Monday, 2017-07-10

*** thorst has joined #openstack-keystone		00:02
*** thorst has quit IRC		00:08
*** thorst has joined #openstack-keystone		00:36
*** zhurong has joined #openstack-keystone		00:48
*** dave-mccowan has joined #openstack-keystone		01:33
*** thorst has joined #openstack-keystone		01:52
*** ducttape_ has joined #openstack-keystone		01:54
*** thorst has quit IRC		01:56
*** ducttape_ has quit IRC		01:59
*** lbragstad has joined #openstack-keystone		02:10
*** ChanServ sets mode: +o lbragstad		02:10
*** zzzeek_ has joined #openstack-keystone		02:30
*** zhurong has quit IRC		02:43
*** aojea has joined #openstack-keystone		03:11
*** aojea has quit IRC		03:15
*** ducttape_ has joined #openstack-keystone		03:38
*** ducttap__ has joined #openstack-keystone		03:40
*** ducttape_ has quit IRC		03:40
*** ducttap__ has quit IRC		03:44
*** Dinesh_Bhor has joined #openstack-keystone		03:52
*** thorst has joined #openstack-keystone		03:53
*** thorst has quit IRC		03:57
*** lbragstad has quit IRC		04:04
*** dave-mccowan has quit IRC		04:05
*** ducttape_ has joined #openstack-keystone		04:42
*** ducttape_ has quit IRC		04:44
*** ducttape_ has joined #openstack-keystone		04:44
*** zhurong has joined #openstack-keystone		04:46
*** ducttape_ has quit IRC		04:46
*** ducttape_ has joined #openstack-keystone		04:49
*** ducttape_ has quit IRC		04:53
*** tobberydberg has joined #openstack-keystone		05:29
*** ducttape_ has joined #openstack-keystone		05:49
*** thorst has joined #openstack-keystone		05:54
*** ducttape_ has quit IRC		05:55
*** thorst has quit IRC		05:59
*** rvba has joined #openstack-keystone		06:28
*** rvba has quit IRC		06:28
*** rvba has joined #openstack-keystone		06:28
*** rcernin has joined #openstack-keystone		06:47
*** belmoreira has joined #openstack-keystone		06:54
*** Shunli has joined #openstack-keystone		06:59
*** clenimar has quit IRC		07:04
*** harlowja has quit IRC		07:11
*** zsli_ has joined #openstack-keystone		07:14
*** Shunli has quit IRC		07:17
*** aojea has joined #openstack-keystone		07:21
*** tesseract has joined #openstack-keystone		07:36
*** nicolasbock has joined #openstack-keystone		07:37
*** masber has quit IRC		07:40
*** masber has joined #openstack-keystone		07:53
*** namnh has joined #openstack-keystone		07:54
*** thorst has joined #openstack-keystone		07:54
*** ducttape_ has joined #openstack-keystone		07:58
*** zzzeek has quit IRC		08:00
*** thorst has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:02
*** ducttape_ has quit IRC		08:03
*** jistr\|off is now known as jistr		08:25
*** afazekas\|away is now known as afazekas		08:34
*** namnh has quit IRC		08:39
*** slunkad has joined #openstack-keystone		08:59
*** ducttape_ has joined #openstack-keystone		08:59
*** mdavidson has joined #openstack-keystone		09:04
*** ducttape_ has quit IRC		09:04
*** mvk has joined #openstack-keystone		09:21
*** thorst has joined #openstack-keystone		09:23
*** zsli_ has quit IRC		09:27
*** thorst has quit IRC		09:28
*** ducttape_ has joined #openstack-keystone		10:02
*** ducttape_ has quit IRC		10:04
*** ducttape_ has joined #openstack-keystone		10:05
*** ducttape_ has quit IRC		10:10
*** sjain has joined #openstack-keystone		10:12
openstackgerrit	Samriddhi proposed openstack/keystone master: Expanded the best practices subsection in devdocs https://review.openstack.org/476541	10:23
openstackgerrit	Samriddhi proposed openstack/keystone master: Reorganised developer documentation https://review.openstack.org/476606	10:24
openstackgerrit	Samriddhi proposed openstack/keystone master: Added new subsections to developer docs https://review.openstack.org/476635	10:25
openstackgerrit	Samriddhi proposed openstack/keystone master: Added configuration options using oslo.config https://review.openstack.org/479631	10:52
openstackgerrit	Samriddhi proposed openstack/keystone master: Added configuration references to documentation https://review.openstack.org/474543	10:52
*** ducttape_ has joined #openstack-keystone		11:06
*** ducttape_ has quit IRC		11:10
*** edmondsw has joined #openstack-keystone		11:25
*** edmondsw has quit IRC		11:25
*** edmondsw has joined #openstack-keystone		11:25
samueldmq	morning	11:26
*** tobberyd_ has joined #openstack-keystone		11:31
*** shuyingya has joined #openstack-keystone		11:34
*** tobberydberg has quit IRC		11:35
*** tobberyd_ has quit IRC		11:36
*** shuyingya has left #openstack-keystone		11:36
*** sjain_ has joined #openstack-keystone		11:36
*** sjain has quit IRC		11:38
samueldmq	sjain_: morning	11:38
sjain_	Hi samueldmq: morning :)	11:39
