Thursday, 2017-06-22

*** jmlowe has quit IRC00:14
*** jmlowe has joined #openstack-keystone00:15
*** openstackgerrit has joined #openstack-keystone00:22
openstackgerritMerged openstack/keystone master: Fix PCI DSS docs on change_password_after_first_use  https://review.openstack.org/47623500:22
samueldmqthis should be easy to get in https://review.openstack.org/#/c/475460/00:42
*** shuyingya has joined #openstack-keystone00:46
*** Shunli has joined #openstack-keystone01:02
*** liujiong has joined #openstack-keystone01:31
*** chlong has joined #openstack-keystone01:44
*** zhurong has joined #openstack-keystone01:52
*** chlong has quit IRC02:04
*** liujiong_lj has joined #openstack-keystone02:10
*** liujiong has quit IRC02:12
*** namnh has joined #openstack-keystone02:22
*** gongysh has joined #openstack-keystone02:24
*** liujiong_lj is now known as liujiong02:27
*** aselius has quit IRC02:29
*** chlong has joined #openstack-keystone02:37
*** zsli_ has joined #openstack-keystone02:55
*** Shunli has quit IRC02:58
*** gyee has quit IRC02:58
*** markvoelker has quit IRC03:21
*** markvoelker has joined #openstack-keystone03:21
*** nicolasbock has joined #openstack-keystone03:22
*** edmondsw has quit IRC03:22
*** markvoelker has quit IRC03:26
*** gongysh has quit IRC03:39
*** gongysh has joined #openstack-keystone03:42
*** namnh_ has joined #openstack-keystone03:45
*** aselius has joined #openstack-keystone03:45
*** namnh has quit IRC03:48
*** zhurong has quit IRC03:49
*** gongysh has quit IRC03:53
*** dave-mccowan has quit IRC03:56
*** chlong has quit IRC04:02
*** chlong has joined #openstack-keystone04:16
*** links has joined #openstack-keystone04:21
*** xuhaigang has quit IRC04:35
*** markvoelker has joined #openstack-keystone05:28
*** markvoelker has quit IRC05:40
*** markvoelker_ has joined #openstack-keystone05:44
*** gongysh has joined #openstack-keystone05:47
*** pnavarro has joined #openstack-keystone05:50
*** markvoelker_ has quit IRC05:52
*** aselius has quit IRC05:55
*** Dinesh_Bhor has quit IRC05:57
*** ducttape_ has joined #openstack-keystone06:01
*** ducttape_ has quit IRC06:06
*** Dinesh_Bhor has joined #openstack-keystone06:06
*** sjain has joined #openstack-keystone06:23
sjaincmurphy: Hi!, The patch you rebased initially passed the jenkins test, then after some time it is again giving the merge conflict06:24
sjainand its related patches are also giving the merge conflicts06:25
*** rcernin has joined #openstack-keystone06:30
*** sjain has quit IRC06:34
*** rcernin has quit IRC06:37
*** gagehugo has quit IRC06:40
*** markvoelker has joined #openstack-keystone06:40
*** gagehugo has joined #openstack-keystone06:42
*** markvoelker has quit IRC06:47
*** tbh_ has joined #openstack-keystone06:50
*** rcernin has joined #openstack-keystone06:50
*** markvoelker has joined #openstack-keystone06:59
*** tesseract has joined #openstack-keystone07:02
*** markvoelker has quit IRC07:04
*** pcaruana has joined #openstack-keystone07:05
*** markvoelker has joined #openstack-keystone07:08
*** markvoelker has quit IRC07:13
*** f13o has joined #openstack-keystone07:14
openstackgerrit龚肖 proposed openstack/keystone master: Fix token persistence driver number in configuration.rst.  https://review.openstack.org/47638407:18
*** markvoelker has joined #openstack-keystone07:21
*** markvoelker has quit IRC07:29
*** sjain has joined #openstack-keystone07:47
sjainthanks cmurphy, I'll try to rebase the patch again07:48
cmurphysjain: cool07:48
sjainone more doubt, when I do git rebase -i master, there are a series of changes which come up, should I select all or only the changes I have made?07:50
cmurphysjain: you should not use rebase -i here07:50
sjainokay, what does -i stand for?07:51
cmurphyit stands for interactive, so it's a way to go back to individual commits and reorder them or edit them or squash them into each other07:51
sjainokay, so I should just do git rebase master?07:52
cmurphyyes, and make sure your local master is up to date07:53
sjainokay, I'll do that07:53
sjainthanks!07:53
cmurphyno problem07:53
openstackgerritSamriddhi proposed openstack/keystone master: Updated the keystone docs to follow the docs theme  https://review.openstack.org/46606607:58
openstackgerritSamriddhi proposed openstack/keystone master: Reorganised keystone documentation structure  https://review.openstack.org/47511907:58
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
