong has joined #openstack-keystone | 04:56 | |
*** dikonoor has quit IRC | 04:57 | |
*** markvoelker has quit IRC | 05:04 | |
*** dikonoor has joined #openstack-keystone | 05:08 | |
*** lucasxu has joined #openstack-keystone | 05:12 | |
*** lamt has joined #openstack-keystone | 05:19 | |
*** aojea has joined #openstack-keystone | 05:26 | |
*** aojea has quit IRC | 05:27 | |
*** aojea has joined #openstack-keystone | 05:28 | |
*** aojea has quit IRC | 05:32 | |
*** dikonoo has joined #openstack-keystone | 05:36 | |
*** dikonoor has quit IRC | 05:37 | |
*** rcernin has joined #openstack-keystone | 05:38 | |
*** bjornar_ has joined #openstack-keystone | 05:39 | |
*** lucasxu has quit IRC | 05:42 | |
*** richm has quit IRC | 05:43 | |
*** aojea has joined #openstack-keystone | 05:52 | |
*** bjornar_ has quit IRC | 05:53 | |
*** lamt has quit IRC | 06:01 | |
*** aojea has quit IRC | 06:03 | |
*** lamt has joined #openstack-keystone | 06:05 | |
*** prashkre has joined #openstack-keystone | 06:07 | |
*** kfox1111 has quit IRC | 06:12 | |
*** lamt has quit IRC | 06:19 | |
*** thorst has joined #openstack-keystone | 06:31 | |
*** thorst has quit IRC | 06:35 | |
openstackgerrit | wangxiyuan proposed openstack/python-keystoneclient master: Init include_catalog for V3 client https://review.openstack.org/448437 | 06:36 |
*** jamielennox is now known as jamielennox|away | 06:36 | |
*** lamt has joined #openstack-keystone | 06:42 | |
*** lamt has quit IRC | 06:46 | |
*** oomichi has quit IRC | 06:48 | |
*** Aqsa has joined #openstack-keystone | 06:48 | |
*** lamt has joined #openstack-keystone | 06:51 | |
*** oomichi has joined #openstack-keystone | 06:52 | |
*** tovin07 has joined #openstack-keystone | 06:52 | |
*** mtreinish has quit IRC | 06:57 | |
*** mtreinish has joined #openstack-keystone | 06:58 | |
*** bjornar_ has joined #openstack-keystone | 07:05 | |
*** lamt has quit IRC | 07:10 | |
*** pcaruana has joined #openstack-keystone | 07:13 | |
*** aojea has joined #openstack-keystone | 07:17 | |
*** tesseract has joined #openstack-keystone | 07:18 | |
*** jamielennox|away is now known as jamielennox | 07:21 | |
*** dikonoo has quit IRC | 07:21 | |
*** jaosorior has joined #openstack-keystone | 07:29 | |
*** rcernin has quit IRC | 07:29 | |
*** rcernin has joined #openstack-keystone | 07:47 | |
*** prashkre has quit IRC | 07:48 | |
*** aojea_ has joined #openstack-keystone | 07:55 | |
*** aojea has quit IRC | 07:58 | |
*** zzzeek has quit IRC | 08:00 | |
*** zzzeek has joined #openstack-keystone | 08:00 | |
*** dikonoo has joined #openstack-keystone | 08:03 | |
*** rcernin has quit IRC | 08:06 | |
*** rcernin has joined #openstack-keystone | 08:07 | |
*** rcernin has quit IRC | 08:10 | |
*** rcernin has joined #openstack-keystone | 08:10 | |
*** Shunli has quit IRC | 08:17 | |
*** mvk has quit IRC | 08:17 | |
*** prashkre has joined #openstack-keystone | 08:19 | |
*** dgonzalez has quit IRC | 08:24 | |
*** dgonzalez has joined #openstack-keystone | 08:30 | |
*** thorst has joined #openstack-keystone | 08:33 | |
*** yuvalb has quit IRC | 08:36 | |
*** fmarco76 has joined #openstack-keystone | 08:43 | |
*** fmarco76 has quit IRC | 08:43 | |
*** rcernin has quit IRC | 08:46 | |
*** rcernin has joined #openstack-keystone | 08:46 | |
*** mvk has joined #openstack-keystone | 08:47 | |
*** rcernin_ has joined #openstack-keystone | 08:48 | |
*** thorst has quit IRC | 08:52 | |
*** tovin07 has quit IRC | 08:55 | |
*** Aurelgad1o is now known as Aurelgadjo | 08:58 | |
*** Aqsa has quit IRC | 09:11 | |
*** knangia has quit IRC | 09:21 | |
*** thorst has joined #openstack-keystone | 09:47 | |
*** Aqsa has joined #openstack-keystone | 09:54 | |
*** nicolasbock has joined #openstack-keystone | 10:11 | |
*** namnh has quit IRC | 10:14 | |
*** richm has joined #openstack-keystone | 10:14 | |
*** mvk has quit IRC | 10:16 | |
*** liujiong has quit IRC | 10:19 | |
*** thorst has quit IRC | 10:19 | |
*** zhurong has quit IRC | 10:20 | |
*** zhurong has joined #openstack-keystone | 10:28 | |
*** mvk has joined #openstack-keystone | 10:31 | |
*** dikonoo has quit IRC | 10:49 | |
*** raildo has joined #openstack-keystone | 10:59 | |
*** oomichi has quit IRC | 11:09 | |
*** oomichi has joined #openstack-keystone | 11:13 | |
*** dikonoo has joined #openstack-keystone | 11:17 | |
*** thorst has joined #openstack-keystone | 11:20 | |
*** dikonoo has quit IRC | 11:24 | |
*** zhurong has quit IRC | 11:25 | |
*** thorst has quit IRC | 11:25 | |
*** ma9_ has joined #openstack-keystone | 11:27 | |
*** ma9_ has quit IRC | 11:29 | |
*** jdennis1 has quit IRC | 11:31 | |
*** jdennis has joined #openstack-keystone | 11:31 | |
*** ma9_ has joined #openstack-keystone | 11:32 | |
*** openstackgerrit has quit IRC | 11:33 | |
*** ma9_ has quit IRC | 11:37 | |
*** erlon has joined #openstack-keystone | 11:38 | |
*** ma9_ has joined #openstack-keystone | 11:41 | |
*** thorst has joined #openstack-keystone | 11:45 | |
*** prashkre has quit IRC | 11:48 | |
*** agrebennikov has joined #openstack-keystone | 11:57 | |
*** ma9_ has quit IRC | 12:15 | |
*** chlong has joined #openstack-keystone | 12:17 | |
*** dave-mccowan has joined #openstack-keystone | 12:25 | |
*** pnavarro has joined #openstack-keystone | 12:28 | |
*** dikonoo has joined #openstack-keystone | 12:32 | |
*** ma9_ has joined #openstack-keystone | 12:41 | |
*** edmondsw has joined #openstack-keystone | 12:45 | |
*** spilla has joined #openstack-keystone | 12:48 | |
dstanek | ehlo keystone | 12:49 |