*** raildo has joined #openstack-keystone		11:51
*** thorst has joined #openstack-keystone		11:53
*** dave-mccowan has joined #openstack-keystone		11:55
*** d0ugal has joined #openstack-keystone		12:04
*** d0ugal has quit IRC		12:04
*** d0ugal has joined #openstack-keystone		12:04
openstackgerrit	Samriddhi proposed openstack/keystone master: Added configuration options using oslo.config https://review.openstack.org/479631	12:05
*** d0ugal has quit IRC		12:12
*** brad[] has quit IRC		12:16
*** sjain_ has quit IRC		12:17
*** brad[] has joined #openstack-keystone		12:18
*** bhagyashris has joined #openstack-keystone		12:30
*** iurygregory has quit IRC		12:31
*** zhurong has quit IRC		12:36
*** sjain has joined #openstack-keystone		12:38
*** jmlowe has quit IRC		12:40
*** iurygregory has joined #openstack-keystone		12:41
bhagyashris	samueldmq: itted working progress (proposed solution for [1]) patch: https://review.openstack.org/#/c/478143/ but that is not that much feasible so Is the logging the request and "request_id" at info level is feasible in the keystoneauth	12:44
bhagyashris	samueldmq: Hi, I need your opinion Need your opinion	12:44
bhagyashris	samueldmq: please ignore above msg mistakenly send it	12:45
samueldmq	bhagyashris: no problem	12:45
bhagyashris	samueldmq: Similar to all python-*clients I have proposed patch in openstacksdk [1]: https://review.openstack.org/#/c/478143/to return request-id from all openstacksdk API's but there is a objection saying why can not we just refer to the request-id logged in keystoneauth. The proposal is to change to logging request-d from DEBUG level [2] to INFO level. Please refer to the Brain's proposal.	12:45
samueldmq	bhagyashris: I will try to keep an eye on that, and also copy others. this week is gonna be kinda super busy for me, but I will try, thanks for the heads up	12:47
samueldmq	bhagyashris: also, try to get a full working version (removing from WIP) and get tests passing	12:47
samueldmq	will help getting reviews :)	12:48
bhagyashris	samueldmq: Actaully I just need your opinion regarding logging request-d from DEBUG level [2] to INFO level.	12:50
samueldmq	bhagyashris: I am not seeing any logging in https://review.openstack.org/#/c/478143	12:51
bhagyashris	samueldmq: I have submitted patch in pyhton-openstacksdk and on that I have got comment to make this change in keystoneauth as I have mentioned above because the patch [1] proposal that I have submitted is anyways will not be accepted.	12:52
samueldmq	bhagyashris: I see Brian's comments now	12:52
bhagyashris	samueldmq: yeah that imp	12:52
samueldmq	if you want to see what's wrong with your call (check the logs)	12:52
samueldmq	if you are checking what's wrong, debug should be fine (you're effectively debugging it)	12:53
bhagyashris	samueldmq: yes	12:53
bhagyashris	samueldmq: but for operators point of view	12:54
*** d0ugal has joined #openstack-keystone		12:54
*** d0ugal has quit IRC		12:54
*** d0ugal has joined #openstack-keystone		12:54
samueldmq	bhagyashris: for operators, is it bad to have debug level for debugging?	12:54
bhagyashris	samueldmq: it should be info IMO	12:55
samueldmq	bhagyashris: so it would be logging as info the request-id for every single request that hits keystoneauth?	12:56
bhagyashris	samueldmq: yes	12:57
samueldmq	bhagyashris: ok, I dont see why it'd need to be logged as info. I'd like to hear from mordred morgan or jamielennox on that	12:58
samueldmq	since they have a broader knowledge than me on request-ids	12:58
samueldmq	mordred: morgan: jamielennox: there is a proposal to log request-id at INFO level (it's currently under DEBUG). thoughts?	12:59
*** d0ugal has quit IRC		12:59
*** catintheroof has joined #openstack-keystone		13:04
*** masber has quit IRC		13:06
*** d0ugal has joined #openstack-keystone		13:08
*** lbragstad has joined #openstack-keystone		13:08
*** ChanServ sets mode: +o lbragstad		13:08
bhagyashris	mordred: morgan: jamielennox: Hi, waiting for some thoughts as mentioned above.	13:12
cmurphy	sdague might also be a good person to ask about that	13:16
bhagyashris	cmurphy: ok thanks.	13:18
openstackgerrit	Samriddhi proposed openstack/keystone master: Replaced policy.json with policy.yaml https://review.openstack.org/482139	13:19
openstackgerrit	Matthew Edmonds proposed openstack/keystone master: fix identity:get_identity_providers typo https://review.openstack.org/482142	13:22
*** ducttape_ has joined #openstack-keystone		13:24
edmondsw	I'm not sure what the keystone stance is on backward compatibility and changes like ^	13:25
edmondsw	but with all the changes being made for policy in pike, it seems like a good time to fix that one way or another	13:26