*** sjain has quit IRC08:12
*** markvoelker has joined #openstack-keystone08:17
*** markvoelker has quit IRC08:22
*** sjain has joined #openstack-keystone08:24
*** zhurong has joined #openstack-keystone08:28
*** markvoelker has joined #openstack-keystone08:36
*** dmk0202 has joined #openstack-keystone08:40
*** mdavidson has quit IRC08:41
*** markvoelker has quit IRC08:42
*** f13o has quit IRC08:47
*** mdavidson has joined #openstack-keystone08:50
*** henrynash has joined #openstack-keystone08:53
*** shuyingya has quit IRC08:57
*** markvoelker has joined #openstack-keystone09:00
*** f13o has joined #openstack-keystone09:02
*** markvoelker has quit IRC09:05
*** zhurong has quit IRC09:16
*** tbh_ has quit IRC09:20
*** zsli_ has quit IRC09:25
*** sjain has quit IRC09:26
*** henrynash has quit IRC09:35
*** Administrator__ has joined #openstack-keystone09:37
*** Administrator_ has quit IRC09:40
*** dmk0202 has quit IRC09:40
*** liujiong has quit IRC09:59
*** ducttape_ has joined #openstack-keystone10:02
*** wasmum has quit IRC10:04
*** ducttape_ has quit IRC10:06
*** wasmum has joined #openstack-keystone10:06
*** wasmum has quit IRC10:11
*** f13o has quit IRC10:13
openstackgerritKristi Nikolla proposed openstack/keystone master: Return 400 when trying to create trust with ambiguous role name  https://review.openstack.org/47645110:16
openstackgerritKristi Nikolla proposed openstack/keystone master: Return 400 when trying to create trust with ambiguous role name  https://review.openstack.org/47645110:20
*** wasmum has joined #openstack-keystone10:22
*** henrynash has joined #openstack-keystone10:26
*** f13o has joined #openstack-keystone10:28
*** zhurong has joined #openstack-keystone10:31
*** henrynash has quit IRC10:35
*** markvoelker has joined #openstack-keystone10:36
*** henrynash has joined #openstack-keystone10:40
*** markvoelker has quit IRC10:41
*** henrynash has quit IRC10:41
*** markvoelker has joined #openstack-keystone10:47
*** gongysh has quit IRC10:47
openstackgerritSamriddhi proposed openstack/keystone master: Migrated docs from devdocs to general docs  https://review.openstack.org/47616210:48
*** markvoelker has quit IRC10:55
*** ayoung has quit IRC10:57
*** ayoung has joined #openstack-keystone11:00
*** ebbex has joined #openstack-keystone11:00
ebbexDoes check_revocations_for_cached really only apply to PKI or fernet as well? (documentation only mentions PKI)11:01
*** sjain has joined #openstack-keystone11:13
*** vladiskuz has joined #openstack-keystone11:18
vladiskuzHello everybody! What should I use instead of pki_setup right now?11:19
openstackgerritSamriddhi proposed openstack/keystone master: Migrated docs from devdocs to general docs  https://review.openstack.org/47616211:29
bretonvladiskuz: you should not use pki at all11:34
bretonvladiskuz: pki tokens are deprecated and afaik removed11:34
*** sjain has quit IRC11:56
openstackgerritSamriddhi proposed openstack/keystone master: Migrated docs from devdocs to user docs  https://review.openstack.org/47620011:57
openstackgerritSamriddhi proposed openstack/keystone master: Migrated docs from devdocs to operator docs  https://review.openstack.org/47620911:57
*** mvk has quit IRC11:59
*** zhurong has quit IRC12:01
*** namnh_ has quit IRC12:07
*** edmondsw has joined #openstack-keystone12:10
*** zhurong has joined #openstack-keystone12:16
*** zhurong has quit IRC12:18
*** henrynash has joined #openstack-keystone12:26
*** chlong has quit IRC12:26
*** gongysh has joined #openstack-keystone12:27
*** mvk has joined #openstack-keystone12:29
*** edmondsw has quit IRC12:38
*** cristicalin has joined #openstack-keystone12:43
*** dave-mccowan has joined #openstack-keystone12:43
*** pooja_jadhav has joined #openstack-keystone12:58
*** f13o has quit IRC13:04
*** lucasxu has joined #openstack-keystone13:06
*** henrynash has quit IRC13:10
*** henrynash has joined #openstack-keystone13:11
*** edmondsw has joined #openstack-keystone13:11
*** henrynash has quit IRC13:12
*** jmlowe has quit IRC13:16
*** bknudson has joined #openstack-keystone13:17
*** f13o has joined #openstack-keystone13:18
*** catintheroof has joined #openstack-keystone13:20
*** markvoelker has joined #openstack-keystone13:22
*** liujiong has joined #openstack-keystone13:31
openstackgerritSamuel Pilla proposed openstack/keystone master: WIP: Add project tags  https://review.openstack.org/47031713:37
*** chlong has joined #openstack-keystone13:39
*** edmondsw_ has joined #openstack-keystone13:40
*** edmondsw_ has quit IRC13:40
*** raildo has joined #openstack-keystone13:49
*** wasmum has quit IRC13:50
*** markvoelker has quit IRC13:53
*** wasmum has joined #openstack-keystone13:53
*** ducttape_ has joined #openstack-keystone14:03
*** spzala has joined #openstack-keystone14:12
*** liujiong has quit IRC14:18
*** raildo has quit IRC14:27
*** raildo has joined #openstack-keystone14:27
*** jmlowe has joined #openstack-keystone14:33
*** phalmos has joined #openstack-keystone14:44
*** sbezverk has quit IRC14:44
*** links has quit IRC14:45
*** raildo has quit IRC14:51
openstackgerritSamriddhi proposed openstack/keystone master: Expanded the best practices subsection in devdocs  https://review.openstack.org/47654114:51