samueldmq | dstanek: o/ | 12:58 |
*** openstackgerrit has joined #openstack-keystone | 13:04 | |
openstackgerrit | Rodrigo Duarte proposed openstack/keystone master: Drop federated_user table foreign keys https://review.openstack.org/445505 | 13:04 |
*** lamt has joined #openstack-keystone | 13:14 | |
lbragstad | o/ | 13:18 |
rodrigods | lbragstad, saw we have a huge stack of policy in code reviews | 13:19 |
rodrigods | i didn't review any of them yet, is there an order or something? | 13:19 |
*** links has quit IRC | 13:22 | |
lbragstad | rodrigods nope, they are all dependent on the final policy-in-code patch | 13:26 |
lbragstad | but once that merges, then they can all be rebased onto master | 13:26 |
lbragstad | and reviewed in parallel | 13:26 |
rodrigods | lbragstad, cool | 13:26 |
*** agrebennikov has quit IRC | 13:31 | |
*** knangia has joined #openstack-keystone | 13:46 | |
*** ma9_ has quit IRC | 13:46 | |
*** markvoelker has joined #openstack-keystone | 13:49 | |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move service provider to DocumentedRuleDefault https://review.openstack.org/449347 | 13:49 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move group policies to DocumentedRuleDefault https://review.openstack.org/449237 | 13:52 |
*** lamt has quit IRC | 13:52 | |
*** ma9_ has joined #openstack-keystone | 13:53 | |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move user policies to DocumentedRuleDefault https://review.openstack.org/449240 | 13:54 |
*** agrebennikov has joined #openstack-keystone | 14:00 | |
*** jlopezgu_ has joined #openstack-keystone | 14:01 | |
*** edmondsw has quit IRC | 14:02 | |
*** ma9_ has quit IRC | 14:03 | |
*** lucasxu has joined #openstack-keystone | 14:04 | |
*** edmondsw has joined #openstack-keystone | 14:05 | |
*** ma9_ has joined #openstack-keystone | 14:10 | |
*** jaosorior has quit IRC | 14:12 | |
*** markvoelker has quit IRC | 14:17 | |
openstackgerrit | Merged openstack/keystone master: Add a note to db_sync configuration section https://review.openstack.org/449744 | 14:29 |
*** sjain has joined #openstack-keystone | 14:32 | |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Remove policy file from source and refactor tests https://review.openstack.org/449675 | 14:37 |
*** edmondsw has quit IRC | 14:38 | |
*** agrebennikov has quit IRC | 14:40 | |
*** edmondsw has joined #openstack-keystone | 14:41 | |
*** ravelar has joined #openstack-keystone | 14:41 | |
*** rderose has joined #openstack-keystone | 14:45 | |
openstackgerrit | Merged openstack/keystone master: Move release note from /keystone/releasenotes to /releasenotes https://review.openstack.org/449798 | 14:46 |
*** lamt has joined #openstack-keystone | 14:47 | |
openstackgerrit | Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order https://review.openstack.org/437441 | 14:51 |
*** agrebennikov has joined #openstack-keystone | 14:53 | |
openstackgerrit | Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order https://review.openstack.org/437441 | 14:56 |
knikolla | o/ | 14:58 |
*** ma9_1 has joined #openstack-keystone | 15:02 | |
*** ma9_ has quit IRC | 15:04 | |
lbragstad | o/ | 15:05 |
lbragstad | ravelar a published an edit on https://review.openstack.org/#/c/449675/ | 15:05 |
lbragstad | ravelar which is now dependent on https://review.openstack.org/#/c/450818/ | 15:05 |
ravelar | lbragstad sweet | 15:06 |
ravelar | sounds good :) | 15:06 |
ravelar | thanks | 15:06 |
*** adrian_otto has joined #openstack-keystone | 15:06 | |
lbragstad | ravelar i tested it locally with a fresh devstack and all the identity tempest tests passed | 15:06 |
lbragstad | so - i'm hoping that's a good sign | 15:07 |
lbragstad | ravelar http://logs.openstack.org/75/449675/4/check/gate-tempest-dsvm-neutron-full-ubuntu-xenial/d78fd47/logs/devstacklog.txt.gz#_2017-03-27_18_29_25_334 was the thing causing your patch to fail before | 15:07 |
ravelar | lbragstad nice! | 15:14 |
*** lamt has quit IRC | 15:17 | |
*** lamt has joined #openstack-keystone | 15:20 | |
openstackgerrit | Richard Avelar proposed openstack/keystone master: Remove policy file from source and refactor tests https://review.openstack.org/449675 | 15:22 |
lbragstad | ravelar heads up - i left some comments on patch set 5 ^ | 15:29 |
ravelar | lbragstad ahh, see it, will do! | 15:29 |