*** ducttap__ has joined #openstack-keystone		13:26
*** bknudson has joined #openstack-keystone		13:28
*** ducttape_ has quit IRC		13:29
*** belmorei_ has joined #openstack-keystone		13:31
*** belmoreira has quit IRC		13:32
breton	edmondsw: so... what was the default rule for the action before the change?	13:33
breton	edmondsw: could i as non-admin get an identity provider?	13:33
*** zzzeek_ has quit IRC		13:34
edmondsw	breton admin required	13:37
edmondsw	breton I didn't change the default.. just the name of the rule	13:40
edmondsw	from plural to singular, since it's a get, not a list	13:40
*** sjain has quit IRC		13:45
*** sjain has joined #openstack-keystone		13:46
edmondsw	samueldmq yeah, that's what I was trying to start a discussion about ^	13:49
edmondsw	I can certainly add a release note	13:50
edmondsw	that all?	13:50
samueldmq	edmondsw: yeah, I am not sure it's worth it, and we don't have deprecation workflow for those things	13:50
samueldmq	edmondsw: if we had a keystone doctor check on the policy rules, to make sure they're all there and valid or somehting	13:52
samueldmq	that'd certainly help in cases like that one	13:52
edmondsw	yeah	13:52
edmondsw	can't check that they're all there, because they always will now that there are defaults in the code, but you could check if there are rules that aren't used	13:53
samueldmq	edmondsw: yes, and fail if there are any	13:54
edmondsw	well not fail... warn	13:55
edmondsw	because someone could be extending keystone and need those extra rules for that, and we wouldn't know	13:55
breton	edmondsw: did the old name work? And really prevented non-admin from getting an idp?	13:59
edmondsw	breton I assume so... I don't use federation, so...	14:00
samueldmq	edmondsw: if we just warn it would be easier for someone to ignore and that go in (e.g your change) without being noticed	14:00
samueldmq	they can just ignore the failure (saying the list of not recognized policies) if they have something besides what we offer	14:00
breton	edmondsw: i have a slight feeling that it didn't work	14:01
sjain	Hi, can someone please take a look at this patch and suggest why the tests are failing, https://review.openstack.org/#/c/479631/	14:01
*** gagehugo_ has joined #openstack-keystone		14:02
*** superdan is now known as dansmith		14:02
sjain	It is giving me unauthorized access message in error	14:02
*** d0ugal has quit IRC		14:03
breton	so the default is `"default": "rule:admin_required"`	14:04
breton	depending on this default rule we operators can be either covered or no	14:05
edmondsw	breton the default rule is no longer used/relevant since we moved policy into code	14:07
edmondsw	because that rule is only checked if the rule isn't found, and with policy in code the rule will always be found... in code, if not in policy.yaml	14:07
breton	edmondsw: i think we should treat this as a micro security bug. Because of it if some operator modified policy.json and changed rule for get_identity_providers, or changed the "default" rule, it didn't get applied.	14:07
*** gyee has joined #openstack-keystone		14:07
breton	edmondsw: but "get_identity_provider" is never found, neither in your code, nor before	14:08
breton	edmondsw: well, *neither with policy-in-code, nor before policy-in-code	14:08
edmondsw	breton let me check if the code looked for get_identity_provider or get_identity_providers in ocata...	14:09
breton	edmondsw: it's "get_identity_provider" what is protected by @protected decorator, not "get_identity_providers". "get_identity_prodivers" action never existed, so that rule applied to nothing	14:09
breton	edmondsw: i checked already	14:09
breton	edmondsw: it's broken there	14:10
edmondsw	k	14:11
edmondsw	samueldmq if breton's right about this being broken in ocata, I think that should negate your concerns with the change	14:12
breton	morgan: lbragstad: what's your opinion on this bug being of minor security type?	14:12
edmondsw	breton good catch	14:12
*** ducttap__ has quit IRC		14:13
*** raildo has quit IRC		14:14
*** rmascena has joined #openstack-keystone		14:14
*** ducttape_ has joined #openstack-keystone		14:14
openstackgerrit	Matthew Edmonds proposed openstack/keystone master: fix identity:get_identity_providers typo https://review.openstack.org/482142	14:15
samueldmq	edmondsw: yeah I agree with breton	14:17
samueldmq	that's an unfortunate bug :(	14:17
breton	it might be worth cheking other rules	14:18
breton	that they match respective controllers	14:18
breton	and maybe write some unit-tests that would check the match	14:18