*** markvoelker has joined #openstack-keystone14:55
lbragstadasettle: there is an openstack manuals guide for writing isn't there?14:56
*** raildo has joined #openstack-keystone14:56
asettlelbragstad: contributor guide yo14:56
asettlehttps://docs.openstack.org/contributor-guide/14:56
asettle"writing documentation" and 'writing style'14:56
lbragstadfantastic!14:57
lbragstadebbex: where do you see that?14:57
lbragstadebbex: yes - that only applies to PKI tokens, fernet tokens must be validated against the identity service directly14:59
ebbexIs keystone doing something totally different with tokens than the other projects when it comes to caching? tcpdumping the memcache shows "get 8de2523b4c7276ae861e477c4b66018416107d2b", whilst projects like glance have queries like "get tokens/aef1af34ab1d95cefc5ab4fe90af28147b5bc6244df683165cc512b395ef47a7".15:00
lbragstadebbex: at which point the identity service will check the token against all the revocation events keystone knows about15:00
*** bknudson1 has joined #openstack-keystone15:00
morganebbex: keystone does build cache keys differently15:00
*** aselius has joined #openstack-keystone15:00
morganebbex: it also caches a LOT of extra data that other services do not15:01
morganthe reason for the tokens/ prefix is largely historical and older implementations (in middleware)15:01
morganbut in short, keystone makes an effort to cache project data, user data, domain data, etc. and the cache keys all look like sha1 hashes (by design)15:01
ebbexah, so that explains when I do a "token revoke", the other projects still find a "valid" token in memcache..?15:02
openstackgerritSamriddhi proposed openstack/keystone master: Expanded the best practices subsection in devdocs  https://review.openstack.org/47654115:02
morganpartly15:02
morgana token revoke was never invalidating caches15:02
morganthe risk with caching is explicitly allowing revoked tokens for the cache window (in middleware)15:02
*** bknudson has quit IRC15:03
morgankeystone doesn't control/know/understand the other services caches15:03
morgankeystone also doesn't use token ids for caching, it does all memoization, so it is based upon the arguments to methods. the cache in middleware is based on the token id15:03
ebbexmorgan: but isn't it actually the keystone-middleware that does this for the other projects though?15:04
morganyes15:04
morgankeystone service/server doesn't know middleware's cache details15:04
morgankeystonemiddleware should probably be renamed to openstack_auth_middleware15:05
morganit handles authz validation. that's it.15:05
ebbexbut it knows its cache key though..?15:05
morganmiddleware is run in the process space of nova.15:05
*** enriquetaso_ has joined #openstack-keystone15:05
morgankeystone (Server) has no idea what the cache server/details nova is using15:06
morganyou might have different memcache servers because you have multiple regions15:06
lbragstadthe cache backend the keystone server uses is different from the cache backend the middleware uses15:06
*** rcernin has quit IRC15:09
ebbexlbragstad: https://docs.openstack.org/ocata/config-reference/common-configurations/auth.html, turning check_revocations_for_cached on i see a GET to /v3/auth/tokens/OS-PKI/revoked15:10
lbragstadebbex: yeah - that's middleware attempting to fetch a list of revoked tokens from keystone15:10
ebbexWouldn't this also have worked nicely if it wasn't limited to just PKI?15:11
lbragstadebbex: it worked for PKI because PKI tokens were persisted in the keystone database15:11
lbragstad(like UUID tokens)15:11
lbragstadwhich made returning a list of revoked tokens easy since keystone knows about the whole set and can reason about it15:12
ebbexAren't fernet revocations persistent in database as well?15:12
lbragstadFernet tokens are completely non-persistent15:12
morganthe revocations are a lot less direct15:12
morganin fernet15:12
ebbexBut not the revocations tho?15:12
lbragstadebbex: the revocation event is persisted in keystone15:13
morganyes, they are persisted, but it's not as easy to determine revocations from that data.15:13
lbragstadright15:13
morganit's an event that says "tokens from time X for user Y and project Z are now revoked"15:13
lbragstadebbex: with PKI and UUID tokens, we could determine which tokens were revoked based on attributes of the token itself (we actually just flipped a bit in the database when revoking a PKI or UUID token)15:14