*** rcernin has quit IRC | 15:31 | |
*** rcernin_ has quit IRC | 15:31 | |
*** sjain has quit IRC | 15:33 | |
*** dikonoo has quit IRC | 15:41 | |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move domain config to DocumentedRuleDefault https://review.openstack.org/449337 | 15:41 |
*** lamt has quit IRC | 15:41 | |
openstackgerrit | Dolph Mathews proposed openstack/keystone master: Doc db_sync --expand incurring downtime in upgrades to Newton https://review.openstack.org/450863 | 15:44 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move trust to DocumentedRuleDefault https://review.openstack.org/449278 | 15:49 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move trust to DocumentedRuleDefault https://review.openstack.org/449278 | 15:50 |
*** lamt has joined #openstack-keystone | 15:56 | |
openstackgerrit | Richard Avelar proposed openstack/keystone master: Remove policy file from source and refactor tests https://review.openstack.org/449675 | 15:59 |
*** prashkre has joined #openstack-keystone | 15:59 | |
*** aojea_ has quit IRC | 16:00 | |
*** Aqsa has quit IRC | 16:00 | |
prashkre | lbragstad: Hi Lance. need a workflow on this https://review.openstack.org/#/c/450027/ to back port the fix to stable/ocata. could you please help me on this? | 16:03 |
*** erlon has quit IRC | 16:05 | |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move policy policies to DocumentedRuleDefault https://review.openstack.org/449248 | 16:18 |
*** ma9_1 has quit IRC | 16:18 | |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move access token to DocumentedRuleDefault https://review.openstack.org/449265 | 16:18 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move revoke events to DocumentedRuleDefault https://review.openstack.org/449346 | 16:18 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move implied role policies to DocumentedRuleDefault https://review.openstack.org/449246 | 16:18 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move policy association to DocumentedRuleDefault https://review.openstack.org/449344 | 16:18 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move endpoint group to DocumentedRuleDefault https://review.openstack.org/449273 | 16:19 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move auth to DocumentedRuleDefault https://review.openstack.org/449336 | 16:19 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move ec2 credential policies to DocumentedRuleDefault https://review.openstack.org/449235 | 16:19 |
lbragstad | prashkre yeah - i can review | 16:19 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move region policies to DocumentedRuleDefault https://review.openstack.org/449213 | 16:19 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move credential policies to DocumentedRuleDefault https://review.openstack.org/449233 | 16:19 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move mapping to DocumentedRuleDefault https://review.openstack.org/449341 | 16:19 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move protocol to DocumentedRuleDefault https://review.openstack.org/449345 | 16:19 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move token revocation to DocumentedRuleDefault https://review.openstack.org/449255 | 16:19 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move endpoint policies to DocumentedRuleDefault https://review.openstack.org/449212 | 16:19 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move role assignment to DocumentedRuleDefault https://review.openstack.org/449253 | 16:19 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move role policies to DocumentedRuleDefault https://review.openstack.org/449251 | 16:20 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move project policies to DocumentedRuleDefault https://review.openstack.org/449238 | 16:20 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move service policies to DocumentedRuleDefault https://review.openstack.org/449214 | 16:20 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move domain policies to DocumentedRuleDefault https://review.openstack.org/449234 | 16:20 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move consumer to DocumentedRuleDefault https://review.openstack.org/449269 | 16:20 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move grant policies to DocumentedRuleDefault https://review.openstack.org/449244 | 16:20 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move project endpoint to DocumentedRuleDefault https://review.openstack.org/449276 | 16:20 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move identity provider to DocumentedRuleDefault https://review.openstack.org/449275 | 16:20 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move service provider to DocumentedRuleDefault https://review.openstack.org/449347 | 16:20 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move group policies to DocumentedRuleDefault https://review.openstack.org/449237 | 16:20 |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move domain config to DocumentedRuleDefault https://review.openstack.org/449337 | 16:20 |
dstanek | antwash: i thought you said those per safe to review :-) | 16:21 |
prashkre | lbragstad: Thank you :) | 16:21 |
dolphm | i was just wondering the same | 16:21 |
dstanek | s/per/were/ | 16:21 |
antwash | dstanek: haha, just rebasing on top of master :) | 16:21 |
lbragstad | antwash so those are all based individually on master? | 16:21 |