edmondsw	breton agreed	14:21
mordred	samueldmq, bhagyashris: so - in shade (fwiw, I made a specific logger for request ids - shade.request-ids) to allow a user/operator to decide if they want to see or not see request ids	14:23
*** chlong_ has joined #openstack-keystone		14:24
mordred	request ids at the info level by default in keystoneauth would be VERY chatty for people just using keystoneauth to make their HTTP requests	14:24
*** bombart has joined #openstack-keystone		14:24
mordred	but - I think there's also a great argument to be made for being able to turn them on easily and get them at the info level	14:25
*** ducttape_ has quit IRC		14:25
mordred	so pehaps including them, as we do now, in the debug level of the http layer "request to {url} used request id {id}" - but also emit in the same place a similar message to a request_ids logger at the INFO level	14:26
mordred	(turns out python logging is incredibly powerful 077081	14:26
mordred	and being able to configure what you want to see at the application layer is really useful)	14:26
*** ducttape_ has joined #openstack-keystone		14:27
*** zzzeek_ has joined #openstack-keystone		14:28
breton	we don't have "default" rule any more?	14:30
*** zhurong has joined #openstack-keystone		14:30
breton	we do! ./base.py: name='default',	14:30
*** bombart has quit IRC		14:31
*** chandankumar has joined #openstack-keystone		14:32
edmondsw	breton then that's another bug... we shouldn't	14:32
edmondsw	it doesn't make sense with policy in code	14:32
*** bombart has joined #openstack-keystone		14:33
breton	edmondsw: well, it served great as a fuse	14:34
edmondsw	a fuse?	14:34
breton	well	14:35
breton	safety valve	14:35
chandankumar	breton: please have a look on this bug https://bugs.launchpad.net/keystone/+bug/1701541 thanks :-)	14:35
openstack	Launchpad bug 1701541 in tempest "Keystone v3/roles has differnt response for HEAD and GET (again)" [Undecided,New]	14:35
*** sjain has quit IRC		14:35
* breton 's english in this stuff is not good		14:35
breton	chandankumar: i have no idea what to do with it :p	14:37
chandankumar	breton: whom can i catch for the same.	14:37
chandankumar	from keystone side.	14:37
edmondsw	breton your english was fine... but I'm not following how it was a fuse / safety valve	14:39
edmondsw	breton I opened https://bugs.launchpad.net/keystone/+bug/1703392	14:40
openstack	Launchpad bug 1703392 in OpenStack Identity (keystone) "default rule no longer applies with policy in code" [Undecided,New]	14:40
*** belmorei_ has quit IRC		14:41
*** phalmos has joined #openstack-keystone		14:42
openstackgerrit	Matthew Edmonds proposed openstack/keystone master: remove default rule https://review.openstack.org/482164	14:46
*** aselius has joined #openstack-keystone		14:48
*** toddnni has quit IRC		14:48
*** zhurong has quit IRC		14:56
*** rcernin has quit IRC		14:57
*** chlong_ has quit IRC		15:16
breton	edmondsw: well, if there was no default rule, what would be the rule for get_identity_provider?	15:18
edmondsw	the one we define once the bug I opened is fixed	15:19
edmondsw	breton all the things we check should be defined, so there is no need for a default rule	15:19
*** ducttape_ has quit IRC		15:19
edmondsw	if we miss something, that's a bug... one we shouldn't hide by having a default rule that makes things look like they're working	15:20
edmondsw	when they're not working as expected...	15:20
edmondsw	breton ^	15:20
*** d0ugal has joined #openstack-keystone		15:20
*** d0ugal has quit IRC		15:20
*** d0ugal has joined #openstack-keystone		15:20
breton	edmondsw: if we remove default rule, who can access list_roles_for_trust?	15:22
edmondsw	breton whether or not we remove default rule, the answer is the same... everyone: https://github.com/openstack/keystone/blob/2edcfb9fe7b74340ff0220e46e8099a4c0732115/keystone/common/policies/trust.py#L26	15:23
breton	edmondsw: so the default rule is not operational now?	15:24
edmondsw	breton it is... sortof	15:24
edmondsw	it would get used if there was a mismatch where code checks for a rule but that rule is not defined in code	15:25
edmondsw	that should never happen though... that's a bug	15:25
edmondsw	a perfect example is the get_identity_provider bug I just opened	15:25
edmondsw	that's the only case where default rule would get checked	15:26
breton	edmondsw: is there a unit test for it? Or maybe you could show me the code that does that?	15:26
edmondsw	breton that does what?	15:26
breton	edmondsw: the check of "default" rule	15:27
edmondsw	breton it's in oslo.policy: https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L213	15:28