morganeven with PKI tokens and token revocation lists, there were often times where cached valid tokens would still work. This has all the same issues as CRLs for SSL certs.15:14
lbragstadbut - the trade-off is that you have a *massive* token table15:14
morganand ^^ what lbragstad said15:14
ebbexmorgan: But there's code already present to validate those things right? (if a fernet token is revoked or not)15:14
morganright, but only if you actively ask keystone15:14
morgankeystone has to decode the token15:15
lbragstadand rebuild the authorization context15:15
morganthe token content itself is very stubby and is AES encrypted15:15
lbragstadfrom there - keystone compares the values of the token to all revocation events it knows about15:15
morgannova (and keystonemiddleware) cannot decode it. only keystone server can15:15
lbragstadthe revocation system in keystone comes up with an answer saying either "this token is revoked" or "this token is valid"15:15
lbragstadoh- right15:16
lbragstadyeah - we're using symmetric encryption to protect the data within the token15:16
ebbexWe just see 404 not found when using revoked tokens...15:16
morgancorrect, because tokens are (at least in v2, they were) a resource in REST15:18
morganauth/tokens/token_id15:18
morgana 404 would be correct if it was invalid.15:18
morganin v3... it is different, but likely historically still 404s (ugh)15:18
lbragstadhttps://github.com/openstack/keystone/blob/6b24ba507c2a001e2b95ee598e0f0f5b66c11bff/keystone/revoke/core.py#L167-L16915:18
*** f13o has quit IRC15:19
*** tobberyd_ has joined #openstack-keystone15:19
lbragstadthe values of a token are passed in and if the revocation api detects an event that matches the values of that token in some way, it throws a 40415:19
ebbexOk, thanks for clarifying.15:20
morganebbex: sure thing15:20
lbragstadebbex: anytime15:21
lbragstadebbex: hopefully that cleared some stuff up15:21
*** tobberydberg has quit IRC15:22
*** tobberyd_ has quit IRC15:23
ebbexSo I suppose the weirdest case we were troubleshooting was that we're querying nova, which queries neutron, neutron does a check for auth/subject token, (meanwhile, we've changed the password for nova) so the token is revoked. Keystone sends 404 to neutron, and neutron sends 401 to nova. But nova doesn't seem to understand that its token is revoked. And just tries using it again and again, to the same errors/effect.15:23
*** raildo has quit IRC15:26
*** raildo has joined #openstack-keystone15:28
knikollao/15:28
morganebbex: nova should give up and error after a few attempts15:29
morganand pass the error back up to the user.15:29
morganindicating 401, token invalid15:29
morganlong term we're trying to address this kind of thing with a few initiatives15:29
*** raildo has quit IRC15:29
morgansome of which are things like allowing neutron (since nova accepted the token) to know it's a service-to-service request and use a "?invalid_ok" validation15:30
lbragstadideally - only validating the user token at the edge of the operation15:30
lbragstadand allowing service-to-service trust to happen15:30
*** raildo has joined #openstack-keystone15:30
morgan++15:34
*** raildo has quit IRC15:35
*** jmlowe_ has joined #openstack-keystone15:36
*** jmlowe has quit IRC15:38
knikollaFYI that I'll be UTC+2 for the next 3 weeks.15:42
*** pcaruana has quit IRC15:42
openstackgerritSamriddhi proposed openstack/keystone master: Reorganised developer documentation  https://review.openstack.org/47660615:43
*** gyee has joined #openstack-keystone15:46
*** bknudson1 has quit IRC15:49
lbragstadfwiw - once https://review.openstack.org/#/c/469515/2 merges we can really start working on removing duplicate documentation from our devref15:50
*** bknudson has joined #openstack-keystone15:53
*** rderose has joined #openstack-keystone15:55
lbragstadsamueldmq: is sjain around?15:57
*** cristicalin has quit IRC16:00
lbragstadstepping out to get a run in over lunch16:02
*** tobberydberg has joined #openstack-keystone16:03
*** gongysh has quit IRC16:05
*** raildo has joined #openstack-keystone16:06
*** tobberydberg has quit IRC16:08
openstackgerritKristi Nikolla proposed openstack/keystone master: Return 400 when trying to create trust with ambiguous role name  https://review.openstack.org/47645116:25
*** thorst has joined #openstack-keystone16:44
*** raildo has quit IRC16:48
*** raildo has joined #openstack-keystone16:48
samueldmqlbragstad: I don't think so16:52
samueldmqanything I can help with?16:52