antwash | lbragstad: yeah master is "9034755743875de39363dbdcd35477e82e37ea1b" | 16:22 |
dstanek | antwash: unless there is a conflict don't worry about that | 16:22 |
dstanek | it's just noise | 16:22 |
dstanek | you're harshing my buzz | 16:22 |
*** pcaruana has quit IRC | 16:26 | |
lbragstad | dolphm in case you're interested in doing a stable review - https://review.openstack.org/#/c/450027/ | 16:29 |
*** lucasxu has quit IRC | 16:31 | |
*** chlong has quit IRC | 16:34 | |
antwash | dstanek : about this bug, what should we mark it as https://bugs.launchpad.net/keystone/+bug/1674676 | 16:38 |
openstack | Launchpad bug 1674676 in OpenStack Identity (keystone) "The URL listed against the details of identity resources returns 404 Not Found error" [Medium,Confirmed] - Assigned to Anthony Washington (anthony-washington) | 16:38 |
*** lucasxu has joined #openstack-keystone | 16:40 | |
knikolla | just to make sure before i answer an email, keystone does not support rate limiting the api right? | 16:44 |
*** bjornar_ has quit IRC | 16:46 | |
dstanek | antwash: closed it | 16:48 |
*** chlong has joined #openstack-keystone | 16:49 | |
dstanek | antwash: i was expecting the person in here asking about it to close it :-( i thought it would be a good newcomer exercise | 16:49 |
antwash | dstanek: haha, yeah it would be -- well at least bugs list is getting shorted :) | 16:50 |
antwash | shorter lol | 16:50 |
dstanek | antwash: my goal is for it to be in the 70s by the end of the week | 16:51 |
*** lamt has quit IRC | 16:52 | |
knikolla | antwash: RIP openstack CI with all those patches to check, haha. | 16:52 |
antwash | knikolla: haha, I was just thinking the same thing! | 16:53 |
dstanek | knikolla: keystone doesn't do any kind of rate limiting | 16:57 |
*** lamt has joined #openstack-keystone | 16:58 | |
knikolla | dstanek: thanks, thought so. codesearch came up empty. | 16:59 |
openstackgerrit | Kristi Nikolla proposed openstack/keystone master: Differentiate between dpkg and rpm for libssl-dev https://review.openstack.org/450891 | 17:06 |
*** lucasxu has quit IRC | 17:09 | |
*** mvk has quit IRC | 17:13 | |
*** MasterOfBugs has joined #openstack-keystone | 17:14 | |
*** pramodrj07 has joined #openstack-keystone | 17:14 | |
*** lucasxu has joined #openstack-keystone | 17:15 | |
*** lucasxu has quit IRC | 17:15 | |
*** lucasxu has joined #openstack-keystone | 17:16 | |
*** lucasxu has quit IRC | 17:18 | |
*** lucasxu has joined #openstack-keystone | 17:19 | |
*** lucasxu has quit IRC | 17:20 | |
*** lamt has quit IRC | 17:27 | |
*** prashkre has quit IRC | 17:32 | |
*** toddnni has quit IRC | 17:35 | |
*** adrian_otto has quit IRC | 17:37 | |
*** adrian_otto has joined #openstack-keystone | 17:40 | |
lbragstad | just a friendly reminder that the weekly keystone meeting will be starting in #openstack-meeting in 20 minutes | 17:42 |
lbragstad | fyi we're going to do a roll call for the next couple weeks so that we can get an accurate attendee list | 17:42 |
lbragstad | starting today | 17:42 |
*** toddnni has joined #openstack-keystone | 17:44 | |
*** aojea has joined #openstack-keystone | 17:45 | |
notmorgan | lbragstad: i might miss the roll call(s), but i usually at least lurk most of the meetings | 17:47 |
notmorgan | lbragstad: fyi | 17:47 |
lbragstad | notmorgan ack - i'll include you in roll call today | 17:47 |
lbragstad | notmorgan thanks for the heads up | 17:48 |
*** bjornar_ has joined #openstack-keystone | 17:48 | |
*** adrian_otto has quit IRC | 17:50 | |
*** mvk has joined #openstack-keystone | 17:52 | |
lbragstad | antwash quick note on the commit message that can probably be applied to the rest of the patches - https://review.openstack.org/#/c/449237/5//COMMIT_MSG | 17:54 |
lbragstad | antwash i didn't want to go through and apply the same comment to all your patches | 17:55 |
*** henrynash has joined #openstack-keystone | 18:02 | |
*** adrian_otto has joined #openstack-keystone | 18:06 | |
*** tesseract has quit IRC | 18:06 | |
*** henrynash has quit IRC | 18:07 | |
*** henrynash has joined #openstack-keystone | 18:08 | |
*** henrynash has quit IRC | 18:11 | |
*** Aqsa has joined #openstack-keystone | 18:11 | |
*** henrynash has joined #openstack-keystone | 18:12 | |
*** prashkre has joined #openstack-keystone | 18:18 | |
*** lamt has joined #openstack-keystone | 18:20 | |
*** adrian_otto has quit IRC | 18:21 | |
*** gyee has joined #openstack-keystone | 18:26 | |
*** aojea has quit IRC | 18:29 | |
*** aojea has joined #openstack-keystone | 18:29 | |
*** markvoelker has joined #openstack-keystone | 18:32 | |
*** aojea has quit IRC | 18:34 | |
*** eandersson_ is now known as eandersson | 18:35 | |
openstackgerrit | Mohammed Naser proposed openstack/keystonemiddleware master: Add python-memcached to requirements https://review.openstack.org/285315 | 18:43 |
*** lamt has quit IRC | 18:49 | |
*** lamt has joined #openstack-keystone | 18:55 | |
openstackgerrit | Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order https://review.openstack.org/437441 | 18:56 |