*** ducttape_ has joined #openstack-keystone		15:30
*** chlong_ has joined #openstack-keystone		15:30
breton	ok, my bad	15:31
breton	i thought that default rule is a replacement for empty rule	15:31
edmondsw	np	15:35
breton	"identity:delete_trust": ""	15:36
* breton sighs		15:36
edmondsw	breton ooo... yeah, ugh	15:36
edmondsw	breton you gonna open a bug on that I hope?	15:37
breton	edmondsw: well, no :p we are covered there in the code	15:38
edmondsw	breton did they mixup delete_trust and create_trust?	15:38
edmondsw	I could see create_trust being '' because there can't be an owner yet, right?	15:38
edmondsw	or is that checking owner from the request?	15:39
breton	edmondsw: https://git.openstack.org/cgit/openstack/keystone/tree/keystone/trust/controllers.py#n232	15:39
edmondsw	I haven't done much with trusts, not even sure if there is an owner in the request	15:39
edmondsw	breton ok good	15:40
openstackgerrit	Andy McCrae proposed openstack/keystone master: [TEST] Test OSA upgrade job's status. https://review.openstack.org/482189	15:41
openstackgerrit	Matthew Edmonds proposed openstack/keystone master: don't validate trust in policy https://review.openstack.org/482190	15:47
edmondsw	breton ^	15:47
*** gongysh has joined #openstack-keystone		15:51
*** d0ugal has quit IRC		15:56
*** aojea has quit IRC		16:03
*** chlong_ has quit IRC		16:06
*** gongysh has quit IRC		16:15
*** chlong_ has joined #openstack-keystone		16:20
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: Expand some discover.py docstrings https://review.openstack.org/482207	16:22
*** amyge has joined #openstack-keystone		16:33
amyge	Hi I have a question about the keystone token. If I have 10 commands in a shell script and I pass in a valid token which created by myself. will the script generate 10 new tokens from the one I pass in? or will it just create one new token from the one I pass in and use it for all 10 commands? or will it use the token I pass in?	16:35
amyge	I think I'm a bit confused about the specific definition of 'scenario' in 'one token per scenario' during the discussion I had here last Friday.	16:37
*** harlowja has joined #openstack-keystone		16:37
*** chlong_ has quit IRC		16:38
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: Expand some discover.py docstrings https://review.openstack.org/482207	16:38
*** lwanderley has joined #openstack-keystone		16:40
*** tesseract has quit IRC		17:01
*** bombart has quit IRC		17:01
*** sjain has joined #openstack-keystone		17:02
*** aojea has joined #openstack-keystone		17:09
morgan	amyge: it really depends on how you invoke the commands. It could use the token you created, it may generate 10 new tokens based upon the token you created, etc. There are many variations on the invocations of CLI tools	17:10
samueldmq	mordred: thanks, a separate log for request-ids might make sense for keystoneauth too	17:13
*** aojea has quit IRC		17:13
*** aojea has joined #openstack-keystone		17:13
samueldmq	bhagyashris: ^	17:13
samueldmq	let's hear more from others and see what we get :)	17:13
sjain	samueldmq: can you review this please, https://review.openstack.org/#/c/476541/, should be an easy one, you gave +2 to this before :)	17:15
*** lwanderley has quit IRC		17:16
samueldmq	sjain: sure	17:16
sjain	thanks :)	17:16
amyge	morgan: I see. for example if I am just trying to generate nova, neutron and bunch of other clients in the command, and do some basic information list like 'nova service-list', 'flavor-list'... will it generate new token for each command?	17:23
*** ducttape_ has quit IRC		17:28
*** sjain has quit IRC		17:29
*** lwanderley has joined #openstack-keystone		17:37
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: normalize_version_number([1]) => (1, 0) and docs https://review.openstack.org/481309	17:37
*** aojea has quit IRC		17:48
*** jmlowe has joined #openstack-keystone		17:58
*** ducttape_ has joined #openstack-keystone		18:00
*** aojea has joined #openstack-keystone		18:01
*** dmellado has quit IRC		18:02
*** dmellado has joined #openstack-keystone		18:02
lbragstad	breton: sorry - just got your ping, in meeting all day today	18:04
lbragstad	breton: i'll review the conversation in a bit and check it out	18:05
*** aojea has quit IRC		18:06
rmascena	lbragstad, hey sir, can you add this patch in your review list? https://review.openstack.org/#/c/480287/ I'm looking to send the backport asap	18:22
*** rmascena is now known as raildo		18:22
lbragstad	raildo: sure thing - i'll review today	18:23
raildo	lbragstad, thanks :)	18:23
lbragstad	raildo: thank you for the backport	18:23