*** eandersson has quit IRC16:54
*** thorst has quit IRC16:57
*** thorst has joined #openstack-keystone16:57
*** hyakuhei has quit IRC17:00
*** hyakuhei has joined #openstack-keystone17:00
*** hyakuhei has quit IRC17:00
*** hyakuhei has joined #openstack-keystone17:00
*** tobberydberg has joined #openstack-keystone17:00
*** thorst_ has joined #openstack-keystone17:00
*** thorst has quit IRC17:02
*** thorst_ has quit IRC17:05
*** sjain has joined #openstack-keystone17:06
*** mvk has quit IRC17:06
sjain@lbragstad, samueldmq: Hi, I'm here now, you needed to discuss anything?17:07
*** mvk has joined #openstack-keystone17:08
*** tobberydberg has quit IRC17:09
*** tobberydberg has joined #openstack-keystone17:10
*** ducttape_ has quit IRC17:13
openstackgerritSamriddhi proposed openstack/keystone master: Added new subsections to developer docs  https://review.openstack.org/47663517:14
*** tobberydberg has quit IRC17:14
*** eandersson has joined #openstack-keystone17:16
*** thorst has joined #openstack-keystone17:20
lbragstadsamueldmq: sjain i started noticing just how much duplication we have across the various guides and devref17:23
lbragstadi was also wondering if the chain (starting at https://review.openstack.org/#/c/466066/11 ) needs to be in a series or if they can start being worked in parallel?17:24
*** mvk has quit IRC17:24
lbragstadupdating the theme seems like the logical first step - but do the rest need to be in a series?17:24
sjainthere is even more with config guides I guess17:24
sjainyes, saw your comments17:24
*** thorst has quit IRC17:24
openstackgerritMerged openstack/keystone master: Updated the keystone docs to follow the docs theme  https://review.openstack.org/46606617:25
lbragstadwoo! ^17:25
lbragstadspeaking of docs17:25
sjainthe other steps are after the reorganising in 4 categories17:25
sjainthank God this is merged!17:25
lbragstad:)17:25
sjainyeah I was saying, that chain has different docs from dev docs shifted to other 3 categories17:26
sjainand then reorganising dev docs internally17:27
lbragstadgot it17:27
lbragstadwe might be able to work some of those changes in parallel17:27
sjainlast parts could have been done in parallel, but I have already finished those :P17:27
lbragstadwhich should hopefully get them moving a bit faster17:27
samueldmqlbragstad: ++17:27
sjainthey are very small changes17:27
lbragstadsjain: oh - sure, i mean proposing them in parallel17:28
lbragstadinstead of having them dependent on each other17:28
sjaincan it be done now btw?17:28
samueldmqI asked sjain to do some of those in a chain so that she gets to learn how amazing it is to maintain patches in a chain17:28
samueldmq:-)17:28
lbragstadahh17:28
sjainyeah I struggled at first but now I'm fine working on them in chains17:29
lbragstadok17:29
sjainsamueldmq, all the 6 patches I have uploaded17:29
samueldmqlbragstad: what if we keep those in a chain but decide better for follow-ups17:29
samueldmqlbragstad: those should be really easy to get it, mostly moving things around17:30
lbragstadsamueldmq: yeah - that should be fine17:30
samueldmqnice17:30
lbragstadlet's get everything moved over, then start tracking works for fixing the duplication17:31
sjainlbragstad gave some reviews on the reorganised docs patch, should I address those on same patch or a separate review?17:31
lbragstad(there is so much of it)17:31
samueldmqsjain: lbragstad I will review all those later today17:31
samueldmqlbragstad: perfect17:31
sjain:)17:31
samueldmqlbragstad: duplication of what we have VS what we're migrating, correct?17:31
lbragstadsjain: which patch are you referencing?17:31
sjainjust a sec17:32
samueldmqlbragstad: are you documenting the duplications you're seeing somewhere? it'd be nice if we got a list and assignees17:32
lbragstadsamueldmq: yeah - for example we have a section that describes caching in keystone in devref, but the admin-guide also has one17:32
sjainthis, https://review.openstack.org/#/c/475119/17:32
samueldmqdocs are going to get in a great shape :)17:32
lbragstadthis probably goes without saying, but i doubt it makes sense to have two separate sections on caching17:32
lbragstadsjain: my comment here can be addressed later https://review.openstack.org/#/c/475119/6/doc/source/getting-started/apache-httpd.rst,unified17:33
lbragstadaddressing these two now might not be a bad idea - https://review.openstack.org/#/c/475119/6/doc/source/index.rst17:34
lbragstadand this one, too https://review.openstack.org/#/c/475119/6/doc/source/related_projects.rst17:34
lbragstadonce we merge that we can refactor the duplication17:34
sjainokay I'll have a look at those17:34
lbragstadsjain: thanks17:35
sjain:)17:35
samueldmqlbragstad: I hear what you say in 47511917:36