*** markvoelker has quit IRC | 18:57 | |
lbragstad | dstanek breton knikolla rderose if we patch trusts to honor the ephemeral group memberships of a token, is there any additional clean up required by the operators? | 19:02 |
dstanek | lbragstad: yes, i think they'd still need to tell us when that user changes | 19:02 |
knikolla | the trust cleanup | 19:03 |
knikolla | when group changes | 19:03 |
dstanek | no matter what that has to happen | 19:04 |
*** henrynash has quit IRC | 19:04 | |
dstanek | lbragstad: making that change means that people can use the trusts without manually assigning to groups | 19:04 |
*** ravelar has quit IRC | 19:04 | |
knikolla | i feel making groups persistent is a better option. as that can be more easily cleaned up via automation. it's hard to keep track of what created which trust and why. | 19:05 |
knikolla | ops can just compare groups in idp and keystone and update. | 19:06 |
dstanek | knikolla: fair point | 19:07 |
lbragstad | what if trusts validated the groups in the token at usage time? | 19:08 |
dstanek | lbragstad: i think that's actually what the problem is. it does | 19:09 |
dstanek | but federated users are never in the groups | 19:09 |
breton | lbragstad: no. But my operators were ok with manual clean-up if group membership is persistent | 19:10 |
lbragstad | dstanek what if we made it so trusts pulled the ephemeral groups instead of looking for persistent ones? | 19:11 |
dstanek | lbragstad: that's what i'm advocating for. just don't check group membership for federated trusts | 19:12 |
lbragstad | ah | 19:12 |
*** chris_hultin|AWA is now known as chris_hultin | 19:12 | |
*** Aqsa has quit IRC | 19:14 | |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Remove unnecessary processing when deleting grant. https://review.openstack.org/450938 | 19:21 |
*** henrynash has joined #openstack-keystone | 19:26 | |
openstackgerrit | Anthony Washington proposed openstack/keystone master: Move endpoint policies to DocumentedRuleDefault https://review.openstack.org/449212 | 19:29 |
*** henrynash has quit IRC | 19:31 | |
*** aojea has joined #openstack-keystone | 19:32 | |
knikolla | lbragstad: are we still doing keystone office hours fridays? | 19:32 |
lbragstad | knikolla yessir | 19:32 |
*** lamt has quit IRC | 19:32 | |
knikolla | lbragstad: sweet! | 19:33 |
*** ravelar has joined #openstack-keystone | 19:35 | |
*** lamt has joined #openstack-keystone | 19:39 | |
*** chris_hultin is now known as chris_hultin|AWA | 19:42 | |
*** adrian_otto has joined #openstack-keystone | 20:08 | |
*** chris_hultin|AWA is now known as chris_hultin | 20:14 | |
*** Darren has joined #openstack-keystone | 20:20 | |
openstackgerrit | Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order https://review.openstack.org/437441 | 20:40 |
notmorgan | dstanek, lbragstad answered your comments on the password hashing CR | 20:40 |
lbragstad | notmorgan thanks | 20:40 |
notmorgan | it still needs a rebase and a little work. but take a look at answers and reply/comment if needed before i do that work | 20:41 |
*** chris_hultin is now known as chris_hultin|AWA | 20:44 | |
*** Darren has quit IRC | 20:50 | |
lbragstad | the TC group is asking for keystone feedback on https://review.openstack.org/#/c/447031 | 20:54 |
dstanek | notmorgan: sure | 20:56 |
*** markvoelker has joined #openstack-keystone | 20:59 | |
*** markvoelker has quit IRC | 21:04 | |
*** henrynash has joined #openstack-keystone | 21:05 | |
*** henrynash has quit IRC | 21:06 | |
*** aojea has quit IRC | 21:07 | |
dstanek | lbragstad: that's neato | 21:07 |
lbragstad | dstanek the resolution? | 21:08 |
dstanek | lbragstad: yes | 21:09 |
lbragstad | dstanek you're good with it? | 21:11 |
*** spilla has quit IRC | 21:12 | |
dstanek | lbragstad: yes, i like the delegation call out | 21:13 |
lbragstad | yeah | 21:14 |
lbragstad | it's detailed, but i wonder how much detail there is supposed to be (going back to sdague's comment) | 21:15 |
*** ravelar1 has joined #openstack-keystone | 21:15 | |
lbragstad | if it's a mission statement, I'm not sure how much "How" needs to be included, but it would be useful | 21:15 |
*** ravelar has quit IRC | 21:16 | |
dstanek | 'how' meaning delegation? | 21:16 |
openstackgerrit | David Stanek proposed openstack/keystone master: Remove orphaned AuthTestMixin from test_v3 https://review.openstack.org/450984 | 21:18 |
openstackgerrit | David Stanek proposed openstack/keystone master: Remove decorator for asserting validation errors https://review.openstack.org/450985 | 21:18 |
openstackgerrit | David Stanek proposed openstack/keystone master: Remove orphaned _create_context test helper https://review.openstack.org/450986 | 21:18 |
openstackgerrit | David Stanek proposed openstack/keystone master: Remove conflict guards in load_fixtures https://review.openstack.org/450987 | 21:18 |
openstackgerrit | David Stanek proposed openstack/keystone master: Consolidate and cleanup test_backend_ldap setup https://review.openstack.org/450988 | 21:18 |
openstackgerrit | David Stanek proposed openstack/keystone master: Reduce fixutre setup in test_backend_ldap https://review.openstack.org/450989 | 21:18 |