lbragstad	raildo: is that going all the way back to stable/newton?	18:23
lbragstad	looks like it	18:24
raildo	lbragstad, yeap	18:24
raildo	ocata and newton	18:24
lbragstad	raildo: then this can be reproposed? https://review.openstack.org/#/c/469514/	18:25
raildo	lbragstad, exactly, I was thinking in send a new patch and ask for abandon this change	18:27
raildo	sounds good for you?	18:27
lbragstad	raildo: works for me	18:28
raildo	ok	18:28
lbragstad	raildo: https://review.openstack.org/#/c/480287/4 looks good	18:28
lbragstad	want to add a release note?	18:28
raildo	sure, I can do it :)	18:28
lbragstad	https://docs.openstack.org/keystone/latest/devref/development_best_practices.html	18:28
*** aojea has joined #openstack-keystone		18:39
morgan	amyge: if you use --os-token (and provide the endpoints via... --os-endpoint? [cc mordred, stevemar, lbragstad]) it should not generate new tokens, but if you don't have a catalog it will.	18:46
amyge	morgan: I see~~ and just one more question, is there a way in python/command line for me to check if a new token is generated?(e.g. in osclient I can do osclient.keystone.auth_ref.auth_token)	18:57
morgan	with debug output, possibly	18:58
morgan	not 100% sure on that	18:58
bknudson	we had code in keystoneclient to cache the token in a keystore but that seems to have disappeared with keystoneauth	18:58
bknudson	not sure if it ever really worked… probably doesn't now especially since the version of keystore is pinned.	18:58
catintheroof	hi guys, quick question, does keystone support trust relationship for services like nova and neutron to comunicate with keystone without user/passwd right? do i have some documentation to read on setting that up ?	19:00
amyge	morgan: you mean '--debug' in my command? will try that	19:02
bknudson	catintheroof: keystone supports tokenless authentication https://docs.openstack.org/keystone/latest/advanced-topics/configure_tokenless_x509.html . I've never used it.	19:03
catintheroof	bknudson: thanks!	19:05
mordred	morgan, amyge: re-using tokens across different clients in a shell script like that is ultimately going to get to a hard-to-understand place - if it were me, I'd just write whatever you're scripting in python instead - but I dont have context, so that might not be possible	19:05
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: Make Discover.version_data accept null max_version https://review.openstack.org/482250	19:06
amyge	mordred: yeah I'm actually writing it in python. but just wanted to understand more about using the same token across clients so I asked about shell script~	19:07
amyge	mordred, morgan: btw, in python, I know that if I cache and use the same session across clients, I will be able to use the same token. but is there any method that I can call to check if I'm using the same token across clients?	19:09
mordred	amyge: you can just look at the token in the session with session.get_token()	19:10
mordred	amyge: if you pass the same session to each client, then ksa will use the same token (it only has one token)	19:10
amyge	mordred: oh i see. thanks!^^	19:11
mordred	amyge: although if you're writing python and using different clients from python-*client I'd ALSO recommend not doing that :)	19:11
mordred	but that's a whole different issue	19:11
*** jmlowe has quit IRC		19:14
amyge	mordred: i see. just got a question for caching session then. right now I'm caching the session in osclient object, but when I create a new osclient and update auth_ref, I will have to generate a new session, which will generate a new token. Is there better way to cache session so that I can use the token longer?	19:17
mordred	amyge: what's osclient from?	19:20
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: Expand some discover.py docstrings https://review.openstack.org/482207	19:21
openstackgerrit	Raildo Mascena proposed openstack/keystone master: Fixing flushing tokens workflow https://review.openstack.org/480287	19:23
*** ducttape_ has quit IRC		19:23
*** ducttape_ has joined #openstack-keystone		19:23
*** lwanderley has quit IRC		19:24
*** tobberydberg has joined #openstack-keystone		19:38
*** tobberydberg has quit IRC		19:43
*** jessegler has joined #openstack-keystone		19:43
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: Nix EndpointData.get_versioned_data(authenticated) https://review.openstack.org/482260	19:45
*** edmondsw_ has joined #openstack-keystone		19:53
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: Fix _run_discovery caching https://review.openstack.org/481754	19:56