samueldmqhttps://review.openstack.org/#/c/475119/17:36
lbragstadwhich part?17:36
samueldmqI think renaming developer to contributor makes sense17:36
lbragstadyeah - it sounds like keystone is going to be inheriting "developer" documentation from the openstack manuals repo17:37
samueldmqlbragstad: what if we get that in and rename in a follow-on ?17:37
lbragstad"developer" as in someone developing applications on top of keystone or openstack17:37
lbragstadwhich is different than keystone "developer" or contributor17:37
samueldmqthe others following it should be easy to merge17:37
samueldmqand we reduce the burden of maintaining that chain for sjain17:37
lbragstadsamueldmq: yeah - we can fast follow it17:38
samueldmqyes I asked her to do that, good experience17:38
samueldmqlbragstad: ++17:38
samueldmqlbragstad: +2 from me.17:38
sjainthank you so much :P17:38
lbragstadsjain: thanks for the patches17:39
sjainno problem :)17:39
lbragstadsjain: i'd like to get to a point where we can have multiple folks cleaning things up at once17:39
sjainyeah I understand, that's why for openstack-manuals I was trying to work in parallel17:41
*** ducttape_ has joined #openstack-keystone17:46
samueldmqsjain: wow the docs are rendering really greatly at the end of the chain17:46
samueldmqI will take a more detailed look later today, checking against that etherpad we had17:47
openstackgerritJaewoo Park proposed openstack/keystone master: WIP: Add project tags  https://review.openstack.org/47031717:47
*** mvk has joined #openstack-keystone17:53
knikollahttps://review.openstack.org/#/c/476451/17:54
sjainsure samueldmq, I have added 1-2 comments in that etherpad too related to the changes17:54
knikollalbragstad:  for ^^ didn't know what to call the error and called it AmbiguityError17:54
lbragstadknikolla: checking17:55
lbragstadknikolla: yeah - i think that makes sense17:57
lbragstadknikolla: reviewed17:57
*** sjain has quit IRC17:59
*** tesseract has quit IRC17:59
knikollalbragstad: going to answer here since gerrit is dreadful on an ipad. Yes, only possible when a global role conflicts with a domain one. Or two domain ones.17:59
openstackgerritJaewoo Park proposed openstack/keystone master: WIP: Add project tags  https://review.openstack.org/47031718:01
openstackgerritKristi Nikolla proposed openstack/keystone master: Return 400 when trying to create trust with ambiguous role name  https://review.openstack.org/47645118:04
knikollaMy patches come from the future now https://i.imgur.com/3k1pbjh_d.jpg?maxwidth=64018:08
lbragstadknikolla: looks like you got yourself one of those fancy time machines18:09
knikollalbragstad: too bad it can only send patches to the future and not to the past. Haha18:11
lbragstadknikolla: ++18:11
knikollalbragstad: thanks for the superquick review!18:12
lbragstadknikolla: no problem18:12
*** raildo has quit IRC18:16
morganhmm18:22
morganknikolla, lbragstad: +2, just waiting for CI before +A18:23
*** thorst has joined #openstack-keystone18:23
*** thorst has quit IRC18:27
lbragstadmorgan: thanks18:34
lbragstadknikolla: actually - do you have a release note for that bug yet?18:35
*** thorst has joined #openstack-keystone18:35
lbragstadknikolla: it might be good to amend https://review.openstack.org/#/c/476451/ with a release note so that it gets generated when keystone is released18:35
*** gus has quit IRC18:38
*** henrynash has joined #openstack-keystone18:38
*** thorst has quit IRC18:40
*** gus has joined #openstack-keystone18:40
knikollalbragstad: will add one18:47
lbragstadknikolla: that'd be great, thanks!18:47
*** henrynash has quit IRC18:49
*** thorst has joined #openstack-keystone18:50
lbragstadsamueldmq: cmurphy want to give this a review? https://review.openstack.org/#/c/449244/18:52
lbragstadmorgan: thoughts on the comments here? https://review.openstack.org/#/c/449255/7/keystone/common/policies/token_revocation.py18:53
*** nicolasbock has quit IRC18:54
*** thorst has quit IRC18:54
*** henrynash has joined #openstack-keystone18:56
morganlbragstad: commented19:00
morganbasically19:00
morganwe can't remove APIs19:00
morganwe can make them return an empty list19:01
morganin this case19:01
lbragstadmorgan: what about cmurphy's comment about backwards compatibility?19:01
morganan empty list is compatibler19:01
morgancompatible*19:01
lbragstadis a change backwards incompatible if there is a change in logic?19:01
morganthe change is not backwards incompatible if a response is valid19:02
morganaka, pki tokens disappearing, if the revocation list is empty, that is a valid response19:02
morganbut it would be invalid to make that api result in a 40419:02