openstackgerrit | David Stanek proposed openstack/keystone master: Remove create_container_group from tests https://review.openstack.org/450990 | 21:18 |
openstackgerrit | David Stanek proposed openstack/keystone master: Removed domain conflict guard in load_fixtures https://review.openstack.org/450991 | 21:18 |
openstackgerrit | David Stanek proposed openstack/keystone master: Replace wip with skip https://review.openstack.org/450992 | 21:18 |
dstanek | lbragstad: i couldn't push all of them, but that's good for starters | 21:19 |
rodrigods | ^ wow | 21:20 |
dstanek | rodrigods: i had a productive Sunday | 21:20 |
rodrigods | dstanek, that you can call productive, for sure | 21:21 |
lbragstad | dstanek yeah | 21:24 |
lbragstad | dstanek nice patches! | 21:24 |
dstanek | hopefully i'll have some time this weekend to work on it a bit more | 21:26 |
lbragstad | dstanek well - i appreciate you working on it during the weekend | 21:28 |
*** aojea has joined #openstack-keystone | 21:29 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone master: Updated from global requirements https://review.openstack.org/451014 | 21:29 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystonemiddleware master: Updated from global requirements https://review.openstack.org/439318 | 21:29 |
*** prashkre has quit IRC | 21:30 | |
lbragstad | antwash around? | 21:34 |
antwash | lbragstad: yeah I am, what's up? | 21:34 |
dstanek | lbragstad: deleting code is like stress relief | 21:34 |
lbragstad | antwash did you happen to see my comment here? https://review.openstack.org/#/c/449237/5//COMMIT_MSG | 21:35 |
lbragstad | dstanek yeah it is | 21:35 |
* dstanek needs to get ready for soccer practice | 21:35 | |
lbragstad | dstanek i specifically get a weird amount of satisfaction out of deleting if statements | 21:35 |
lbragstad | antwash i wanted to follow up directly on that comment instead of going through and leaving it on every proposed patch :) | 21:36 |
antwash | lbragstad: I just read it now, so I need to modify the commit message for all the patches? | 21:36 |
lbragstad | antwash if you have to spin new versions of the patches anyway I would | 21:37 |
lbragstad | only because it makes the commit message more descriptive of what the change is actually doing | 21:37 |
lbragstad | antwash does the comment make sense? | 21:37 |
*** edmondsw has quit IRC | 21:42 | |
*** edmondsw has joined #openstack-keystone | 21:42 | |
*** raildo has quit IRC | 21:43 | |
antwash | lbragstad: yeah, but I wasn't planning on pushing up any new versions except for the user and trust one honestly | 21:44 |
*** edmondsw has quit IRC | 21:47 | |
*** henrynash has joined #openstack-keystone | 21:48 | |
*** aojea has quit IRC | 21:49 | |
*** aojea has joined #openstack-keystone | 21:49 | |
*** thorst has quit IRC | 21:51 | |
*** adrian_otto has quit IRC | 21:53 | |
*** aojea has quit IRC | 21:54 | |
*** markvoelker has joined #openstack-keystone | 21:59 | |
*** mnaser has joined #openstack-keystone | 22:03 | |
mnaser | is there a way to configure a default base set of roles for all users? | 22:03 |
mnaser | aka heat_stack_owner for everyone, as an example | 22:03 |
*** bjornar_ has quit IRC | 22:03 | |
*** markvoelker has quit IRC | 22:06 | |
lbragstad | mnaser sounds like you want a default role for a user | 22:07 |
mnaser | lbragstad isnt the default _member_ in keystone now? | 22:07 |
mnaser | then of course projects want to have their own roles to allow usage of specific services :< | 22:07 |
lbragstad | mnaser yeah - that's hard to manage without having control to lay down specific policy files for a service | 22:08 |
mnaser | lbragstad so i'm back to either play with policy files (rather not, because i fear that i'll miss a change with an upgrade) | 22:09 |
mnaser | or i guess just add all these roles to users | 22:09 |
lbragstad | mnaser we're currently working on some policy specs to do two things | 22:09 |
lbragstad | 1.) migrate all default policies into code | 22:09 |
lbragstad | (and register them like we do configuration) | 22:10 |
lbragstad | 2.) document policies better | 22:10 |
lbragstad | both are targeted to pike | 22:10 |
mnaser | i love the effort on 1. nova policy file is empty now, love that :> | 22:10 |
lbragstad | mnaser ++ we're doing the same thing | 22:10 |
lbragstad | mnaser so maintenance is hopefully a little bit better | 22:10 |
mnaser | yeah it just becomes a dropin | 22:11 |
lbragstad | https://github.com/openstack/keystone/blob/master/etc/policy.json | 22:11 |
mnaser | but that doesnt solve the issue for all the other projects | 22:11 |
mnaser | oh sweet | 22:11 |
lbragstad | our current policy file is empty - soon to be removed | 22:11 |
lbragstad | mnaser right - that's another issue we still have to step up and address | 22:11 |
lbragstad | mnaser which has to deal with policy administration | 22:11 |
mnaser | yeah i remember reading policies in keystone thing a while back | 22:12 |