*** edmondsw has quit IRC		19:56
*** edmondsw has joined #openstack-keystone		19:57
*** d0ugal has joined #openstack-keystone		19:57
*** edmondsw_ has quit IRC		19:59
lbragstad	raildo: one comment on the release note - otherwise it looks good	20:06
lbragstad	raildo: thank you!	20:06
raildo	lbragstad, thanks for the review, I'll fix it and send a new patch set now	20:08
openstackgerrit	Raildo Mascena proposed openstack/keystone master: Fixing flushing tokens workflow https://review.openstack.org/480287	20:11
lbragstad	cc stevemar ^	20:12
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: Miscellaneous cleanup in discover.py https://review.openstack.org/482271	20:16
openstackgerrit	Samuel Pilla proposed openstack/python-keystoneclient master: WIP: Add project tags to keystoneclient https://review.openstack.org/481223	20:29
*** ducttape_ has quit IRC		20:31
*** nicolasbock has quit IRC		20:34
*** ducttape_ has joined #openstack-keystone		20:34
*** rderose has joined #openstack-keystone		20:34
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: normalize_version_number([1]) => (1, 0) and docs https://review.openstack.org/481309	20:38
*** thorst has quit IRC		20:42
*** aojea has quit IRC		20:44
*** thorst has joined #openstack-keystone		20:45
*** aojea has joined #openstack-keystone		20:46
*** aojea has quit IRC		20:46
*** aojea has joined #openstack-keystone		20:46
*** thorst has quit IRC		20:49
*** d0ugal has quit IRC		20:52
*** catintheroof has quit IRC		20:53
*** thorst has joined #openstack-keystone		21:00
*** phalmos has quit IRC		21:11
*** raildo has quit IRC		21:13
*** sghosh has quit IRC		21:14
*** dklyle has joined #openstack-keystone		21:18
*** dgedia has quit IRC		21:18
*** david-lyle has quit IRC		21:19
*** aojea has quit IRC		21:28
*** aojea has joined #openstack-keystone		21:28
*** aojea has quit IRC		21:34
*** rderose has quit IRC		21:37
*** zzzeek_ has quit IRC		21:37
*** eandersson has joined #openstack-keystone		21:38
eandersson	We have an interesting issue with service catalog	21:39
eandersson	We are using the file based catalog	21:39
eandersson	and we are getting a list of dictionaries	21:39
eandersson	which causes calls like this to pick the first region in the list	21:40
eandersson	https://github.com/openstack/horizon/blob/master/openstack_dashboard/api/base.py#L262	21:40
*** zzzeek_ has joined #openstack-keystone		21:40
eandersson	We have to fix these type of issues using patches like this http://paste.openstack.org/show/614967/	21:40
*** gongysh has joined #openstack-keystone		21:47
*** rderose has joined #openstack-keystone		21:57
*** rderose has quit IRC		21:58
*** rderose has joined #openstack-keystone		21:58
*** thorst has quit IRC		22:02
nkinder	lbragstad: is there anyone working on the application credentials implementation?	22:03
jamielennox	samueldmq: agree with mordred, putting request-id at info would be very noisy in logs, however i'd be ok with putting a new handler name in so that anyone who wants that info could turn up the logging for just that	22:11
mordred	eandersson: liucky for you - we just added apis to keystoneauth to do all of those things for you	22:12
mordred	eandersson: I'm going to strongly recommend that you migrate to using the keystoneauth library - most of that file, from the looks of it, will be able to be deleted	22:13
mordred	eandersson: I'm in another meeting- but we should connect - there's really no reason for y'all to have your own copy of service and version discovery directly in horizon anymore	22:14
mordred	and it turns out it's a massively complex topic	22:14
samueldmq	jamielennox: ++	22:15
samueldmq	bhagyashris: ^ see jamielennox's comment above. same as mordred's suggestion	22:15
eandersson	mordred, the above patch is for horizon	22:16
eandersson	ops missed your last comment	22:17
*** deep-book-gk_ has joined #openstack-keystone		22:18
*** deep-book-gk_ has left #openstack-keystone		22:20
lbragstad	nkinder: mordred is tackling that work	22:23
mordred	nkinder: it's on my plate - I have not started writing any code as of yet (the rest of my plate needs to burn down a bit before I can get to it in earnest)	22:24
*** phalmos has joined #openstack-keystone		22:27
*** aojea has joined #openstack-keystone		22:30
*** phalmos_ has joined #openstack-keystone		22:31
*** phalmos has quit IRC		22:31
eandersson	mordred, simple question when hitting keystone get_v3_catalog are service types intended to contain all regions? e.g. dns contain regionOne, regionTwo?	22:31
*** zzzeek_ has quit IRC		22:32
*** bknudson has quit IRC		22:34
mordred	eandersson: yes	22:35