lbragstadso the only way that change is valid is because we don't support pki anymore19:02
morgancorrect19:03
morganbut the API must still work as expected19:03
lbragstadsince it's impossible to use pki tokens with that version of keystone (outside of rolling your own) that's a valid change since it's just returning an empty list19:03
morganyes.19:03
lbragstadgot it19:03
lbragstadthanks morgan, that makes sense19:03
morgannow that said, pki tokens aren't an API19:03
morganso we could remove PKI tokens19:04
morganit doesn't impact an api anyone using keystone19:04
*** henrynash has quit IRC19:04
morganbut rev list was an actual GET api19:05
openstackgerritMerged openstack/keystone master: Reorganised keystone documentation structure  https://review.openstack.org/47511919:05
lbragstadmorgan: right19:06
*** ducttap__ has joined #openstack-keystone19:22
*** ducttape_ has quit IRC19:25
openstackgerritLance Bragstad proposed openstack/keystone master: Move ec2 credential policies to DocumentedRuleDefault  https://review.openstack.org/44923519:25
lbragstadsamueldmq: hrybacki ^ updated19:26
openstackgerritLance Bragstad proposed openstack/keystone master: Move ec2 credential policies to DocumentedRuleDefault  https://review.openstack.org/44923519:26
*** eandersson has quit IRC19:38
*** eandersson has joined #openstack-keystone19:38
*** thorst has joined #openstack-keystone19:40
*** thorst has quit IRC19:44
*** rderose has quit IRC19:44
openstackgerritLance Bragstad proposed openstack/keystone master: Move related project information into main doc  https://review.openstack.org/47667519:45
lbragstadsamueldmq: ^19:46
*** thorst has joined #openstack-keystone19:46
*** thorst has quit IRC19:50
openstackgerritLance Bragstad proposed openstack/keystone master: Gear documentation towards a wider audience  https://review.openstack.org/47667619:53
*** rderose has joined #openstack-keystone19:57
lbragstadmorgan: quick question - it looks like admin_token_auth has been completely removed20:00
morganhm20:00
morganuh20:00
morganmaybe20:00
lbragstadmorgan: is there anything stopping us from removing http://192.168.122.160/doc/build/html/configuration.html#bootstrapping-keystone-with-admin-token20:00
morgansec20:00
lbragstadsure20:00
morganwell20:00
morganwe merged the functionality from the admin token middleware into the auth_context middleware20:01
morganso... we can remove it20:01
morganbut the base functionality won't go away20:01
morgan(remove the docs that is)20:01
morganeveryone should use bootstrap.20:01
lbragstadhttps://github.com/openstack/keystone/blob/f992b1ce42d6d553146f538f7874fa40f1934cd8/keystone/middleware/core.py#L59-L7120:01
lbragstadlooks like we won't remove that until queens opens for development20:01
morganyah20:02
lbragstadok20:02
morganand that is just a stub20:02
*** sbezverk has joined #openstack-keystone20:02
morganso we don't break people's paste pipelines20:02
lbragstadright20:02
morganagain auth_token functionality is still in auth_context middleware20:02
morganauth...admin token20:02
morgan... bah, you know what i mean20:03
lbragstadoh - so it's still possible?20:03
morganyes you can still use admin token20:03
lbragstadah.... https://github.com/openstack/keystone/blob/f992b1ce42d6d553146f538f7874fa40f1934cd8/keystone/middleware/auth.py#L14520:03
morganhttps://github.com/openstack/keystone/blob/master/keystone/middleware/auth.py#L145-L15320:04
morganyeah20:04
lbragstadmorgan: do we still need to keep the certificate stuff around? https://docs.openstack.org/developer/keystone/configuration.html#certificates-for-pki20:05
lbragstadthe certificates were supposed to stick around because of the revocation list API, right?20:05
morgandon't think so20:05
lbragstadok20:05
morganbut... i dunno20:05
lbragstadI'll propose a patch to remove that since I don't think we need it anymore20:05
*** phalmos has quit IRC20:06
openstackgerritLance Bragstad proposed openstack/keystone master: Remove PKI certificate documentation  https://review.openstack.org/47668820:09
*** jrist has quit IRC20:09
*** jrist has joined #openstack-keystone20:17
openstackgerritMerged openstack/keystone master: Check log output rather than emitting in tests  https://review.openstack.org/47546020:18
*** rderose has quit IRC20:26
openstackgerritSamuel Pilla proposed openstack/keystone master: WIP: Add project tags  https://review.openstack.org/47031720:29
openstackgerritGage Hugo proposed openstack/keystone master: Prep for is_admin_project for scoped operations  https://review.openstack.org/46267020:41