*** edmondsw has joined #openstack-keystone | 22:12 | |
lbragstad | mnaser do you remember which thing that was? dynamic policy? | 22:12 |
mnaser | yes | 22:13 |
lbragstad | mnaser if openstack provided a better, more granular, set of roles by default, would that help you? | 22:13 |
mnaser | lbragstad 100%. as an operator, as we add new services, we constantly have to figure out what new roles it wants (or choose to modify policy files, which we dont want) | 22:14 |
lbragstad | mnaser or are you looking for true policy administration via an API? | 22:14 |
mnaser | so we gotta retroactively go back to all tenants and add that role | 22:14 |
mnaser | #1, policy admin via API would be more of a complication imho, dropping in a file via config mgmt is a lot easier than dealing with an api in provisioning/etc | 22:15 |
mnaser | ex: standardized "user" role across all projects, rather than (so far in my experience): swift wanting a role, heat wanting a role, barbican wanting a role | 22:15 |
lbragstad | sure | 22:15 |
lbragstad | mnaser our first couple steps towards doing that were 1.) move policy into code 2.) document policy so it can be generated on the fly and take into account overrides | 22:16 |
*** edmondsw has quit IRC | 22:16 | |
lbragstad | but we've been entertaining the idea of doing something along the lines of https://review.openstack.org/#/c/428454/ | 22:16 |
lbragstad | mnaser see lines 40 - 63 - https://review.openstack.org/#/c/428454/6/specs/keystone/ongoing/richer-policy-by-default.rst | 22:17 |
* mnaser reads | 22:17 | |
lbragstad | granted - this is something we're trying to do in lock-step with nova, who has a similar spec proposed https://review.openstack.org/#/c/427872/ | 22:18 |
mnaser | lbragstad i like this a lot | 22:19 |
mnaser | that's very useful and gives a good set of starting points for new deployments | 22:19 |
lbragstad | mnaser the overall idea would be that all projects (wanting to adhere to basic RBAC) would have to define those roles and map them to the operations for that project | 22:19 |
lbragstad | so - out of the box, you'd have a little more flexibility as an operator to work with with respect to roles | 22:20 |
lbragstad | i.e. being able to grant someone a role to be a project administrator and not global admin | 22:21 |
mnaser | lbragstad id be on board with this. hell even better if those basic roles get installed in the keystone bootstrap process | 22:21 |
lbragstad | mnaser ++ | 22:21 |
lbragstad | mnaser i'm not totally sure this is going to be something we will be able to commit to for pike | 22:21 |
mnaser | understandable | 22:21 |
lbragstad | mnaser but there are plenty of interested parties willing to share the work | 22:21 |
mnaser | its a big cross project cooperation for it to be useful | 22:21 |
lbragstad | exactly | 22:22 |
lbragstad | its a problem that spans across OpenStack, and those kinds of problems certainly don't get fixed over night :) | 22:22 |
mnaser | an interesting issue is | 22:22 |
mnaser | how these things would get handled in upgrades | 22:22 |
lbragstad | mnaser what specifically during the upgrade? | 22:23 |
mnaser | i.e. just upgraded my keystone, everything is running smooth, upgrade nova, my new roles didnt get created | 22:23 |
lbragstad | mnaser ah | 22:23 |
mnaser | nova maps to role names that are defined in that spec | 22:23 |
mnaser | everything stops (unless we start talking about "deprecated" role names, which can be very confusing for someone who says "i wanna just use my own system") | 22:23 |
mnaser | maybe a keystone_authtoken option *shrug* | 22:24 |
lbragstad | so during an upgrade if nova adds a new role - then something would have to happen during the upgrade process to create that role in keystone | 22:24 |
lbragstad | but from a definition standpoint, it would be handled in the code | 22:25 |
mnaser | yeah but then you got the cases where $user has been running cloud since liberty with policy.json in place | 22:25 |
lbragstad | meaning you don't have to manually add newly defined operations/roles in the policy files anymore, you should only have to worry about the things you're overriding | 22:25 |
mnaser | and the modifications you make in the code are being "overwritten" | 22:25 |
lbragstad | mnaser we have some bits for that too | 22:26 |
lbragstad | mnaser part of the tooling for moving policy into code allows you to pass oslo.policy a policy file and it spits out all the policies you can remove because they are the default | 22:26 |
lbragstad | so it's a way to prune the policy file to only the things you care about, which are the operations you want to override | 22:27 |
mnaser | yeah but i think you're going to have to make a lot of noises and warnings | 22:27 |
mnaser | i think most deployers arent as involved with these big changes | 22:27 |
mnaser | (i really like to think most people spend as much time as i do reading upgrade notes) | 22:27 |
mnaser | but i think that's something that people skip a lot heh | 22:27 |
lbragstad | mnaser i'd believe it | 22:27 |
lbragstad | mnaser we plan on honoring whatever is defined in the policy file though, so the upgrade would be backwards compatible | 22:28 |