mordred	eandersson: you may want to check out: http://specs.openstack.org/openstack/api-wg/guidelines/consuming-catalog.html	22:35
eandersson	So the templated code does not do that	22:35
*** aojea has quit IRC		22:36
eandersson	Pretty sure the templated catalog does not behave as intended	22:36
mordred	eandersson: http://paste.openstack.org/show/614968/	22:37
*** ducttape_ has quit IRC		22:37
mordred	eandersson: there is an example from citycloud's public cloud	22:37
mordred	eandersson: when you say "the templated catalog" - what do you mean?	22:38
eandersson	templated backend	22:39
eandersson	https://github.com/openstack/keystone/blob/master/keystone/catalog/backends/templated.py	22:39
*** catintheroof has joined #openstack-keystone		22:43
eandersson	mordred, http://paste.openstack.org/show/614969/	22:43
eandersson	I would expect that the above would have the endpoints for both regions in a single dict	22:45
*** ducttape_ has joined #openstack-keystone		22:45
mordred	the endpoint for a service in v3 should have a list of dicts - each dict has region, interface and url	22:46
mordred	like - there is no structure to handle more than one region in a single dict	22:47
mordred	since region, interface and url are all keys	22:47
*** zzzeek_ has joined #openstack-keystone		22:50
*** ducttape_ has quit IRC		22:50
openstackgerrit	Matthew Edmonds proposed openstack/keystone master: fix assert_admin https://review.openstack.org/482359	22:58
eandersson	mordred, so compared the result of openstack catalog list on templated vs. sql	23:03
eandersson	with the sql backend you have nova/compute with all regions	23:04
eandersson	with the templated backend you have a nova/compute per region	23:05
mordred	eandersson: oh - wow - looking at code there - that seems to be a very weird version od the v2 catalog	23:05
mordred	I especially like this: https://github.com/openstack/keystone/blob/master/keystone/catalog/backends/templated.py#L170-L171	23:06
mordred	morgan: ^^ what new form of torture has eandersson found for me?	23:06
eandersson	I almost feel vindicated - been working around this "issue" for so long :D	23:08
mordred	eandersson: :)	23:09
mordred	eandersson: well - honestly - the main thing we really need to do is get you out of the business of parsing service catalogs	23:09
mordred	eandersson: and on to the business of letting the keystoneauth library do it for you	23:10
mordred	becuase if keystone is emitting catalogs that keystoneauth can't parse - well, that's a clear bug now isn't it?	23:10
*** ducttape_ has joined #openstack-keystone		23:12
*** thorst has joined #openstack-keystone		23:17
*** ducttape_ has quit IRC		23:20
*** gagehugo_ has quit IRC		23:21
*** thorst has quit IRC		23:21
*** rderose has quit IRC		23:22
eandersson	yea - makes sense	23:23
jamielennox	the file based backend was deprecated a number of cycles ago wasn't it?	23:23
jamielennox	at least particularly the one called templated, because it only produced a v2 format and then it had to be converted to v3 rather badly	23:24
jamielennox	there was a proposal (i'm pretty sure i was involved) to make it like a yaml file with a non version related format	23:25
eandersson	Yea - looking at the code it has never worked properly for v3 and multi-region	23:25
jamielennox	but that cloud kinda went up in smoke and so the urgency fell away	23:25
eandersson	It's not marked as deprecated in the config though	23:27
jamielennox	eandersson: you're right, there's no sign of a deprecation notice	23:28
jamielennox	but i would consider it largely untested and probably broken	23:29
eandersson	It works in general I think, but breaks a couple of services (e.g. Horizon won't work with multi-region).	23:30
eandersson	The fact that the openstack client gives the wrong result probably indicates that it needs to be fixed on the keystone side	23:32
eandersson	or maybe deprecated and eventually removed :D	23:32
morgan	mordred: the templated catalog is terrible	23:36
morgan	and it should never be used	23:36
morgan	i advocated deleting it... but everyone said no	23:36
morgan	because it's easy for CMS to deploy	23:36
morgan	the sad part is.. it is almost 100% not validated	23:36
morgan	so, good luck?	23:36
morgan	yeah untested at best	23:37
morgan	broken most likely	23:37
mordred	eandersson, morgan, jamielennox: I advocate for removed. it's broken	23:39
*** edmondsw has quit IRC		23:40
mordred	it produces invalid catalogs	23:40
eandersson	good - because we are totally not using it in PROD	23:41
*** thorst has joined #openstack-keystone		23:57
*** catintheroof has quit IRC		23:59

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!