*** jmlowe_ has quit IRC20:41
*** lucasxu has quit IRC20:49
*** ducttape_ has joined #openstack-keystone20:50
openstackgerritLance Bragstad proposed openstack/keystone master: Add history behind why keystone has two ports  https://review.openstack.org/47670320:51
*** enriquetaso_ has quit IRC20:51
*** ducttap__ has quit IRC20:53
cmurphymorgan: lbragstad what happened to these other os-pki actions? https://review.openstack.org/#/c/449255/7/keystone/common/policies/token_revocation.py didn't removing those break the API?21:00
*** thorst has joined #openstack-keystone21:04
openstackgerritColleen Murphy proposed openstack/keystone master: Split test_get_head_catalog_no_token  https://review.openstack.org/47671021:08
cmurphylbragstad: ^21:08
morganv2?21:12
morgani dunno.21:12
*** edmondsw has quit IRC21:13
openstackgerritColleen Murphy proposed openstack/keystone master: Split test_get_head_catalog_no_token  https://review.openstack.org/47671021:16
*** edmondsw has joined #openstack-keystone21:16
*** catintheroof has quit IRC21:18
lbragstadcmurphy: those were just moved into a different module = https://review.openstack.org/#/c/449255/7/keystone/common/policies/token.py21:20
*** edmondsw has quit IRC21:21
lbragstadthey were specific to the os-pki bits, and they weren't specifically token_revocation APIs21:21
lbragstadjust general token authentication and validation APIs21:21
lbragstadi thought having them in a separate module that didn't group them with "revocation" would be easier21:22
cmurphylbragstad: yeah i realized that after i asked, but i'm still wondering what happened to reduce https://developer.openstack.org/api-ref/identity/v3/index.html#os-pki-api to just one GET, it probably used to have more features?21:23
lbragstadcmurphy: i don't think it did - i'm pretty sure it was only for getting revoked PKI tokens21:24
* lbragstad goes to dig in old code21:24
cmurphyah okay21:25
cmurphyi'll believe you21:25
lbragstadi think it was for middleware to get a list of revoked tokens so that it could do offline validation easier?21:25
lbragstadbut - then again, that doesn't make sense to me21:25
lbragstadand seems counter-intuitive to doing offline validation anyway21:25
lbragstadcmurphy: this is mitaka - https://github.com/openstack/keystone/blob/stable/mitaka/keystone/auth/routers.py#L34-L3921:27
openstackgerritMerged openstack/keystone master: Move grant policies to DocumentedRuleDefault  https://review.openstack.org/44924421:35
knikollaAny patch i can review to help me get sleepy despite jetlag? :P21:38
*** sbezverk has quit IRC21:39
lbragstadknikolla: https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bug/169657421:39
lbragstadknikolla: or any of https://review.openstack.org/#/q/owner:j.samriddhi13%2540gmail.com+status:open21:39
openstackgerritMerged openstack/keystone master: Return 400 when trying to create trust with ambiguous role name  https://review.openstack.org/47645121:41
knikollalbragstad: sure. I believe i have already reviewed all of HEAD previously. Will check if there's newer patches/sets.21:41
knikollaAnd with that merging one bug is closed :)21:42
knikolla^^21:42
knikollaAnother hundred to go.21:42
gagehugoknikolla \o/21:46
*** thorst has quit IRC21:47
knikollaNow if only I could make commenting in gerrit work from ipad I'd be happy.21:47
*** spzala has quit IRC21:55
*** spzala has joined #openstack-keystone21:56
*** spzala has quit IRC21:56
*** spzala has joined #openstack-keystone21:56
*** chlong has quit IRC21:57
openstackgerritMerged openstack/python-keystoneclient master: Add support for endpoint group filtering  https://review.openstack.org/18265822:02
openstackgerritMerged openstack/keystone master: Add HEAD API to auth  https://review.openstack.org/47288122:03
*** dave-mccowan has quit IRC22:15
*** bknudson has quit IRC22:18
*** henrynash has joined #openstack-keystone22:36
*** adriant has quit IRC22:39
*** adriant has joined #openstack-keystone22:39
*** edmondsw has joined #openstack-keystone22:49
*** spzala has quit IRC22:49
*** thorst has joined #openstack-keystone22:52
*** phalmos has joined #openstack-keystone22:56
*** henrynash has quit IRC22:56
openstackgerritColleen Murphy proposed openstack/keystone master: Split test_get_head_catalog_no_token  https://review.openstack.org/47671022:57
*** ducttape_ has quit IRC23:07
*** raildo has joined #openstack-keystone23:08
*** thorst has quit IRC23:09
*** chlong has joined #openstack-keystone23:10
*** raildo has quit IRC23:12
*** raildo has joined #openstack-keystone23:12
*** raildo has quit IRC23:20
*** gongysh has joined #openstack-keystone23:31
*** gongysh has quit IRC23:33
*** gongysh has joined #openstack-keystone23:37
*** gongysh has quit IRC23:38
*** aloga has quit IRC23:43
*** aloga has joined #openstack-keystone23:45