lbragstad | (not sure if i'm understanding that particular concern or not) | 22:28 |
mnaser | lbragstad thinking about it you're right | 22:29 |
mnaser | if they don't remove policy.json, the old policies stay and everything is ok | 22:29 |
lbragstad | right | 22:29 |
mnaser | if they dont have one, keystone (should) usually be upgraded before all services so as part of the upgrade it can add those roles | 22:29 |
lbragstad | operators can migrate away from the older policies to something more granular if/when they want to | 22:29 |
mnaser | yeah this doesnt change any existing functionality fair enough | 22:29 |
lbragstad | but it allows you the ability to slim down your policy file to only what you need in your config management system | 22:30 |
lbragstad | and then when you go to upgrade, you don't have to manually munge policy files together based on the overrides you care about and new operations that were added to the project | 22:31 |
mnaser | yeah that really made things so nice for nova | 22:31 |
lbragstad | i bet - i'm anxious for keystone to get to that point | 22:31 |
mnaser | we literally had to write an ansible json_file resource to make sure that we tweaked the right files instead of just uploading them | 22:31 |
lbragstad | mnaser so it sounds like you need a way for projects to have specific roles incorporated by default | 22:46 |
*** lamt has quit IRC | 22:46 | |
lbragstad | mnaser but would also benefit from having standardization of some kind | 22:47 |
mnaser | yes exactly | 22:48 |
*** david-lyle has quit IRC | 22:51 | |
*** thorst has joined #openstack-keystone | 22:51 | |
lbragstad | mnaser awesome - we'd appreciate any of that feedback on the specs if you're willing to give it | 22:51 |
mnaser | lemme put my name in there and as movement happens ill try to give comments/thoughts | 22:52 |
lbragstad | mnaser that'd be fantastic | 22:52 |
mnaser | added on both, thanks lbragstad :) | 22:52 |
lbragstad | mnaser thanks for sharing your opinions! | 22:53 |
mnaser | lbragstad no problem, feel free to highlight me anytime for operator feedback or anything :> | 22:53 |
lbragstad | mnaser if you have any other suggestions regarding the standardization or management of policy in particular, i'm all ears | 22:53 |
lbragstad | mnaser will do (you might regret that statement!) | 22:53 |
mnaser | lbragstad something i brought up a while ago was being able to shadow a user as an admin (but this is on a super unrelated note) | 22:53 |
mnaser | as an operator it would be great if i can impersonate another user for a period of time | 22:54 |
lbragstad | mnaser for a support role capacity? | 22:54 |
mnaser | lbragstad yeah | 22:54 |
lbragstad | mnaser to see things like a user sees them? | 22:54 |
mnaser | we could integrate with something like that to give temp. access to support staff for things rather than giving them full admin access | 22:55 |
lbragstad | mnaser have you looked into trusts? | 22:55 |
*** thorst has quit IRC | 22:55 | |
mnaser | lbragstad but trusts seem like they are more longer lived | 22:57 |
mnaser | and they require setting up revokes (or maybe im wrong and you can put an expiry time on them) | 22:58 |
mnaser | and im not sure how easy it is to use openstack CLIs with trusts | 22:58 |
lbragstad | mnaser trusts support an expiration | 22:58 |
lbragstad | so you can create one for 10 minutes | 22:59 |
*** lamt has joined #openstack-keystone | 23:00 | |
lbragstad | mnaser it looks like osc supports trusts https://github.com/openstack/python-openstackclient/blob/1b3f953715ec592ee366b717c9eb6ab5c504acf9/doc/source/command-objects/trust.rst | 23:00 |
mnaser | okay i guess i have some more learning to do then :) | 23:01 |
*** markvoelker has joined #openstack-keystone | 23:02 | |
lbragstad | mnaser http://cdn.pasteraw.com/m1wnyry7k4syuydisnxlwtcif8xdmvo | 23:05 |
mnaser | lbragstad ill have to try that out and see if we can somehow integrate with horizon | 23:05 |
lbragstad | mnaser yeah - curious to get your feedback because I've heard the request before | 23:06 |
lbragstad | specifically for support use cases | 23:06 |
*** markvoelker has quit IRC | 23:06 | |
*** thorst has joined #openstack-keystone | 23:08 | |
mnaser | lbragstad it'll be a fun horizon exercise | 23:09 |
*** adrian_otto has joined #openstack-keystone | 23:15 | |
*** lamt has quit IRC | 23:17 | |
*** ravelar1 has quit IRC | 23:20 | |
*** thorst has quit IRC | 23:25 | |
*** thorst has joined #openstack-keystone | 23:25 | |
*** thorst has quit IRC | 23:29 | |
*** dave-mccowan has quit IRC | 23:31 | |
dstanek | lbragstad: that's what i get for having a bunch of uncommitted crap in my working directory. i have to eyeball pep8 because it always fails and then something slides through | 23:33 |
*** catintheroof has joined #openstack-keystone | 23:37 | |
*** chrome0 has quit IRC | 23:40 | |
*** gyee has quit IRC | 23:43 | |
*** chrome0 has joined #openstack-keystone | 23:43 | |
*** erlon has joined #openstack-keystone | 23:43 | |
*** thorst has joined #openstack-keystone | 23:56 |